Thunderbird 1.5, SSL, and Avast!

I’m using TB1.5 RC1 and trying to get the new “allow AV clients to quarantine individual incoming messages” option to work properly with Avast! and SSL on IMAP. I’ve been getting test viruses sent to me (“Sober” worm). But Avast! won’t give me any warnings. Not sure which program is causing the problem.

If I save the attachment to the desktop, Avast detects it immediately. But if I save an .eml file to the desktop, it won’t. And it won’t detect it automatically when TB apparently saves the incoming email to an individual file.

Any help would be appreciated!

I posted in the Thunderbird forums about this issue and was referred here!
(http://forums.mozillazine.org/viewtopic.php?p=1902819)

Search function is your friend.

Email over SSL

Umath, the user is not asking for the information you provided. The user is asking about a reputed new feature in Thunderbird that sounds as though it should work with antivirus software in the way the current Outlook/Exchange plugin works in avast and totally eliminate the need for Stunnel.

My post in the Thunderbird forum:

I am surprised to see people posting such nonsense as "avast has problems with SSL" and "Something is amiss in the email scanning engine of Avast" - but then again perhaps I should not be.

There is nothing wrong with email scanning in avast. No mail clients can screen a mail stream that is protected by SSL, period, end of discussion - because that is what SSL is designed to prevent.

There are two ways to scan such mail - first by using a third party program that effectively interrupts the SSL stream to allow the stream to become non-SSL in the user's system and be scanned by the antivirus program, or to have an email client work with a plugin that can scan each message as it is received in the client.

Avast works very well in the first case and in the second works very well with two mail clients, MS Outlook and The Bat.

When the Thunderbird team announced that the 1.5 release would “work better with antivirus programs” I looked forward to seeing it posted to the world how this would be done. I have searched for this information a number of times but it remains remarkably elusive.

If someone with some real knowledge of what has been done in Thunderbird 1.5 to facilitate better interaction with antivirus programs I will be more than happy to promote it in the avast forums.

Oops. Please forgive my carelessness. :stuck_out_tongue: Probably, I shouldn’t have replied to a question about an application which I am not using in the first place.

P.S. I guess I am quite happy with my current email application.

Thus speaks the Thunderbird:

Beginning with version 1.5, Thunderbird can be set to download each e-mail message from a POP3 account to a separate, temporary file before appending the message to the Inbox file. There will be one temporary file per message, and the temporary file will later be deleted.

This option was added in response to user complaints about antivirus software deleting or quarantining the entire Thunderbird Inbox when scanning incoming mail instead of taking action on just a single infected message. Because your antivirus software should automatically scan incoming files as they are written to your computer, downloading each e-mail message as a separate file should make it easier for your antivirus software to quarantine an infected message before it reaches your Inbox. This is especially true for antivirus programs that have compatibility issues with Thunderbird, or for messages downloaded via an SSL connection.

To have Thunderbird download your POP3 e-mail in this way, go to “Tools → Options → Privacy → Antivirus” and check the box for “Allow anti-virus clients to quarantine individual incoming messages”.

So, in case it is not entirely clear here is my understanding though I have yet to try it out.

For POP3 users (not IMAP - sorry jj44) who select this option:

As each mail message is received it will be written to a temporary file.

Thunderbird assumes that an antivirus product, if present, will detect the write of the temporary file and scan it. If the antivirus product finds the file to be infected it is assumed by Thunderbird that the infected file will be either deleted or moved to quarantine and thus removed from Thunderbird’s sight.

If it is removed from Thunderbird’s sight it will pop a warning message to the user that the message is lost before it proceeds with the retrieval of any other mail messages.

If Thunderbird can still “see” the temporary file then it will assume that the antivirus has scanned the file and found it clean. It will then proceed to add the message to the main message folder and delete the temporary file before it proceeds with the retrieval of any other mail messages.

About the only advantage in this new feature for avast users will be in those cases where avast cannot scan the mail stream with its present intercept methods. So the cases that come to mind are with SSL connections (for POP3 accounts only) where an STunnel solution would not be necessary and for those users of “accelerator” packages which also interfere with avast interception of port 110.

This feature, if robust, may also prove a little “easier to use” for users of Win9x systems rather than dealing with the Setup Wizard - though it does only cover the POP3 side and would not assist those users with the SMTP side. Of course, it could just result in a lot more confusion too.

I will check it out with my use of Thunderbird and report back.

Later edit.

Those users of secure connection services such as Gmail may find this feature of Thunderbird less valuable if they also want to have outbound mail scanned and optionally have the scanned message inserted by avast. To achieve this would still require most of the STunnel setup for the outbound side, if they are doing that they might just as well use it for the inbound side too and forgo the new Thunderbird feature.

I conducted a series of tests of the new Thunderbird feature - here are the results.

Please note that in every case where I say I turned on or turned off a feature I also stopped and restarted all avast providers.

1.1) turned on this new feature in Thunderbird (1.5 RC1).

1.2) turned off POP3 mail scanning in the avast Internet Mail provider

1.3) used a well known web site to deliver a series of Eicar test emails to one of my accounts where I knew the messages would be delivered unhindered by any other antivirus scans.

1.4) started Thunderbird which automatically contacted the account and proceeded to download all 12 Eicar messages which had been sent from the Eicar email test site.

1.5) all 12 email messages were successfully delivered to the Thunderbird Inbox and there were no warning messages from avast (or from Thunderbird).

On examination of my system logs I found that for every message downloaded Thunderbird had created a file. That file was placed in the system defined Windows temporary folder (on my system C:\Windows\Temp).

The file was named for every downloaded message C:\Windows\Temp\newmsg

For every downloaded message the Inbox was updated with the message and the temporary file was deleted and flushed (never actually reaching disk surface).

2.1) turned off the new feature in Thunderbird

2.2) turned on POP3 mail scanning in the avast Internet Mail provider

2.3) set Thunderbird to re-download the same 12 Eicar test emails which were still sitting on the email server.

2.4) started Thunderbird which automatically contacted the account and proceeded to download all 12 Eicar messages from the mail server.

2.5) every message was intercepted by avast with a virus warning - all 12 messages reached the inbox with a warning included and the virus removed. In other words, normal avast interception and processing.

3.1) turned on this new feature in Thunderbird

3.2) turned off POP3 mail scanning in the avast Internet Mail provider
turned on “scan all files written/modified” in the Standard Shield

3.3) set Thunderbird to re-download the same 12 Eicar test emails which were still sitting on the email server.

3.4) started Thunderbird which automatically contacted the account and proceeded to download all 12 Eicar messages from the mail server.

3.5) all 12 email messages were successfully delivered to the Thunderbird Inbox and there were no warning messages from avast (or from Thunderbird).

The logs (not surprisingly) show the same temporary file created, deleted and flushed by Thunderbird for each of the messages downloaded.

Why did I conduct test 3?

It was clear after test 1 and a review of the logs that a file named C:\Windows\Temp\newmsg did not fall within the criteria of the Standard Shield for scanning. Since it had no filetype it could not be added to the list to be scanned, so I opted to go for “scan all files written/modified”.

Why didn’t avast report any errors detected in test 3?

I believe that the file C:\Windows\Temp\newmsg contains, for each message, the simple plain text image of the email received. The attachments are simply in there as base64 encoded text files. As they stand they are nothing more than just a whole lot of text with no detectable virus signatures.

When the avast Internet Mail provider is scanning a mail stream it is expecting emails. It recognizes each email and processes it, much as a mail client would. Each body section is identified and examined. Each attachment is decoded and reconstituted and then examined for viruses. It is treated as an email and the “scanned text” can be appended if that option is selected.

When the Standard Shield is forced into examining an anonymous file called C:\Windows\Temp\newmsg it is just another text file, no virus signatures are detectable in it and it passes the test.

The mail message is then added to the Inbox where Thunderbird treats that text file as a mail message, takes apart its body parts, decodes the attachments and reconstitutes the virus.

I shall withhold any personal comments on this new Thunderbird feature (other than to recommend to avast users to avoid it for now) to see if the avast team has any comment.

You also need to enable “MIME” packer in the Standard Shield, that is the thing that is able to extract attachments from plain mail message. But the Resident task can be fully edited only in Professional version.

Additionally, you’d have to make sure that scanning of “Created/modified files” is enabled for this particular file (as it has no extension, you would have to enable the scanning of all files (*), or at least one-letter extensions (?)). And, you probably wouldn’t like the virus alerts to be displayed all the time, so you’d have to turn on the silent mode for Standard Shield provider.

These settings, however, will affect scanning of all the files on your disk (not just in the Temp folder) - so I’d say it’s too many changes just to enable e-mail scanning this way.
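An added illustration, not part of the original thread, of the difference discussed above between scanning the temporary message file as a plain file and scanning it with MIME unpacking. The signature, addresses and attachment name are constructed, and the substring match is only a stand-in for a real scanning engine.

```python
import email
from email import policy
from email.message import EmailMessage

# Constructed stand-in for an antivirus byte signature (not a real one).
SIGNATURE = b"CONSTRUCTED-TEST-SIGNATURE-0001"


def build_sample_message() -> bytes:
    """Constructed e-mail whose attachment carries the signature.

    Binary attachments are base64-encoded on the wire, which is how the
    message would also appear in a temporary file written by the client.
    """
    msg = EmailMessage()
    msg["From"] = "sender@example.com"
    msg["To"] = "user@example.com"
    msg["Subject"] = "constructed test message"
    msg.set_content("See attachment.")
    msg.add_attachment(
        b"header bytes " + SIGNATURE + b" trailer",
        maintype="application",
        subtype="octet-stream",
        filename="sample.bin",
    )
    return msg.as_bytes()


def scan_as_plain_file(raw: bytes) -> bool:
    """Signature match on the file exactly as written, with no unpacking."""
    return SIGNATURE in raw


def scan_with_mime_unpacking(raw: bytes) -> list[str]:
    """Parse the file as an e-mail, decode each leaf part, then match."""
    hits = []
    msg = email.message_from_bytes(raw, policy=policy.default)
    for part in msg.walk():
        if part.is_multipart():
            continue
        payload = part.get_payload(decode=True) or b""  # undoes base64
        if SIGNATURE in payload:
            hits.append(part.get_filename() or part.get_content_type())
    return hits


if __name__ == "__main__":
    raw = build_sample_message()
    print("plain file scan hit:", scan_as_plain_file(raw))
    print("MIME-unpacked scan hits:", scan_with_mime_unpacking(raw))
```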

Thanks to the avast team members for their comments.

As you probably noticed in my testing report I had no choice but to use “all files written/modified” in Standard Shield because of the lack of a file type on the temporary file created by Thunderbird (C:\Windows\Temp\newmsg). I agree with you that this is, for most of us, an unacceptable overhead.

Before I return and respond to the Thunderbird forum perhaps you could help me with another question.

If the temporary message file were given a file type then it could be added to the list to be scanned by the Standard Shield. Is there any file type (perhaps EML) that would cause the Standard Shield to treat the file as an email message and perform MIME type scanning of the file using the avast Home Edition?

avast team friends …

while I await your response to my previous question there is another one I would like to add.

Was there any effort to contact the avast team for consultation from the Thunderbird development group while this update to their product was being developed?

I will be content with:

Yes
No
We are not able to disclose such inter-organization contacts

See Vojtech’s post - that’s exactly the answer to your question :wink:

With due respect - you have not answered my question.

My command of the English language is quite reasonable. I understood the post saying that any old file of whatever type can be checked for MIME encoding with the option available in the Pro edition.

I asked is there any file type that will be checked for MIME encoding in the Home Edition?

From your post - I assume that your answer is no - but please read my questions and do not assume that I do not read your responses.

Before I go to the Thunderbird forum to report that avast is unable to work with the new feature of Thunderbird may I get an answer to my other question please?

avast team friends,

By way of an update - I have just conducted the same tests with the current version of the Grisoft AVG product (free version). That product also does not detect viruses with this Thunderbird feature.

While (you may have noticed) I am not entirely uncritical of avast, testing with the other product reconfirmed my view that you guys definitely have a superior offering.

Might I please have an answer to my “contact” question? I promised to report back to the Thunderbird forum after contact with the avast team - and I am used to honouring my commitments.

many thanks,

Alan

Well, I hoped I did :wink:

No. The archive format is determined by the file content, not by the extension. So, unless you turn on the MIME archiver (which can be done in the Professional version), avast! will not try to unpack the MIME content, no matter what the file extension is. When you turn the MIME packer on, avast! will try to unpack any file, no matter what the file extension is.

Anyone who cares to wade through my report to the Thunderbird forum can find it in this thread on page 2:

http://forums.mozillazine.org/viewtopic.php?p=1902819

To summarize:

  1. this feature in Thunderbird is, I believe, largely harmless if turned on.
  2. this feature in Thunderbird is, I believe, largely useless and no Thunderbird user should rely on it to provide any assistance in antivirus detection and prevention of viruses reaching their Inbox.

I must sadly end by saying, as one of the best email development managers who ever worked for me would say, “It is broken as designed”.