I conducted a series of tests of the new Thunderbird feature - here are the results.
Please note that in every case where I say I turned on or turned off a feature I also stopped and restarted all avast providers.
1.1) turned on this new feature in Thunderbird (1.5 RC1).
1.2) turned off POP3 mail scanning in the avast Internet Mail provider
1.3) used a well known web site to deliver a series of Eicar test emails to one of my accounts where I knew the messages would be delivered unhindered by any other antivirus scans.
1.4) started Thunderbird which automatically contacted the account and proceeded to download all 12 Eicar messages which had been sent from the Eicar email test site.
1.5) all 12 email messages were successfully delivered to the Thunderbird Inbox and there were no warning messages from avast (or from Thunderbird).
On examination of my system logs I found that for every message downloaded Thunderbird had created a file. That file was placed in the system-defined Windows temporary folder (on my system C:\Windows\Temp).
The file was named for every downloaded message C:\Windows\Temp\newmsg
For every downloaded message the Inbox was updated with the message and the temporary file was deleted and flushed (never actually reaching disk surface).
2.1) turned off the new feature in Thunderbird
2.2) turned on POP3 mail scanning in the avast Internet Mail provider
2.3) set Thunderbird to re-download the same 12 Eicar test emails which were still sitting on the email server.
2.4) started Thunderbird which automatically contacted the account and proceeded to download all 12 Eicar messages from the mail server.
2.5) every message was intercepted by avast with a virus warning - all 12 messages reached the inbox with a warning included and the virus removed. In other words, normal avast interception and processing.
3.1) turned on this new feature in Thunderbird
3.2) turned off POP3 mail scanning in the avast Internet Mail provider
turned on “scan all files written/modified” in the Standard Shield
3.3) set Thunderbird to re-download the same 12 Eicar test emails which were still sitting on the email server.
3.4) started Thunderbird which automatically contacted the account and proceeded to download all 12 Eicar messages from the mail server.
3.5) all 12 email messages were successfully delivered to the Thunderbird Inbox and there were no warning messages from avast (or from Thunderbird).
The logs (not surprisingly) show the same temporary file created, deleted and flushed by Thunderbird for each of the messages downloaded.
Why did I conduct test 3?
It was clear after test 1 and a review of the logs that a file named C:\Windows\Temp\newmsg did not fall within the criteria of the Standard Shield for scanning. Since it had no filetype it could not be added to the list to be scanned, so I opted to go for “scan all files written/modified”.
Why didn’t avast report any errors detected in test 3?
I believe that the file C:\Windows\Temp\newmsg contains, for each message, the simple plain text image of the email received. The attachments are simply in there as base64 encoded text files. As they stand they are nothing more than just a whole lot of text with no detectable virus signatures.
When the avast Internet Mail provider is scanning a mail stream it is expecting emails. It recognizes each email and processes it, much as a mail client would. Each body section is identified and examined. Each attachment is decoded and reconstituted and then examined for viruses. It is treated as an email and the “scanned text” can be appended if that option is selected.
When the Standard Shield is forced into examining an anonymous file called C:\Windows\Temp\newmsg it is just another text file, no virus signatures are detectable in it and it passes the test.
The mail message is then added to the Inbox where Thunderbird treats that text file as a mail message, takes apart its body parts, decodes the attachments and reconstitutes the virus.
I shall withhold any personal comments on this new Thunderbird feature (other than to recommend to avast users to avoid it for now) to see if the avast team has any comment.
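An added illustration, not part of the original post and not avast or Thunderbird code, of the mechanism the post proposes for test 3: a byte-pattern search over the raw message text compared with the same search after MIME decoding. The signature is a constructed stand-in for a scanner pattern, and the addresses and attachment filename are assumptions.

```python
from email import message_from_bytes, policy
from email.message import EmailMessage

# Constructed stand-in for a scanner signature (not a real malware pattern).
SIGNATURE = b"CONSTRUCTED-TEST-SIGNATURE-0001"


def build_raw_message() -> bytes:
    """Build the raw message text a mail client would spool to a temp file."""
    msg = EmailMessage()
    msg["From"] = "sender@example.com"      # assumed sample address
    msg["To"] = "user@example.com"          # assumed sample address
    msg["Subject"] = "test"
    msg.set_content("See attachment.")
    # Binary attachments are transfer-encoded as base64 by default.
    msg.add_attachment(b"header " + SIGNATURE + b" trailer",
                       maintype="application", subtype="octet-stream",
                       filename="sample.bin")
    return msg.as_bytes()


def flat_scan(raw: bytes) -> bool:
    """Treat the spooled message as an anonymous file: search the bytes as-is."""
    return SIGNATURE in raw


def mime_aware_scan(raw: bytes) -> list:
    """Parse the message, decode each leaf part, then search the decoded bytes."""
    msg = message_from_bytes(raw, policy=policy.default)
    hits = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        payload = part.get_payload(decode=True) or b""  # undoes base64 / quoted-printable
        if SIGNATURE in payload:
            hits.append(part.get_filename() or part.get_content_type())
    return hits


if __name__ == "__main__":
    raw = build_raw_message()
    print("flat scan hit:      ", flat_scan(raw))
    print("MIME-aware scan hits:", mime_aware_scan(raw))
```
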