I have been using avast! for quite some time. My ISP’s e-mail is SSL, so I have been using avast!'s Internet Mail provider configured with Stunnel and scanning has always been successful.
However, it is a PITA setting up Stunnel and configuring Thunderbird to reflect that as well as the changes in Internet Mail provider.
What I would like to do is install avast! with only Web Shield, Standard Shield, and Network Shield. I do not want to install Internet Mail provider this time around.
The Thunderbird 1.5x series now has an option to have each message come in to its own temporary file before it gets put together with the main inbox file, which prevents the on-access virus scans from anti-virus programs from deleting the entire inbox file.
Therefore, since I’m not running the Internet Mail provider it will be up to the Standard Shield to check the attachment upon save/execute. I do have trust in the Standard Shield. Now if Standard Shield does catch a virus in the temporary file created by that message, I am assuming that I will be safe now from having my entire inbox being deleted by Standard Shield thanks to the new option in Thunderbird.
You are in danger of losing the entire inbox (file) or other file where the infected email is located. This is because of the way Thunderbird stores emails: they are packed together in a file and there is, by all accounts, another file to indicate where emails are located in this file.
So when avast or any other AV finds a virus signature it is in one file and not one email so it doesn’t know how to extract that email from that file (it doesn’t know where it starts or ends) so the only option is to delete the file or move it to the chest depending on your choice. There are even issues about trying to restore it from the chest.
This is a very simplified explanation based on comments in the forums as I don’t use Thunderbird.
Thunderbird’s on-line FAQ even warns not to use your inbox for general storage, rather having read an email it should be moved to a more appropriate folder/mailbox, e.g. personal, newsletters, etc. That way if your inbox goes walk about you don’t lose lots of emails. The inbox is the most likely to suffer corruption, deletion, etc. because it is the default mailbox and is frequently open if you experience a crash.
However, if this is a Thunderbird-based virus checker I would hope that it could cope with removing infected emails from its own method of storing those emails. I suggest a forum search as this I believe was previously discussed and I believe alanrf tried it but wasn’t totally impressed with the option.
The beauty of using the Internet Mail option (with STunnel for SSL) is that emails are scanned prior to arrival in your inbox and if an infected one is detected it can be removed without problem as it hasn’t been saved in the overly complex storage of Thunderbird.
Based on this caution it is important to back-up your email folders/mailboxes or possibly lose them.
I was busy with some other testing … I need to get back to the avast team with suggestions on avast being able to recognize the Thunderbird mail folders as mail folders and not as eml files. As I noted in another thread the other day Panda can do it so it should not be beyond the wit of the clever avast folks.
At the same time I understand (but have not tested) that AVG provides a mechanism to scan mail received from mail servers via an SSL connection. It would appear that they have “built in” the termination of the SSL session and passing of the mail through the virus scanner and on to the client. Again … if another AV service can do this perhaps the avast team could look at relieving all of us from the need to play with STunnel.
I read the entire thread of your previous testing, as well as the thread in the Thunderbird forum. Quite an interesting read for sure.
At first I came to the conclusion that the new feature in Thunderbird was pretty much useless.
I was also surprised to see that the Home Edition of avast! does not scan MIME encoded files and does not have the option to enable it (only Pro). Therefore, the Home Edition is even more limited than I originally had thought.
The very last post on the Thunderbird forum thread had a user running McAfee and it was scanning and detecting properly from those temporary files. So that goes to show that the new Thunderbird option DOES in fact work correctly.
I have experience with McAfee (my work gives me VSE 8.0i free) and I know that it does scan MIME encoded files with its on-access scanner which explains why it worked for that user and not for users of avast! Home Edition.
I was trying to test the new feature of Thunderbird on Windows 2000 and no temporary files were showing up in C:\WINNT\Temp\ as you were mentioning in your post. I wonder if there is a difference between Windows OS’s where it stores those temporary files…
Anyways, I will probably mess around and do some testing myself later because I am just curious about it. If I come up with any useful information I will post back with that info.
So there is no way to enable scanning of MIME enabled files in avast! Home Edition?
I have, as I noted above, yet to complete some testing of (deliberately) infected Thunderbird mail folders with avast.
DavidR’s description of Thunderbird mail folders is essentially correct. Each mail folder is a separate file (having just a name and no file type) and each mail folder has a separate index file which has the same name as the mail folder and .msf as the file type. This is not overly complex - most mail clients do something similar internally - it’s just that most mail clients then smoosh all these files together, encrypt the whole mess and then save it as one big file. This successfully stops avast from ever finding any viruses in the mail folder of those clients.
My testing so far, confirmed by posts from Igor (a member of the avast team) shows that the avast on demand scanner logic only “sees” the first message in the Thunderbird mail folder which is always the oldest message in the mail folder. So avast can only detect a virus in a Thunderbird mail folder if the infection is in the oldest message in the folder.
This problem is most likely to affect new users of avast on their first on demand scan of the mail folders. Most experienced users of avast will, sensibly, use the avast Internet Mail scanner to ensure that no more infected messages will be added to the Thunderbird mail store. Of course, if the Internet Mail scanner is turned off then you would be exposed to this problem all the time. The Standard Shield and Network Shield will not stop infected messages from being added to the Thunderbird mail folders.
My tests also show that avast does not treat the Thunderbird folder as it would other files. It does not quarantine the file. Since avast thinks the Thunderbird mail folder is just an eml file it snips out the infected attachment and, as it were, restitches the rest together. The infected attachment is moved to the virus chest (and cannot be restored). There have been some silly claims made here that this then confuses Thunderbird since the index file is now not correct.
In the testing I have done so far with infected folders Thunderbird has dealt perfectly well with the “disinfected” mail folder - rebuilding the index with no noticeable ill effect.
I believe that there may be an issue with very large mail folders. When the folders become very large avast scans them in “chunks”. That will be the focus of my next set of tests.
But the net of all this is that, for users of the avast Internet Mail scanner, the chances that avast will find a problem in on demand scans of Thunderbird mail folders is very very small.
My ISP provides a free version of McAfee too - but I do not know how different that is from the standard retail product.
I did use that free version of McAfee for my testing too and it did not detect eicar virus in the temporary file written by Thunderbird when the AV option is turned on.
Remember that the Standard Shield does not scan file writes by default. So even if avast did scan for MIME types you would have to turn on scanning for all file writes, probably a significant extra overhead just to be able to scan those temporary writes by Thunderbird.
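The folder behaviour described in the posts above, as an added example that is not part of the original thread and is not avast, McAfee or Thunderbird code. It assumes the mail folder is a plain mbox file and uses Python's standard `email` and `mailbox` parsers as a stand-in for a scanner; `MARKER`, the sample messages and the `Inbox` path are constructed for the demonstration.

```python
import email
import mailbox
import os
import tempfile
from email.message import EmailMessage

# Constructed stand-in for an AV signature; not a real malware pattern.
MARKER = b"CONSTRUCTED-TEST-SIGNATURE-0001"


def build_sample_folder(path):
    """Write a constructed three-message mbox; only message 2 carries MARKER."""
    box = mailbox.mbox(path)
    for i, payload in enumerate([b"hello", b"xx" + MARKER + b"yy", b"bye"], 1):
        msg = EmailMessage()
        msg["From"], msg["To"] = "sender@example.com", "user@example.com"
        msg["Subject"] = f"message {i}"
        msg.set_content("body text")
        # add_attachment base64-encodes the bytes, so MARKER never appears raw.
        msg.add_attachment(payload, maintype="application",
                           subtype="octet-stream", filename=f"file{i}.bin")
        box.add(msg)
    box.close()  # close() flushes to disk


def scan_as_single_eml(path):
    """Parse the folder as one message: later messages fall outside its MIME parts."""
    with open(path, "rb") as fh:
        first = email.message_from_binary_file(fh)
    return any(MARKER in (p.get_payload(decode=True) or b"") for p in first.walk())


def scan_per_message(path):
    """Split on mbox message boundaries, then decode every MIME part."""
    hits = []
    box = mailbox.mbox(path, create=False)
    for index, msg in enumerate(box, start=1):
        for part in msg.walk():
            if MARKER in (part.get_payload(decode=True) or b""):
                hits.append((index, msg["Subject"], part.get_filename()))
    box.close()
    return hits


def demo():
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "Inbox")  # hypothetical folder file, no extension
        build_sample_folder(path)
        with open(path, "rb") as fh:
            raw_hit = MARKER in fh.read()  # byte match without MIME decoding
        return raw_hit, scan_as_single_eml(path), scan_per_message(path)


if __name__ == "__main__":
    print(demo())
```

Only the per-message scan reports a hit, and it identifies the message and attachment, which is what allows one message to be handled without touching the rest of the folder file.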
Testing e-mail scanning is something that I cannot do anyways because my ISP removes all infected attachments from e-mails on the server level. I tried that site where they send many EICAR samples to your e-mail and none of the attachments ever made it through, they were all removed by the ISP. I have also tried sending infected samples from my e-mail address to my e-mail address and all messages would come back, but the attachments would always be removed. I have never had a virus come through e-mail for the last 6 years that I have been with this ISP.
Enabling scanning of file writes in Standard Shield, is that only in Professional Edition?
I was going to do some testing with McAfee, by slipping the samples by my ISP’s server level scanning by putting the infected samples in .7z archives. This would have worked. But the only problem is that I just found out now that McAfee does not support scanning of .7z archives. Go figure. I will have to try and think of something else now.
Enabling of scanning of all file writes in the Standard Shield is in the home version:
Customize > Scanner (advanced) tab
It would not be possible to scan the Thunderbird temporary file by filetype (which the Standard Shield can support) because the temporary file has no file type.
That just made me think of something. You know how avast! (and most other AV’s) has the option to ‘exclude’ certain files or directories? Well, I wonder if it would be a good idea to have an option within the Standard Shield to ‘include’ certain files or directories… having an option to lightly scan the majority of the hard drive, yet do a more thorough scan on certain specified areas. Blah, I don’t know what I’m talking about anymore. Just an idea.
I just wish I could get my ISP to stop scanning e-mail attachments temporarily so I can do some testing.
Does anybody know of any places to get free POP3 mail that does not do virus scanning on the server level?
EDIT: I just tried Gmail through POP3 and they scan and remove infected attachments as well.
I did some quick testing with McAfee with the MIME encoding enabled. I had the Anti-Virus option checked in Thunderbird and everything worked flawlessly. The viruses were removed before getting to my Inbox and my Inbox file never got quarantined or deleted. This was very easy to set up and worked like a charm.
So my conclusion is that this new feature of Thunderbird is actually quite excellent. There are no problems with this new feature. If this feature does not work, then it is a flaw in the anti-virus program for not scanning MIME encoded files.
Therefore, this is a limitation of avast! Home Edition. And I do not criticize Alwil for this either because it is available in the Professional Edition.
I just wish there was a way to enable this in Home Edition… like in avast4.ini or something like that.
So you were able to get some viruses actually delivered to Thunderbird? I thought you were having trouble doing that.
Did McAfee have a function equivalent to avast’s Internet Mail scanner and if so was that turned off for your test?
Don’t get me wrong, I have never said that the Thunderbird function did not do what it said it does (I ran traces and saw the file created - that’s how I reported the naming convention for it). I just felt it was not well thought out and, I am fairly certain, designed by folks who did not bother to consult too many av companies while they were doing so. Thunderbird users could well be tempted to believe in it and have an antivirus product that does not work the way the Thunderbird designers think it should. These people would then be left exposed.
I tested the Thunderbird feature with avast, AVG and with the free version of McAfee available to me (that was almost entirely non-configurable - so I suspect a very limited free offering). None of them supported the av “integration” feature with Thunderbird at the time of my testing.
So, my advice to users of free antivirus programs would be to stick with the Internet Mail scanner (or its equivalent) - which do a great job. You do raise a good point that more and more we will be likely to see ISPs offer/demand SSL connections.
While I have to doubt the value of having email scanned by the ISP and by avast, if folks really want both then avast should look to making it easier to terminate SSL sessions with the help of avast and allow the mail to be scanned (as AVG claims to do).
However, I cannot see all the AV companies jumping to support a particular feature in Thunderbird which (even though I use Thunderbird) I cannot claim to be anything other than a small niche player in the email client world.
I didn’t actually send out and receive any samples because that was not going to work. What I ended up doing was creating several messages, each with a different virus sample, and saving them into the Drafts folder of Thunderbird which is put together into one file the same way the Inbox is. Then I scanned the Thunderbird profile with the McAfee Command Line Scanner (conveniently free from http://vil.nai.com/vil/virus-4d.aspx) using only the /MIME option which picked up the samples from within the MIME encoded Drafts file. This really only simulated the way it would work with the normal Inbox file, but was all I could do at this time.
McAfee actually does not have a feature similar to Internet Mail that avast! has. The mail scanner that McAfee has, from my understanding, only works with Outlook, not typical POP e-mail programs. So this is certainly something that McAfee lacks at this time.
You’re right, a lot of people would probably have a false sense of security over this if in fact their AV was not scanning it. It would’ve been better if the Thunderbird team could have designed it in a more commonly recognized file-type. But I suppose they must have their reasons for doing it the way they did, but I don’t know.
I am only familiar with the Enterprise version of McAfee, as that is what my work provides to me for free, and it has plenty of options. My guess is that the free one provided to you just had many of those options removed. However, I believe it would still be using the exact same engine and same signature files as well.
I agree with you 100%, all users of avast! should use the Internet Mail provider. I just like to do things differently once in a while. I personally would prefer to have an SSL connection with my e-mail anyways. Just a PITA having to rely on Stunnel, OpenSSL, and avast! Internet Mail provider just to scan e-mail.
From my understanding, for an anti-virus program to intercept and scan an SSL encrypted message, that would be against the law. That is why no AV has done this yet. Otherwise it would have been easy for them to do this. But I could be wrong. Just like the warning from the OpenSSL site:
This software package uses strong cryptography, so even if it is created, maintained and distributed from liberal countries in Europe (where it is legal to do this), it falls under certain export/import and/or use restrictions in some other parts of the world.
PLEASE REMEMBER THAT EXPORT/IMPORT AND/OR USE OF STRONG CRYPTOGRAPHY SOFTWARE, PROVIDING CRYPTOGRAPHY HOOKS OR EVEN JUST COMMUNICATING TECHNICAL DETAILS ABOUT CRYPTOGRAPHY SOFTWARE IS ILLEGAL IN SOME PARTS OF THE WORLD. SO, WHEN YOU IMPORT THIS PACKAGE TO YOUR COUNTRY, RE-DISTRIBUTE IT FROM THERE OR EVEN JUST EMAIL TECHNICAL SUGGESTIONS OR EVEN SOURCE PATCHES TO THE AUTHOR OR OTHER PEOPLE YOU ARE STRONGLY ADVISED TO PAY CLOSE ATTENTION TO ANY EXPORT/IMPORT AND/OR USE LAWS WHICH APPLY TO YOU. THE AUTHORS OF OPENSSL ARE NOT LIABLE FOR ANY VIOLATIONS YOU MAKE HERE. SO BE CAREFUL, IT IS YOUR RESPONSIBILITY.
I am not suggesting that anyone try to intercept an SSL session and that cannot be read into the comments I have posted.
What AVG has done (it appears) is provided a mechanism for users of SSL sessions to terminate the session in their own machine and then pass the non-SSL encrypted mail through the AVG equivalent of Internet Mail scanner. In other words they have built the functionality of STunnel into their product.
By the way - you mentioned Outlook. Now if only there could be some more generalized agreement on providing a standard plugin method between mail clients and antivirus services then that would definitely be the way to go. However, having worked closely with some of the largest software developers over the years I will not be holding my breath on that one.
I did not mean that you were suggesting for anyone to intercept an SSL session, I apologize if it may have sounded that way.
This is what I was referring to. It was my impression that it would be illegal for an AV company to intercept an SSL connection in the way that Stunnel does it. But as I said, I could be wrong. I did do a bunch of Google searching for “AVG SSL” and “AVG port intercept” and whatnot, but I didn’t find much on it. Is it just in beta or has this been released already?
STunnel does not intercept SSL sessions, it simply manages an SSL session created using parameters provided by the user. So does Thunderbird when you connect to your GMail server.
Once the output is received by STunnel it is no longer encrypted. STunnel simply manages the session and provides a connection or tunnel for you to direct the output from the secure session to your mail client. avast is then able, quite properly, to scan that unencrypted connection in which the POP3 stream is passed from STunnel to Thunderbird.
There is nothing improper about an antivirus program providing the same management for an SSL session instead of STunnel or your mail client. Again, the av program can only manage an SSL session to the mail server based on the directions of the user.
The current release of AVG provides such support. A Google search of AVG email SSL gave me the AVG FAQ page on setting up the connection to scan the POP3 stream from SSL email connections. It looks, in essence, very similar to the way connections have to be set up in AVG for third party webmail/POP3 converters as described in the sticky under my userid in the AVG email forum. That function is handled rather more elegantly in avast so I hope that if avast does provide a way to connect to SSL email access they will also do that more seamlessly.
I do not want this to sound like an AVG promotion but my testing of the Thunderbird AV feature was not done with the current release of AVG. It may be worth checking if their current free offering would support the Thunderbird feature.