I have been retrieving my email all day on Thunderbird. I use the Thunderbird Webmail extension to allow me to download email from Hotmail to my Thunderbird mail client. The Webmail extension acts as an http to POP converter. It accesses my Webmail via http and converts the http screens to a POP stream.
I have made no changes to my Thunderbird environment.
I just downloaded VPS 761-0 dated 27/7/2007 (must be just released since you are only just into that date in Prague).
Now, when attempting to retrieve my mail on my Hotmail accounts, when one of the internal http screens of Hotmail (curmbox = current mail box) is accessed, avast is preventing it due to a Malware report and aborting the connection.
I cannot send you the page, because I do not have it - it is internal to the status of my mail account. Please note this is a page giving the status of my mail account; it contains no email content whatsoever but is needed by the function in preparation for accessing the mail store of Hotmail.
This, if it is generalized, will prevent access by all Thunderbird users to all free Hotmail accounts.
I just reverted my system to one minute before the VPS update and prevented the update, so I am now back on VPS 760-3. There are no alarms from avast when my Hotmail is downloaded by Thunderbird.
Later edit:
I have done some further testing with the folks I support and on my own accounts. The problem is a little more restricted than I first reported.
The problem is occurring when Thunderbird attempts to retrieve mail for free Hotmail accounts that have not been converted to the Hotmail Live environment. It is irrelevant whether there is any mail in the Inbox of the account or not - avast aborts the connection.
Yes, it is a bit weird reporting a possible false positive without submitting a file. I did it two days ago for a similar problem with PayPal where it was getting an iFrame Exploit alert, and that one was resolved very quickly and I got an email reply, which was a surprise ;D
Fingers crossed this will be resolved quickly, as I would think it could affect a lot of people.
Edit: You may want to modify your wildcard use so as not to have too large a security hole, e.g.
I had the same alert from avast when connecting to Hotmail while I was using IE to access my Hotmail. The alert was triggered when I was at the interface of the email list, and when none of the email was opened yet.
I deliberately made the exclusion as simple as possible on the basis that it would be easier for most folks to type that without errors and that the avast folks need to fix this very quickly or look pretty silly. In fact, if it is affecting IE users as reported above, then I think this one is important enough for them to pull 761-0 and put 760-3 back as 761-1 if necessary.
I think it would affect all browsers, as the detection isn’t browser specific but at Hotmail.
I appreciate you are trying to keep things simple for users, copy and paste is easy.
They could just examine the VBS:Malware [Script] and just revert that to the previous pre 761-1 value whilst investigating why rather than revert the whole 761-1 145KB update.
First, though, they have to find what emails have been sent relating to this before they can take any action.
Night Alan, my bed is calling after 3 a.m. here.
Unfortunately, it has been observed, the workaround I posted earlier is insufficient for IE users (and perhaps for other browser users too).
The workaround I posted earlier is sufficient for users of Thunderbird downloading Hotmail to the Thunderbird mail client.
The workaround posted earlier is needed by IE users but they also need another exception in the Standard Shield to avoid scanning the Temporary Internet folder for IE. I am reluctant to try to post how to do that since the folder name is dependent on the user name of each system: the opportunities for error are significant and it increases the risk of exposure to real problems.
Reluctantly, I would suggest that any user really needing to get to their Hotmail (before the avast team come up with a new VPS file) should pause the Webshield and the Standard Shield before accessing their Hotmail.
Please, please remember to continue the Webshield and the Standard Shield when you have finished accessing your Hotmail.
I just want to explain the situation - this is caused by the new script/text scanning engine which is quite new and is prone to some bugs.
We’d like to clean up the FP mess as soon as possible, so if anybody has any Hotmail sample, please send it to virus@avast.com and please cc me (kubecj at you know what.com).
Many thanks to kubecj and the avast! team for the quick response.
While I certainly agree that the thanks are due given the size of the affected population I cannot agree that this was a quick response.
I hope that the Alwil management team will review their responsiveness given that this sizable VPS update was released just after midnight (local time to the avast team) and their capability to deal with a large affected population at that hour.
Depends on your perspective - I have had the job of being responsible for worldwide availability of services for major corporations (a well known bank and a well known airline) 24x7. The difference there was, of course, the major financial impact to those corporations of even the briefest outages. I am very familiar with the pager going off in the middle of the night.
For avast it is their reputation - if they take out access by their users to major functions like Hotmail or GMail for any lengthy period (and I consider >8 hours lengthy) it certainly is not enhancing it.
Yes, the response could have been quicker, somewhere between 8 and 12 hours in this case, well under 8 hours (5, I believe) for the PayPal issue.
That, however, could be down to the VPS release time as you mention; releasing a largish update late at night will always be at risk of adding about 4-6 hours to response time. Perhaps that is something that needs to be addressed, releasing only critical updates in the wee small hours, with lesser priority updates released the next morning.
Just to explain a little bit, the reason that the update was released at roughly 1:30am our time is that 1:00am to 6:00am is the most idle period of the day for our updating servers. The update was almost 200KB in size (relatively large), and so we needed to avoid releasing it during the rush hours (let’s do some math: there are 34+ million users, and roughly 60% of them are connected permanently; these usually get updated during the first 4 hours [that’s the default update check interval]. That is, 20 million people times 0.2MB equals 4 TB during 4 hours - equivalent to the need of a 2.2 GBit/s continuous stream - something our updating infrastructure [currently consisting of ~150 servers] can barely withstand).
But that doesn’t change anything about the fact that there should’ve been someone ready to solve potential problems.
I apologize for any inconvenience this might have caused.