Why does Web Shield not scan HTTP traffic in Mozilla Thunderbird?
The example that I have is an HTML weather report e-mail from:
http://www.theweathernetwork.ca/inter/weathercentre/email/
The e-mail is HTML and downloads all images from the website via HTTP. I have seen other e-mails similar to this; like movie theater show times.
Is it not possible that Thunderbird could receive an HTML-based e-mail and download something from a malicious website via HTTP?
Thanks,
Dave
What is your OS ?
What is your Browser ?
Well Your http email would normally be viewed over a Browser, not an email program like thunderbird, in that instance web shield would monitor http traffic. So how do you view this email, in your browser or downloaded in your email program ?
If you have somehow set-up thunderbird to download that http mail by some sort of conversion so it appears in your inbox, then it isn’t using standard pop3 protocol so won’t be scanned by the Internet Mail provider either.
David,
I was surprised by the post of DaveD. So I looked into it a bit more.
The point being made is that a huge amount of email we all get these days is html based. That html code is rendered by the mail client whether it be Thunderbird or Outlook or whatever. That code directs that images and other stuff be retrieved from websites to compose the image that we see on the screen.
Looking at my system it certainly appears that avast is not intercepting the http calls to port 80 while the html elements are being retrieved from remote sites. The Web Shield count is not increasing and I see direct connections to port 80 established from Thunderbird (ie not being intercepted by avast).
Just a bit of follow up …
I just looked at some html based email on Yahoo viewing it thru my browser - Firefox. Now I see that the sites from which the message components are being retrieved are being recorded by the Web Shield (and the scan count increasing).
The non-scanning of http accesses is also occurring with html mail viewed in Outlook Express as well.
Windows 2000 SP4 UR1
Mozilla Firefox
Mozilla Thunderbird
It is coming in directly to Thunderbird and viewed in Thunderbird, however, it is HTML-based e-mail and therefore pulls images and such directly from the website each time the e-mail is viewed. On port 80 of course.
I remember when avast! first came out with Web Shield it originally scanned ALL traffic from ALL programs on HTTP Port 80. However, due to complications with certain programs, I believe avast! limited the scanning to only a certain number of browsers and programs. E-mail programs should definitely be scanned by Web Shield when accessing data through port 80, and it sounds as though they have been excluded. It probably wouldn’t be difficult for the avast! team to add these e-mail programs to the list or through avast4.ini somehow.
I do see this as a possible vulnerability though.
Will this avast4.ini adjustment allow HTTP scanning in Thunderbird?
[WebScanner]
OptinProcess=thunderbird.exe
I have never edited the avast4.ini file before, so I would prefer to ask here first if this is the correct way to do it. I got this idea from Tech’s thread on editing the avast4.ini file. Thank you Tech.
Do I need to put the full path name to the process?
Thanks,
Dave
Just use my avast! External Control tool (see link below) and enable “Power Mode” for web shield.
Web Shield checked all HTTP traffic at the beginning but they removed that because of compatibility reasons (it’s now checking just most common browsers). Power Mode forces avast! again to check all HTTP traffic.
If you encounter problems you can always disable it later…
Maybe… Lukas must confirm this, or Igor…
You’re welcome 8)
No. You must use the process name (not the file/path name).
I request the courtesy of a response in this thread from the Alwil team please.
Hello Guys,
it is really true that mail clients are currently not intercepted by WebShield. The reasoning behind was that mails were scanned during downloads by Mail Providers and you should be safe this way. WebMails are of course scanned by WebShield - when viewed from common browsers. The other problem we were facing when WebShield was used with Outlook / Outlook Express was the compatibility with Hotmail WebMails which uses uncommon extensions to HTTP protocol.
In any case adding the line into avast4.ini
[WebScanner] OptinProcess=thunderbird.exe
or
[WebScanner] OptinProcess=thunderbird.exe, outlook.exe, msimn.exe
would enhance scanning to these apps too.
If there is someone with Hotmail Web Access enabled, who might confirm that Outlook Express + Hotmail + WebShield is working correctly, we might perhaps consider expanding the list of scanned “browsers” with some of the common mail clients too.
Cheers.
Lukas.
I have tested this out with Thunderbird with several e-mails; all successfully scanned.
WeatherDirect - http://www.theweathernetwork.ca/inter/weathercentre/email/
BlockBuster Video - http://www.blockbuster.ca/
Cineplex Odeon movie theaters - http://www.cineplex.com/
I receive weekly e-mails from these sites in HTML format which pull the images from the Internet via HTTP. All we scanned successfully by Web Shield.
However, I did not test the Hotmail web-based e-mail because I do not use it. Wouldn’t that be SSL anyways? If it were SSL it wouldn’t be scanned by Web Shield anyways.
Last time I checked It was not via SSL (https://).
With Thunderbird and Outlook Express included in the OptinProcess I tested the following:
Outlook Express to WebDav enabled Hotmail account - mail received without any problems, it was clear from Webshield that html elements performing http accesses were being scanned as html messages were being rendered.
Direct Web access to the same Hotmail account - I aready reported earlier in this thread that the html elements performing accesses were being reported as scanned by Webshield (only the login is https)
WebDav access to Hotmail message store and conversion to POP3 by Thunderbird Webmail extensions. No problems in retrieving via WebDav (http) and the Webshield showed that html elements performing http accesses were being scanned as html messages were being rendered by Thunderbird.
While I do not claim these tests are exhaustive they included plain text, html and mixed mode messages containing attachments.
maybe they can add an option to enable http scanning in thunderbird and OE without editing the ini file? ???
i just don’t fell comfortable editing ini files.
Just make a copy of the ini file and paste it to a different folder before you edit the file, it is only a text file. Just use your favourite text editor, notepad or wordpad will be fine, just don’t use a word processor like word, etc.
Before you edit it terminate the Internet Mail provider, make the changes and save the avast4.ini file, enable the Internet Mail provider and that should be it.
Making an option in the GUI would likely be cumbersome, why stop at thunderbird and OE but all other email programs that could have the same functionality. The avast4.ini provided for many customisations that would otherwise make the GUI cumbersome and with reasonable care there is no problem in editing it.
David,
I have to agree with you about the GUI issue.
Why should every user of avast have to fix this gaping hole in the product personally via a GUI facility?
While Lukas has offered us the paliative “the messages are scanned on download” I have to wonder what these words are really worth.
Agreed the attachments are scanned. So far so good. Agreed the message content is scanned.
But … if the html says “go to this website and download a file that is a trojan”. What does avast do about it …
NOTHING
ZERO
NO PROTECTION
Come on team - tell me where I am missing the protection this product affords!
Big hole, simple fix for Alwil Team. It shouldn’t take them more then 60 seconds to fix this issue.
All we can do is wait and see if it gets fixed for the 4.7 release.
Sure, RejZor’s program allows a quick fix for this problem… but it should be enabled by default because it has the potential to allow malicious data in without being scanned, when it would be so simple for the program to do so.
I get about 3 e-mails each week that are HTML-based and I trust them. However, what if HTML-based phishing e-mails come around that ‘look’ trustworthy to most? Users wouldn’t even need to click on anything to visit the malicious site because the malicious site would’ve already visited them, you know.
Anyways, I do appreciate the avast! antivirus program and I trust that Alwil with do the right thing with this.
Cheers,
Dave
Alanrf, what about standard shield? This is the protection avast! provides. Well, not only that, we have implemented a WebShield to further reinforce the protection for one type of applications - Web Browsers. Now, when you take it as granted, you might also want to use the same type of double protection for other applications as well - well, you have the option, don’t you?
Just edit the avast4.ini or setup your mail client to use WebShield as it’s proxy.
WebShield can be configured to monitor all access to port 80 regardless of an application, and you know that and you know how to do it.
And I have already explained here why we have chosen not to configure WebShield to behave like that on default. It may bring all sort of compatibility problems, especially when applications use HTTP protocol in not very standard way.
Like probably the mail client might be using HTTP to download mails from a webmail. Aborting a connection in this situation would cause what? Would it terminate just the current mail or whole download process? Would the mail client retry the download? What about the mails that have been already downloaded? Would they be downloaded again? Hmm, I can image several thousand users complaining about the fact that old mails are redownloaded every time until they delete their infected mail via webmail interface. Hmm.
Perhaps these problems can be solved, of course. My estimate is that it would probably take a little more time than 60 secs. But until they are solved at least to a certain degree I would not recommend to enable such potentionally problematic feature for all. I don’t have a problem with allowing it for more advanced users. That’s what we do.
But of course, this might be changed. This change can be done by a VPS update. However if there are some mails containing links to thunderbird exploits, I think the mail itself should be considered as a virus - so it should be caught by the Mail providers itself…
Lukas
Somehow, I am missing the problem. Most of my email is html enriched. When I open each email & downloading begins, the “a” is constantly spinning until downloading is completed. I am sure it is Web Shield checking all that is downloaded. And, as lukor points out, what about the protection Standard Shiled provides?