Wilders Security Forums  

#26 | December 18th, 2005, 03:28 PM | John2222 (Regular Poster; Join Date: Sep 2005; Posts: 88)
Re: Eudora mailbox .mbx errors ?

Quote:
Originally Posted by Marcos
NOD32 only scans inside Microsoft Outlook's pst files and Outlook Express' dbx files so your statement that NOD32 analysed a different kind of mailbox is wrong.

Agent is a newsreader + email program, used mostly for newsreading, but also email sending/receiving.
http://www.forteinc.com/agent/index.php

Agent keeps all the messages in files with table-of-contents indexes corresponding to each subscribed newsgroup as well as your emails.

Maybe my statement more technically should have said
"Kaspersky found 4 or 5 viruses in an Agent newsgroup file, which NOD32 analyzed but never picked up!"
#27 | December 18th, 2005, 06:56 PM | enduser999 (Frequent Poster; Join Date: Apr 2005; Location: The Peg; Posts: 418)
Re: Eudora mailbox .mbx errors ?

Quote:
Originally Posted by John2222
I was impressed with the NOD32 low overhead. However, after I gave up on NOD32 because of the Eudora issue, I tried an online scan using Kaspersky ( http://www.kaspersky.com/ ) which is a well respected antivirus program.

Kaspersky found 4 or 5 email viruses in a newsgroup Forte Agent mailbox, which NOD32 analyzed but never picked up!

So NOD32 isn't perfect either.


After coming across this thread I too did a Kaspersky online scan and to my horror it found Klez and Bagle infected email messages in my Eudora mail boxes! I have done scans on an ongoing weekly basis and NOD32 reported no such infections using the following parameters:

/local /adware /ah /all /arch+ /delete /heur+ /log+ /mailbox+ /pack+ /quarantine /scanboot+ /scanmbr+ /scanmem+ /scroll+ /sfx+ /unsafe /wrap+

Last edited by enduser999 : December 18th, 2005 at 07:15 PM.
#28 | December 19th, 2005, 05:19 PM | webyourbusiness (Very Frequent Poster; Join Date: Nov 2004; Location: Throughout the USA and Canada; Posts: 2,582)
Re: Eudora mailbox .mbx errors ?

Was Kaspersky able to CLEAN them?
#29 | December 19th, 2005, 05:24 PM | ronjor (Global Moderator; Join Date: Jul 2003; Location: Texas; Posts: 46,190)
Re: Eudora mailbox .mbx errors ?

Let's stay on topic. "Eudora mailbox .mbx errors" using NOD.


http://www.wilderssecurity.com/showp...81&postcount=7
#30 | December 19th, 2005, 08:00 PM | enduser999 (Frequent Poster; Join Date: Apr 2005; Location: The Peg; Posts: 418)
Re: Eudora mailbox .mbx errors ?

Quote:
Originally Posted by webyourbusiness
Was Kaspersky able to CLEAN them?

I was using their online scanner and they only report which items including the actual email messages are infected which is ok. There is no cleaning option and I have left the messages as is for the time being after generating a report. I am deciding whether I will be dropping NOD32 as the antivirus that I recommend to clients and friends.


#31 | December 20th, 2005, 03:55 AM | alglove (Frequent Poster; Join Date: Jan 2005; Location: Houston, Texas, USA; Posts: 904)
Re: Eudora mailbox .mbx errors ?

How different are Eudora .mbx files from other mailbox formats? I see conflicting things on the web about this. Some seem to say that they are very similar to those used by Thunderbird and various Unix mail programs that follow RFC 822 or RFC 2822.
#32 | December 20th, 2005, 04:29 AM | Blackspear (Global Moderator; Join Date: Dec 2002; Location: Gold Coast, Queensland, Australia; Posts: 15,114)
Re: Eudora mailbox .mbx errors ?

Quote:
Originally Posted by enduser999
I am deciding whether I will be dropping NOD32 as the antivirus that I recommend to clients and friends.

Can you please zip up the file and send it to my email account found in my profile, I wonder if these infections are in fact infections or if they are crippled variants that do nothing.

Cheers
__________________
"Illegitimis non carborundum"
translation:
"Don't let the bastards grind you down"
U.S. General Joseph W. "Vinegar Joe" Stilwell (1883-1946)
Two Photographers
#33 | December 20th, 2005, 09:48 AM | enduser999 (Frequent Poster; Join Date: Apr 2005; Location: The Peg; Posts: 418)
Re: Eudora mailbox .mbx errors ?

Well some of the "infected" messages that Kaspersky has reported have no actual file attachments like normal messages. Instead there are several lines in the body of the message like the following which makes sending a physical file attachment impossible:

TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAA2AAAAA4fug4AtAnNIbgBTM0hVGhpcyBwcm9ncmFtIGNhbm5vdCBiZSBydW4gaW4g
#34 | December 20th, 2005, 05:29 PM | Blackspear (Global Moderator; Join Date: Dec 2002; Location: Gold Coast, Queensland, Australia; Posts: 15,114)
Re: Eudora mailbox .mbx errors ?

Quote:
Originally Posted by enduser999
Well some of the "infected" messages that Kaspersky has reported have no actual file attachments like normal messages. Instead there are several lines in the body of the message like the following which makes sending a physical file attachment impossible:

TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAA2AAAAA4fug4AtAnNIbgBTM0hVGhpcyBwcm9ncmFtIGNhbm5vdCBiZSBydW4gaW4g

So more than likely there is no infection whatsoever, it is remnants of a crippled infection. The only way to confirm this is to send a sample to Eset of the message, but I'm 99.99% sure if there isn't an attachment, there isn't an infection, in this case.

Cheers
#35 | January 2nd, 2006, 11:40 PM | enduser999 (Frequent Poster; Join Date: Apr 2005; Location: The Peg; Posts: 418)
Re: Eudora mailbox .mbx errors ?

Quote:
Originally Posted by Blackspear
So more than likely there is no infection whatsoever, it is remnants of a crippled infection. The only way to confirm this is to send a sample to Eset of the message, but I'm 99.99% sure if there isn't an attachment, there isn't an infection, in this case.

Cheers

Probably, but the thing is that I had not realized that NOD will/can not scan Eudora email mailboxes. I use this as my business email client. Now normally this would probably not be the problem, UNLESS a virus in the wild does not have a definition in NOD32 when an infected email message was received. Then the virus infected attachment would be on the computer's hard drive without the end user knowing or finding about it unless the attachment is opened!

As well I have noticed that the NOD32 Control Center on several occasions was no longer running in the Systray. Does this mean that NOD32 had been shutdown entirely?

#36 | January 10th, 2006, 09:43 PM | mikkl (Posts: n/a)
Re: Eudora mailbox .mbx errors ?

My email program, Pocomail, also uses the .mbx extension. In my case, I have configured my email program to strip all attachments and to save them to an external folder. Since the binaries are not captured in the mbx files, there is nothing there that can run - it is simply a very, very long text file. However, similar to your experience with Kaspersky, I have experienced a false positive with NOD32 when it scanned my inbox.mbx file. After much work, I have confirmed it to be a false positive as it requires the headers from one email message in 2001 and the body of an email message from 2004 to cause the false positive. Delete either message and the file is clean as far as NOD is concerned.

While waiting for ESET to figure out how to update the definitions to avoid this false positive, I have added *.mbx to the file exclusions and mbx to the extension exclusions.

If it is possible and you have Eudora stripping out the attachments, I would not worry about scanning your mailbox file and would add mbx to your exclusions to avoid the long delays with deep scans.

Just my two cents,

mikkl
#37 | January 10th, 2006, 11:23 PM | enduser999 (Frequent Poster; Join Date: Apr 2005; Location: The Peg; Posts: 418)
Re: Eudora mailbox .mbx errors ?

Quote:
Originally Posted by mikkl

While waiting for ESET to figure out how to update the definitions to avoid this false positive, I have added *.mbx to the file exclusions and mbx to the extension exclusions.

If it is possible and you have Eudora stripping out the attachments, I would not worry about scanning your mailbox file and would add mbx to your exclusions to avoid the long delays with deep scans.

Just my two cents,

mikkl

Well Eudora by design places file attachments in Eudora's own attachment directory. However these are only the physical files that the sender had attached to the message. Any items that are embedded in the body of the messages are still left in the .MBX file which as I understand it NOD32 skips entirely during its scanning real time and scheduled scans.

I am just concerned that NOD32 has been designed this way which may leave it open to allow malicious code to hide in Eudora email messages and go undetected.
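
Posts #33 to #37 turn on executable content that sits inline in a message body as base64 text instead of as a detached attachment. The sketch below is an added example, not part of any post and not a description of how NOD32 or Kaspersky work: it walks an mbox-style file, collects runs of base64 lines, and reports the runs that decode to a DOS/PE image (the "MZ" magic). The `From ???@???` separator layout, the sample mailbox and every function name are assumptions constructed here; the two long base64 lines are the ones quoted in post #33.

```python
import base64
import re

# One line of unbroken base64 text, like the two lines quoted in post #33.
B64_LINE = re.compile(r"^[A-Za-z0-9+/]{16,}={0,2}$")

# Constructed sample mailbox; the 'From ???@???' separators are an assumed layout.
SAMPLE_MBX = """\
From ???@??? Mon Dec 19 10:00:00 2005
Subject: notes

SGVsbG8sIHRoaXMgaXMgYSBwbGFpbiB0ZXh0IG5vdGUu
From ???@??? Tue Dec 20 09:48:00 2005
Subject: no attachment listed

TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAA2AAAAA4fug4AtAnNIbgBTM0hVGhpcyBwcm9ncmFtIGNhbm5vdCBiZSBydW4gaW4g
"""

def split_messages(text):
    """Split mbox-style text into per-message line lists on 'From ' lines."""
    messages = []
    for line in text.splitlines():
        if line.startswith("From ") or not messages:
            messages.append([])
        messages[-1].append(line)
    return messages

def base64_runs(lines):
    """Yield (first_line_index, joined_text) for each run of base64 lines."""
    run, start = [], 0
    for i, line in enumerate(lines + [""]):  # empty sentinel flushes last run
        if B64_LINE.match(line.strip()):
            start = start if run else i
            run.append(line.strip())
        elif run:
            yield start, "".join(run)
            run = []

def decode_run(b64_text):
    """Decode a run, dropping a truncated tail; b'' if it is not base64."""
    usable = b64_text.rstrip("=")
    try:
        return base64.b64decode(usable[: len(usable) - len(usable) % 4])
    except ValueError:
        return b""

def find_inline_executables(text):
    """Return (message_index, line_index) of inline runs that decode to 'MZ'."""
    return [(m, i) for m, lines in enumerate(split_messages(text))
            for i, run in base64_runs(lines) if decode_run(run)[:2] == b"MZ"]
```

On the sample, only the second message is reported; the first message's base64 run decodes to plain text and is ignored.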
All times are GMT -4.