Eudora mailbox .mbx errors ?

Discussion in 'NOD32 version 2 Forum' started by John2222, Sep 27, 2005.

Thread Status:
Not open for further replies.
  1. John2222

    John2222 Registered Member

    Joined:
    Sep 27, 2005
    Posts:
    140
    Agent is a newsreader + email program, used mostly for newsreading, but also email sending/receiving.
    http://www.forteinc.com/agent/index.php

    Agent keeps all the messages in files with table-of-contents indexes corresponding to each subscribed newsgroup as well as your emails.

    Maybe my statement more technically should have said
    "Kaspersky found 4 or 5 viruses in an Agent newsgroup file, which NOD32 analyzed but never picked up!"
     
  2. enduser999

    enduser999 Registered Member

    Joined:
    Apr 17, 2005
    Posts:
    418
    Location:
    The Peg

    After coming across this thread I too did a Kaspersky online scan and to my horror it found Klez and Bagle infected email messages in my Eudora mailboxes! I have done scans on an ongoing weekly basis and NOD32 reported no such infections using the following parameters:

    /local /adware /ah /all /arch+ /delete /heur+ /log+ /mailbox+ /pack+ /quarantine /scanboot+ /scanmbr+ /scanmem+ /scroll+ /sfx+ /unsafe /wrap+
    :(
     
    Last edited: Dec 18, 2005
  3. webyourbusiness

    webyourbusiness Registered Member

    Joined:
    Nov 16, 2004
    Posts:
    2,662
    Location:
    Throughout the USA and Canada
    Was Kaspersky able to CLEAN them?
     
  4. ronjor

    ronjor Global Moderator

    Joined:
    Jul 21, 2003
    Posts:
    162,650
    Location:
    Texas
  5. enduser999

    enduser999 Registered Member

    Joined:
    Apr 17, 2005
    Posts:
    418
    Location:
    The Peg
    I was using their online scanner and they only report which items including the actual email messages are infected which is ok. There is no cleaning option and I have left the messages as is for the time being after generating a report. I am deciding whether I will be dropping NOD32 as the antivirus that I recommend to clients and friends.


    :doubt:
     
  6. alglove

    alglove Registered Member

    Joined:
    Jan 17, 2005
    Posts:
    904
    Location:
    Houston, Texas, USA
    How different are Eudora .mbx files from other mailbox formats? I see conflicting things on the web about this. Some seem to say that they are very similar to those used by Thunderbird and various Unix mail programs that follow RFC 822 or RFC 2822.
     
  7. Blackspear

    Blackspear Global Moderator

    Joined:
    Dec 2, 2002
    Posts:
    15,115
    Location:
    Gold Coast, Queensland, Australia
    Can you please zip up the file and send it to my email account found in my profile, I wonder if these infections are in fact infections or if they are crippled variants that do nothing.

    Cheers :D
     
  8. enduser999

    enduser999 Registered Member

    Joined:
    Apr 17, 2005
    Posts:
    418
    Location:
    The Peg
    Well, some of the "infected" messages that Kaspersky has reported have no actual file attachments like normal messages. Instead there are several lines in the body of the message like the following, which makes sending a physical file attachment impossible:

    TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
    AAAAAAAA2AAAAA4fug4AtAnNIbgBTM0hVGhpcyBwcm9ncmFtIGNhbm5vdCBiZSBydW4gaW4g
     
  9. Blackspear

    Blackspear Global Moderator

    Joined:
    Dec 2, 2002
    Posts:
    15,115
    Location:
    Gold Coast, Queensland, Australia
    So more than likely there is no infection whatsoever, it is remnants of a crippled infection. The only way to confirm this is to send a sample to Eset of the message, but I'm 99.99% sure if there isn't an attachment, there isn't an infection, in this case.

    Cheers :D
     
  10. enduser999

    enduser999 Registered Member

    Joined:
    Apr 17, 2005
    Posts:
    418
    Location:
    The Peg
    Probably, but the thing is that I had not realized that NOD will/can not scan Eudora email mailboxes. I use this as my business email client. Now normally this would probably not be the problem, UNLESS a virus in the wild does not have a definition in NOD32 when an infected email message was received. Then the virus infected attachment would be on the computer's hard drive without the end user knowing or finding about it unless the attachment is opened!

    As well, I have noticed that the NOD32 Control Center on several occasions was no longer running in the Systray. Does this mean that NOD32 had been shut down entirely?

    o_O
     
  11. mikkl

    mikkl Guest

    My email program, Pocomail, also uses the .mbx extension. In my case, I have configured my email program to strip all attachments and to save them to an external folder. Since the binaries are not captured in the mbx files, there is nothing there that can run - it is simply a very, very long text file. However, similar to your experience with Kaspersky, I have experienced a false positive with NOD32 when it scanned my inbox.mbx file. After much work, I have confirmed it to be a false positive as it requires the headers from one email message in 2001 and the body of an email message from 2004 to cause the false positive. Delete either message and the file is clean as far as NOD is concerned.

    While waiting for ESET to figure out how to update the definitions to avoid this false positive, I have added *.mbx to the file exclusions and mbx to the extension exclusions.

    If it is possible and you have Eudora stripping out the attachments, I would not worry about scanning your mailbox file and would add mbx to your exclusions to avoid the long delays with deep scans.

    Just my two cents,

    mikkl
     
  12. enduser999

    enduser999 Registered Member

    Joined:
    Apr 17, 2005
    Posts:
    418
    Location:
    The Peg
    Well, Eudora by design places file attachments in Eudora's own attachment directory. However, these are only the physical files that the sender had attached to the message. Any items that are embedded in the body of the messages are still left in the .MBX file, which as I understand it NOD32 skips entirely during its real-time and scheduled scans.

    I am just concerned that NOD32 has been designed this way which may leave it open to allow malicious code to hide in Eudora email messages and go undetected.
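
The case raised in posts 8 and 12, an executable carried as base64 text in a message body rather than as a stripped attachment, can be checked independently of any scanner. The following is an added example, not part of the original thread: it assumes messages are separated by mbox-style `From ` lines, and the sample mailbox and `FAKE_PE` bytes are constructed and harmless.

```python
import base64
import re

# A body line made up only of base64 characters (optional padding at the end).
B64_LINE = re.compile(r"^[A-Za-z0-9+/]{16,}={0,2}$")

def find_inline_pe(mbox_text):
    """Return (message_no, first_line_no, decoded_len) for every run of
    base64 lines whose decoded bytes start with the DOS/PE magic 'MZ'."""
    hits, msg_no, run, run_start = [], 0, [], 0

    def flush():
        if run:
            joined = "".join(run)
            joined = joined[: len(joined) // 4 * 4]  # tolerate truncated runs
            try:
                data = base64.b64decode(joined, validate=True)
            except ValueError:
                data = b""
            if data[:2] == b"MZ":
                hits.append((msg_no, run_start, len(data)))
            run.clear()

    for line_no, line in enumerate(mbox_text.splitlines(), 1):
        text = line.strip()
        if line.startswith("From "):      # assumed message separator
            flush()
            msg_no += 1
        elif B64_LINE.match(text):
            if not run:
                run_start = line_no
            run.append(text)
        else:
            flush()
    flush()
    return hits

# Constructed sample: bytes that only look like the start of a PE file.
FAKE_PE = b"MZ\x90\x00" + b"\x00" * 60 + b"This program cannot be run in DOS mode."
SAMPLE_MBX = (
    "From ???@??? Mon Dec 12 09:00:00 2005\n"
    "Subject: meeting notes\n\n"
    "See you on Thursday.\n"
    "From ???@??? Tue Dec 13 10:00:00 2005\n"
    "Subject: (no attachment)\n\n"
    + base64.encodebytes(FAKE_PE).decode()
)

if __name__ == "__main__":
    for msg, line, size in find_inline_pe(SAMPLE_MBX):
        print(f"message {msg}: base64 PE header at line {line} ({size} bytes)")
```

A hit only shows that the text decodes to something beginning like an executable; whether the payload is complete or a crippled remnant still needs the sample examined.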
     