Demand-Scans Of Thunderbird And Seamonkey Mbox Email Files

Discussion in 'ESET NOD32 Antivirus' started by rnfolsom, May 25, 2009.

Thread Status:
Not open for further replies.
  1. rnfolsom

    rnfolsom Registered Member

    Joined:
    Nov 9, 2005
    Posts:
    247
    Location:
    Monterey, California
    How do Eset NOD32 Antivirus 4.0.424 and 3.0.684 (hereafter just Eset 4.0 and 3.0) demand-scan Mozilla Thunderbird email and Mozilla SeaMonkey email? (I use the latter.) I ask because both use an MBox email format (many messages in a single file), and I fear that if an infected message is found, Eset 4.0 or Eset 3.0 would delete the entire file containing that infected message, e.g. would delete my entire Inbox.

    Eset 4.0 has a Thunderbird plugin (although I think I saw somewhere that Eset 3.0 does not), but no SeaMonkey plugin (not surprising, given their respective market shares).
    Nevertheless, my understanding is that Eset 4.0 scans SeaMonkey email downloads anyway, because SeaMonkey uses POP3 mail. But I don't know what Eset 4.0 (or Eset 3.0) do when a Demand-Scan comes across SeaMonkey MBox format mail, especially since SeaMonkey has no plugin.

    1) What will Eset 4.0 do, if a demand scan discovers infected email within a Thunderbird or SeaMonkey MBox email format file? Can Eset 4.0 (or 3.0), with or without an email client plugin, locate and either clean or delete a single message that contains malware?

    And to prevent loss of an entire file of messages what should my settings be?

    2) Eset 4.0's help contains the following warning: "If an archive contains a file or files which are infected, there are two options for dealing with the archive. In standard mode, the whole archive would be deleted where [only if?] all the files it contains are infected files. In strict cleaning mode, the archive would be deleted if it contains at least one infected file, regardless of the status of the other files in the archive."

    For purposes of this warning, is an MBox email file (e.g. my Inbox file), which has no extension (details below), an "archive"?

    Thanks for any comments, suggestions, or help.

    Roger Folsom

    ================================================================

    P.S. BACKGROUND

    The NOD32v4 help file does say that for demand-scans,
    "Email
    "The program supports the following extensions: DBX (Outlook Express) and EML.
    "Archives
    "The program supports the following extensions: ARJ, BZ2, CAB, CHM, DBX, GZIP, ISO/BIN/NRG, LHA, MIME, NSIS, RAR, SIS, TAR, TNEF, UUE, WISE, ZIP, ACE, and many others."

    And in SeaMonkey mail, if one saves a specific message as a separate file (located outside of SeaMonkey, by using SeaMonkey's File | Save as File, or Ctrl-S), the default extension is eml --- but does that extension represent a specific file type, or is it used by a variety of email software for a variety of different file types? In any case, I don't know if that is relevant for Eset 4.0 (or Eset 3.0) demand scans if the message.eml is buried in a huge file of other messages (e.g. Inbox).

    ----------------------------------------------------------------

    Currently, my settings, under Antivirus and Antispyware, are as follows:

    Threat Sense parameter cleaning is standard (in the middle, between No Cleaning and Strict Cleaning). Everything else is checked, except for Log All Objects.

    Email Client Protection and Email Clients: Everything is checked, except Convert Email Body To Plain Text. Infected email is moved to an Infected Items folder. (If I were using Thunderbird, and its Inbox contained an infected message, would the entire Inbox file be moved to the Infected Items Folder?)

    Email Client Protection and POP3,POP3S: POP3 Protocol Checking is checked (port 110).
    POP3,POP3S, Email Clients: SeaMonkey is checked, but it also offers (but has not checked) Webroot SpySweeper's User Interface exe file, Foxit PDF Reader.exe; and System32\svchost.exe. Compatability is at maximum efficiency.

    Web Access Protection: I think everything is at the original defaults, including Threat Sense Parameter Setup at No Cleaning. Web Browsers do check SeaMonkey but in Active Mode it is not checked. In both locations, the same set of other items listed above are not checked.

    On Demand Computer Scan's Selected profile is In-depth scan. However, ThreatSense parameter setup is set to No Cleaning, because of my fears of losing my entire inbox.
    Scan Targets include everything on both partitions (C and D) and also my CD drive (which is present but empty). Whether my modular bay hard disk drive or diskette drive or an external backup drive (I have both USB and Firewire external drives available) would be automatically added to this list, I know not.
    (Incidentally, in the Advanced Setup Tree, I cannot imagine why On Demand Computer Scan is a sub-entry under Web Access Protection. I would expect it to be a major item under Antivirus and Antispyware.)

    Protocol Filtering is at the original defaults. I need to study the User Guide to figure out these settings choices.

    Update: My settings have been discussed extensively elsewhere, in the "Signature Update Notices" thread, at https://www.wilderssecurity.com/showthread.php?t=242544

    ----------------------------------------------------------------

    My previous flailing around attempts to figure out how Eset 4.0 (or Eset 3.0) would demand-scan SeaMonkey email's multiple-messages-in-a-single-file MBox format, together with valiant efforts by others to clarify the differences between demand-scans in my previous NOD32 v2.7 experience and my beginning-amateur-novice understanding of Eset 4.0, is in the thread "Infected files in Scan Log," at https://www.wilderssecurity.com/showthread.php?p=1461260#post1461260
     
    Last edited: May 26, 2009
  2. estbird

    estbird Eset Staff

    Joined:
    Feb 19, 2009
    Posts:
    97
    First of all you should now that ESS/EAV can scan POP3 protocol and therefore it is message scanned before it is received by email client. If you enable SSL scanning then it should be scanned POP3s protocol too.

    Thunderbird Extension built-in ESS/EAV increases protection because it gives an extra possibility to scan message before it is read, delivered and sent.
    Of course message is scanned by delivery by POP3 protocol scanner, but Thunderbird extension covers IMAP protocol too or when you want to disable POP3/POP3s protocol filter scanner. On read scan can you protect in situation when you receive infected email (in time when EAV don't now to detect new kind of infiltration) you didn't read it (or opened attachment) but virus database was updated meanwhile you read email. Because virus database is updated several a days it can protect you in these cases. On send scan protect recipients of your email to not send infected emails.

    >1) What will Eset 4.0 do, if a demand scan discovers infected email within a Thunderbird or SeaMonkey MBox email format file? Can Eset 4.0 (or 3.0), with or without an email client plugin, locate and either clean or delete a single message that contains malware?

    As you've written since certain version can EAV scan mbox format.
    I did several tests and here are my findings:
    If you start on demand-scan when thunderbird is off and you enable/disable Email in scanner setting, everything is ok. Infected part of email is removed from mbox file.
    If you start demand scan when Thunderbird is on and Email option is off everything is ok even if mbox contain viruses.
    Problem is when you enable Email options and you start demand scan and Thunderbird is on.
    It can softly damage messages. Reason why "softly" is this.
    If EAV find virus it remove it from mbox which cause that message boundaries are changed (offset from beginning of file). Thunderbird holds message boundaries in files with extension msf. Indexes in this file is rebuild if it is detected that mbox was changed since last start (integrity is checked by filesize of mbox file and date time of last modification). But when Thunderbird is running it doesn't have reason to rebuild this strange Mork database because it didn't know that mbox file was changed. Because of this I thing this ESET set this option off by default and user has to change it if he want to scan mail files.
    I think you can force Thunderbird to rebuild this database by two possibilities to turn off TB and manually change last time of modification or by deleting of msf file. You can probably have more emails in inbox if you didn't compact folders but you get your emails back (reason is that Thunderbird remove messages from mbox only when it is compacted).

    >Email
    >"The program supports the following extensions: DBX (Outlook Express) and EML.
    ESET should add notice that it scans MBOX files too.
     
  3. rnfolsom

    rnfolsom Registered Member

    Joined:
    Nov 9, 2005
    Posts:
    247
    Location:
    Monterey, California
    Estbird:

    First, please excuse my very tardy reply. I was dealing with some medical issues, and then I received an email spoof ("Critical Update for Microsoft Outlook and Outlook Express" allegedly from "microsoft.com") and I spent several days confirming that it was a spoof (apparently also known as phishing), then learning that since the email itself was clean, I shouldn't expect NOD32 AV 4.0.437 to have intercepted it (although ESS would have intercepted it)
    https://www.wilderssecurity.com/showthread.php?t=246250
    and then distributing detailed warnings about the spoof (which was very well done, except for its extended headers) to other locations, such as a MozillaZine SeaMonkey forum
    http://forums.mozillazine.org/viewtopic.php?f=40&t=1324405
    and also to my ISP, since this spoof got through its Spam Assassin and TMDA (Tagged Message Delivery Agent) anti-spam filters.

    My apologies for these delays in answering your very useful email.

    But thanks to your detailed reply and the experiments you ran (and also to a short private message to me from Marcos), I had the confidence to run an "In-Depth" demand-scan on everything on my computer, including all email files (all of which are POP3, and in Mozilla SeaMonkey's MBox format).

    As you may recall, my previous "scan only, don't clean" demand-scan had showed some MBox files that did contain one or two trojan-infected emails, and on the first scan-with-standard-cleaning that I ran after receiving your message, NOD32 AV 4.0.437 did what it should do: it deleted only the infected emails, and left the rest of the MBox file alone. And it told me that it had deleted rather than cleaned the infected emails because each infected email didn't contain any information other than the trojan. (These were some old email files, that I had received when I was using Norton AV, and not Eset.)

    Understood.

    Thanks for that summary of the Thunderbird plugin. I hope that someday someone at Eset does a SeaMonkey plugin. Since Thunderbird and SeaMonkey both use the MBox format, apparently known also as the Mork format (and later will both use the MozStorage format, as mentioned below), I would guess that a SeaMonkey plugin shouldn't be too difficult to write.

    Actually, I first started NOD32 back in 2005, using version 2.5, and it had no problem scanning my SeaMonkey MBox files. From the documentation for version 3.0 and 4.0, I just wasn't sure that SeaMonkey email files had remained scanable in the new versions.

    I'm pretty sure that SeaMonkey mail works the same way. However, according to Wikipedia, http://en.wikipedia.org/wiki/Mork_(file_format), "Plans exist for Mork to be replaced with MozStorage in the upcoming Thunderbird 3.0. As of version 3.0 beta 1, Thunderbird still uses the Mork file format." If Thunderbird switches to MozStorage, I'm pretty sure that some future SeaMonkey version (maybe not 2.0, but some later 2.x; SeaMonkey is now at version 1.1.17; 2.0 is in alpha or beta) also will switch to the MozStorage format.

    Thank you, very much, for running those tests.

    And thank you especially for the warning not to run a demand-scan at the same that Thunderbird (or SeaMonkey) are running [and not to start running Thunderbird or SeaMonkey while you are running a demand-scan], and also for a possible fix if by accident you did run simultaneously a demand scan and Thunderbird or SeaMonkey. Deleting the *.msf files sounds a lot safer to me than manually changing the last modification date and time of the MBox file --- or did you mean changing the last modification date and time of the *.msf file?

    Agreed.

    If the Help file --- at Contents, Dialog Windows, Antivirus Protection, Virus Scanner Setup, Objects --- had included that information, I would have saved an enormous amount of worry time. The Help file statement should have read:
    "Email
    "The program supports the following extensions: DBX (Outlook Express) and EML. It also supports MBox email files (which use the Mork format), such as those used by Mozilla Thunderbird and SeaMonkey."
    Later versions of that statement, of course, should refer to supporting MozStorage, as soon as Thunderbird and/or SeaMonkey switch to that format.
    And that information also should be in the User Guide.

    One last (relatively minor) question remains about how NOD32 AV 4.0.437 treats MBox files: If Demand-Scan ThreatSense Cleaning had been set to Strict instead of to Standard Cleaning, what would Strict Cleaning do with an MBox file containing only some infected messages? Would Strict Cleaning delete only each infected message, or would would Strict Cleaning treat the entire MBox file as an archive and delete the entire MBox file?

    I no longer have any infected messages in an MBox file on which I could run a test of that question.

    But what Strict Cleaning would do with an MBox file that contains only some infected messages is a minor question for me, because I don't expect ever to use Strict Cleaning.

    Thank you again for all of the help you provided me.

    Roger Folsom
     
    Last edited: Jul 2, 2009
Thread Status:
Not open for further replies.