nod32 detects trojan with thunderbird transfer?

Discussion in 'NOD32 version 2 Forum' started by trock, Jul 8, 2005.

Thread Status:
Not open for further replies.
  1. trock

    trock Registered Member

    Joined:
    Jul 5, 2005
    Posts:
    27
    I was attempting to import mail from Outlook after installing Thunderbird on my system. I have been running NOD32 with advanced options set as described by Blackspear in this forum. During the transfer, I received a warning and quarantine message from NOD32:


    This message was attached:

    Event occurred on a new file created by the application: C:\Program Files\Mozilla Thunderbird\thunderbird.exe. The file was moved to quarantine. You may close this window.

    What should I do? I want to use thunderbird but is there a need to go through this trouble with NOD having an outlook module already configured? Thoughts? I am rather new, so be easy with the tech talk :)
     
  2. rumpstah

    rumpstah Registered Member

    Joined:
    Mar 19, 2003
    Posts:
    486
    Hi trock:

    In the Outlook message store (database where all e-mails are kept) when importing to Thunderbird there was a piece of malware in one of the e-mails which NOD32 removed by moving the file into the quarantine directory (c:\program files\eset\infected) disabling its ability to run.

    If one goes into the Quarantine module in the NOD32 Control Center, the piece of malware will be listed.

    No need to worry, just NOD32 doing its job. ;)

     
  3. trock

    trock Registered Member

    Joined:
    Jul 5, 2005
    Posts:
    27
    Thank you,

    Why then when I try the same function from thunderbird (importing my mail folders from outlook) does the same warning come up in NOD32?

    That is what has me confused. Is this some false pos with thunderbird? Anyone else have such experience?

    trock
     
  4. beng

    beng Registered Member

    Joined:
    Jun 6, 2004
    Posts:
    38
    Location:
    Melbourne/Australia
    G'day Trock,
    Rumpstah has answered this, but perhaps it needs to be explained a bit more.

    When a file is Written/Created or Read by an application or the Operating System, NOD32 scans it for potential nasties. If it finds one, it will fire a big red warning and notify you that the file just created by program X contains a problem, and (in most cases) you would simply delete it (perhaps also tick move to quarantine) and carry on, depending on your "default action" settings.

    In your specific case, Thunderbird is reading the emails in the Outlook PST file, then creating them as a file in a directory of Thunderbird's choice.
    When Thunderbird tries to write an email with a virus/malware signature, NOD32 intercepts this and prevents it (Thunderbird.exe) from writing the file.
    I can't tell from your post, and I don't use Thunderbird, but I suspect this may be halting the Import process, and stopping you from completely importing your emails?
    Perhaps a Thunderbird user may be able to confirm.

    The reason that these emails may be in your Outlook PST are probably because they are old emails, that NOD32 didn't previously detect as Malware but now does. Or perhaps you didn't have NOD32 when they were downloaded in the first place.
    Anyway, that's not that important right now.

    There are three things I can suggest to get around this problem in order of preference:
    1) Dive into your Outlook and delete any emails such as Junk emails, or suspicious ones etc. and make sure you "Empty" the deleted items!!!!!

    2) Create a "Second" PST file and progressively copy emails into it, then import them from the "Second" PST file into Thunderbird.
    This will take a while, and assumes you have multiple folders.

    And finally, and I don't recommend this lightly, and I will not be held responsible if something goes wrong. Get a second or third opinion if you like.
    3) Make sure you are fully patched and not running any Peer to Peer File sharing etc.
    Disconnect your PC from the Net, Re-boot and make contributions to the Deity of your choice.

    Open the Nod32 Control Centre and Unload your AMON, (untick the "File System Monitor" option)
    This will prevent AMON from detecting the files as they are written by Thunderbird.
    As soon as the process is completed, Re Enable AMON, and they should both be happy until Thunderbird tries to read one of the problem emails, or you run a full system scan.

    Disclaimer.... By unticking AMON you are leaving yourself open to Viral/Trojan/Malware infection so I can't/will not be held responsible if this does happen.


    Cheers Ben.
     
  5. zashita

    zashita Registered Member

    Joined:
    May 17, 2005
    Posts:
    309
    Or you could try this too .....
    Scan your drive with Nod32, be sure you tick all like in the image ...
    The threats should be detected in your mail files, but not deleted, as Nod32 can't delete into email files.
    Next step : open your Outlook, and manually delete all emails detected by Nod32.
    Then try to import your emails in thunderbird.

    Cheers
     

  6. beng

    beng Registered Member

    Joined:
    Jun 6, 2004
    Posts:
    38
    Location:
    Melbourne/Australia
    Duh.... Why didn't I think of that!
    Ignore my post Trock, Zashita's is a much better/safer idea!
    Cheers Ben.
     
  7. zashita

    zashita Registered Member

    Joined:
    May 17, 2005
    Posts:
    309
    Yours is a good idea too. It is good to know how this is possible.
    Maybe it is a little more complicated, only :D

    Cheers
     
  8. trock

    trock Registered Member

    Joined:
    Jul 5, 2005
    Posts:
    27
    Perfect! Thank you all for the advice. Problem solved...the problem was with a compressed email file, which when being transferred by thunderbird from outlook required decompression, and at that point in time Nod32 decided NO NO! YOU Shalt NOT Pass!

    All is well.

    TRock
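
Added example, not part of the thread: a Python sketch of why a detection like the one described in posts 4 and 8 only fires once the mail client decodes and unpacks an attachment, and how to find the message to delete at the source. The marker string, subjects, addresses and file names are constructed stand-ins (no real signature or malware), and the sample store is an mbox file built inline.

```python
import io
import mailbox
import zipfile
from email.message import EmailMessage

MARKER = b"CONSTRUCTED-TEST-SIGNATURE"  # stand-in for an AV signature, not real malware

def build_sample_mbox(path):
    """Write a constructed two-message mbox; the second carries a zipped marker file."""
    clean = EmailMessage()
    clean["Subject"], clean["From"] = "Lunch on Friday", "alice@example.com"
    clean.set_content("See you at noon.")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("invoice.txt", MARKER * 20)
    flagged = EmailMessage()
    flagged["Subject"], flagged["From"] = "Your invoice", "unknown@example.net"
    flagged.set_content("Please see attachment.")
    flagged.add_attachment(buf.getvalue(), maintype="application",
                           subtype="zip", filename="invoice.zip")
    box = mailbox.mbox(path)
    box.add(clean)
    box.add(flagged)
    box.close()  # close() flushes pending messages to disk

def raw_store_contains_marker(path):
    """True if the marker is visible in the undecoded bytes of the mail store."""
    with open(path, "rb") as fh:
        return MARKER in fh.read()

def payload_views(part):
    """Yield the decoded bytes of a MIME part and, for zip archives, each member."""
    data = part.get_payload(decode=True) or b""
    yield data
    if zipfile.is_zipfile(io.BytesIO(data)):
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for name in zf.namelist():
                yield zf.read(name)

def find_flagged(path):
    """Return subjects of messages whose decoded or unpacked content holds MARKER."""
    hits = []
    box = mailbox.mbox(path, create=False)
    for msg in box:
        parts = [p for p in msg.walk() if not p.is_multipart()]
        if any(MARKER in v for p in parts for v in payload_views(p)):
            hits.append(msg["Subject"])
    box.close()
    return hits
```

The raw store shows nothing because the attachment is base64-encoded and compressed; the match appears only after decoding and unpacking, which is the moment an on-access scanner sees the file being written.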
     
  9. Blackspear

    Blackspear Global Moderator

    Joined:
    Dec 2, 2002
    Posts:
    15,115
    Location:
    Gold Coast, Queensland, Australia
    Good to see that your issue was resolved and thanks for reporting back...

    Cheers :D
     