OE Deleted items folder emptied by NOD scanner

Discussion in 'NOD32 Early v2 Beta' started by Mele20, Jan 10, 2003.

Thread Status:
Not open for further replies.
  1. Mele20

    Mele20 Former Poster

    Joined:
    Apr 29, 2002
    Posts:
    2,495
    Location:
    Hilo, Hawaii
    This may not be a bug. Perhaps this is intentional. If so, I don't like it, as the action is unnecessarily invasive. Perhaps this happened, though, because much of the help files are inaccessible to me, so I may have configured it wrong.

    IMON, I thought, had intercepted an infected email several days ago and put it in quarantine. That is what I have it set to do. In this case, IMON sent the email to my deleted items box in OE. I don't know why. Perhaps I clicked on some button unintentionally? I just noticed it there today, unopened. I ran the on demand scanner set to clean and clicked delete when presented with this particular email. (Not possible to clean). Afterwards, I went to my deleted items box in OE and to my utter surprise...all items (about 50 or more) were gone! I didn't tell the scanner to delete all items! I told it to delete the one infected item.

    I don't know if I have my configurations wrong or if this is a bug. Can someone tell me how to configure it so this doesn't happen again? I didn't want all those emails deleted! I hadn't emptied the deleted items folder for a reason. I don't want the NOD scanner emptying the folder!
     
  2. LowWaterMark

    LowWaterMark Administrator

    Joined:
    Aug 10, 2002
    Posts:
    17,878
    Location:
    New England
    Hmm, that sounds almost like it was a file system scan, not an email-only message type of scan, and NOD found the virus in the OE deleted items file, "Deleted Items.dbx", which is where all "deleted" emails sit awaiting their fate.

    Is there a log from the run that deleted those emails that you could post here so they can examine the details of how it happened?
     
  3. Mele20

    Mele20 Former Poster

    Joined:
    Apr 29, 2002
    Posts:
    2,495
    Location:
    Hilo, Hawaii
    This is even worse than I thought!!! NOD scanner deleted the ENTIRE CONTENTS of my SENT folder in OE also! I am furious! I had messages in the sent folder going back TWO YEARS ( around 2000 messages). They were ones I was specifically keeping!! I hope it didn't tamper with my backup dbx files! Thing is they haven't been backed up in several weeks so there is no way I can recover many of the sent messages. This is OUTRAGEOUS!

    NOD has never made much sense to me. It is set up in an illogical manner, including the current version, and looks like a child created the interface for both versions. NAV would never have tampered with my sent folder! I don't understand this and I don't know if I want NOD at all after this.

    I would have gone back to the current version long ago, but I can't get any answer from Eset regarding whether or not doing so may kill my internet connection because of the missing Winsock LSP files. But I don't really care now. I want this beta version off my system! If uninstalling corrupts Winsock2 then I will have a major problem, as I can't download the fix for this first as a precaution because it is designed to go on a floppy and my floppy drive is not working properly.


    Of course it was an all system file scan! That is the only kind I do. I scan all files once a day (while I'm sleeping) along with defragging, scan disk and maintenance disk clean up. I have been doing this for years, long before I switched to NOD. Since I got this beta version, I have not put once a day scans into Windows scheduler because I wanted to watch the scans since this is a beta version. So, I have been doing it manually for now.

    With McAfee the only virus I got was a stealth boot virus but with NAV, scanning all files and finding an infected email file, quarantining it and then cleaning it or deleting, etc. didn't wipe out the contents of the deleted items box MUCH LESS WIPE OUT THE ENTIRE CONTENTS OF MY SENT BOX in OE!

    I have no idea why NOD put the email with the virus into the deleted items box anyhow! Ordinarily, a virus would be in the inbox. I thought I was getting rid of it when it was sent to me and intercepted before it reached my mailbox. I had clicked on delete after I extracted the information I wanted which was how does NOD name yaha.k. I assumed this would delete it off my computer not put it in the deleted items OE box unopened!

    I can't put up a screen shot of the log because if I doubleclick on one of the logs to bring it up, that hangs the control center and the only solution is c/a/d. I don't even see any logs listed in the window since Dec 29. NOD is saving a scan to the logs though, as it tells me to wait when it finishes a scan and I want to "hide" it. If I use Windows Explorer and go to C:\Program Files\ESET\logs\nod32, and open a log (can't tell which one is which so I just open at random) the log opens in Wordpad and is not readable. But I don't really care about the logs now that I have discovered HALF of my mail is now missing!
     
  4. marti

    marti Registered Member

    Joined:
    Mar 25, 2002
    Posts:
    646
    Location:
    Houston, Texas, USA
    This is slightly off the subject, but using the default OE folders for storage can cause folder corruption. The recommendation is to create your own folders and move items from the "to," "sent," "drafts," and "deleted" items into them. The "outbox" is the other default folder, which can't be used for storage.

    Another reason for folder corruption is using the "compact folders in the background" feature.

    I'm not saying that NOD32 didn't cause the folder problem, but having many emails stored in the default folders can cause corruption, all by itself.
     
  5. Mele20

    Mele20 Former Poster

    Joined:
    Apr 29, 2002
    Posts:
    2,495
    Location:
    Hilo, Hawaii
    I'm not sure I understand what you are saying. The folder did not become corrupted. NOD deleted the entire contents of the folder when I told it to clean one item in the sent items folder that contained a virus.

    As far as folders becoming corrupted in OE because they have too many messages in them, my understanding is that OE can accommodate a total of 5,000 stored messages without problems.

    I was unaware that I should not use the sent items folder. What is it there for if it is not intended to be used? I have always stored my sent messages in that folder and have always had large numbers in there with no problems. That of course, does not mean that I might not have a problem sometime in the future so what should I do...you are saying I should create another sent items folder and use it because the default one is buggy?

    I suppose I should also not store messages in the inbox? I am supposed to create a new inbox because the default one becomes corrupted easily? This doesn't make sense to me. I have had absolutely no problems whatsoever with OE except for problems receiving hotmail in OE when I had a hotmail account and a problem, several years ago, with Netscape mail corrupting OE when I had Netscape mail as default. Since that time I have kept OE as default and haven't had any of the problems you describe.
     
  6. LowWaterMark

    LowWaterMark Administrator

    Joined:
    Aug 10, 2002
    Posts:
    17,878
    Location:
    New England
    Mele, this goes back to my earlier question. Did you do a scan of email messages with NOD, or was it an external file system scan? Above you answered this, this way:

    So when NOD found the virus, did it ask to delete "message # such and such" or "Msg with subject: xyz", or, if it was a file scan, could it have said virus found in "Deleted Items.dbx" or "Sent Items.dbx"? Cleaning those files would have deleted every message in those folders, of course.

    I know you are rightly upset at losing all your email, but, I'm just trying to find out the specifics, otherwise, they will never be able to figure out what went wrong and get it fixed for the final release.
     
  7. sig

    sig Registered Member

    Joined:
    Feb 9, 2002
    Posts:
    716
    Just by the way, I haven't a clue if this will help, Mele, but ordinarily if OE mail is deleted, it's still retained on the disk. (Dunno what may have happened with NOD though, or how it might have deleted the files.) But if you can find your email files on the disk, there is a recovery utility, DBXtract, that might help. I haven't used it myself so I can't speak from first hand experience.

    http://insideoe.tomsterdam.com/tools/index.htm

    Perhaps other things on the tomsterdam site might help also. If it doesn't, sorry, but that's all I could think of.
     
  8. Mele20

    Mele20 Former Poster

    Joined:
    Apr 29, 2002
    Posts:
    2,495
    Location:
    Hilo, Hawaii
    >So when NOD found the virus, did it ask to delete "message # such and such" or "Msg with subject: xyz", or, if it was a file scan, could it have said virus found in "Deleted Items.dbx" or "Sent Items.dbx"? Cleaning those files would have deleted every message in those folders, of course


    I first did an on demand all files scan. Then, because NOD only shows the total number of viruses found at the end of the scan but does not list each one, I have to scroll back through all the scanned files in the log trying not to miss a red flagged one. That is very tedious, and it is easy to miss the viruses found. My other choice, the one I took, is to repeat the all files scan, but choose the clean button for the second scan. This way, the scanner stops on each found virus and waits until I tell it what to do. The scanner stopped and listed the title of the email (What does NOD Call this Sucker?) and the virus infecting it (YahaN). It said the virus could not be cleaned.

    I couldn't understand why it was in that folder unopened, because IMON had intercepted it before it reached my inbox and I thought I had told IMON to delete it right then. Maybe I didn't or I hit the wrong button, but I never expected to later find it in the deleted items folder unopened. Anyhow, I clicked delete and the entire contents of the folder were deleted. I didn't realize that right then, otherwise, I would not have done what I did when NOD stopped on the next virus it found, which was identified as several infiltrations infecting the email "NOD32 not detecting one virus" and as being located in the sent items folder. I clicked delete on that and again the entire contents of the folder were deleted. I'm sorry I can't be more specific, but as I was not expecting any problems, I didn't write anything down.
     
  9. Phil

    Phil Registered Member

    Joined:
    Oct 24, 2002
    Posts:
    248
    Here's a semi-educated guess. In the release version of NOD32 when you tell the POP3Scan to delete a virus, it moves it to your OE "deleted" folder. You then just empty and compact the folder and the virus is gone. Some other AVs handle the deletion themselves, but NOD32 moves it to the deleted folder so you can empty it, for some reason. After I became aware of how it functioned, it was no problem. I'm not sure how the new version works because I am now using Pocomail and IMON does not work with Poco, but I would suspect the same.

    Now -- to the deleted mail. OE by default stores *all* mail in ONE file per folder -- a database file. Most email clients do likewise. Makes no difference how many emails you have in "sent", they are all in one file. The same goes for the other folders. So, by doing a "file" scan, it found the virus in that "deleted" database file because you had not emptied the folder before closing OE. So when NOD found the virus again during your file scan and you told it to delete, what you told it to delete was that database file that contained ALL the mail. Poof -- it's history. We learn as we go along, and I have learned some painful lessons with beta software. That's why I *never* install a beta without first creating a complete image of all partitions with Drive Image. It has saved my bacon more than once. ;)

    Phil
     
  10. LowWaterMark

    LowWaterMark Administrator

    Joined:
    Aug 10, 2002
    Posts:
    17,878
    Location:
    New England
    Hi Phil - Looks like you and I were thinking along the same line there. ;)

    I'm sure Mele doesn't feel much like testing this right now, but, if there is someone else here with OE and the NOD beta running who would like to do a full file system virus scan while they have an email based virus sitting in their OE deleted items folder, they could easily verify for us that the file flagged by NOD is actually "Deleted Items.dbx" - that would help to solve the mystery here.

    And if it turns out to be something else, then that would help identify any possible beta issues, if that turns out to be the case.
     
  11. Phil

    Phil Registered Member

    Joined:
    Oct 24, 2002
    Posts:
    248
    Yep. I knew you had already provided what I believe to be the correct answer. :) It seemed Mele was still a little confused so I tried to put a little different spin on it in an attempt to help him understand.

    Phil
     
  12. marti

    marti Registered Member

    Joined:
    Mar 25, 2002
    Posts:
    646
    Location:
    Houston, Texas, USA
    Portion of a NOD32 system scan

    date: 12.1.2003 time: 11:37:47
    Scanned disks, directories and files: D:
    D:\My Documents\AA OE backups\OE Folders\Sent Items.dbx » DBX » from: "marti " <xxx@dslr.net> to: "marti" <xxx@sbcglobal.net> with subject Big test -- part 2 dated Sun, 12 Jan 2003 11:10:35 -0600 » MIME » eicar.com - Eicar test file


    NOD32 beta removed all files from the "deleted items" folder and the "sent items" folder

    There were several test files in the "sent items" that I sent from one of my email addresses to another; all were deleted. There were other deleted items in that folder besides the email with the EICAR test virus attached.
     
  13. LowWaterMark

    LowWaterMark Administrator

    Joined:
    Aug 10, 2002
    Posts:
    17,878
    Location:
    New England
    Thanks for testing that Marti!! :)

    So, that's probably how it happened... All entries in the folder were deleted along with the virus infected items, right?
     
  14. marti

    marti Registered Member

    Joined:
    Mar 25, 2002
    Posts:
    646
    Location:
    Houston, Texas, USA
    Yes, all items in the Outlook Express "deleted items" folder were deleted. A couple were infected, the rest were not.
     
  15. marti

    marti Registered Member

    Joined:
    Mar 25, 2002
    Posts:
    646
    Location:
    Houston, Texas, USA
    Another test. Deleted items folder before scan. After scan & clean, it was empty.

    http://pages.sbcglobal.net/computermoon/nod_pic1a.jpg

    Sent items before: two files, one OK, one infected. After scan & clean, it was empty.

    http://pages.sbcglobal.net/computermoon/nod_pic1b.jpg
     
  16. Phil

    Phil Registered Member

    Joined:
    Oct 24, 2002
    Posts:
    248
    Thanks for running the test, Marti. That's precisely what I expected would happen since all emails are in *one* file per folder on the HDD. Now Mele will know for sure what happened. This is, by far, not the only issue to arise due to MS using a proprietary database for OE mail.

    Every app has little "things" you have to learn to use it properly. With NOD32 and OE, you have to empty (and preferably compact) your "Deleted Items" folder when NOD deletes an infected email.

    Phil
     
  17. sig

    sig Registered Member

    Joined:
    Feb 9, 2002
    Posts:
    716
    Phil, you mentioned earlier that other email clients store email in the same fashion, in one db per folder. If so, how does that make it an OE problem? Wouldn't the same thing happen with another email client using the same storage methods?

    I'm just trying to get a handle on this. :)
     
  18. Phil

    Phil Registered Member

    Joined:
    Oct 24, 2002
    Posts:
    248
    Erm -- don't think I said this was an OE "problem". I said there are other issues related to the OE database and that is certainly true. If the interaction between NOD and OE is to be considered a problem, that problem would lie with NOD for not actually deleting the offending email instead of putting it in the deleted folder, or with the user for not understanding how his/her AV works -- take your pick. I personally don't think it is a problem because I watched what happened when I first installed NOD about a year ago and simply emptied that folder any time a nasty came my way. Pocomail also uses a single file per folder but I don't know if the same situation exists because, at this point in time, the beta IMON does not work with Poco. It might not because Poco puts any attachment in a separate folder. I installed the NOD beta before I installed Poco so don't know how the release version would react with Poco.

    The short version -- I don't know what would happen with a different client. A user will have to chime in with that answer. :)

    Phil
     
  19. marti

    marti Registered Member

    Joined:
    Mar 25, 2002
    Posts:
    646
    Location:
    Houston, Texas, USA
    Phil,

    The problem has nothing to do with IMON (in my opinion). I have IMON disabled. I was able to delete the contents of two Outlook Express folders via a full system scan.

    What do you mean "single file per folder?" Do you mean this: OE can have multiple emails in one "folder" but they are treated like one big file, instead of many individual files.
     
  20. Phil

    Phil Registered Member

    Joined:
    Oct 24, 2002
    Posts:
    248
    That is correct. If you had IMON enabled, it would put it in the deleted items folder just like you did it yourself. Makes no difference how it got there. Then the system scan would find it there. If you told NOD to delete it, everything in that folder would be deleted because it actually is just one file. The same thing would happen if you did a system scan with a virus (or the Eicar file) in your "In" box -- everything in it would be deleted as well.

    Precisely!! They ARE just one big file. If you have some mail in your OE inbox, search your HDD for a file called "Inbox.dbx" without the quote marks. Included in that *one* file is every email in your inbox, even though they show as individual mail in OE. The ONLY place they show as individual mail is in OE itself -- the program separates the dbx file into individual pieces for viewing, but what you are REALLY seeing is just a part of that one file. The same goes for "Deleted Items.dbx", "Sent Items.dbx", "Outbox.dbx", etc -- all without the quotes, of course. Even if a folder is empty, the file is still there at 0 size because the "folder" exists in OE.

    That's why if you delete an email in OE without compacting the "folder", the email can still be read even though it does not show in any OE folder. It is still in the database, just with the marker removed. Only when you "compact" the folder, is the actual email removed from the database by compressing the database file.

    Does that help or have I just added to the confusion? o_O

    Phil
     
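The scan-log excerpt marti posted in post 12 and Phil's one-file-per-folder explanation in post 20 both come down to a granularity mismatch: the scanner reports an object nested inside a message inside a .dbx store, but its clean/delete action applies to the outermost on-disk file. The following is an added example written for this page (not ESET's code and not from anyone in the thread) that parses such log lines and flags hits where a file-level delete would remove a whole mail folder. The " » " nesting separator and the "from/to/with subject/dated" descriptor are taken from the posted line; the plain-file line, the `SAMPLE_LOG` constant and the extension table beyond `.dbx` are assumptions constructed for the example.

```python
"""Triage NOD32-style scan-log lines and flag hits whose on-disk object is a
whole mail-folder store (added example; not ESET or forum code)."""
import ntpath
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Nesting separator as it appears in the scan-log excerpt posted in the thread.
LEVEL_SEP = " » "

# One on-disk file per mail folder: a file-level delete of any of these removes
# every message in the folder, not only the infected one. Only .dbx is from the
# thread; the other entries are assumptions added here.
MAIL_STORE_EXTENSIONS = {
    ".dbx": "Outlook Express folder store",
    ".pst": "Outlook personal folder store",
    ".mbox": "mbox-format mail folder",
}

# Message descriptor level, in the shape used by the posted log line.
MESSAGE_RE = re.compile(
    r"from:\s*(?P<sender>.*?)\s+to:\s*(?P<recipient>.*?)"
    r"\s+with subject\s+(?P<subject>.*?)\s+dated\s+(?P<date>.+)$"
)

# Constructed sample: the two header lines and the nested hit are copied from
# marti's post; the last line is a constructed plain-file hit for contrast.
SAMPLE_LOG = "\n".join([
    "date: 12.1.2003 time: 11:37:47",
    "Scanned disks, directories and files: D:",
    r'D:\My Documents\AA OE backups\OE Folders\Sent Items.dbx » DBX » '
    r'from: "marti " <xxx@dslr.net> to: "marti" <xxx@sbcglobal.net> '
    r'with subject Big test -- part 2 dated Sun, 12 Jan 2003 11:10:35 -0600 '
    r'» MIME » eicar.com - Eicar test file',
    r"C:\Temp\eicar.com - Eicar test file",
])


@dataclass
class ScanHit:
    path: str                       # file the scanner's clean/delete acts on
    levels: List[str]               # container chain, e.g. ["DBX", "MIME"]
    detected_object: str            # innermost object, e.g. "eicar.com"
    detection: str                  # detection name, e.g. "Eicar test file"
    sender: Optional[str] = None
    recipient: Optional[str] = None
    subject: Optional[str] = None
    date: Optional[str] = None


def parse_scan_line(line: str) -> ScanHit:
    """Split one result line into the outer file, the nesting chain and the hit."""
    parts = [p.strip() for p in line.strip().split(LEVEL_SEP)]
    if len(parts) == 1:
        # Plain file hit; "<path> - <detection>" is an assumed format.
        path, _, detection = parts[0].rpartition(" - ")
        return ScanHit(path, [], ntpath.basename(path), detection)
    path, innermost = parts[0], parts[-1]
    detected_object, _, detection = innermost.partition(" - ")
    hit = ScanHit(path, [], detected_object, detection)
    for level in parts[1:-1]:
        m = MESSAGE_RE.match(level)
        if m:
            hit.sender, hit.recipient = m.group("sender"), m.group("recipient")
            hit.subject, hit.date = m.group("subject"), m.group("date")
        else:
            hit.levels.append(level)    # container type names such as DBX, MIME
    return hit


def delete_scope(hit: ScanHit) -> str:
    """'whole_folder' when the file a delete would act on is a mail store."""
    ext = ntpath.splitext(hit.path)[1].lower()
    return "whole_folder" if ext in MAIL_STORE_EXTENSIONS else "single_file"


def triage(log_text: str) -> List[Dict[str, str]]:
    """One report row per result line; `scope` says what a delete would remove."""
    rows = []
    for line in log_text.splitlines():
        if " - " not in line:
            continue    # header lines ('date:', 'Scanned disks ...') carry no hit
        hit = parse_scan_line(line)
        ext = ntpath.splitext(hit.path)[1].lower()
        rows.append({
            "path": hit.path,
            "store": MAIL_STORE_EXTENSIONS.get(ext, ""),
            "subject": hit.subject or "",
            "detection": hit.detection,
            "scope": delete_scope(hit),
        })
    return rows


if __name__ == "__main__":
    for row in triage(SAMPLE_LOG):
        print(f'{row["scope"]:13} {row["path"]}  [{row["detection"]}]')
```

Run against the sample, the posted line comes back as `whole_folder` on `Sent Items.dbx`, which is exactly the outcome marti observed: the detection sits on `eicar.com` two levels down, but the only object a file scanner can delete is the store itself. Reviewing a scan report with this distinction in mind, before choosing clean or delete, is the check the thread arrives at by trial.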
  21. marti

    marti Registered Member

    Joined:
    Mar 25, 2002
    Posts:
    646
    Location:
    Houston, Texas, USA
    Phil,

    I'm clear on how OE stores information (I've spent a lot of time looking at OE for a procedure that I wrote). I wasn't sure that you and I were on the same page.

    An empty DBX file (or folder) does not have "0" bytes, it's 59KB (after you have compacted all folders).

    Dumb question, but if you have IMON enabled, and an email with a virus is downloaded, why does IMON put it into Deleted Items.dbx? Why isn't the file removed from the system? I don't use POP3 scanners and have only "caught" infected attachments when I was 100% sure that I knew the name of the virus and that my AV program would detect it. My method for "catching" them is to try to save the attachment as a unique file, which will set most resident scanners "off."
     
  22. Phil

    Phil Registered Member

    Joined:
    Oct 24, 2002
    Posts:
    248
    As for being on the same page, I'll just ask you a question. Is there a single file per folder? :D :D

    So, I'm not very good at explaining things. :rolleyes:

    As to why NOD32, first edition *or* the beta IMON, does not REALLY delete the infected email -- beats me. You'll have to ask them. I wondered the same thing when I first installed but saw how it worked so was no problem for me. As mentioned, I now use Poco and by default it puts attachments in a different folder so the fact IMON does not work correctly makes no difference. I have had IMON disabled since day one.

    Phil
     
  23. marti

    marti Registered Member

    Joined:
    Mar 25, 2002
    Posts:
    646
    Location:
    Houston, Texas, USA
    Phil, in a word "yes." But the "folder" is a file, the way I define a file. :D :D :D
     
  24. Blackspear

    Blackspear Global Moderator

    Joined:
    Dec 2, 2002
    Posts:
    15,115
    Location:
    Gold Coast, Queensland, Australia
    I have a friend who tried the Nod 2.0 Beta, and it did the same thing, deleted all messages within the sent folder. He has returned to the standard version for now :)

    Cheers :D
     
  25. sig

    sig Registered Member

    Joined:
    Feb 9, 2002
    Posts:
    716
    >Mele queried, "Dumb question, but if you have IMON enabled, and an email with a virus is downloaded, why does IMON put it into Deleted Items.dbx? Why isn't the file removed from the system? "

    Not a dumb question IMO at all. If IMON had a "delete and send to total oblivion" option that would not retain the infected emails in the Deleted Items mailbox, there would be no chance for someone running into what Mele encountered. (Or evidently what Blackspear's friend encountered too.)

    That's something I think Eset should consider as a user friendly option that prevents this sort of thing from happening.

    So far I can see potential users reading this thread and another at BBR and thinking, "Whoa, NOD can't delete an infected email without deleting the whole mailbox?? I'm staying away from that POS AV." The finer points of how it happens will be missed, but the end result of the mishap will be remembered.

    So why not design IMON (or even AMON if it works similarly) so that "delete" means truly deleted from the email client? And not, as at present, where "delete" only means it's sent to the deleted item folder and the true deletion you have to do yourself?

    From the consumer's point of view, I think when a scanner offers to delete an infected email, my first choice is that I want it deleted from my email client altogether so that I don't have to go back and manually "delete" it again myself. It's easier for the users. And since the users pay the bills, why not accommodate the users?
     