Avast WEBforum

Consumer Products => Avast Free Antivirus / Premium Security (legacy Pro Antivirus, Internet Security, Premier) => Topic started by: DaveD on April 06, 2006, 04:25:36 PM

Title: Web Shield - HTTP traffic in Thunderbird
Post by: DaveD on April 06, 2006, 04:25:36 PM
Why does Web Shield not scan HTTP traffic in Mozilla Thunderbird?

The example that I have is an HTML weather report e-mail from:
http://www.theweathernetwork.ca/inter/weathercentre/email/

The e-mail is HTML and downloads all images from the website via HTTP. I have seen other e-mails similar to this; like movie theater show times.

Is it not possible that Thunderbird could receive an HTML-based e-mail and download something from a malicious website via HTTP?

Thanks,
Dave
Title: Re: Web Shield - HTTP traffic in Thunderbird
Post by: DavidR on April 06, 2006, 05:38:57 PM
What is your OS ?
What is your Browser ?

Well, your http email would normally be viewed over a Browser, not an email program like thunderbird; in that instance web shield would monitor http traffic. So how do you view this email, in your browser or downloaded in your email program?

If you have somehow set up thunderbird to download that http mail by some sort of conversion so it appears in your inbox, then it isn't using standard pop3 protocol so won't be scanned by the Internet Mail provider either.
Title: Re: Web Shield - HTTP traffic in Thunderbird
Post by: alanrf on April 06, 2006, 05:55:20 PM
David,

I was surprised by the post of DaveD.  So I looked into it a bit more.

The point being made is that a huge amount of email we all get these days is html based.  That html code is rendered by the mail client whether it be Thunderbird or Outlook or whatever.  That code directs that images and other stuff be retrieved from websites to compose the image that we see on the screen.

Looking at my system it certainly appears that avast is not intercepting the http calls to port 80 while the html elements are being retrieved from remote sites.  The Web Shield count is not increasing and I see direct connections to port 80 established from Thunderbird (i.e. not being intercepted by avast).
Title: Re: Web Shield - HTTP traffic in Thunderbird
Post by: alanrf on April 06, 2006, 06:04:34 PM
Just a bit of follow up ...

I just looked at some html based email on Yahoo viewing it thru my browser - Firefox.   Now I see that the sites from which the message components are being retrieved are being recorded by the Web Shield (and the scan count increasing).

The non-scanning of http accesses is also occurring with html mail viewed in Outlook Express as well.
Title: Re: Web Shield - HTTP traffic in Thunderbird
Post by: DaveD on April 06, 2006, 07:09:06 PM
Quote
What is your OS ?
What is your Browser ?

Well, your http email would normally be viewed over a Browser, not an email program like thunderbird; in that instance web shield would monitor http traffic. So how do you view this email, in your browser or downloaded in your email program?

If you have somehow set up thunderbird to download that http mail by some sort of conversion so it appears in your inbox, then it isn't using standard pop3 protocol so won't be scanned by the Internet Mail provider either.

Windows 2000 SP4 UR1
Mozilla Firefox
Mozilla Thunderbird

It is coming in directly to Thunderbird and viewed in Thunderbird, however, it is HTML-based e-mail and therefore pulls images and such directly from the website each time the e-mail is viewed. On port 80 of course.
Title: Re: Web Shield - HTTP traffic in Thunderbird
Post by: DaveD on April 06, 2006, 07:12:15 PM
I remember when avast! first came out with Web Shield it originally scanned ALL traffic from ALL programs on HTTP Port 80. However, due to complications with certain programs, I believe avast! limited the scanning to only a certain number of browsers and programs. E-mail programs should definitely be scanned by Web Shield when accessing data through port 80, and it sounds as though they have been excluded. It probably wouldn't be difficult for the avast! team to add these e-mail programs to the list or through avast4.ini somehow.

I do see this as a possible vulnerability though.
Title: Re: Web Shield - HTTP traffic in Thunderbird
Post by: DaveD on April 07, 2006, 01:16:34 PM
Will this avast4.ini adjustment allow HTTP scanning in Thunderbird?

[WebScanner]
OptinProcess=thunderbird.exe

I have never edited the avast4.ini file before, so I would prefer to ask here first if this is the correct way to do it. I got this idea from Tech's thread on editing the avast4.ini file. Thank you Tech.

Do I need to put the full path name to the process?

Thanks,
Dave
Title: Re: Web Shield - HTTP traffic in Thunderbird
Post by: RejZoR on April 07, 2006, 01:22:28 PM
Just use my avast! External Control tool (see link below) and enable "Power Mode" for web shield.
Web Shield checked all HTTP traffic at the beginning but they removed that because of compatibility reasons (it's now checking just most common browsers). Power Mode forces avast! again to check all HTTP traffic.
If you encounter problems you can always disable it later...
Title: Re: Web Shield - HTTP traffic in Thunderbird
Post by: Lisandro on April 07, 2006, 01:52:28 PM
Quote
Will this avast4.ini adjustment allow HTTP scanning in Thunderbird?
[WebScanner]
OptinProcess=thunderbird.exe

Maybe... Lukas must confirm this, or Igor...

Quote
I have never edited the avast4.ini file before, so I would prefer to ask here first if this is the correct way to do it. I got this idea from Tech's thread on editing the avast4.ini file. Thank you Tech.

You're welcome  8)

Quote
Do I need to put the full path name to the process?

No. You must use the process name (not the file/path name).
Title: Re: Web Shield - HTTP traffic in Thunderbird
Post by: alanrf on April 10, 2006, 11:00:16 AM
I request the courtesy of a response in this thread from the Alwil team please.
Title: Re: Web Shield - HTTP traffic in Thunderbird
Post by: lukor on April 10, 2006, 12:11:26 PM
Hello Guys,
it is really true that mail clients are currently not intercepted by WebShield. The reasoning behind this was that mails were scanned during downloads by Mail Providers and you should be safe this way. WebMails are of course scanned by WebShield - when viewed from common browsers. The other problem we were facing when WebShield was used with Outlook / Outlook Express was the compatibility with Hotmail WebMails which uses uncommon extensions to the HTTP protocol.

In any case adding the line into avast4.ini

[WebScanner]
OptinProcess=thunderbird.exe


or

[WebScanner]
OptinProcess=thunderbird.exe, outlook.exe, msimn.exe


would enhance scanning to these apps too.

If there is someone with Hotmail Web Access enabled, who might confirm that Outlook Express + Hotmail + WebShield is working correctly, we might perhaps consider expanding the list of scanned "browsers" with some of the common mail clients too.

Cheers.
Lukas.
Title: Re: Web Shield - HTTP traffic in Thunderbird
Post by: DaveD on April 10, 2006, 01:19:22 PM
I have tested this out with Thunderbird with several e-mails; all successfully scanned.

WeatherDirect - http://www.theweathernetwork.ca/inter/weathercentre/email/
BlockBuster Video - http://www.blockbuster.ca/
Cineplex Odeon movie theaters - http://www.cineplex.com/

I receive weekly e-mails from these sites in HTML format which pull the images from the Internet via HTTP. All were scanned successfully by Web Shield.

However, I did not test the Hotmail web-based e-mail because I do not use it. Wouldn't that be SSL anyways? If it were SSL it wouldn't be scanned by Web Shield anyways.
Title: Re: Web Shield - HTTP traffic in Thunderbird
Post by: lukor on April 10, 2006, 01:47:51 PM
Quote
However, I did not test the Hotmail web-based e-mail because I do not use it. Wouldn't that be SSL anyways? If it were SSL it wouldn't be scanned by Web Shield anyways.

Last time I checked it was not via SSL (https://).
Title: Re: Web Shield - HTTP traffic in Thunderbird
Post by: alanrf on April 10, 2006, 10:24:51 PM
With Thunderbird and Outlook Express included in the OptinProcess I tested the following:

1) Outlook Express to WebDav enabled Hotmail account - mail received without any problems, it was clear from Webshield that html elements performing http accesses were being scanned as html messages were being rendered.

2) Direct Web access to the same Hotmail account - I already reported earlier in this thread that the html elements performing accesses were being reported as scanned by Webshield (only the login is https)

3) WebDav access to Hotmail message store and conversion to POP3 by Thunderbird Webmail extensions.  No problems in retrieving via WebDav (http) and the Webshield showed that html elements performing http accesses were being scanned as html messages were being rendered by Thunderbird.

While I do not claim these tests are exhaustive they included plain text, html and mixed mode messages containing attachments.
Title: Re: Web Shield - HTTP traffic in Thunderbird
Post by: treker96 on April 12, 2006, 11:53:39 PM
maybe they can add an option to enable http scanning in thunderbird and OE without editing the ini file? ???

i just don't feel comfortable editing ini files.
Title: Re: Web Shield - HTTP traffic in Thunderbird
Post by: DavidR on April 13, 2006, 12:07:47 AM
Just make a copy of the ini file and paste it to a different folder before you edit the file, it is only a text file. Just use your favourite text editor, notepad or wordpad will be fine, just don't use a word processor like word, etc.

Before you edit it terminate the Internet Mail provider, make the changes and save the avast4.ini file, enable the Internet Mail provider and that should be it.

Making an option in the GUI would likely be cumbersome, why stop at thunderbird and OE but all other email programs that could have the same functionality. The avast4.ini provided for many customisations that would otherwise make the GUI cumbersome and with reasonable care there is no problem in editing it.
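
An added example, not part of any post in this thread and not Alwil's code: one way to script the edit discussed above so that it is repeatable. It keeps a one-time backup copy as DavidR suggests, merges process names into the `[WebScanner]` `OptinProcess` line in the comma-separated form lukor posted, and rejects full paths per Lisandro's answer. The file location, the `.bak` suffix, an ASCII-compatible file encoding and the sample `[Common]` section are assumptions; stopping and restarting the Internet Mail provider is left to the user.

```python
import shutil
from pathlib import Path

SECTION = "[WebScanner]"   # section and key exactly as posted in the thread
KEY = "OptinProcess"


def _merge(current, wanted):
    """Append names from `wanted` not already present (case-insensitive)."""
    merged = list(current)
    seen = {name.lower() for name in merged}
    for name in wanted:
        name = name.strip()
        if "\\" in name or "/" in name:
            # Per the thread, the value is a process name, not a file path.
            raise ValueError(f"process name expected, got a path: {name!r}")
        if name and name.lower() not in seen:
            seen.add(name.lower())
            merged.append(name)
    return merged


def add_optin_processes(ini_text, processes):
    """Return ini_text with `processes` listed under [WebScanner] OptinProcess."""
    eol = "\r\n" if "\r\n" in ini_text else "\n"   # keep the file's line endings
    lines = ini_text.splitlines()
    start = next((i for i, line in enumerate(lines)
                  if line.strip().lower() == SECTION.lower()), None)
    if start is None:                      # no section yet: append one
        if lines and lines[-1].strip():
            lines.append("")
        lines += [SECTION, f"{KEY}=" + ", ".join(_merge([], processes))]
        return eol.join(lines) + eol
    # The section ends at the next "[...]" header or at end of file.
    end = next((i for i in range(start + 1, len(lines))
                if lines[i].lstrip().startswith("[")), len(lines))
    for i in range(start + 1, end):
        name, sep, value = lines[i].partition("=")
        if sep and name.strip().lower() == KEY.lower():
            current = [p.strip() for p in value.split(",") if p.strip()]
            lines[i] = f"{KEY}=" + ", ".join(_merge(current, processes))
            break
    else:                                  # section exists, key does not
        lines.insert(start + 1, f"{KEY}=" + ", ".join(_merge([], processes)))
    return eol.join(lines) + eol


def update_ini(path, processes):
    """Back up the file once, then rewrite it only if something changed."""
    path = Path(path)
    backup = path.with_name(path.name + ".bak")   # assumed backup name
    if not backup.exists():                # never overwrite the pristine copy
        shutil.copy2(path, backup)
    # latin-1 round-trips every byte; assumes an ASCII-compatible file.
    original = path.read_bytes().decode("latin-1")
    updated = add_optin_processes(original, processes)
    if updated != original:
        path.write_bytes(updated.encode("latin-1"))
    return backup


# Constructed sample; only [WebScanner] and OptinProcess come from the thread.
SAMPLE = ("[Common]\r\nLanguage=english\r\n\r\n"
          "[WebScanner]\r\nOptinProcess=thunderbird.exe\r\n")

if __name__ == "__main__":
    print(add_optin_processes(SAMPLE, ["outlook.exe", "msimn.exe"]))
```

Running it a second time with the same names leaves the file unchanged, so it is safe to re-apply after a program update.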
Title: Re: Web Shield - HTTP traffic in Thunderbird
Post by: alanrf on April 13, 2006, 08:42:35 AM
David,

I have to agree with you about the GUI issue.

Why should every user of avast have to fix this gaping hole in the product personally via a GUI facility?   

While Lukas has offered us the palliative "the messages are scanned on download" I have to wonder what these words are really worth. 

Agreed the attachments are scanned.  So far so good.  Agreed the message content is scanned.

But ... if the html says "go to this website and download a file that is a trojan".  What does avast do about it ...

NOTHING
ZERO
NO PROTECTION


Come on team - tell me where I am missing the protection this product affords!

Title: Re: Web Shield - HTTP traffic in Thunderbird
Post by: DaveD on April 13, 2006, 01:28:29 PM
Big hole, simple fix for Alwil Team. It shouldn't take them more than 60 seconds to fix this issue.

All we can do is wait and see if it gets fixed for the 4.7 release.

Sure, RejZor's program allows a quick fix for this problem... but it should be enabled by default because it has the potential to allow malicious data in without being scanned, when it would be so simple for the program to do so.

I get about 3 e-mails each week that are HTML-based and I trust them. However, what if HTML-based phishing e-mails come around that 'look' trustworthy to most? Users wouldn't even need to click on anything to visit the malicious site because the malicious site would've already visited them, you know.

Anyways, I do appreciate the avast! antivirus program and I trust that Alwil will do the right thing with this.

Cheers,
Dave
Title: Re: Web Shield - HTTP traffic in Thunderbird
Post by: lukor on April 13, 2006, 04:54:05 PM
Quote
But ... if the html says "go to this website and download a file that is a trojan".  What does avast do about it ...

NOTHING
ZERO
NO PROTECTION


Come on team - tell me where I am missing the protection this product affords!

Alanrf, what about standard shield? This is the protection avast! provides. Well, not only that, we have implemented a WebShield to further reinforce the protection for one type of applications - Web Browsers. Now, when you take it as granted, you might also want to use the same type of double protection for other applications as well - well, you have the option, don't you?

Just edit the avast4.ini or set up your mail client to use WebShield as its proxy.

WebShield can be configured to monitor all access to port 80 regardless of an application, and you know that and you know how to do it.

And I have already explained here why we have chosen not to configure WebShield to behave like that on default. It may bring all sort of compatibility problems, especially when applications use HTTP protocol in not very standard way.

Like probably the mail client might be using HTTP to download mails from a webmail. Aborting a connection in this situation would cause what? Would it terminate just the current mail or whole download process? Would the mail client retry the download? What about the mails that have been already downloaded? Would they be downloaded again? Hmm, I can imagine several thousand users complaining about the fact that old mails are redownloaded every time until they delete their infected mail via webmail interface. Hmm.

Perhaps these problems can be solved, of course. My estimate is that it would probably take a little more time than 60 secs. But until they are solved at least to a certain degree I would not recommend to enable such potentially problematic feature for all. I don't have a problem with allowing it for more advanced users. That's what we do.

But of course, this might be changed. This change can be done by a VPS update. However if there are some mails containing links to thunderbird exploits, I think the mail itself should be considered as a virus - so it should be caught by the Mail providers itself...

Lukas

Title: Re: Web Shield - HTTP traffic in Thunderbird
Post by: CharleyO on April 13, 2006, 07:36:52 PM
***

Somehow, I am missing the problem. Most of my email is html enriched. When I open each email & downloading begins, the "a" is constantly spinning until downloading is completed. I am sure it is Web Shield checking all that is downloaded. And, as lukor points out, what about the protection Standard Shield provides?

Title: Re: Web Shield - HTTP traffic in Thunderbird
Post by: DaveD on April 13, 2006, 07:59:20 PM
Quote
Somehow, I am missing the problem. Most of my email is html enriched. When I open each email & downloading begins, the "a" is constantly spinning until downloading is completed. I am sure it is Web Shield checking all that is downloaded. And, as lukor points out, what about the protection Standard Shield provides?

The "a" is constantly spinning because the Standard Shield is scanning the content in that particular case.

Web Shield does scan the HTML within the e-mail itself, but does not scan the contents that the HTML pulls from the Internet which is typically just images. However, those images would be scanned by the Standard Shield anyways.

So I suppose that, after all, the Standard Shield would catch any virus that were to come in this way. Only exception being a compressed archive, but that would be scanned upon opening/executing whatever is in it anyways.

Thanks everyone!
Title: Re: Web Shield - HTTP traffic in Thunderbird
Post by: treker96 on April 14, 2006, 12:20:20 AM
how do i post screenshots?
Title: Re: Web Shield - HTTP traffic in Thunderbird
Post by: DavidR on April 14, 2006, 01:33:34 AM
Start here http://forum.avast.com/index.php?topic=8982.0
Title: Re: Web Shield - HTTP traffic in Thunderbird
Post by: alanrf on April 14, 2006, 06:19:34 AM
Quotes from the last post of DaveD in response to CharleyO:

Quote
The "a" is constantly spinning because the Standard Shield is scanning the content in that particular case.

Web Shield does scan the HTML within the e-mail itself, but does not scan the contents that the HTML pulls from the Internet which is typically just images.

Sorry - both comments are just plain wrong.

The "a" is mainly spinning because the Internet Mail scanner is scanning your mail as it is being downloaded, message body and attachments. The Standard Shield is only scanning the email executables and the existing mail files as they are being read (in a default avast setting).
 
Webshield plays no part whatsoever in scanning email - as it is being downloaded (because that is POP3 and not http) and, unfortunately,  as it is being displayed by your mail client or to use the technical term rendered.  I say rendered because for most of us these days much of our email comes in the form of html email.  This email is not just displayed (as old fashioned plain text would be) but the image on the screen is created by obeying (or rendering) the html commands that make up the email.  Effectively these emails are displayed by a browser engine (if you use a Microsoft mail client then it uses the same code as Internet Explorer; if you use Thunderbird then it uses the same code as Firefox).  As these html commands are executed they use browser functions to go out to the Internet to retrieve pieces of the email that are then executed on your system to produce the display you see.

The issue that is being discussed here (CharleyO are you on board now?) is that because this code is not being executed under the "process name" of a list of browsers that is included in the VPS file of avast, but instead are being executed under the process name of your email client then avast does not scan these files as they are downloaded.

For DaveD - there is a lot more than just images in the files downloaded.

I am happy to accept the assurance of Lukas that the execution of these files will be intercepted by the Standard Shield though I would appreciate formal confirmation that all files so executed are scanned by the Standard Shield prior to any involvement in execution.   

By the way, I should add (as I have mentioned above in the thread but just to reinforce it): 

If you happen to use an email account that can be displayed in your browser (such as Yahoo, Hotmail, Gmail etc) then, simply because you are displaying that email in the browser then avast will perform a scan of every element of the email as it is being retrieved which it will not do for the same email displayed by your mail client. 

I suppose the moral of this story is - if you want a higher level of security from avast then if you can read your email in your browser, not in your email client.

If you use a mail client then the Internet Mail Scanner is still pretty good for checking attachments.   
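
An added example, not part of any post in this thread: a way to audit which HTTP requests an HTML e-mail would trigger on display, the traffic this thread says runs under the mail client's process name. It lists every tag that is fetched without a click and marks whether the request is cleartext HTTP, which a scanning proxy can inspect, or HTTPS, which it cannot. The tag list is an illustrative subset, and the message and its example.test hosts are constructed.

```python
from email import message_from_bytes, policy
from email.message import EmailMessage
from html.parser import HTMLParser
from urllib.parse import urlsplit

# (tag, attribute) pairs fetched when the message is displayed, with no click.
# Illustrative subset chosen for this example, not an exhaustive list.
AUTO_FETCH = {
    ("img", "src"), ("script", "src"), ("iframe", "src"), ("frame", "src"),
    ("embed", "src"), ("object", "data"), ("input", "src"),
    ("body", "background"), ("table", "background"), ("td", "background"),
}


class RefCollector(HTMLParser):
    """Collects remote references that rendering alone would request."""

    def __init__(self):
        super().__init__()
        self.refs = []

    def handle_starttag(self, tag, attrs):
        rel = (dict(attrs).get("rel") or "").lower()
        for name, value in attrs:
            auto = (tag, name) in AUTO_FETCH or (
                tag == "link" and name == "href" and "stylesheet" in rel)
            if not auto or not value:
                continue                   # e.g. <a href>: needs a click
            try:
                url = urlsplit(value.strip())
                port = url.port or (80 if url.scheme == "http" else 443)
            except ValueError:
                continue                   # malformed URL or port
            if url.scheme not in ("http", "https"):
                continue                   # cid:, data: stay inside the message
            self.refs.append({
                "tag": tag, "host": url.hostname, "port": port,
                # Only cleartext HTTP is visible to a scanning proxy.
                "scannable": url.scheme == "http",
                "url": value.strip(),
            })


def remote_fetches(raw):
    """Return the remote references found in every text/html part of `raw`."""
    msg = message_from_bytes(raw, policy=policy.default)
    collector = RefCollector()
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            collector.feed(part.get_content())
    collector.close()
    return collector.refs


# Constructed sample message; all hosts are placeholders.
SAMPLE_HTML = """<html><body background="http://img.example.test/bg.gif">
<link rel="stylesheet" href="http://static.example.test/mail.css">
<img src="http://img.example.test/banner.jpg">
<img src="cid:logo@example.test">
<iframe src="https://ads.example.test/frame.html"></iframe>
<a href="http://www.example.test/forecast">Full forecast</a>
</body></html>"""


def build_sample():
    msg = EmailMessage()
    msg["Subject"] = "Weekly forecast (constructed sample)"
    msg.set_content("Plain-text alternative.")
    msg.add_alternative(SAMPLE_HTML, subtype="html")
    return msg.as_bytes()


if __name__ == "__main__":
    for ref in remote_fetches(build_sample()):
        note = "cleartext, proxy can scan" if ref["scannable"] else "TLS, opaque to proxy"
        print(f'{ref["tag"]:7} {ref["host"]}:{ref["port"]}  {note}')
```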
Title: Re: Web Shield - HTTP traffic in Thunderbird
Post by: alanrf on April 14, 2006, 10:28:47 AM
Lukas,

my sincere thanks for responding again in this thread.  Though I try your patience I appreciate it very much.

My responses in this forum are not based upon my own needs.  I merely suggest that I know how to use the excellent features built into avast and available to experienced users to configure avast to my needs. 

I am trying to put myself in the place of and represent the needs of the average home user of avast.  Since I support a number of such users who are using avast on my recommendation I hope you will understand that I consider this my duty.  It is not my wish to be contentious but, as an avast supporter, I want your product to be the best it can be.  If my opinions have to suggest you are not being the best ... then so be it.

So Lukas ... on to my response:

What about the Standard Shield? 

Are you professionally content to stand behind the Standard Shield?  I'm sorry while I understand it is the foundation of avast - you have introduced so much more since I first encountered your product.  I do have to wonder though if you have not developed cold feet and whether certain moves mean that you are planning to exit recent forays such as mail scanning.

Quote
we have implemented a WebShield to further reinforce the protection for one type of applications - Web Browsers

What is a Web Browser?  It seems that you now wish to define this as a specific group of applications that are recorded in the VPS file - again - I am sorry to note - after developing cold feet about your ability to scan http accesses in a more general fashion when you first introduced this feature.  I cannot know the feedback your support teams experienced (though I ask you to believe me I have been there  in all the ungodly hours of the morning) but I still believe that this would be better based on exclusion of anomalies rather than inclusion of acceptances.  I know that the latter is much easier to explain to your management (and heavens! do I know what explaining to corporate management means).

You know and I know that what we are talking about is not the scanning of email during download.  Readers of this thread may think we are - but that is an irrelevance.  What we are really talking about is the rendering (displaying) of email which is a completely separate issue (in a mail client) from downloading the mail.  I have covered this in my previous post in this thread and I will not bore everyone with it again. 

I do accept that it is not too easy for avast to understand the difference between an email client using http to download (in certain restricted instances) mail from the mail store and the incredibly frequent use of http by email clients in displaying html based email messages.  What it does mean though is that you have avoided the mail download issues of the few mail clients and ignored the issues of retrieving http files that is an essential part of displaying the content of a huge proportion of today's email.   

There are not too many mail clients that use http to download mail from a Webmail mailstore to a client. 

I have to confess at this point that I believe that you have thrown a certain amount of FUD (for those reading the thread and not knowing the acronym - Fear Uncertainty and Doubt) across the path here.   

There are (to the best of my knowledge) two types of http access to Webmail:

1) WebDav access to appropriately enabled Hotmail clients.  This is supported in an IMAP fashion by Outlook Express and Outlook (2001 and later editions).  As far as I can tell (and you should have tested it far better than I can) the avast WebShield has no negative effect on either of these products.

There are other third party solutions that provide WebDav to POP3 conversions.  These include HotPop (a paid solution) and the Thunderbird Webmail extensions. My testing with avast, so far, indicates no problems with either of these offerings.
Somewhere in this area falls IncrediMail and so, while here, I will admit there may be many other mail clients in this field that I have not tested (there's a get-out if ever you needed one).

2) There are also a number of programs that provide access to WebMail mail stores through http by what are known as screen-scraper solutions.

I have tested avast frequently with MrPostman and with FreePops (well known free offerings in this area) with no ill effect.  (In the unlikely case you care to check - you will find a sticky under my id in the AVG email forum advising users how to scan WebMail using these products). 

In short Lukas, I am merely suggesting that the problems you raise are not that large.  I am very familiar with (and have worked with developers to reduce) the instances of re-download of mail (see my id in the FreePops and Mr Postman forums). I think - just think - that if the majority of users had to choose between downloading unscanned malware to their systems over a re-download of email then they would agree with me ....

you bet your a$$ what I would choose!!!

I simply want what is best for the majority of avast users who could not give a d*mn about the details of this post and ... honestly ... why should they?  They rely on you guys to make the best decisions for this product.  The defaults must be the best for the majority.  I'm sure that is your view too.  Some of us sometimes do not agree with the view coming from avast central and I hope you will accept our input.

Sincerely,

Alan
Title: Re: Web Shield - HTTP traffic in Thunderbird
Post by: CharleyO on April 14, 2006, 09:16:29 PM
***

Ok, alanrf ... I'm on board now.    :)


***
Title: Re: Web Shield - HTTP traffic in Thunderbird
Post by: DaveD on April 20, 2006, 12:21:25 AM
As of the 4.7 release (or possibly through recent VPS update) the HTTP scanning of HTML-based e-mail in Thunderbird is now being scanned. This is very nice to see.

Thanks Alwil Team!