Avast WEBforum

Consumer Products => Avast Free Antivirus / Premium Security (legacy Pro Antivirus, Internet Security, Premier) => Topic started by: AvastDestroysMails_wtf on April 14, 2018, 01:21:29 PM

Title: Avast destroyed over 4k Mails
Post by: AvastDestroysMails_wtf on April 14, 2018, 01:21:29 PM
Today I made a full search with Avast! Free (ver 180413-4) and after a while it found something and because I don't want to wait forever I stopped the search. It found 3 problems, all within my Thunderbird Inbox and older versions of it. Detection was "HTML:Facebook-A[Phish]". I would have ignored it, because I can look after myself in regard to phishing, but THE ONLY OPTION AVAST GAVE ME WAS AUTOMATICALLY. And that led to the "move" of my ENTIRE inbox to the virus-container, where it NEVER ARRIVED. So now about 3000 Mails are simply GONE except the title, which is saved in another file. Another number of mails is unreadable garbage. In total I LOST 4042 mails over that, and my most recent backup is gone as well because I shifted it to this PC for a short period of time.

Using Win8.1.

I used Avast! for over 10 years and have seen some mistakes and ridiculous false positives over the years, I still stayed with you. But this is outrageous! Your software simply destroyed my EMails with an action that should have been reversible! Even using Recuva doesn't help because Avast! completely DESTROYED all data.
So my question is pretty simple. Is there a way to get what's in the virus container? I want my data back that your retarded garbage software destroyed. I can't say it any other way because I'm really pissed right now!  >:(
Title: Re: Avast destroyed over 4k Mails
Post by: Pondus on April 14, 2018, 01:44:04 PM
If you set your mail client to leave mail on server, then you always have a backup at your mail provider that you can access using webmail.



Title: Re: Avast destroyed over 4k Mails
Post by: Mike23 on April 14, 2018, 04:18:18 PM
@ fh...
Open AVAST & go to > Protection > Virus Chest.
Hopefully, your emails will be there & can be recovered.

Regs, Mike..
Title: Re: Avast destroyed over 4k Mails
Post by: AvastDestroysMails_wtf on April 14, 2018, 04:51:16 PM
Well, setting TB to leave server-mails won't help me now. I contacted my mail provider and they restored all they had. Not much, but at least something.

@Mike23: the Virus Chest contains 3 false positive .exe files, but not my Inbox. Despite the report saying that the Inbox was moved to the chest.

Is there a way to dump all content of the Virus Chest into a folder or something? Maybe the transfer didn't finish but the bulk is still there.
Title: Re: Avast destroyed over 4k Mails
Post by: DavidR on April 14, 2018, 05:41:46 PM
Dumping the virus chest, even if it were possible, wouldn't help; the contents of the virus chest are encrypted (and renamed), and unless it is avast restoring the files they would remain encrypted.

Email folders aren't like normal explorer folders. I believe they are more like database files that contain the emails in that email folder. See attached example of my Thunderbird folders when viewed in Windows Explorer. Notice the 'Inbox' file (it doesn't actually show a file type); that is, I believe, the database file where the individual emails are contained.

You don't actually see individual emails, but on a scan avast can see within that file and report anything it detects.  It may well try to send the email to the virus chest according to your settings or choice. If it can't extract the file from the inbox file to send to the virus chest then it would try the second or third option in your mail shield settings.

The likelihood is that one or other of those options would try to send it to the chest and if that fails the next option may be deletion of the archive file containing the detected email, and now your inbox file would go. But it looks like that failed as you don't see it or any email in the virus chest. Even if it were in the virus chest and you elected to restore it, that too I believe would fail as it doesn't really know how to fit it back into the database file.

Personally, on-demand scans are of little benefit and there are quirks involved also, as outlined above.
- With a resident (on-access) scanner the need for on-demand scans is much depreciated. For the most part dormant/inert files are being scanned, the other active files are going to be scanned by the resident shields when they are activated.

See my Mail Shield settings - I don't believe they are defaults - I don't allow Avast to take any autonomous action, so my first Option is to Ask and the second, if that fails (almost impossible), is to take No Action.

Notice the bit about Archives; said Inbox is in effect an Archive (multiple things stored within one file), so if you have the option to remove the whole containing archive if it fails, you have just lost your inbox.
Title: Re: Avast destroyed over 4k Mails
Post by: AvastDestroysMails_wtf on April 14, 2018, 06:23:32 PM
@DavidR: thanks for the answer. As far as I have seen, you can open the Input and other Mail-Database-Files with a simple text editor, as the information is stored in plain text. I was able to restore some data from an old backup, but the newest (which I overwrite every now and then) has been destroyed by Avast! as well  >:(

I do on-demand very rarely, especially to that extent like today. It was a file scan, so the Mail Shield wasn't really involved. I wanted to change the action Avast! should make, but even clicking repeatedly on "Automatically" didn't allow me to change the selection or show a list of options for that matter. Beats me why Avast! can't show that, shouldn't happen.  >:(
Mail/Filesystem-Shield Auto apparently means Repair->Chest->Delete. Since it shows in the report "Moved to Chest. Successfull" I guess Avast failed 3 Times!!!!!! with a simple action.  >:(

Also besides the file being several hundred MB Avast should not just completely delete it like it did. That is just retarded. Either it should cut out the detected part (like 1 message) or move the entire file to the Virus Chest.  >:(

I have been scanning with different recovery tools but so far didn't find intact data to recover. I'm searching all my drives if there is a more recent backup, but I don't think I have much luck.  >:(
Title: Re: Avast destroyed over 4k Mails
Post by: stibi on April 14, 2018, 06:29:19 PM
Quote
Email folders aren't like normal explorer folders. I believe they are more like database files that contain the emails in that email folder.
No, David - "Inbox" is no database but a simple text file including all messages, "*msf" files contain pointers to each start of message. Copy "Inbox" and add the extension ".txt" ...

@TO
Do you have a backup of your messages? Replace it to the proper place in your TB-profile.
You should hold your Inbox as small as possible & shift mails to other objects like family, common, hobby etc.; so a damage between AV software & mail program will be restricted. Example: my inbox contains about 50 mails; not more. And just this may be too much in an error situation - I'm lazy...
Title: Re: Avast destroyed over 4k Mails
Post by: DavidR on April 14, 2018, 08:31:58 PM
Quote
Email folders aren't like normal explorer folders. I believe they are more like database files that contain the emails in that email folder.
No, David - "Inbox" is no database but a simple text file including all messages, "*msf" files contain pointers to each start of message. Copy "Inbox" and add the extension ".txt" ...
<snip>

It is more that I believe it is being treated as an archive; it won't be using the .msf file to strip it out (or for that matter to put it back if restored from the chest), and how would this stripped out email be stored in the virus chest? It isn't a file, but part of a file.

The inbox has always been a bit of an issue (not just for Avast): if you have a system crash, open files are at risk of corruption. And if you have your email program open, generally the inbox is open.

Currently my inbox is probably as large as it has ever been (image shows 12MB ish) I used to be very active in moving emails to other folders depending on content.  If I lost the inbox it wouldn't be that big a deal, not to mention I do weekly drive image backups. 

I also do a daily backup (often several times a day) for more volatile files, and this includes thunderbird, ...\Application Data\Thunderbird so I have it pretty well covered for any eventuality. I have always been a belt and braces guy with a robust backup and recovery strategy, many don't until they actually experience a problem.
Title: Re: Avast destroyed over 4k Mails
Post by: AvastDestroysMails_wtf on April 15, 2018, 10:20:11 AM
Okay, got hold of an older backup and was able to restore two thirds of lost data.

@DavidR: even if I had it in another folder, that one would have been destroyed. And an Antivirus shouldn't destroy data that's not virus. Regarding backups: two instances of backups were destroyed by Avast! while killing the primary file.  >:(

The whole situation is extremely shit, and while part of the lost data is still in replied messages in the outbox, received files are gone.  >:(

Basically I can live with rare false positives that are reversible, and with the memory leak a few years back, and the annoying "unprotected"-bugs last year or so (even if these things shouldn't happen). But this time I have to ask how far I can trust Avast! at all. I mean, that was not just one mistake, but a ton of them. The acclaimed Message was not detected when creating backups, receiving mails, or in previous scans. Now all of a sudden there is a phishing Mail, that Avast! has to handle (but why?! it's not virus, just phish, I know it's bad but it requires user input). And it fails a basic action of moving a file from A to B 3 times in a row, destroying the original files and the underlying data on the disk in the process, so that it's impossible to recover. This is a shitload of failed tasks, which makes me wonder if this software is reliable around sensitive data. So, yeah, I'm gonna look if there is a better, more reliable AV.
Title: Re: Avast destroyed over 4k Mails
Post by: DavidR on April 15, 2018, 11:29:35 AM
I'm an Avast user just like yourself and even if I wasn't using avast but another AV, the precautions I mentioned would still be in force. 

As you can see from my settings image, I don't allow avast (or any other AV) autonomous action in regard to detections and that included other shields including the file system shield. In most of the shield settings the 'Actions' section is very much the same; I always set the Primary action to Ask.
Title: Re: Avast destroyed over 4k Mails
Post by: stibi on April 15, 2018, 11:52:56 AM
The settings of Avast or any other AV software should be:

The AV software must be allowed to move incoming mail to quarantine.
The AV software must NOT be allowed to scan the Inbox file.
Title: Re: Avast destroyed over 4k Mails
Post by: AvastDestroysMails_wtf on April 15, 2018, 09:13:46 PM
Backups don't help much if they get destroyed by the AV as well. Also I wanted to change the action Avast took on the detected files (mentioned that earlier): it showed me a white box with "Automatic" and an arrow-down next to it. So it should be some kind of list/select. But pressing it did absolutely nothing, leaving me no other choice than to do automatically. If you make the effort of creating such a window element, it should work as expected.  >:(

@stibi: I only once had avast delete an attachment from a spam mail. Currently I think you should NOT let Avast move valuable files to the quarantine, or they might be destroyed.
Title: Re: Avast destroyed over 4k Mails
Post by: DavidR on April 15, 2018, 11:36:53 PM
1. There is nothing to stop you unchecking the Automatic option for on-demand scan settings, nor is there anything to stop you from changing the 'Processing of infected files' options - as in my attached image.

2. Where are you looking at this Automatic value with a down arrow that has no options?
Title: Re: Avast destroyed over 4k Mails
Post by: AvastDestroysMails_wtf on April 16, 2018, 05:41:26 AM
1. I changed it now. Had it on default before because I thought Avast! was capable of something and I also remembered being able to change the action.

2. The options were on the result-page of the scan, where it asks you what to do with the issues found. It showed the 3 instances of the Inbox and on the right side were the "Automatic"-buttons.
Title: Re: Avast destroyed over 4k Mails
Post by: DavidR on April 16, 2018, 10:55:36 AM
Quote
1. I changed it now. Had it on default before because I thought Avast! was capable of something and I also remembered being able to change the action.

2. The options were on the result-page of the scan, where it asks you what to do with the issues found. It showed the 3 instances of the Inbox and on the right side were the "Automatic"-buttons.

2. The result page is effectively historic, it is just showing the 'result' of the detections and the Action already taken in the scan.  You can't apply any action after it has been actioned already.

If you change the scan settings and click 'Automatically apply actions during scan' (see image) it is here that it shows what Actions you want carried out automatically.  If I had that set, then my settings for all 3 tabs I would set to No Action, PLUS the options I mentioned previously.
Title: Re: Avast destroyed over 4k Mails
Post by: AvastDestroysMails_wtf on April 16, 2018, 03:11:37 PM
@DavidR: then why bother making it look like you can select it? Honestly that doesn't make sense. It showed it as a button/list and even changed style (color) when hovering and clicking, but with no functionality behind it. Why would you make it look like you can choose an option when it is already processed? It's this kind of stuff that makes me think Avast! is becoming unreliable. This plus the fact that it destroys files it "moves".
Title: Re: Avast destroyed over 4k Mails
Post by: DavidR on April 16, 2018, 05:35:59 PM
I guess to give it a better layout than producing a listing looking like the original text file. 

If you open the avastUI > Protection and click the Scan history, you can select a specific scan that you have run.

Or you can look at the actual report text file, that contains information on all scans and is listed in chronological order, so you would have to scroll down to the bottom of the page for recent scans.
C:\ProgramData\AVAST Software\Avast\report.

But as I have said I'm just an avast user.
Time spent in reconnaissance is seldom wasted, a little time rummaging round the avastUI is time well spent. 
Title: Re: Avast destroyed over 4k Mails
Post by: stibi on April 16, 2018, 07:14:07 PM
Quote
Backups don't help much if they get destroyed by the AV as well.
At least one backup should always be stored on a disk that is not permanently connected to your PC.

Quote
I only once had avast delete an attachment from a spam mail. Currently I think you should NOT let Avast move valuable files to the quarantine, or they might be destroyed.
If you leave many mails in your Inbox, you can be sure that all of them will go to quarantine with a new, infected object.
Title: Re: Avast destroyed over 4k Mails
Post by: Pondus on April 16, 2018, 07:31:01 PM
It seems he is using GMX mail, and they say unlimited storage  >>  https://www.gmx.com/mail/mail-storage/#.1559512-stage-expendlist1-1

So if he does as I suggested in my first post, then backup should not be a problem   ;)


Title: Re: Avast destroyed over 4k Mails
Post by: AvastDestroysMails_wtf on April 16, 2018, 09:58:00 PM
I appreciate the help of you all, but sadly that doesn't help get the missing mails back.  :( I have contacted Avast via report false-positive section and MartinZ here in forums, as he seems to work for the company. So far I got no answer.

I like my backups local and not in the cloud or on a server somewhere. And that works pretty well. In this case I had to move the primary backup temporarily for privacy reasons, not realizing Avast! would simply destroy every instance of the Inbox it came across. I have used Thunderbird for over 10 years now and before that I used MS Outlook. Until now I never lost any mail.

@stibi: Yes I have two older instances of backups. But I'm still missing a third of the mails. It's not just the amount, things like this simply should not happen.

@DavidR: my report folder only has aswBoot, BehaviourShield, EmailShield, FileSystemShield, WebShield. In the Scan-History it's still there, dunno where it's saved. I took a look at the index of the chest and it really only shows the 3 older false positives from some games.

Digging in the files a bit, log of chest shows
Quote
14.04.2018   11:59:58   Error 112 in s_NewFile
14.04.2018   11:59:58   Error 112 in chestAddFileRpc
14.04.2018   11:59:59   Error 112 in s_NewFile
14.04.2018   11:59:59   Error 112 in chestAddFileRpc
14.04.2018   11:59:59   Error 112 in s_NewFile
14.04.2018   11:59:59   Error 112 in chestAddFileRpc
Well, destroyed everything in 2 seconds. And from what I can see that happened after I stopped the scan, so if the list/button would have worked it might have been avoidable  >:(
Title: Re: Avast destroyed over 4k Mails
Post by: DavidR on April 16, 2018, 11:12:15 PM
If you have no report files for the various scans you have run, you need to activate the Generation of a report file, see attached (as in the attached image).

The * asterisk indicates that the report file will take the name of the scan, as in the image in my Reply #16
Title: Re: Avast destroyed over 4k Mails
Post by: AvastDestroysMails_wtf on April 19, 2018, 01:07:46 PM
Sorry for the late answer, I tried to contact Avast over this issue, so far I didn't even get an auto-response.

Regarding the Report-Files: I looked through different settings and turns out: everywhere except on full scan and target scan it makes logs. Makes no sense but currently I'm not surprised by anything from this software.  >:(
Title: Re: Avast destroyed over 4k Mails
Post by: MartinZ on April 19, 2018, 05:36:00 PM
Hi, it's strange that you don't see it in the scan results. Might be a case that the file was too big for chest. Need to check it out.
Title: Re: Avast destroyed over 4k Mails
Post by: AvastDestroysMails_wtf on April 19, 2018, 06:15:06 PM
It's the same issue that happened here https://forum.avast.com/index.php?topic=218074.0
@MartinZ: currently see 2 Bugs in Avast!
#1 - the functionality of the element to change the actions (that Avast! performs on detected files) in the scan-result area is broken and the user is unable to change the action
#2 - Avast! fails to move files into the Chest and destroys them in the process (should not happen under any circumstances)

Please fix this!

EDIT: adjusted username on request of bob3160
Title: Re: Avast destroyed over 4k Mails
Post by: Asyn on April 27, 2018, 06:09:05 AM
Dev-Info: The underlying detection (common for all 3 cases) has been updated yesterday so that it shouldn't happen on Thunderbird mailboxes anymore, and I'll try to prevent their removal in a generic way in the next few days.
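
The failure reported as bug #2 in this thread (a move into the Chest that fails but still removes the source) and the request that only the detected message be cut out of the Inbox file, as an added Python example that is not part of the thread and not Avast's code: each flagged message is copied out, the copy is verified, and only then is it removed from the mbox. The function names, the `.eml` quarantine layout and the marker-based "detection" are assumptions made for illustration.

```python
import hashlib
import mailbox
import os
import tempfile

MARKER = b"EXAMPLE-PHISH-MARKER"  # constructed stand-in for a scanner detection


def build_sample_mbox(workdir):
    """Create a constructed three-message mbox named like Thunderbird's Inbox."""
    path = os.path.join(workdir, "Inbox")
    box = mailbox.mbox(path)
    for subject, body in (("one", "hello"), ("two", MARKER.decode()), ("three", "bye")):
        box.add(f"From: a@example.test\nSubject: {subject}\n\n{body}\n")
    box.close()
    return path


def quarantine_flagged(mbox_path, quarantine_dir, is_flagged):
    """Copy flagged messages out, verify the copies, only then remove them.
    A failed write to quarantine_dir raises OSError and changes nothing."""
    box = mailbox.mbox(mbox_path, create=False)
    box.lock()
    copied = []  # (mbox key, quarantine path) for every verified copy
    try:
        for key in box.keys():
            raw = box.get_bytes(key)
            if not is_flagged(raw):
                continue
            digest = hashlib.sha256(raw).hexdigest()
            dest = os.path.join(quarantine_dir, digest + ".eml")
            with open(dest, "wb") as fh:
                fh.write(raw)
                fh.flush()
                os.fsync(fh.fileno())
            with open(dest, "rb") as fh:  # read back before trusting the copy
                if hashlib.sha256(fh.read()).hexdigest() != digest:
                    raise OSError("quarantine copy does not match source")
            copied.append((key, dest))
        for key, _ in copied:  # the destructive step happens last
            box.remove(key)
        box.flush()  # rewrites the mbox via a temporary file and rename
        return [dest for _, dest in copied]
    finally:
        box.close()


def demo():
    """Quarantine the flagged message; return remaining subjects and copies."""
    work = tempfile.mkdtemp()
    path = build_sample_mbox(work)
    chest = os.path.join(work, "chest")
    os.mkdir(chest)
    moved = quarantine_flagged(path, chest, lambda raw: MARKER in raw)
    box = mailbox.mbox(path, create=False)
    subjects = [msg["Subject"] for msg in box]
    box.close()
    return subjects, moved
```

Something like this should only be run with Thunderbird closed; because the `.msf` file holds pointers into the mbox, it is stale after the rewrite.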