Avast WEBforum

Consumer Products => Avast Free Antivirus / Premium Security (legacy Pro Antivirus, Internet Security, Premier) => Topic started by: acegap on July 18, 2006, 09:53:30 PM

Title: Avast 4.7 Home missed email eicar Test Virus
Post by: acegap on July 18, 2006, 09:53:30 PM
I just installed an email application for the first time and sent a standard base64 MIME encoded eicar.com file as a Virus Test to see how I am doing so far...

Congratulations... this newbie now has a Virus Test File sitting on his hard drive that got past Avast 4.7 Home Edition without a whimper...

Anyone tell me what I should do now?

Thanks in advance
Title: Re: Avast 4.7 Home missed email eicar Test Virus
Post by: essexboy on July 18, 2006, 10:05:19 PM
What is the e-mail client, and was Avast configured to scan incoming?  Is it a secure client?
Title: Re: Avast 4.7 Home missed email eicar Test Virus
Post by: acegap on July 18, 2006, 10:24:21 PM
Thanks Essex - Robin Hood here lol

I've set up Thunderbird 1.5.0.4.

In the Help of Avast I found:

"The avast! package contains the Mail Protection Wizard that can be used for easy settings of mail protection. This program can be started via Start button on Windows taskbar, Start → Programs → avast! Antivirus → Mail Protection Wizard."

..but there is no such thing in my Start Menu..!

I only have:

1) avast! AntiVirus
2) avast Web site
3) Help

Title: Re: Avast 4.7 Home missed email eicar Test Virus
Post by: Lisandro on July 18, 2006, 10:48:38 PM
Quote
..but there is no such thing in my Start Menu..!

This is only for Windows 9x or Me.
You don't need it for XP.
Which is your Standard Shield security level? High or Normal?
Title: Re: Avast 4.7 Home missed email eicar Test Virus
Post by: acegap on July 18, 2006, 11:02:59 PM
Thanks Tech. I've done a bit of searching and I had better say right now I am using Windows 2000 - fully updated. However, Avast has been installed for about three weeks. About one week ago I installed XP 64-bit as a secondary operating system (running OK but I'm too busy on W2000 to have had much time on it yet). And it is only yesterday that I installed Thunderbird.

According to my searching in this forum so far, the Mail Protection Wizard should be in my Start Menu, but it ain't.

Resident Scanner says 'Standard' but surely a standard eicar test should trigger it? There was a large list to choose from and I chose what looked to be the most simple test to start off with.
Title: Re: Avast 4.7 Home missed email eicar Test Virus
Post by: acegap on July 18, 2006, 11:14:17 PM
ahh...  Internet Mail:  "the provider is currently running"    "scan inbound mail" = enabled    sensitivity "normal"


man, I only just found this after two days at it! I don't want to be judgemental but there does seem to be a lot of stuff scattered everywhere in Avast. The Help isn't accessible from the System tray either. Anyway, that's just how a newbie is seeing it...

Getting back to my virus, it looks like it's scanning but not getting the very basic test to me.

Hmm..
Title: Re: Avast 4.7 Home missed email eicar Test Virus
Post by: DavidR on July 19, 2006, 12:26:36 AM
I assume that you sent it as an attachment, try saving the attachment to your HDD. Thunderbird (sorry I don't use it) has a different method of storing emails and that can and does cause some problems, like if a virus isn't found on the way in and you do an on-demand scan avast might find it in the email folder and in trying to remove it, avast can't extract the infected email part of the folder and can delete the whole file, losing all email in that folder. This is on the FAQs for Thunderbird not to use the inbox for general storage as this can happen with many AVs.

I don't know how avast would deal with an encrypted (base64 or otherwise) infected email/attachment, after all that is the whole point of encryption is to secure the email. I would expect until it is decrypted it won't be detected, that is why I suggest saving the attachment to your HDD as that should remove the encryption?

Try it on a standard email attachment and see what happens.
Title: Re: Avast 4.7 Home missed email eicar Test Virus
Post by: mauserme on July 19, 2006, 02:04:41 AM
Quote
The Help isn't accessible from the System tray either. Anyway, that's just how a newbie is seeing it...

Right click the i-icon in the system tray, then click "What is avast! VRDB?".  This will open the help file on that topic but it's easy enough to navigate from there.

Or, just consider the forum your help file.
Title: Re: Avast 4.7 Home missed email eicar Test Virus
Post by: DavidR on July 19, 2006, 02:27:22 AM
The location for the help file is C:\Program Files\Alwil Software\Avast4\ENGLISH\HELP\help.chm you can also create a desktop shortcut for it.
You can also use the Windows Start, All Programs, avast! Anti-virus, Help.
Title: Re: Avast 4.7 Home missed email eicar Test Virus
Post by: alanrf on July 19, 2006, 06:01:30 AM
Quote
Thunderbird (sorry I don't use it) has a different method of storing emails and that can and does cause some problems

Sorry David, I do use Thunderbird and I am very familiar with its internals and  workings and your comment is completely without foundation.

Base64 encoding is not about encryption or security. All (well almost all) POP3 non-text email attachments are base64 encoded in billions of emails around the world every day.  Base64 encoding is what makes it possible to make a binary file attachment look like regular numbers and letters and able to send them through the old as dirt SMTP protocol that was really only designed to transmit text.  Avast knows all about base64, it caches the attachments,  decodes them to turn them back into the real files and thoroughly scans the real files just as it would any other file.     

I recently spent quite some time sending every available eicar virus format I could find through to Thunderbird (1.5.0.4) ... and avast caught every one of them with the IM scanner setting at normal. 

Quote
Getting back to my virus, it looks like it's scanning but not getting the very basic test to me.

Can you tell us how you know it is being scanned - are you seeing the number of messages scanned in the Internet Mail scanner increasing?  Are you seeing the subject line of the eicar message recorded in the scanner?

I am just wondering how you are getting the eicar message delivered to Thunderbird at all when most major ISPs and mailing services include virus scans that will prevent even the eicar virus from being delivered. 

Could it be that the connection you used to deliver the eicar message from the mail server was a secure session?  Those cannot, by definition, be intercepted by avast to scan the messages and, if not stopped at the mail server, will be delivered to the Thunderbird messages store (or that of any other mail client for that matter).

Last but not least, I suspect this is a very short mail message.  Could you capture the view of the message source in Thunderbird (select message then View > Message source) ... obscure any personal details of yours and then post the result here, if not all of it then at least the message headers?
Title: Re: Avast 4.7 Home missed email eicar Test Virus
Post by: acegap on July 19, 2006, 02:19:35 PM
Many thanks guys.

alan: On Access Protection Control has everything functioning at default, including:
   
   Internet Mail:  "the provider is currently running"
   sensitivity: "normal"
   "scan inbound mail" = enabled

I sent the eicar from http://www.declude.com/Articles.asp?ID=99

I clicked on the attachment in the inbox today and of course Avast got it straight away. The Standard shield now has an infected count of 1.

So, I sent the eicar again this morning to the same Yahoo! account (Ypops running as well). Clicked on Get Mail in Thunderbird and there it is in the inbox again.

Internet Mail scanner is currently:
   Sensitivity = Normal
   POP Scan Inbound Mail = Enabled
   Scanned count = 0
   Infected Count = 0

..maybe it isn't scanning after all..?

I have attached a .png printscreen of Thunderbird inbox with eicar full message.

Dave: Thanks for the Inbox non-storage tip... Priceless info!

and mauserme: Thanks for the post but my whinge was really from the Programmer's viewpoint - I just thought it was a bit stingy to allocate two full lines in a very full system tray menu to 'Upgrade to Professional..' and leave us to 'navigate' heaven knows where (newbie) to find Help - If I can get it set up to work OK it looks good but I just think the whole thing needs pulling together a bit more, imho. Settings and Scanner look like two different applications for instance - I'm not continuing the whinge, I am on ur side, just explaining. lol

Thank you for your time, all
Title: Re: Avast 4.7 Home missed email eicar Test Virus
Post by: acegap on July 19, 2006, 05:42:53 PM
a quick update...

After roaming through the Ypops forum and Thunderbird forum I changed the port on Thunderbird accounts and Ypops to 111 from 110 (default) and changed the SMTP port on both to 26 from 25 (default) - I then sent the same virus to the same email address again and it got through Avast and is now sitting in the inbox in Thunderbird.
Title: Re: Avast 4.7 Home missed email eicar Test Virus
Post by: Lisandro on July 19, 2006, 05:52:26 PM
avast, by default, scans only 110 and 25 (the default ports).
In order to scan other ports communication, you need to set them into the 'Redirection' page of settings of the Internet Mail provider and boot  ;)
Title: Re: Avast 4.7 Home missed email eicar Test Virus
Post by: acegap on July 19, 2006, 06:15:18 PM
thanks Tech - I changed the settings to 111 & 26 in the Internet Mail / Redirect... rebooted the computer... sent the same eicar test to the same email address.. started up Thunderbird, downloaded email..

..and it got through.

Avast Internet Mail still at:

Scanned count = 0
Infected count = 0
Title: Re: Avast 4.7 Home missed email eicar Test Virus
Post by: Lisandro on July 19, 2006, 07:21:33 PM
Are you using SSL communication? Which is your email server, I mean, what do you have after the @ on your email address?
Doesn't avast detect any of the eicar files? Or it just does not detect the archive files of the eicar ones?
Title: Re: Avast 4.7 Home missed email eicar Test Virus
Post by: acegap on July 19, 2006, 07:35:25 PM
I have no idea what SSL communication is.
email server is in top left corner of the .png 5 posts back

Internet Mail Scanner:
Scanned count = 0
Infected Count = 0

If I click on the attachment in the downloaded email (that hasn't been scanned) in the Thunderbird inbox, Avast then gives the Alert and deals with it.
Title: Re: Avast 4.7 Home missed email eicar Test Virus
Post by: Lisandro on July 19, 2006, 07:43:03 PM
Quote
I have no idea what SSL communication is.

For instance: http://www.ssl-forum.com/forum/index.php?showtopic=100&hl=yahoo+mail

It's not possible to scan SSL (Secure Socket Layer) connections. Avast mail scanner doesn't support SSL (Secure Socket Layer) connections.
But take a look here: http://forum.avast.com/index.php?topic=10428.0 to see how to set up secure email with avast!.

Since SSL/TLS e-mail is encrypted and decrypted in the client, external virus scanners (including avast!) can't read or scan it.
The solution is to pass e-mail in and out un-encrypted from your client (Outlook Express, Thunderbird, ...) to a proxy program (Stunnel) that does the actual ssl or tls encryption/decryption of the pop3/smtp e-mail and communicates directly with the ISP server on the appropriate ports. Other drivers (OpenSSL) are needed as a library of encryption/decryption routines. Stunnel now comes as an installer which installs Open SSL and Stunnel so now you just have to download the installer version from here http://www.stunnel.org/download/binaries.html
Title: Re: Avast 4.7 Home missed email eicar Test Virus
Post by: acegap on July 19, 2006, 09:25:01 PM
Thanks for all your help Tech but that isn't what I am looking for. I didn't come here looking for a  developers forum. I came here looking for a forum on what I thought was a straightforward Anti-Virus / email scanning problem. I am a programmer myself and if I gave you some of the stuff I work on you would get a headache I guarantee it.

I want something I can look at and trust without thinking about it. I've never used an email client since I started using email in 1994, preferring to stick with the relative safety of Web based email. I never had an email on my hard drive before two days ago. I thought I would take a look see at Thunderbird.

What a nightmare.

Many Thanks all for your time but I might be gone some time...
Title: Re: Avast 4.7 Home missed email eicar Test Virus
Post by: igor on July 19, 2006, 09:33:35 PM
SSL communication is an encrypted connection to the mail server. Such a connection cannot be scanned - because it's encrypted. So, it's quite important to know... I'm not familiar with Thunderbird, but I'm sure there must be an option for SSL (or secure, or something like that) somewhere in the account configuration.
Title: Re: Avast 4.7 Home missed email eicar Test Virus
Post by: ardvark on July 19, 2006, 10:59:24 PM
Quote
I came here looking for a forum on what I thought was a straightforward Anti-Virus / email scanning problem.

Very little in computers is ever straightforward ;)

Like tech and igor mentioned, the mail scanner does not support SSL transactions. Along with igor's suggestion of turning off SSL in Thunderbird's configuration box, you could also try using Outlook or Outlook Express (or another non SSL client) if you still want to (take another chance and) retrieve your email through POP3.

Best Regards...

Title: Re: Avast 4.7 Home missed email eicar Test Virus
Post by: alanrf on July 20, 2006, 12:10:28 AM
The answer is, in fact, very simple.

These eicar test messages have not been scanned by avast at all due to the default settings of avast.

Unfortunately acegap has not been able to respond fully to the requests for information that we have put. 

SSL is not involved in any way here and acegap has finally told us (in a roundabout way) why the messages are not being scanned. That's why I asked details on how the message was delivered and for a screen capture of the message source ... which we did not get.  It would have shown that the X-Antivirus headers (inserted when avast scans a message) would not be there.

acegap used a well known eicar test site to send emails to his email account on Yahoo.co.uk.

Yahoo does not scan messages as they are delivered to the Yahoo message store.  Yahoo scans the messages when the user accesses the message from the message store either using the web interface or via POP3 if the user is allowed that access.  In either case acegap would not have been able to get the eicar virus delivered.

Instead, acegap uses YPops to deliver Yahoo mail messages to his Thunderbird client as a POP3 stream.  YPops and other similar programs (MrPostman, FreePops, the WebMail extensions of Thunderbird) all perform this conversion by http accesses to the user's mail account in Yahoo.  It accesses the raw messages in the Yahoo message store, converts the message to a standard POP3 stream and delivers it to the mail client (any old client) and, in doing so, the scan performed by Yahoo is avoided.

YPops (and the others mentioned) all run as a local proxy (any bells ringing yet?).  The user specifies localhost as the server and can define to YPops which port will be used (the default for Ypops is 110) but acegap told us that initially port 111 was being used. 

It is the default setting in the avast Internet Mail server to ignore all local communication.  All acegap needs to do to get these messages scanned by avast is to go to the Redirect tab of the Internet Mail scanner and uncheck the "Ignore local communication" box and these messages will all be scanned by avast.  With the proviso that if a non-standard port (like 111) is used then that port needs to be added to the POP port box in the same tab.

I first came into this forum two years ago with the same question, others have followed.  There is still precious little help for anyone with the same question in avast. 

Before I came here I was testing out AVG.  While I was in their forum I was asked to write a post which is still a sticky at the head of their mail forum.  If avast has somewhere to put a description for users of these 3rd party Webmail to POP converters and how to make them work with avast then I will be happy to put something together for review by the team.   
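
Added example (editorial, not written by any poster in this thread and not avast code): the two checks discussed above, run over a constructed message. It shows that a base64 MIME attachment hides the test marker from a raw byte search but not from a scanner that decodes MIME parts, and it reports whether an X-Antivirus header is present. The addresses, header value and stand-in payload are constructed; the payload carries only the EICAR marker text, not the complete test file.

```python
from email import message_from_bytes
from email.message import EmailMessage

# Marker text found inside the EICAR test file. The sample attachment below is
# a constructed stand-in that contains this marker, not the full test file.
MARKER = b"EICAR-STANDARD-ANTIVIRUS-TEST-FILE"


def build_sample(scanned: bool) -> bytes:
    """Construct a message with a base64 MIME attachment (sample data)."""
    msg = EmailMessage()
    msg["From"] = "sender@example.test"
    msg["To"] = "user@example.test"
    msg["Subject"] = "constructed test message"
    if scanned:
        # Header name is the one mentioned in the thread; value is constructed.
        msg["X-Antivirus"] = "constructed-sample-value"
    msg.set_content("Test attachment enclosed.")
    # Bytes attachments get Content-Transfer-Encoding: base64 by default.
    msg.add_attachment(b"stand-in payload: " + MARKER + b"\r\n",
                       maintype="application", subtype="octet-stream",
                       filename="eicar.com")
    return msg.as_bytes()


def inspect(raw: bytes) -> dict:
    """Compare a raw byte search with a search of the decoded MIME parts."""
    msg = message_from_bytes(raw)
    hits = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        body = part.get_payload(decode=True) or b""  # undoes base64 / QP
        if MARKER in body:
            hits.append((part.get_filename(),
                         part.get("Content-Transfer-Encoding")))
    return {
        "marker_in_raw_bytes": MARKER in raw,    # what a naive grep sees
        "decoded_hits": hits,                    # what a MIME-aware scan sees
        "x_antivirus": msg.get("X-Antivirus"),   # None: no scanner stamp
    }


if __name__ == "__main__":
    for flag in (False, True):
        print(flag, inspect(build_sample(scanned=flag)))
```

Pointing `inspect` at the bytes saved from View > Message source gives the same three answers for a real message.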

     

 
Title: Re: Avast 4.7 Home missed email eicar Test Virus
Post by: alanrf on July 20, 2006, 03:08:29 AM
A couple of extra thoughts on this issue.

Just the quick observation - the issue acegap reported is mail client independent and could have been reported with whatever POP3 client was being used.

More important - and related to another recent thread is the undisclosed selectivity of avast in the scanning of http accesses and the lost opportunities for avast to be more effective in detection.  If the http accesses being performed by YPops were being scanned by default then the eicar virus might well have been detected at source.  Now, in this case we know that the eicar virus was part of a base64 encoded attachment and might not have been caught. 

In recent testing I downloaded a large range of eicar test viruses from Yahoo to deliberately infect Thunderbird mail folders for testing with avast but I was using the Thunderbird Webmail extensions instead of YPops.  What's the difference?  The Webmail extensions run as part of Thunderbird.  avast now does scan the http accesses of Thunderbird and a whole lot of the eicar viruses were detected by the avast Webshield as the Webmail extensions performed the http accesses to the Yahoo mail store.       
Title: Re: Avast 4.7 Home missed email eicar Test Virus
Post by: acegap on July 20, 2006, 01:56:31 PM
alanrf - You Are The Man - in fact, Bingo! It works. base64 attachment caught first time! Everyone in here owes alanrf A Beer.

I knew it should be something simple that's why I was getting cheesed off.

Please excuse for the non-delivery of "..how the message was delivered and for a screen capture of the message source" - I wasn't quite sure what you were after so I sent the printscreen of Thunderbird which was all I could think of.

I think avast owes him a Beer as well.

No wonder Yahoo! shares went down 22% yesterday lol!