Avast WEBforum

Avast Products => Avast Free Antivirus / Premium Security (legacy Pro Antivirus, Internet Security, Premier) => Topic started by: alanrf on July 27, 2007, 02:27:37 AM

Title: VPS 761-0 preventing Thunderbird Hotmail access
Post by: alanrf on July 27, 2007, 02:27:37 AM
This should be interesting to explain. 

I have been retrieving my email all day on Thunderbird.  I use the Thunderbird Webmail extension to allow me to download email from Hotmail to my Thunderbird mail client.  The Webmail extension acts as an http to POP converter.  It accesses my Webmail via http and converts the http screens to a POP stream. 

I have made no changes to my Thunderbird environment.

I just downloaded VPS 761-0 dated 27/7/2007 (must be just released since you are only just into that date in Prague).

Now when attempting to retrieve my mail on my Hotmail accounts when one of the internal http screens of Hotmail (curmbox = current mail box) is accessed avast is preventing it due to a Malware report and aborting the connection. 

I cannot send you the page, because I do not have it - it is internal to the status of my mail account.  Please note this is a page giving the status of my mail account; it contains no email content whatsoever but is needed by the function in preparation for accessing the mail store of Hotmail.

This, if it is generalized, will prevent access by all Thunderbird users to all free Hotmail accounts.   
Title: Re: VPS 761-0 preventing Thunderbird Hotmail access
Post by: alanrf on July 27, 2007, 02:37:24 AM
I just reverted my system to one minute before the VPS update and prevented the update, so I am now back on VPS 760-3.  There are no alarms from avast when my Hotmail is downloaded by Thunderbird.


Later edit:

I have done some further testing with the folks I support and on my own accounts.  The problem is a little more restricted than I first reported. 

The problem is occurring when Thunderbird attempts to retrieve mail for free Hotmail accounts that have not been converted to the Hotmail Live environment.  It is irrelevant whether there is any mail in the Inbox of the account or not - avast aborts the connection.   
Title: Re: VPS 761-0 preventing Thunderbird Hotmail access
Post by: DavidR on July 27, 2007, 03:15:38 AM
Hi Alan, another topic same problem, http://forum.avast.com/index.php?topic=29573.0.

I've just sent an email to virus (at) avast.com referring to the problem and the two topics on the forums.
Title: Re: VPS 761-0 preventing Thunderbird Hotmail access
Post by: alanrf on July 27, 2007, 03:25:39 AM
Thanks for your help David.
Title: Re: VPS 761-0 preventing Thunderbird Hotmail access
Post by: alanrf on July 27, 2007, 03:47:27 AM
As a temporary work around:

In the Webshield:

Click Customize > Exceptions tab > next to the box "URLs to exclude" click Add > modify the highlighted box to:

http://by*

Click OK > OK

Remember to go back and remove this exception when the problem is reported as fixed here.
Title: Re: VPS 761-0 preventing Thunderbird Hotmail access
Post by: DavidR on July 27, 2007, 03:53:40 AM
Thanks for your help David.

Yes it is a bit weird reporting a possible false positive without submitting a file. I did it two days ago for a similar problem with PayPal where it was getting an iFrame Exploit alert and that one was resolved very quickly and I got an email reply which was a surprise ;D

Fingers crossed this will be resolved quickly as I would think it could affect a lot of people.

Edit: You may want to modify your wildcard use so as not to have too large a security hole, e.g.
Code:
http://by*.hotmail.*
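
An added example, not part of the thread or of avast's code, comparing how far the two exclusions above reach. It assumes the exclusion wildcard behaves like a glob in which `*` matches any characters (including `/` and `.`); the sample URLs, the `is_intended` rule and the host-only matcher are constructed for illustration.

```python
from fnmatch import fnmatchcase
from urllib.parse import urlsplit

# Constructed sample URLs; every host is a placeholder, none comes from the thread.
SAMPLE_URLS = [
    "http://by000.hotmail.example/cgi-bin/curmbox",
    "http://bystander.example/page.js",
    "http://by.example/x.hotmail.y/script.js",
    "http://www.example.org/index.html",
]

def is_intended(url):
    """Intended target here: host starts with 'by' and has a 'hotmail' label."""
    host = urlsplit(url).hostname or ""
    return host.startswith("by") and "hotmail" in host.split(".")

def url_glob_excluded(url, pattern):
    """Assumed semantics: the pattern is matched against the whole URL."""
    return fnmatchcase(url, pattern)

def host_glob_excluded(url, host_pattern):
    """Stricter alternative (hypothetical): match the wildcard on the host only."""
    parts = urlsplit(url)
    return parts.scheme == "http" and fnmatchcase(parts.hostname or "", host_pattern)

def overreach(urls, matcher, pattern):
    """URLs that would skip scanning although they are not the intended target."""
    return [u for u in urls if matcher(u, pattern) and not is_intended(u)]

if __name__ == "__main__":
    checks = [
        (url_glob_excluded, "http://by*"),
        (url_glob_excluded, "http://by*.hotmail.*"),
        (host_glob_excluded, "by*.hotmail.*"),
    ]
    for matcher, pattern in checks:
        extra = overreach(SAMPLE_URLS, matcher, pattern)
        print(f"{matcher.__name__:20} {pattern:22} unintended: {extra}")
```

Under these assumptions the narrower pattern still matches a URL whose path contains `.hotmail.`, which is why the exception is best removed as soon as the fixed VPS is installed.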
Title: Re: VPS 761-0 preventing Thunderbird Hotmail access
Post by: havard on July 27, 2007, 03:55:40 AM
I had the same alert from Avast when connecting to Hotmail while I was using IE to access my Hotmail. The alert was triggered when I was at the email list interface, and when none of the emails had been opened yet.
Title: Re: VPS 761-0 preventing Thunderbird Hotmail access
Post by: alanrf on July 27, 2007, 04:01:36 AM
David,

I deliberately made the exclusion as simple as possible on basis that it would be easier for most folks to type that without errors and that the avast folks need to fix this very quickly or look pretty silly.  In fact if it is affecting IE users as reported above then I think this one is important enough for them to pull 761-0 and put 760-3 back as 761-1 if necessary.
Title: Re: VPS 761-0 preventing Thunderbird Hotmail access
Post by: DavidR on July 27, 2007, 04:12:12 AM
I think it would affect all browsers as the detection isn't browser specific but at Hotmail.

I appreciate you are trying to keep things simple for users, copy and paste is easy.

They could just examine the VBS:Malware [Script] and just revert that to the previous pre 761-1 value whilst investigating why rather than revert the whole 761-1 145KB update.

First though they have to find what emails have been sent relating to this before they can take any action.
Night Alan my bed is calling after 3a.m. here.
Title: Re: VPS 761-0 preventing Thunderbird Hotmail access
Post by: alanrf on July 27, 2007, 07:10:19 AM
Unfortunately, it has been observed, the workaround I posted earlier is insufficient for IE users (and perhaps for other browser users too).

The workaround I posted earlier is sufficient for users of Thunderbird downloading Hotmail to the Thunderbird mail client.

The workaround posted earlier is needed by IE users but they also need another exception in the Standard Shield to avoid scanning the Temporary Internet folder for IE.  I am reluctant to try to post how to do that since the folder name is dependent on the user name of each system: the opportunities for error are significant and it increases the risk of exposure to real problems.

Reluctantly, I would suggest that any user really needing to get to their Hotmail (before the avast team come up with a new VPS file) should pause the Webshield and the Standard Shield before accessing their Hotmail.

Please, please remember to continue the Webshield and the Standard Shield when you have finished accessing your Hotmail.
Title: Re: VPS 761-0 preventing Thunderbird Hotmail access
Post by: kubecj on July 27, 2007, 10:53:37 AM
I just want to explain the situation - this is caused by the new script/text scanning engine which is quite new and is prone to some bugs.

We'd like to clean up the FP mess as soon as possible, so if anybody has any Hotmail sample, please send it to virus@avast.com and please cc me (kubecj at you know what.com).
Title: Re: VPS 761-0 preventing Thunderbird Hotmail access
Post by: alanrf on July 27, 2007, 10:59:55 AM
kubecj,

I am more than happy to work with you to get the sample - but it's not clear how to trap the Webshield sample when it just aborts the connection.

If we turn off the Webshield then there is no certainty the final page is the one avast is complaining about.
Title: Re: VPS 761-0 preventing Thunderbird Hotmail access
Post by: alanrf on July 27, 2007, 11:36:48 AM
Confirming that VPS 761-1 has corrected the Hotmail retrieval problem in IE, Firefox and with the Thunderbird mail client
Title: Re: VPS 761-0 preventing Thunderbird Hotmail access
Post by: news on July 27, 2007, 12:45:09 PM
Thanks for the update alanrf.
 
Many thanks to kubecj and the avast! team for the quick response.
Title: Re: VPS 761-0 preventing Thunderbird Hotmail access
Post by: DavidR on July 27, 2007, 03:39:22 PM
Just got this email back from Alwil when I awoke from my slumbers:

Quote
please update avast's VPS database, this false positive detection has
been fixed.

Two emails in a week I'm honoured ;D ;D
Title: Re: VPS 761-0 preventing Thunderbird Hotmail access
Post by: alanrf on July 27, 2007, 08:25:03 PM
Quote
Many thanks to kubecj and the avast! team for the quick response.

While I certainly agree that the thanks are due given the size of the affected population I cannot agree that this was a quick response. 

I hope that the Alwil management team will review their responsiveness given that this sizable VPS update was released just after midnight (local time to the avast team) and their capability to deal with a large affected population at that hour.
Title: Re: VPS 761-0 preventing Thunderbird Hotmail access
Post by: news on July 27, 2007, 08:40:38 PM
alanrf...
While it may not have been rapid response...it was truly very quick to me.

I've run into far more grave situations with software...and the problems were not handled nearly as fast as this team of folks handled this.

I'm pleased with the way things went. Could have been far worse...and for me...it has been. Just my opinion is all.
Title: Re: VPS 761-0 preventing Thunderbird Hotmail access
Post by: alanrf on July 27, 2007, 09:38:05 PM
Depends on your perspective - I have had the job of being responsible for worldwide availability of services for major corporations (a well known bank and a well known airline) 24x7.  The difference there was, of course, the major financial impact to those corporations of even the briefest outages.  I am very familiar with the pager going off in the middle of the night. 

For avast it is their reputation - if they take out access by their users to major functions like Hotmail or GMail for any lengthy period (and I consider >8 hours lengthy) it certainly is not enhancing it.   
Title: Re: VPS 761-0 preventing Thunderbird Hotmail access
Post by: DavidR on July 27, 2007, 10:25:30 PM
Yes the response could have been quicker, somewhere between 8 and 12 hours in this case, well under 8 hours (5 I believe) for the PayPal issue.

That however could be down to the VPS release time as you mention, releasing a largish update late at night will always be at risk of adding about 4-6 hours to response time. Perhaps that is something that needs to be addressed, releasing only critical updates in the wee small hours, with lesser priority updates released the next morning.
Title: Re: VPS 761-0 preventing Thunderbird Hotmail access
Post by: Vlk on July 27, 2007, 10:36:38 PM
I agree that we could have done better.

Just to explain a little bit, the reason that the update was released at roughly 1:30am our time is that 1:00am to 6:00am is the most idle period of the day for our updating servers. The update was almost 200KB in size (relatively large), and so we needed to avoid releasing it during the rush hours (let's do some math: there's 34+ millions of users, and roughly 60% of them are connected permanently; these usually get updated during the first 4 hours [that's the default update check interval]. That is, 20 millions of people times 0.2MB equals to 4 TB during 4 hours - equivalent to the need of a 2.2 GBit/s continuous stream - something our updating infrastructure [currently consisting of ~150 servers] can barely withstand).

But that doesn't change anything on the fact that there should've been someone ready to solve potential problems.

I apologize for any inconvenience this might have caused.

Thanks
Vlk
Title: Re: VPS 761-0 preventing Thunderbird Hotmail access
Post by: polonus on July 27, 2007, 10:49:17 PM
Hi Vlk,

That is inconvenient for those concerned, but that leaves even more people without noticing it even.
And that is good for the users of an AV product, I missed out on some of Avast's FP's because I did download at another point in time, or while the case was already fixed when I got to it. So everything has two sides to it.
Just a question apart from the downloading capacity, I think Avast is getting more and more popular. What is your personal opinion on this?

polonus
Title: Re: VPS 761-0 preventing Thunderbird Hotmail access
Post by: alanrf on July 27, 2007, 11:01:53 PM
vlk

it is clear you have the point - many thanks for your response.

DavidR

thanks for staying up so late to help.

Polonus - don't worry - those of us living on the other side of the planet will investigate the problems while you sleep so that you are not affected when you wake up.