Author Topic: How to analyze flagged email?  (Read 4575 times)


Blork

  • Guest
How to analyze flagged email?
« on: January 11, 2008, 03:49:55 AM »
I'm using 4.7 home edition, fully updated. I got an email from a friend, and Avast flagged it as dangerous (sirens, audio warning, etc.). However, I had already received the message while logged into a different computer, and I knew that it contained only two lines of text, no links, no graphics, etc. So I let it through, thinking I could analyze it afterwards to see what had tripped the flag.

Well, I can't figure out how to analyze it. It's as if once I let it through, Avast just walked away. Surely there's something in a log file, or a way to specifically analyze that message. But how???

(I'm using Thunderbird 2.0.0.9)

Offline alanrf

  • Avast Evangelist
  • Massive Poster
  • ***
  • Posts: 3870
  • Just an avast user
Re: How to analyze flagged email?
« Reply #1 on: January 11, 2008, 05:02:22 AM »
In the popup (the one with the "radiation" symbol) avast would have given the reason for intercepting the email.  It appears that you perhaps overlooked that in all the mayhem.

Have you checked the log viewer of avast to see the information that has been logged?

There is nowhere to "put" an email.  Email messages only have any real existence as part of an email database maintained by an email client.  There are absolutely no general standards for supporting "orphaned" emails so avast cannot save the message for you. 

Blork

  • Guest
Re: How to analyze flagged email?
« Reply #2 on: January 11, 2008, 06:07:15 AM »
Well, all I saw in the popup was vague "DANGER! VIRUS DETECTED!" or something like that. I was expecting to have the option to somehow isolate the message or whatever. Didn't want to flat-out delete it without even a preview.

So now the message is sitting in my In box, pretty as a picture. There's no sign of it having been flagged. I was hoping I could right-click and scan it or something like that, but apparently not.

I checked the logs twice. All sorts of notices about updating and whatnot, but there's nothing in the logs that indicates this message was ever flagged.

Offline alanrf

  • Avast Evangelist
  • Massive Poster
  • ***
  • Posts: 3870
  • Just an avast user
Re: How to analyze flagged email?
« Reply #3 on: January 11, 2008, 06:56:23 AM »
Sorry, avast does not understand the (incredibly simple) Thunderbird mail file structure; once you have accepted a message into Thunderbird, avast cannot detect it in the mail file.

With email you get two choices keep or delete.  I have explained why quarantine is not possible (avast is not alone in this - there is simply no support for such a thing as an isolated "email message").

You could use the Panda stand-alone antivirus scan - it does understand the Thunderbird mail files, but if you choose to install and run it please be sure to turn off the avast Standard Shield during the Panda scan, since Panda does not encrypt its signatures and may well provoke avast into seeing Panda itself as a problem.

Offline Lisandro

  • Avast team
  • Certainly Bot
  • *
  • Posts: 67185
Re: How to analyze flagged email?
« Reply #4 on: January 11, 2008, 01:05:30 PM »
avast does not understand the (incredibly simple) Thunderbird mail file structure
Can't it be improved on avast 5 version?
The best things in life are free.

Rick F

  • Guest
Re: How to analyze flagged email?
« Reply #5 on: January 11, 2008, 05:41:20 PM »
This is just my opinion, but I'd just delete the email.  Why take a chance?

If you think it might be an important email from a friend or business acquaintance, email them and ask what their email was about. If important, they can send it again.  Then if it's flagged as 'infected' again, you can read the pop-up from avast! more carefully and take appropriate action... like quarantine or delete.

Hope this helps.

Blork

  • Guest
Re: How to analyze flagged email?
« Reply #6 on: January 12, 2008, 06:57:34 AM »
It's not a question of taking a chance or not; I already knew what was in the message (because I had already received a copy on another computer). The question was: once a message is flagged, can you analyze it and determine WHY it was flagged? (In this case there seemed to be nothing suspicious, so if there was some kind of hidden script or trojan, it would be useful to know what it is so I could inform the sender of what they're unknowingly sending around.)

I asked her to send me another message with just a line of text and no images or links. It got flagged again, but this time I paid more attention to the alert. It turns out it was flagged simply because the message had no header.

Seems a bit hyperactive, but I suppose it's better safe than sorry. Still, the message in the alert was really vague and ambiguous. Could have been clearer.

Offline alanrf

  • Avast Evangelist
  • Massive Poster
  • ***
  • Posts: 3870
  • Just an avast user
Re: How to analyze flagged email?
« Reply #7 on: January 12, 2008, 07:28:59 AM »
I think I answered your question already.  Once you have chosen to receive the email into the Thunderbird message store, the answer I gave you was a plain and simple "no".

An email can have no existence without some form of header - and I doubt that was the exact problem reported. 

It would be more helpful if you could capture a screenshot of the avast error message as you see it and post it here. 


Offline Lisandro

  • Avast team
  • Certainly Bot
  • *
  • Posts: 67185
Re: How to analyze flagged email?
« Reply #8 on: January 12, 2008, 11:51:09 AM »
It turns out it was flagged simply because the message had no header.
Header or Subject?

Seems a bit hyperactive, but I suppose it's better safe than sorry. Still, the message in the alert was really vague and ambiguous. Could have been clearer.
In the help file, if you search for the Heuristic mail settings, you'll find an explanation of each setting and option. That will make them clear to you. avast is a very configurable program ;)
The best things in life are free.

Blork

  • Guest
Re: How to analyze flagged email?
« Reply #9 on: January 12, 2008, 06:02:59 PM »
My mistake: I meant to say it had no subject.

I should have taken a screenshot of the alert. It said something like:

    Potentially dangerous message due to subject:

... which made me go "huh?" until I realized it meant because the subject was blank.

I can't even replicate the problem myself. If I send myself blank subject messages (from one of my other email addresses) it goes through no problem. So I still don't know for sure why this person's messages get flagged.


Offline Lisandro

  • Avast team
  • Certainly Bot
  • *
  • Posts: 67185
Re: How to analyze flagged email?
« Reply #10 on: January 12, 2008, 07:08:34 PM »
... which made me go "huh?" until I realized it meant because the subject was blank.
Exactly... See the Heuristic tab of settings... "Subject structure check"
The best things in life are free.
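Added example (not avast's code, and not posted by anyone in the thread): a small Python version of a "subject structure check" run over constructed raw messages. It distinguishes a Subject header that is present but blank from one that is missing altogether, which is one plausible reason a self-sent blank-subject test might pass while another sender's message gets flagged; what avast's own heuristic actually tests is not documented on the page, so the verdict categories below are an assumption.

```python
"""Toy "Subject structure check" over raw RFC 822 messages.

Added example, not avast's code. The classification below
(missing / duplicate / empty / ok) is an assumption about what a
subject-structure heuristic might look for; the page only says that a
message was flagged "due to subject" when the subject was blank.
"""
from email import message_from_string

# Constructed sample messages, not real mail.
SAMPLES = {
    "has_subject":       "From: a@example.com\nTo: b@example.com\nSubject: hi\n\nbody\n",
    "blank_subject":     "From: a@example.com\nTo: b@example.com\nSubject:\n\nbody\n",
    "no_subject_header": "From: a@example.com\nTo: b@example.com\n\nbody\n",
    "duplicate_subject": "From: a@example.com\nSubject: one\nSubject: two\n\nbody\n",
}


def check_subject(raw: str) -> str:
    """Return a verdict for the Subject header of one raw message."""
    msg = message_from_string(raw)
    subjects = msg.get_all("Subject")   # None when the header line is absent
    if subjects is None:
        return "missing"                # no "Subject:" line at all
    if len(subjects) > 1:
        return "duplicate"              # malformed: more than one Subject line
    if not subjects[0].strip():
        return "empty"                  # "Subject:" present but blank
    return "ok"


def flagged(raw: str) -> bool:
    """Mirror the alert in the thread: anything but a well-formed subject is flagged."""
    return check_subject(raw) != "ok"


def scan_all(samples=SAMPLES) -> dict:
    """Run the check over every sample and return name -> verdict."""
    return {name: check_subject(raw) for name, raw in samples.items()}


if __name__ == "__main__":
    for name, verdict in scan_all().items():
        print(f"{name:20s} -> {verdict}")
```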