false positive with backuped thunderbird profile

[zivilist]

Hello,

if a scan my thunderbird backup file (created with http://mozbackup.jasnapaka.com)
avast found several worms:

JS:Seeker-Iu2 [Wrm]

avs: 0605-2, 31.01.2006

But there are definitly no infections.

The same like if I want to install thunderbird 1.5.

Can anybody verify it?

thanks

Raymond

[galooma]

pressure for Increased detections have brought a spate of false positives in recent days .
I suggest you send a copy of the file in a password protected zip file (using 'virus' as the password) to virus @ avast.com  with a brief explanation or reference to this thread so it can be corrected.
you can exclude this file in the interim if you want by adding to exclusion lists in standard sheild and main settings

[DavidR]

You could also check the offending/suspect file at: Jotti - Multi engine on-line virus scanner if any other scanners here detect them it is less likely to be a false positive. You can't do this with the file in the chest, you will need to move it out.
Or VirusTotal - Multi engine on-line virus scanner

If it is indeed a false positive, add it to the exclusions lists and check scan it periodically using the ashQuick scan (right click scan), when it is no longer detected then remove it from the exclusions.
Also see (Mini Sticky) False Positives

[alanrf]

Raymond,

I just used that program to backup my Thunderbird 1.5 profile.  I then scanned the resulting 79Mb backup file and avast! reported no errors, VPS 0605-2.

[zivilist]

hello,

I note that the infection is only in one folder (happened before using avast! home)
I can't scan it because its already in downloaded messages and avast! scans only while incoming messages in thunderbird.
Can you build a provider that scans every mail (unreaded/readed mail)?

If I use the backup tool, unpack it and scan the infected file (one big file for one thunderbird folder) avast delete the folder after the warning

thanks for help

[alanrf]

First please note that I am just an avast user - I do not speak for the avast team.

I am sorry to say that none of the on demand avast scanners available for the avast Home edition has any idea that a file being scanned by it is part of Thunderbird email.

One big part of the problem is Thunderbird itself.  Many email products (like Outlook and Lotus Notes store the mail files in an encrypted format that prevents anyone just reading the email contents).  Those products not only encrypt the mail content but also any virus information that may be contained in the emails, so that an antivirus scanner, like avast, cannot detect it. 

Thunderbird stores the email in each folder in clear text, but each folder is just a clear text file with a filename such as Inbox or Sent or a folder name that you have chosen.  That means that if an email in one of the Thunderbird folders is recognized as a malicious script, for example, then avast will identify the folder as infected and move it completely to the virus chest. 

Avast has no way of knowing that this is an email file and still less has it any way of identifying a single infected mail message in that folder and surgically removing it from the folder. 

That is why it is vital with Thunderbird to use the Internet Mail scanner, which does understand the format of email, to scan email as it is being received (or sent) and to prevent any infected email messages from ever being put into the Thunderbird mail store.

If you can identify the infected message in your Thunderbird folder then it is imperative that you:

1) delete the infected message from the folder
2) empty the trash folder into which the infected message is moved
3) compact the folder from which you deleted the message
4) compact the trash folder to which you emptied in (2) above

Remember that in Thunderbird a mail message is only ever really deleted when you compact any folder in which it was held or any trash folder to which it was copied.   

I realize that this will not solve your problem but I hope that it helps.

[zivilist]

Did a developer contact the developers of thunderbird?
Some information Thunderbird <> Antivirus:

http://kb.mozillazine.org/Thunderbird_:_FAQs_:_Anti-virus_Software (Avast is listed as compatible  )
http://forums.mozillazine.org/viewtopic.php?p=445420#445420

[alanrf]

There is no standard for the way the email packages store email messages.  There is indeed a lot of internal argument going on in the Thunderbird community about wanting to change the way Thunderbird stores the mail. 

Even though I am a Thunderbird user I think the (limited) resources of the avast team would be wasted on writing code to understand the email structures of every mail package that is out there.  If they did they would probably concentrate on heavily used mail packages and not one (like Thunderbird) which still has a very low adoption rate.