Author Topic: Avast assisting email spambots?  (Read 3640 times)

Offline alanrf

  • Avast Evangelist
  • Massive Poster
  • ***
  • Posts: 3870
  • Just an avast user
Avast assisting email spambots?
« on: March 26, 2006, 11:36:30 PM »
Quite a few avast users have come to this forum for advice on connection timeouts reported by the avast mail scanner.

A recent example:

"avast connection time out" Internet Connection Elapsed Continue Waiting?
(taskdir.exe->mta-v24.mail.yahoo.com:25)

Almost all of these users reporting outbound timeouts have been infected with an email spambot (the example above is a well-known trojan).

The good thing about the avast email scanner message is that it does draw the attention of the user to the existence of a problem (it does not really explain to the user what the problem is).

Now the downside. 

It seems that the avast mail scanner actually assists the spambot to do its nasty work.  How? The email messages may be created by the email spambot but, because of the way the internet mail scanner works, it is avast that is actually delivering the mail to the internet and ... since we all trust avast ... avast has been given permission (in most of our firewalls) to have outbound access.  So avast provides a tunnel through the firewall for these spambots. 

If the avast email scanner were not active on outbound mail the user of a firewall with outbound protection would see an alert from the firewall that the spambot process was trying to get outbound permission and would have the opportunity to block it.

Forbidding outbound access to the spambot process in the firewall will not stop the outbound emails so long as avast is ferrying them through the firewall.  For the firewall to be effective the user would need to turn off avast outbound mail scanning while going through the process of removing the trojan.

In this case avast is very much a two-edged sword. 

I still believe that the avast internet mail scanner is valuable in detecting this problem, however it would be helpful if the user - having encountered a spambot - could be allowed to tell the avast email scanner to forbid that process to create an email connection outbound.   

For the Alwil team: I sincerely hope that I have missed a vital point in the way the intercept works and that, at some point in establishing the connection, the originating process name is available to be validated by the firewall.  That would imply all users reporting this kind of infection either do not have outbound protection or have, in fact, given approval to the spambot. 

Please advise.

« Last Edit: March 27, 2006, 03:15:04 AM by alanrf »

Offline alanrf

Re: Avast assisting email spambots
« Reply #1 on: March 26, 2006, 11:50:50 PM »
Perhaps another alternative would be to provide an "opt-in" mechanism for the mail scanner so that the user's e-mail process(es) could be registered to the scanner as the only acceptable source of an outbound email connection request.
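
The situation discussed in the two posts above, as an added example that is not part of the original thread and not Avast's code: from a connection-table snapshot it contrasts what a per-application firewall sees on port 25 with the processes that actually handed mail to the local scanning proxy, then applies the opt-in list suggested in Reply #1. Assumptions: the proxy name `mailscanner.exe`, the loopback listener port, the approved client list and all addresses are constructed; only `taskdir.exe` comes from the post.

```python
from collections import namedtuple

# One row of a connection-table snapshot (as a netstat-style tool reports it).
Conn = namedtuple("Conn", "process local remote")

PROXY = "mailscanner.exe"               # hypothetical name for the scanning proxy
PROXY_LISTEN = ("127.0.0.1", 12025)     # assumed loopback listener of the proxy
APPROVED_CLIENTS = {"thunderbird.exe"}  # constructed opt-in list (Reply #1 idea)

# Constructed sample snapshot; external addresses are documentation ranges.
SNAPSHOT = [
    Conn("thunderbird.exe", ("127.0.0.1", 49201), ("127.0.0.1", 12025)),
    Conn("taskdir.exe",     ("127.0.0.1", 49377), ("127.0.0.1", 12025)),
    Conn("taskdir.exe",     ("127.0.0.1", 49378), ("127.0.0.1", 12025)),
    Conn(PROXY, ("127.0.0.1", 12025), ("127.0.0.1", 49201)),
    Conn(PROXY, ("127.0.0.1", 12025), ("127.0.0.1", 49377)),
    Conn(PROXY, ("127.0.0.1", 12025), ("127.0.0.1", 49378)),
    Conn(PROXY, ("192.168.1.10", 50100), ("198.51.100.7", 25)),
    Conn(PROXY, ("192.168.1.10", 50101), ("203.0.113.24", 25)),
    Conn(PROXY, ("192.168.1.10", 50102), ("203.0.113.24", 25)),
    Conn("firefox.exe", ("192.168.1.10", 50200), ("198.51.100.80", 443)),
]

def firewall_view(snapshot):
    """Processes a per-application firewall sees opening outbound port 25."""
    return {c.process for c in snapshot
            if c.remote[1] == 25 and not c.remote[0].startswith("127.")}

def proxy_clients(snapshot):
    """Connection count per process whose loopback traffic ends at the proxy."""
    counts = {}
    for c in snapshot:
        if c.remote == PROXY_LISTEN and c.process != PROXY:
            counts[c.process] = counts.get(c.process, 0) + 1
    return counts

def unapproved_senders(snapshot, approved=APPROVED_CLIENTS):
    """Proxy clients that are not on the opt-in list of mail programs."""
    return sorted(p for p in proxy_clients(snapshot) if p.lower() not in approved)

if __name__ == "__main__":
    print("firewall sees on port 25:", firewall_view(SNAPSHOT))
    print("actual proxy clients:    ", proxy_clients(SNAPSHOT))
    print("not on opt-in list:      ", unapproved_senders(SNAPSHOT))
```

The snapshot alone cannot pair a specific outbound port 25 connection with a specific client; that mapping exists only inside the proxy, which is why the posts ask for the check to be made there.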