Author Topic: Web Shield - HTTP traffic in Thunderbird  (Read 11428 times)


DaveD

  • Guest
Web Shield - HTTP traffic in Thunderbird
« on: April 06, 2006, 04:25:36 PM »
Why does Web Shield not scan HTTP traffic in Mozilla Thunderbird?

The example that I have is an HTML weather report e-mail from:
http://www.theweathernetwork.ca/inter/weathercentre/email/

The e-mail is HTML and downloads all images from the website via HTTP. I have seen other e-mails similar to this; like movie theater show times.

Is it not possible that Thunderbird could receive an HTML-based e-mail and download something from a malicious website via HTTP?

Thanks,
Dave

Online DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89033
  • No support PMs thanks
Re: Web Shield - HTTP traffic in Thunderbird
« Reply #1 on: April 06, 2006, 05:38:57 PM »
What is your OS?
What is your browser?

Well, your HTTP email would normally be viewed over a browser, not an email program like Thunderbird; in that instance Web Shield would monitor HTTP traffic. So how do you view this email, in your browser or downloaded in your email program?

If you have somehow set up Thunderbird to download that HTTP mail by some sort of conversion so it appears in your inbox, then it isn't using the standard POP3 protocol, so it won't be scanned by the Internet Mail provider either.
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 24.3.6108 (build 24.3.8975.762) UI 1.0.801/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security

Offline alanrf

  • Avast Evangelist
  • Massive Poster
  • ***
  • Posts: 3870
  • Just an avast user
Re: Web Shield - HTTP traffic in Thunderbird
« Reply #2 on: April 06, 2006, 05:55:20 PM »
David,

I was surprised by the post of DaveD.  So I looked into it a bit more.

The point being made is that a huge amount of email we all get these days is html based.  That html code is rendered by the mail client whether it be Thunderbird or Outlook or whatever.  That code directs that images and other stuff be retrieved from websites to compose the image that we see on the screen.

Looking at my system, it certainly appears that avast is not intercepting the HTTP calls to port 80 while the HTML elements are being retrieved from remote sites.  The Web Shield count is not increasing and I see direct connections to port 80 established from Thunderbird (i.e. not being intercepted by avast).

Offline alanrf

  • Avast Evangelist
  • Massive Poster
  • ***
  • Posts: 3870
  • Just an avast user
Re: Web Shield - HTTP traffic in Thunderbird
« Reply #3 on: April 06, 2006, 06:04:34 PM »
Just a bit of follow up ...

I just looked at some html based email on Yahoo viewing it thru my browser - Firefox.   Now I see that the sites from which the message components are being retrieved are being recorded by the Web Shield (and the scan count increasing).

The non-scanning of http accesses is also occurring with html mail viewed in Outlook Express as well.
« Last Edit: April 06, 2006, 07:00:59 PM by alanrf »

DaveD

  • Guest
Re: Web Shield - HTTP traffic in Thunderbird
« Reply #4 on: April 06, 2006, 07:09:06 PM »
> What is your OS?
> What is your browser?
>
> Well, your HTTP email would normally be viewed over a browser, not an email program like Thunderbird; in that instance Web Shield would monitor HTTP traffic. So how do you view this email, in your browser or downloaded in your email program?
>
> If you have somehow set up Thunderbird to download that HTTP mail by some sort of conversion so it appears in your inbox, then it isn't using the standard POP3 protocol, so it won't be scanned by the Internet Mail provider either.

Windows 2000 SP4 UR1
Mozilla Firefox
Mozilla Thunderbird

It is coming in directly to Thunderbird and viewed in Thunderbird, however, it is HTML-based e-mail and therefore pulls images and such directly from the website each time the e-mail is viewed. On port 80 of course.

DaveD

  • Guest
Re: Web Shield - HTTP traffic in Thunderbird
« Reply #5 on: April 06, 2006, 07:12:15 PM »
I remember when avast! first came out with Web Shield it originally scanned ALL traffic from ALL programs on HTTP Port 80. However, due to complications with certain programs, I believe avast! limited the scanning to only a certain number of browsers and programs. E-mail programs should definitely be scanned by Web Shield when accessing data through port 80, and it sounds as though they have been excluded. It probably wouldn't be difficult for the avast! team to add these e-mail programs to the list or through avast4.ini somehow.

I do see this as a possible vulnerability though.

DaveD

  • Guest
Re: Web Shield - HTTP traffic in Thunderbird
« Reply #6 on: April 07, 2006, 01:16:34 PM »
Will this avast4.ini adjustment allow HTTP scanning in Thunderbird?

[WebScanner]
OptinProcess=thunderbird.exe

I have never edited the avast4.ini file before, so I would prefer to ask here first if this is the correct way to do it. I got this idea from Tech's thread on editing the avast4.ini file. Thank you Tech.

Do I need to put the full path name to the process?

Thanks,
Dave

Offline RejZoR

  • Polymorphic Sheep
  • Serious Graphoman
  • *****
  • Posts: 9406
  • We are supersheep, resistance is futile!
    • RejZoR's Flock of Sheep
Re: Web Shield - HTTP traffic in Thunderbird
« Reply #7 on: April 07, 2006, 01:22:28 PM »
Just use my avast! External Control tool (see link below) and enable "Power Mode" for web shield.
Web Shield checked all HTTP traffic at the beginning but they removed that because of compatibility reasons (it's now checking just most common browsers). Power Mode forces avast! again to check all HTTP traffic.
If you encounter problems you can always disable it later...
« Last Edit: April 07, 2006, 01:24:06 PM by RejZoR »
Visit my webpage Angry Sheep Blog

Offline Lisandro

  • Avast team
  • Certainly Bot
  • *
  • Posts: 67194
Re: Web Shield - HTTP traffic in Thunderbird
« Reply #8 on: April 07, 2006, 01:52:28 PM »
> Will this avast4.ini adjustment allow HTTP scanning in Thunderbird?
> [WebScanner]
> OptinProcess=thunderbird.exe

Maybe... Lukas must confirm this, or Igor...

> I have never edited the avast4.ini file before, so I would prefer to ask here first if this is the correct way to do it. I got this idea from Tech's thread on editing the avast4.ini file. Thank you Tech.

You're welcome  8)

> Do I need to put the full path name to the process?

No. You must use the process name (not the file/path name).
The best things in life are free.

Offline alanrf

  • Avast Evangelist
  • Massive Poster
  • ***
  • Posts: 3870
  • Just an avast user
Re: Web Shield - HTTP traffic in Thunderbird
« Reply #9 on: April 10, 2006, 11:00:16 AM »
I request the courtesy of a response in this thread from the Alwil team please.

Offline lukor

  • Administrator
  • Super Poster
  • ***
  • Posts: 1884
    • AVAST Software
Re: Web Shield - HTTP traffic in Thunderbird
« Reply #10 on: April 10, 2006, 12:11:26 PM »
Hello Guys,
it is really true that mail clients are currently not intercepted by WebShield. The reasoning behind this was that mails were scanned during downloads by Mail Providers and you should be safe this way. WebMails are of course scanned by WebShield - when viewed from common browsers. The other problem we were facing when WebShield was used with Outlook / Outlook Express was the compatibility with Hotmail WebMail, which uses uncommon extensions to the HTTP protocol.

In any case adding the line into avast4.ini

[WebScanner]
OptinProcess=thunderbird.exe


or

[WebScanner]
OptinProcess=thunderbird.exe, outlook.exe, msimn.exe


would enhance scanning to these apps too.

If there is someone with Hotmail Web Access enabled, who might confirm that Outlook Express + Hotmail + WebShield is working correctly, we might perhaps consider expanding the list of scanned "browsers" with some of the common mail clients too.

Cheers.
Lukas.
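
An added example, not part of the original thread and not Avast code: a small Python helper that merges process names into the `OptinProcess` line of the `[WebScanner]` section without touching other settings, and rejects full paths as Reply #8 advises. The sample INI text (including `[ExampleSection]`) is constructed; the helper works on text only, so the location of avast4.ini and a backup copy before writing are left to the reader.

```python
import re

SECTION = "WebScanner"   # section name as given in the thread
KEY = "OptinProcess"     # key name as given in the thread


def opt_in(ini_text, processes):
    """Return ini_text with `processes` merged into [WebScanner] OptinProcess."""
    nl = "\r\n" if "\r\n" in ini_text else "\n"   # keep the file's line endings
    lines = ini_text.splitlines()
    sec_re = re.compile(r"^\s*\[(.+?)\]\s*$")
    key_re = re.compile(r"^\s*" + KEY + r"\s*=(.*)$", re.IGNORECASE)
    start = end = key_at = None
    for i, line in enumerate(lines):
        m = sec_re.match(line)
        if m:
            if start is not None and end is None:
                end = i                            # next header closes our section
            elif start is None and m.group(1).lower() == SECTION.lower():
                start = i
        elif start is not None and end is None and key_re.match(line):
            key_at = i                             # key inside [WebScanner] only
    current = []
    if key_at is not None:
        value = key_re.match(lines[key_at]).group(1)
        current = [p.strip() for p in value.split(",") if p.strip()]
    seen = {p.lower() for p in current}
    for proc in processes:
        if "\\" in proc or "/" in proc:            # process name only, no path
            raise ValueError("use the process name, not a path: " + proc)
        if proc.lower() not in seen:               # idempotent, case-insensitive
            current.append(proc)
            seen.add(proc.lower())
    new_line = KEY + "=" + ", ".join(current)
    if key_at is not None:
        lines[key_at] = new_line
    elif start is not None:
        lines.insert(start + 1, new_line)
    else:
        lines += ["", "[" + SECTION + "]", new_line]
    return nl.join(lines) + nl


# Constructed sample content, not a real avast4.ini.
SAMPLE = "[ExampleSection]\nExampleKey=1\n\n[WebScanner]\nOptinProcess=thunderbird.exe\n"

if __name__ == "__main__":
    print(opt_in(SAMPLE, ["outlook.exe", "msimn.exe"]))
```
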

DaveD

  • Guest
Re: Web Shield - HTTP traffic in Thunderbird
« Reply #11 on: April 10, 2006, 01:19:22 PM »
I have tested this out with Thunderbird with several e-mails; all successfully scanned.

WeatherDirect - http://www.theweathernetwork.ca/inter/weathercentre/email/
BlockBuster Video - http://www.blockbuster.ca/
Cineplex Odeon movie theaters - http://www.cineplex.com/

I receive weekly e-mails from these sites in HTML format which pull the images from the Internet via HTTP. All were scanned successfully by Web Shield.

However, I did not test the Hotmail web-based e-mail because I do not use it. Wouldn't that be SSL anyways? If it were SSL it wouldn't be scanned by Web Shield anyways.

Offline lukor

  • Administrator
  • Super Poster
  • ***
  • Posts: 1884
    • AVAST Software
Re: Web Shield - HTTP traffic in Thunderbird
« Reply #12 on: April 10, 2006, 01:47:51 PM »
> However, I did not test the Hotmail web-based e-mail because I do not use it. Wouldn't that be SSL anyways? If it were SSL it wouldn't be scanned by Web Shield anyways.

Last time I checked it was not via SSL (https://).

Offline alanrf

  • Avast Evangelist
  • Massive Poster
  • ***
  • Posts: 3870
  • Just an avast user
Re: Web Shield - HTTP traffic in Thunderbird
« Reply #13 on: April 10, 2006, 10:24:51 PM »
With Thunderbird and Outlook Express included in the OptinProcess I tested the following:

1) Outlook Express to WebDav enabled Hotmail account - mail received without any problems, it was clear from Webshield that html elements performing http accesses were being scanned as html messages were being rendered.

2) Direct Web access to the same Hotmail account - I already reported earlier in this thread that the html elements performing accesses were being reported as scanned by Webshield (only the login is https).

3) WebDav access to Hotmail message store and conversion to POP3 by Thunderbird Webmail extensions.  No problems in retrieving via WebDav (http) and the Webshield showed that html elements performing http accesses were being scanned as html messages were being rendered by Thunderbird.

While I do not claim these tests are exhaustive they included plain text, html and mixed mode messages containing attachments.

treker96

  • Guest
Re: Web Shield - HTTP traffic in Thunderbird
« Reply #14 on: April 12, 2006, 11:53:39 PM »
maybe they can add an option to enable http scanning in thunderbird and OE without editing the ini file? ???

I just don't feel comfortable editing ini files.
« Last Edit: April 12, 2006, 11:55:57 PM by treker96 »