Author Topic: Avast 4.7 Home missed email eicar Test Virus  (Read 12233 times)

0 Members and 1 Guest are viewing this topic.

Offline acegap

  • Newbie
  • *
  • Posts: 12
Re: Avast 4.7 Home missed email eicar Test Virus
« Reply #15 on: July 19, 2006, 07:35:25 PM »
I have no idea what SSL communication is.
email server is in top left corner of the .png 5 posts back

Internet Mail Scanner:
Scanned count = 0
Infected Count = 0

If I click on the attachment in the downloaded email (that hasn't been scanned) in the the Thunderbird inbox  Avast then gives the Alert and deals with it.

Offline Lisandro

  • Avast team
  • Certainly Bot
  • *
  • Posts: 67255
Re: Avast 4.7 Home missed email eicar Test Virus
« Reply #16 on: July 19, 2006, 07:43:03 PM »
I have no idea what SSL communication is.
For instance: http://www.ssl-forum.com/forum/index.php?showtopic=100&hl=yahoo+mail

It's not possible to scan SSL (Secure Socket Layer) connections. Avast mail scanner doesn't support SSL (Secure Socket Layer) connections.
But take a look here: http://forum.avast.com/index.php?topic=10428.0 to see how to set up secure email with avast!.

Since SSL/TLS e-mail is encrypted and decrypted in the client, external virus scanners (including avast!) can't read or scan it.
The solution is to pass e-mail in and out un-encrypted from your client (Outlook Express, Thunderbird, ...) to a proxy program (Stunnel) that does the actual ssl or tls encryption/decryption of the pop3/smtp e-mail and communicates directly with the ISP server on the appropriate ports. Another drivers (OpenSSL) are need as a library of encryption/decryption routines. Stunnel now comes as an installer which installs Open SSL and Stunnel so now you just have to download the installer version from here http://www.stunnel.org/download/binaries.html
The best things in life are free.

Offline acegap

  • Newbie
  • *
  • Posts: 12
Re: Avast 4.7 Home missed email eicar Test Virus
« Reply #17 on: July 19, 2006, 09:25:01 PM »
Thanks for all your help Tech but that isn't what I am looking for. I didn't come here looking for a  developers forum. I came here looking for a forum on what I thought was a straightforward Anti-Virus / email scanning problem. I am a programmer myself and if I gave you some of the stuff I work on you would get a headache I guarantee it.

I want something I can look at and trust without thinking about it. I've never used an email client since I started using email in 1994, preferring to stick with the relative safety of Web based email. I never had an email on my hardrive before two days ago. I thought I would take a look see at Thunderbird.

What a nightmare.

Many Thanks all for your time but I might be gone some time...

Offline igor

  • Avast team
  • Serious Graphoman
  • *
  • Posts: 11796
    • AVAST Software
Re: Avast 4.7 Home missed email eicar Test Virus
« Reply #18 on: July 19, 2006, 09:33:35 PM »
SSL communication is a crypted connection to the mail server. Such a connection cannot be scanned - because it's crypted. So, it's quite important to know... I'm not familiar with Thunderbird, but I'm sure there must be an option for SSL (or secure, or something like that) somewhere in the account configuration.

Offline ardvark

  • Avast Evangelist
  • Super Poster
  • ***
  • Posts: 1512
  • John 3:16 (I'm not an "avast! evangelist")
Re: Avast 4.7 Home missed email eicar Test Virus
« Reply #19 on: July 19, 2006, 10:59:24 PM »
I came here looking for a forum on what I thought was a straightforward Anti-Virus / email scanning problem.

Very little in computers is ever straightforward ;)

Like tech and igor mentioned, the mail scanner does not support SSL transactions. Along with igor's suggestion of turning off SSL in Thunderbird's configuration box, you could also try using Outlook or Outlook Express (or another non SSL client) if you still want to (take another chance and) retrieve your email through POP3.

Best Regards...

« Last Edit: July 19, 2006, 11:07:52 PM by ardvark »

Offline alanrf

  • Avast Evangelist
  • Massive Poster
  • ***
  • Posts: 3866
  • Just an avast user
Re: Avast 4.7 Home missed email eicar Test Virus
« Reply #20 on: July 20, 2006, 12:10:28 AM »
The answer is, in fact, very simple.

These eicar test messages have not been scanned by avast at all due to the default settings of avast.

Unfortunately acegap has not been able to respond fully to the requests for information that we have put. 

SSL is not involved in any way here and acegap has finally told us (in a round about way) why the messages are not being scanned. That's why I asked details on how the message was delivered and for a screen capture of the message source ... which we did not get.  It would have shown that the X-Antivirus headers (inserted when avast scans a message) would not be there.

acegap used a well known eicar test site to send emails to his email account on Yahoo.co.uk.

Yahoo does not scan messages as they are delivered to the Yahoo message store.  Yahoo scans the messages when the user accesses the message from the message store either using the web interface or via POP3 if the user is allowed that access.  In either case acegap would not have been able to get the eicar virus delivered.

Instead, acegap uses YPops to deliver Yahoo mail messages to his Thunderbird client as a POP3 stream.  YPops and other similar programs (MrPostman, FreePops, the WebMail extensions of Thunderbird)) all perform this conversion by http accesses to the users mail account in Yahoo.  It accesses the raw messages in the Yahoo message store, converts the message to a standard POP3 stream and delivers it to the mail client (any old client) and, in doing so, the scan performed by Yahoo is avoided.

YPops (and the others mentioned) all run as a local proxy (any bells ringing yet?).  The user specifies localhost as the server and can define to YPops which port will be used (the default for Ypops is 110) but acegap told us that initially port 111 was being used. 

It is the default setting in the avast Internet Mail server to ignore all local communication.  All acegap needs to do to get these messages scanned by avast is to go to the Redirect tab of the Internet Mail scanner and uncheck the "Ignore local communication" box and these messages will all be scanned by avast.  With the proviso that if a non-standard port (like 111) is used then that port needs to added to the POP port box in the same tab.

I first came into this forum two years ago with the same question, others have followed.  There is still precious little help for anyone with the same question in avast. 

Before I came here I was testing out AVG.  While I was in their forum I was asked to write a post which is still a sticky at the head of their mail forum.  If avast has somewhere to put a description for users of these 3rd party Webmail to POP converters and how to make them work with avast then I will be happy to put something together for review by the team.   

     

 
« Last Edit: July 20, 2006, 12:18:21 AM by alanrf »

Offline alanrf

  • Avast Evangelist
  • Massive Poster
  • ***
  • Posts: 3866
  • Just an avast user
Re: Avast 4.7 Home missed email eicar Test Virus
« Reply #21 on: July 20, 2006, 03:08:29 AM »
A couple of extra thoughts on this issue.

Just the quick observation - the issue acegap reported is mail client independent and could have been reported with whatever POP3 client was being used.

More important - and related to another recent thread is the undisclosed selectivity of avast in the scanning of http accesses and the lost opportunities for avast to be more effective in detection.  If the http accesses being performed by YPops were being scanned by default then the eicar virus might well have been detected at source.  Now, in this case we know that the eicar virus was part of a base64 encoded attachment and might not have been caught. 

In recent testing I downloaded a large range of eicar test viruses from Yahoo to deliberately infect Thunderbird mail folders for testing with avast but I was using the Thunderbird Webmail extensions instead of YPops.  What's the difference?  The Webmail extensions run as part of Thunderbird.  avast now does scan the http accesses of Thunderbird and a whole lot of the eicar viruses were detected by the avast Webshield as the Webmail extensions performed the http accesses to the Yahoo mail store.       

Offline acegap

  • Newbie
  • *
  • Posts: 12
Re: Avast 4.7 Home missed email eicar Test Virus
« Reply #22 on: July 20, 2006, 01:56:31 PM »
alanrf - You Are The Man - in fact, Bingo! It works. base64 attachment caught first time! Everyone in here owes alanrf A Beer.

I knew it should be something simple that's why I was getting cheesed off.

Please excuse for the non-delivery of "..how the message was delivered and for a screen capture of the message source" - I wasn't quite sure what you were after so I sent the printscreen of Thunderbird which was all I could think of.

I think avast owes him a Beer as well.

No wonder Yahoo! shares went down 22% yesterday lol!