Henry151
Where Does Blocked Email Go?
« on: October 09, 2019, 03:37:04 PM »
Product: Avast Security (Free Version)
Version: 14.2 (a3145f33d364)
OS: macOS 10.14.6

I just received notification that Avast blocked an incoming email, apparently due to a URL? I'm a consultant and the email was an important message related to a job. However I cannot find what happened to the email. It's not in the virus chest and I can't find any log which shows anything about the message. All information about what happened disappeared when I closed the alert. Where can I find this message?

I have uninstalled Avast because I can't have it making important email vanish.

ondrej.kolacek (Avast team)
Re: Where Does Blocked Email Go?
« Reply #1 on: October 10, 2019, 11:41:43 AM »
Hello,

First, the original email is still intact on your mail server; however, the infected part (usually an attachment) was removed when the mail was downloaded to your mail application (usually such an attachment shows as empty in the email client). At the same time, the email was marked via a custom header.

If you really need to know which mail it was, assuming you are using Apple's Mail application, open a terminal and run the following command (it takes a long while to finish):

Code:
grep -rl "X-Antivirus-Status: Infected" ~/Library/Mail/
The result should be a list of raw email files which have been marked as infected.

If you open the found files, you should be able to find out who sent it (From: header), when you received it (Date: header), the email subject (Subject: header), etc.

You should be able to get to the content of the original email body, e.g. via a web mail.

We are currently designing a new notification system which should eventually contain an easily accessible log of received notifications, so the task of identifying such emails after dismissing the alert should become much easier in the future.

Kind regards,
Ondrej Kolacek
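As an added example (not part of the forum thread and not Avast's code), the following Python script does what the grep command in the reply does and additionally parses each hit for the From, Date and Subject headers and the names of attachments whose body was emptied. It assumes only the X-Antivirus-Status: Infected header named in the reply; the sample message and the .emlx/.eml file filter are constructed for illustration.

```python
import os
from email import policy
from email.parser import BytesParser

FLAG_HEADER = "X-Antivirus-Status"  # header and value named in the reply above
FLAG_VALUE = "Infected"

def parse_message(raw: bytes):
    # Apple Mail .emlx files prefix the message with a byte-count line; strip it.
    first, sep, rest = raw.partition(b"\n")
    if sep and first.strip().isdigit():
        raw = rest
    return BytesParser(policy=policy.default).parsebytes(raw)

def summarize_if_flagged(raw: bytes):
    # Summary (From/Date/Subject, emptied attachments) of a flagged message, or None.
    msg = parse_message(raw)
    if str(msg.get(FLAG_HEADER, "")).strip().lower() != FLAG_VALUE.lower():
        return None
    emptied = [part.get_filename() or part.get_content_type()  # body was removed
               for part in msg.walk()
               if part.get_content_disposition() == "attachment"
               and not part.get_payload(decode=True)]
    return {"from": str(msg.get("From", "")), "date": str(msg.get("Date", "")),
            "subject": str(msg.get("Subject", "")), "empty_attachments": emptied}

def find_flagged_messages(root: str):
    # Walk a mail store (e.g. ~/Library/Mail) and yield (path, summary) per hit.
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.endswith((".emlx", ".eml")):  # assumed mail file extensions
                path = os.path.join(dirpath, name)
                with open(path, "rb") as fh:
                    summary = summarize_if_flagged(fh.read())
                if summary:
                    yield path, summary

# Constructed sample: a flagged message whose PDF attachment body was emptied.
SAMPLE = b"""From: sender@example.com
Date: Wed, 09 Oct 2019 15:00:00 +0000
Subject: Job proposal
X-Antivirus-Status: Infected
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: application/pdf; name="proposal.pdf"
Content-Disposition: attachment; filename="proposal.pdf"

--b1--
"""
```

Run `summarize_if_flagged(SAMPLE)` to see the summary for the constructed message, or iterate `find_flagged_messages(os.path.expanduser("~/Library/Mail"))` on a real mail store.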