strange behaviour mail scanner

[batterio]

hi avast friends.
os  win xp sp2
av avast 4.7 home
anybody would know why lately the little mail scan mail icon pops up every so often when no mail client is in use? hovering on it it says that it is scanning mail for: 147.163.79.126
i have scanned my notebook with different anti spy/adware and it results clear.
thanks

[DavidR]

You may well have a trojan spambot on your system, enable the 'Show detailed info on performed actions' this will show you what is going on.



Exactly what were you doing when this happened, browsing, p2p, etc. what ?
What is your firewall, this should ideally be stopping unauthorised outbound connections ?

If you haven't already got this software (freeware), download, install, update and run it, preferably in safe mode.
1. Ewido, a.k.a. avg anti-spyware If using winXP. or a-Squared free if using win98/ME.

[batterio]

thanks DavidR. when it happens i am actually browsing and p2p.
i performed scans with adaware, spybot, spyware terminator and superantispyware and everything was ok. now i will try the soft you indicated and see.my firewall is the windows default
thanks for now.

[Lisandro]

my firewall is the windows default

It does not protect you to 'outbound' connections, programs that connect the Internet from your computer.
Use TCPView to see if this will identify the processes making the connections http://www.sysinternals.com/Utilities/TcpView.html

[batterio]

the process is very random and not relly obsessive and constant.
could you please reccomend me a good firewall that would complete and cohabit well with avast?
thanks

[Lisandro]

could you please reccomend me a good firewall that would complete and cohabit well with avast?

Comodo or ZoneAlarm.
Both are free. Comodo is stronger in protection. ZoneAlarm is easier to start and understand.

Personal Firewall Tests & Results. Firewall rating: http://www.matousec.com/projects/windows-personal-firewall-analysis/leak-tests-results.php#firewalls-ratings

Freeware firewalls:
http://www.firewallleaktester.com/tests_overview.php
http://www.thefreecountry.com/security/firewalls.shtml
http://forum.avast.com/index.php?topic=22742.0;topicseen

[DavidR]

thanks DavidR. when it happens i am actually browsing and p2p.
i performed scans with adaware, spybot, spyware terminator and superantispyware and everything was ok. now i will try the soft you indicated and see.my firewall is the windows default
thanks for now.

What P2P program are you using ?
Some communicate using email ports and that causes the Internet Mail scanner which monitors those ports to scan the content. The 'Show detailed info on performed actions' if you enabled it as I suggested should show this.

You could also change some settings in the Internet Mail, set the protection to High, click the Customize button, Advanced Tab, enable the Timeout section, reduce the delay to say 20 seconds and have it Ask. These settings can be reversed after the test to identify what is the cause I would hoever recommend you leave the scanner sensitivity on High.

If it is your p2p application communicating on the email ports the timeout warning should show this, do a screen shot of the warning if you get it.

[batterio]

thanks very much guys. i use bit torrent and i have all avast settings set on high, just in case.

[DavidR]

Your welcome.

Sorry I don't use any P2P application so I don't know who you would check the communication port settings in bit torrent.

Have you made the tweaks I suggested as those or TCPView is likely to pinpoint the true problem ?
Let us know what is found as suggestions without feedback makes it hard knowing what you tried, etc.

[Lisandro]

I have all avast settings set on high, just in case.

The better balance between protection and performance is 'Normal' level of the Standard Shield provider 

[batterio]

I have all avast settings set on high, just in case.

The better balance between protection and performance is 'Normal' level of the Standard Shield provider 

ok i didn't know.

Your welcome.

Sorry I don't use any P2P application so I don't know who you would check the communication port settings in bit torrent.

Have you made the tweaks I suggested as those or TCPView is likely to pinpoint the true problem ?
Let us know what is found as suggestions without feedback makes it hard knowing what you tried, etc.

i changed the settings as you suggested, but since i posted it hasn't happened again. as i say it is not a constant issue. a few times last week, a couple this morning. it is very random.
if i get some result i will come back to you.
thanks

[alanrf]

If, as seems most likely, that this is a p2p connection that is being scanned by avast then how frequently it happens has nothing to do with your settings. 

The problem occurs when another peer out in the network tells you to connect to the peer at its port 25, 110, 119 or 143.  It is the fact that you are making the connection to that port at the other peer that avast is intercepting.  So it is not under your control at all and you will only see it happening infrequently since many other peers will not use those ports. 

The best way to stop this happening is to tell the avast Internet Mail provider not to scan connections made by bit torrent. 

To do this edit the avast4.ini file (usually found at C:\Program Files\Alwil Software\Avast4\DATA\avast4.ini ) and in the section headed:

[MailScanner]

add a line:

IgnoreProcess=bittorrent.exe


If you continue to see the "blue light" tray icon after this when you are not processing your email or newsgroups would be a cause for further investigation.

@avast team

Any good reason why this process should not be in the list of automatic exclusions for the Internet Mail provider?