Author Topic: Eicar Test - Mozilla Thunderbird  (Read 2280 times)

0 Members and 1 Guest are viewing this topic.

Offline viraldet

  • Newbie
  • *
  • Posts: 2
Eicar Test - Mozilla Thunderbird
« on: May 13, 2007, 11:40:27 PM »
Sorry to bother you all, but I have a problem with the testing of e-mail scanning. I have used http://www.aleph-tec.com/eicar/index.php to automatically send the "Eicar" test virus to my e-mail address, in order to check whether the e-mail scanner works. When it arrives, I can see the message in my inbox (including the attatchment icon). I would have expected Avast! to have at least notified me by now, but nothing. When I then open the e-mail, the attatchment suddenly disappears, and I am simply left with the text of the e-mail.

When I look at my inbox again, the message is still there, but the attatchment icon is not. I find it strange that Avast! has not given me any sort of warning or notification regarding this. I am using 4.7 Home Edition (fully updated) with Windows XP SP2 (fully updated). Any suggestions?

Offline Vladimyr

  • Avast Evangelist
  • Super Poster
  • ***
  • Posts: 1640
  • Super(massive black hole) Poster
Re: Eicar Test - Mozilla Thunderbird
« Reply #1 on: May 14, 2007, 06:00:42 AM »
I'm using XP Pro SP2, Avast! 4.7 & Thunderbird (it says 1.0.6 but I thought it was later) and am not having the same experience.
Quote
When it arrives, I can see the message in my inbox (including the attatchment icon). I would have expected Avast! to have at least notified me by now, but nothing.
Are you using IMAP or POP? If IMAP the message header and attachment icon will appear but the EICAR test file will not be detected until you actually open the message, just as you describe.
Quote
When I then open the e-mail, the attatchment suddenly disappears, and I am simply left with the text of the e-mail.
This doesn't sound right. If the Avast Internet Mail provider is in Silent mode, with General answer No, the attachment will be stripped and quarantined but you should still get a notification in the message like:
---
avast! Antivirus: Inbound message INFECTED:
\eicar.com#1825043748 (EICAR Test-NOT virus!!) Moved to chest

Virus Database (VPS): 000740-0, 13/05/2007
Tested on: 14/5/2007 14:04:07 PM
avast! - copyright (c) 1988-2007 ALWIL Software.
http://www.avast.com
« Last Edit: May 14, 2007, 06:49:59 AM by Vladimyr »
There is a way that seems right to a man,
       but in the end it leads to death
.” - Proverbs 16:25

Offline alanrf

  • Avast Evangelist
  • Massive Poster
  • ***
  • Posts: 3867
  • Just an avast user
Re: Eicar Test - Mozilla Thunderbird
« Reply #2 on: May 14, 2007, 08:04:50 AM »
Remember that avast scans the email messages received on regular accounts where the user is connecting to a real mail server on port 110 (POP) and 143 (IMAP).

If you are receiving email into your mail client by any other means it will not be scanned by avast.

So, if you receive your email using secured access (like with GMail on an SSL connection) or if you receive your email using a WebMail to POP converter (FreePops, YPops, Hotmail Popper or the Thunderbird Webmail extensions) it will not be scanned by avast.

It is very hard these days to get a virus (even eicar) delivered to a mail client - because most email services scan the mail and refusre to even allow the user to access an infected mail - even before avast gets to scan it.  I know of only one way that I can get viruses delivered to my mail client.

In this case the problem is almost certainly being detected by the "on access" scanner in the attachment and you should be seeing an avast alert in the lower right of the screen.

I would make a small wager that the original poster is using Yahoo and one of the Webmail to POP converters I have listed above - and ensuring that even that avenue is scanned is but one click of the avast interface.

« Last Edit: May 14, 2007, 08:10:32 AM by alanrf »

Offline viraldet

  • Newbie
  • *
  • Posts: 2
Re: Eicar Test - Mozilla Thunderbird
« Reply #3 on: May 14, 2007, 06:09:56 PM »
Still a mystery. I'm not using a Webmail to POP converter, and it's using the default 110 port (as it's a POP address). Very strange...

Offline alanrf

  • Avast Evangelist
  • Massive Poster
  • ***
  • Posts: 3867
  • Just an avast user
Re: Eicar Test - Mozilla Thunderbird
« Reply #4 on: May 15, 2007, 01:59:33 AM »
I believe that your email service provider removed the attachment before you read the message. 

If you can please post here the Thunderbird "View source" of the message (obscure any personal information before posting).