Why is e-mail scan going off?

[Moonbarker]

Hi! :-)

This isn't a big problem, but I am curious about it.  Every so often, I'll see an icon appear in the system tray (you know, the same area where the clock appears) for a few seconds then vanish.  If I mouse opver it, the tag that appears says something like "Avast e-mail scan"  Why is it going off?  My e-mail is and always has been web-based.  How do I turn it off so it doesn't do that?

[Lisandro]

Hmmm... that icon only appears if you're sending email with an email client (program like Outlook Express, Thunderbird or MS Outlook). Are you sending/receiving emails when that icon appears?

I suggest you create a HijackThis log to post here or, better, submit the RunScanner log to to on-line analysis.

[Moonbarker]

Hmmm... that icon only appears if you're sending email with an email client (program like Outlook Express, Thunderbird or MS Outlook). Are you sending/receiving emails when that icon appears?

Nope.  Even if I were, it's web based, does Avast scan web based mail too?

I suggest you create a HijackThis log to post here or, better, submit the RunScanner log to to on-line analysis.

OK, I'll look into that :-)  Thanx!

[alanrf]

Are you using any peer-2-peer programs?

When you connect to a peer they could be telling you to use a well-known email port to connect to them and causing avast to trigger the email scan that you are seeing.

If you are not using P2P then Tech's suggestion may help tell us if you have an email spambot infection.  Another way to catch that is by running the Internet Mail provider with the sensitivity set to high ... it will not degrade your system performance but will detect unauthorized sending of emails from your system.

[Moonbarker]

Are you using any peer-2-peer programs?

When you connect to a peer they could be telling you to use a well-known email port to connect to them and causing avast to trigger the email scan that you are seeing.

I do have E-mule and at present, GetRight is downloading a torrent, but the icon appears when neither program is even open.

If you are not using P2P then Tech's suggestion may help tell us if you have an email spambot infection.  Another way to catch that is by running the Internet Mail provider with the sensitivity set to high ... it will not degrade your system performance but will detect unauthorized sending of emails from your system.

Is the "running the Internet Mail provider" you refer to a function of Avast?  If so, how do I run it?  If not, what do I do?

[alanrf]

Yes, the Internet Mail provider is one of the functions of avast.

It occurs to me that I was foolish to forget that if the icon is showing in system tray then you are already running the provider. 

You just need to double click on the avast icon in the system tray and select "Details" if you have not already done so to show the status of the various providers.  In the Internet Mail provider move the slider to "High" sensitivity.

[Lisandro]

I do have E-mule and at present, GetRight is downloading a torrent, but the icon appears when neither program is even open.

emule does not use email ports and traffic. GetRight is a download manager and even downloading a torrent, shouldn't be using the email function.

Maybe you can follow the HijackThis and RunScanner suggestions...

[alanrf]

Tech,

you are missing the main point about email ports and P2P programs.  As far as ports go they do two things:

1) P2P programs tells other peers which port they are listening on to receive contacts from other peers.  In this function emule may well not use well known port numbers (but that is irrelevant to avast)

2) P2P programs make contacts to other peers.  Other peers say which port they are listening on - emule has no control over their choice.  It is these other peers telling P2P programs to connect to them on well known email ports that can trips avast's intercept.

So you cannot say ever that P2P program xxxxx does not use email ports.

All that being said, I too am at fault for not having checked something before my last response.  The avast team has added a number of automatic exclusions to the Internet Mail provider amd among the exclusion is emule.exe.  Any contacts by emule.exe to well known mail ports of other peers are ignored by the Internet Mail provider.  However the list of exclusions in avast is not exhaustive and we needed to know which P2P was being used here before we could eliminate it as a possibility.  Getright on the other hand is not included in the exclusions of the Internet Mail provider.  If it is performing a torrent download and if the peer has specified a mail port to connect to then Getright will trip the intercept of avast and show the icon in the tray.

The Internet Mail provider on high sensitivity is still a good idea even for those using only Webmail since it will provide the earliest alert of a spambot infection.

Given the above it is not possible to say whether it was Getright tripping the intercept or whether there is a spambot infection.  It would probably be a good idea for this user to include getright.exe in the exclusions of the Internet Mail scanner while also following your other recommendations. 

       

   

[miscreant]

The email icon will also appear if you have set it to scan nntp ..i.e you have a newsreader .Just a thought.

[Lisandro]

In this function emule may well not use well known port numbers (but that is irrelevant to avast)

You can configure emule to use static ports.

2) P2P programs make contacts to other peers.  Other peers say which port they are listening on - emule has no control over their choice.  It is these other peers telling P2P programs to connect to them on well known email ports that can trips avast's intercept.

How avast in my computer can intercept a connection to a port outside of my computer? I have no control over their ports and I thought neither do avast

So you cannot say ever that P2P program xxxxx does not use email ports.

Ok. My emule does not use email ports and generally, the default of emule is not using email ports (at least is what is written in their helps, website, etc.).

If it is performing a torrent download and if the peer has specified a mail port to connect to then Getright will trip the intercept of avast and show the icon in the tray.

I don't think so... it connects on port 80, at least is what is shown here...

[miscreant]

Just another thought....you could click Internet mail module>customize>advanced >tick "show detailed info on performed action"..
Maybe it will show you  what the connection is if it shows for long enough to read.

[alanrf]

How avast in my computer can intercept a connection to a port outside of my computer? I have no control over their ports and I thought neither do avast

Oh dear Tech ... c'mon now this is how avast works day in day out ...by intercepting the connection to ports on other computers.

The Internet Mail providers works by intercepting connection to ports 25, 100, 143, 119 on other computers.

The Webshield works by intercepting connections to port 80 on other computers.

All of these ports have nothing whatsoever to do with our systems ... these are the ports that the other systems are listening on.

The ports that a P2P program uses to listen on your computer (static or whatever) are completely and totally irrelevant to avast.

If you cannot believe me - then ask the avast team.

And download managers are not confined to connecting to other systems at their port 80.

[Lisandro]

Oh dear Tech ... c'mon
If you cannot believe me - then ask the avast team.

Sorry to disappoint you. I need to learn every day, you overestimate my knowledge.