Author Topic: MAIL SHIELD - WHERE DOES STUFF GO?  (Read 6071 times)

Offline surfing69

  • Jr. Member
  • **
  • Posts: 25
MAIL SHIELD - WHERE DOES STUFF GO?
« on: December 01, 2010, 02:56:36 PM »
In expert settings, I have set all the actions in the 'Suspicious' tab to 'Move to chest'.  However, when someone tried to send me an email with an attachment that had a white space of 27, instead of the email and/or attachment being placed in the Virus chest, all I received in my Inbox was the following:

"From: <avast! 5>
Sent: Wednesday, December 01, 2010 1:44 PM
Subject: [personal] [avast! heuristic - WARNING]


> Suspicious whitespace sequence"


What I would like to know is what happened to the email with the suspicious white-space if it was not dumped into the virus chest. It seems that it has disappeared into thin air.

When I changed the actions to Ask, the same thing happened but I did not get an 'Ask' notification and again the email with the attachment disappeared.

When I changed the actions to 'No Action', this time the email with the attachment was received in my Inbox with the following message:

"Subject: [personal] *** SUSPICIOUS ***Fw: mail sheild test"

Can someone please tell me what happens to the email with an attachment that has a suspicious white-space sequence when I select 'Move to chest' or 'Ask' in Actions? 

At the moment these actions don't appear to be doing what they should be doing.


Offline schmidthouse

  • VIRUS FREE A Long Time
  • Avast Evangelist
  • Starting Graphoman
  • ***
  • Posts: 7170
  • When you think you know, Think Again
Re: MAIL SHIELD - WHERE DOES STUFF GO?
« Reply #1 on: December 01, 2010, 03:33:02 PM »
Hi surfing69: Not really sure about that.
What email program are you using?
Possibilities might be: ends up in the recycle bin?? ... does not get downloaded from the server??
I'm sure more experienced help with Mail Shield operation can provide better options/answers :-\

Offline surfing69

Re: MAIL SHIELD - WHERE DOES STUFF GO?
« Reply #2 on: December 01, 2010, 04:21:57 PM »
Hi

Using Outlook Express.

And no, the email is not dumped into deleted or recycle bin. And the email does appear in my server webmail inbox. Rather than being moved to the virus chest as selected in the actions options, it looks as though the email is getting deleted completely by Avast - but don't know why and where ???

Offline igor

  • Avast team
  • Serious Graphoman
  • *
  • Posts: 11849
    • AVAST Software
Re: MAIL SHIELD - WHERE DOES STUFF GO?
« Reply #3 on: December 01, 2010, 04:40:31 PM »
I'm afraid the interface is quite confusing here.

What you configure on the "Actions" page is related to the detection of files in attachments; namely, the page "Suspicious" specifies the behavior when malware called "Something [Susp]" is detected in the file.

The detection of suspicious messages as you describe, however, is the Mail heuristics (second page of the settings). It doesn't really check the content of the attachment, but rather its name, extension, or maybe even the content of the e-mail body, whether there is an attachment or not.

These two settings are completely unrelated, I'm afraid, it's "a different kind of suspiciousness" - therefore it doesn't behave as you'd expect it to.

Nesivos

  • Guest
Re: MAIL SHIELD - WHERE DOES STUFF GO?
« Reply #4 on: December 01, 2010, 04:45:00 PM »
1. Use the Windows option in Explorer to unhide all your folders.

2. Use Windows search to try and locate the Email.  If you are using W7 you may need to index your drive first, not sure about that :)

3. After the search is complete and you have or have not located the email, change the unhide feature back to allowing folders to be hidden.

Good luck

« Last Edit: December 01, 2010, 04:46:48 PM by Nesivos »

Offline surfing69

Re: MAIL SHIELD - WHERE DOES STUFF GO?
« Reply #5 on: December 01, 2010, 05:00:21 PM »
Quote
I'm afraid the interface is quite confusing here.

What you configure on the "Actions" page is related to the detection of files in attachments; namely, the page "Suspicious" specifies the behavior when malware called "Something [Susp]" is detected in the file.

The detection of suspicious messages as you describe, however, is the Mail heuristics (second page of the settings). It doesn't really check the content of the attachment, but rather its name, extension, or maybe even the content of the e-mail body, whether there is an attachment or not.

These two settings are completely unrelated, I'm afraid, it's "a different kind of suspiciousness" - therefore it doesn't behave as you'd expect it to.


I don't understand what you mean by "I'm afraid the interface is quite confusing here."?

Also I do understand that the Mail heuristics doesn't really check the content of the attachment but instead checks the name, extension etc.

And when you say "these two settings are unrelated" I do realise this to be the case. And what should happen if the action 'Ask' is selected when an email arrives with a suspicious white-space?

In conclusion I would like to know what happens to the emails + attachment with 'suspicious' white-space sequence. If they are deleted, where do they go?

Offline igor

Re: MAIL SHIELD - WHERE DOES STUFF GO?
« Reply #6 on: December 01, 2010, 06:09:35 PM »
I am trying to say that the setting "Ask" doesn't apply at all to e-mails with suspicious white spaces; you'd be asked if a suspicious content were detected in the attachment, but not for whitespaces in the name.

If you get an e-mail where the heuristics reports something (e.g. suspicious whitespaces in the name) and you select delete... well, it's deleted, gone - it doesn't go anywhere.

Offline surfing69

Re: MAIL SHIELD - WHERE DOES STUFF GO?
« Reply #7 on: December 01, 2010, 06:28:26 PM »
I think you may have misunderstood.

If I select the action 'move to chest', I do NOT get an option to 'select delete'. The email with the attachment with suspicious white-space sequence is detected by Avast but it isn't dumped into the chest. The original email with attachment disappears and instead I receive an email from Avast stating the following:

"From: <avast! 5>
Sent: Wednesday, December 01, 2010 1:44 PM
Subject: [personal] [avast! heuristic - WARNING]


> Suspicious whitespace sequence"

I would like to know why it wasn't moved to the chest and if it was deleted, it was deleted by Avast and not by me.

Offline igor

Re: MAIL SHIELD - WHERE DOES STUFF GO?
« Reply #8 on: December 01, 2010, 07:35:53 PM »
Well, what I'm saying is that the whole "Suspicious" page is unrelated to the detection you're getting - so it doesn't matter whether you set "ask" or "move to chest" there.
Do you have silent mode enabled?

Offline igor

Re: MAIL SHIELD - WHERE DOES STUFF GO?
« Reply #9 on: December 02, 2010, 01:23:25 PM »
OK, seems I've been misinformed, sorry.
There actually is an additional connection between the "Suspicious" page and e-mail heuristics. So, while the Suspicious page affects the "handling of Something [Susp]" files, just like it does for any other shields or on-demand scans, it also affects the e-mail heuristics (e.g. the detection of whitespace sequences)... "somehow" (a bit artificial).

I was told that the "mapping" for this special case is as follows:
"Ask" - should show a question, with the options delete/ignore (I didn't try it myself - are you saying you don't get any popup?)
"No action" - the message is delivered
anything else - the message is deleted and replaced by the info text

In any case, when the message is deleted, it's simply deleted, gone.

Offline surfing69

Re: MAIL SHIELD - WHERE DOES STUFF GO?
« Reply #10 on: December 02, 2010, 02:40:30 PM »
Ahh - finally some clarity.  Thank you for admitting that your initial advice may have been flawed. This is appreciated.

Regarding my situation:

1. when I set action to 'Ask' I do NOT get a pop up.
2. if I set action to 'No Action' the email IS delivered but has the warning term 'suspicious' embedded in the subject line.

Finally, if I select 'move to chest' then I would like Avast to move the item to the chest. I don't understand why the email should be deleted when asked to be moved to chest. There is already an action called 'delete' in Actions. Is this something to feedback to the developers?

Offline igor

Re: MAIL SHIELD - WHERE DOES STUFF GO?
« Reply #11 on: December 02, 2010, 03:06:17 PM »
Quote
1. when I set action to 'Ask' I do NOT get a pop up.

OK, correction - there has to be "Ask, if fails, No action" - then the question should appear. So, the behavior is this:
"Ask, if fails, No action" - shows a question with the options delete/ignore
"No action" - the message is delivered
anything else - the message is deleted and replaced by the info text

Quote
2. if I set action to 'No Action' the email IS delivered but has the warning term 'suspicious' embedded in the subject line.

Yes, that's the expected behavior - the subject line is changed (you can configure that on the Behavior page), but the e-mail body is intact.

Quote
Finally, if I select 'move to chest' then I would like Avast to move the item to the chest. I don't understand why the email should be deleted when asked to be moved to chest. There is already an action called 'delete' in Actions. Is this something to feedback to the developers?

No, as I was trying to explain, the settings on the Suspicious page are generally for something else (for actions on infected attachment for specific malware types). The e-mail heuristics is somehow affected by the Suspicious page in the end, but not all the options are supported. The engine cannot move the whole e-mail to Chest, it can be done only for attachments (when an infection is found in the attachment). So, such an option is not available for e-mail heuristics.

Offline surfing69

Re: MAIL SHIELD - WHERE DOES STUFF GO?
« Reply #12 on: December 02, 2010, 07:25:11 PM »

Quote
OK, correction - there has to be "Ask, if fails, No action" - then the question should appear. So, the behavior is this:
"Ask, if fails, No action" - shows a question with the options delete/ignore
"No action" - the message is delivered
anything else - the message is deleted and replaced by the info text


OK - I have tried the above and it appears to work, i.e. it gives me two options: 1. Delete OR Ignore.

Because there are 3 available actions in the Suspicious Tab, unless I have been unable to find them, I could not see any specific instructions on how to configure these actions for my situation. For example I was selecting ALL 3 actions to 'Ask' and couldn't understand why no pop up message was appearing.

However, should there be more detailed help notes in this section in regards to setting up this facility?