04-03-2011 06:00 PM
Norton Anti-Virus 2011 (Version 18.5.0.125), in trying to remove an invoice_copy.exe virus that was downloaded, scrambled a couple dozen e-mails in my Thunderbird (Version 3.1.9) in-box while I was away from the computer.
Thunderbird may likely have been in the process of moving the virus-infested e-mail from the Inbox folder to the Junk folder, because the same virus was found in both Inbox and Junk. NAV seems to have deleted the messages or scrambled them in such a way that they didn't even show up in the message list, so I can't prove that they were the same message. However, NAV reports the same virus being found at the same time in both folders. And I have Thunderbird configured to filter some messages to Junk. (Don't know what tripped the trigger, however, as the message is gone, but each virus has been quarantined. Not a helpful default setting, to my mind.)
NAV Activity report (which I can't seem to simply copy and paste):
invoice_copy.exe
[Contained in] invoice_copy_in32948.zip
[Contained in] unknown01f28e0d.data
[Contained in] (path to file)\inbox
Deleted
invoice_copy.exe
[Contained in] invoice_copy_in32948.zip
[Contained in] unknown000f1d07.data
[Contained in] (path to file)\junk
Deleted
Relevant Thunderbird settings:
Tools, Options, Security icon, Anti-Virus tab, "Allow anti-virus clients to quarantine individual incoming messages" is checked.
Relevant NAV 2011 settings:
Settings, Real Time Protection section:
SONAR Protection: On
SONAR Advanced Mode: Automatic
Remove Risks Automatically: Off
Remove Risks if I Am Away: On
Show SONAR Block Notifications: Show all
I have now turned off "Remove Risks if I Am Away," hoping that I will be prompted to deal with a suspect file when I return. If I'm not, I trust NAV will still check every file I save to the hard drive and every file I execute.
Hugh Wyn Griffith asked me to post my experience here. Let me know if there's any further information you need, and I'll see what I can do. A bit more discussion here, but I think this is the best distillation of that discussion.
-- Timothy J. McGowan
04-03-2011 07:17 PM - edited 04-03-2011 07:26 PM
Hi TimothyJMcGowan,
Yeah, about Thunderbird and Antivirus....
Thunderbird does store all messages in each folder as one single file. So if a message in your Inbox is found to contain a virus, Norton will quarantine the whole Inbox. That seems not to have happened in your case, but obviously there was still some sort of problem. The reason the infected message was found in both the Inbox as well as the Junk folder is that when a message is deleted or moved from one folder to another it does not actually go anywhere. Instead, what happens is that a copy is created, in this case, in the Junk folder, and the original remains in the Inbox but is now hidden. So now the message actually exists in both places. Deleting a message only hides it. In order to physically remove messages, you need to compact the folders. You should be compacting your folders regularly, which will eliminate a lot of other problems, as well.
To lessen the chances of your Inbox ending up in quarantine you should add it to the two Scan Exclusion lists in Norton: Items to Exclude from Scans, and Items to Exclude from Auto-Protect and SONAR Detection. Since opening an attachment takes the file out of the Inbox, any malicious content will be detected by Auto-Protect when you open it, and you will still be protected from email-borne threats. To exclude the Inbox from scans click Configure [+] in the Norton Exclusion settings, click Add in the Exclusions box and navigate (in XP) to:
C:\Documents and Settings\<your username>\Application Data\Thunderbird\Profiles\<your profile>\Mail\Local Folders\Inbox
The "Allow anti-virus clients to quarantine individual incoming messages" setting enables Thunderbird to store new incoming messages as temporary individual files before moving them to the Inbox. This allows Norton's Incoming Email Scan to quarantine an infected message before it becomes part of the larger Inbox file. The decision to scan incoming messages is a matter of personal preference - from a security standpoint, Incoming Email Scanning is not essential, since Auto-Protect will detect any malicious file on access anyway, as explained above. Mozilla offers a good discussion of the Pros and Cons here:
http://kb.mozillazine.org/Email_scanning_-_pros_an
And for a really thorough discussion of Thunderbird and Antivirus see the following Mozilla article:
http://kb.mozillazine.org/Thunderbird_:_FAQs_:_Ant
So what scrambled your messages? It's hard to know, but maybe from what I've said you can trace down whether it was a problem with the Incoming Email Scan or a virus scan of your mail folders that might have corrupted something.
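The storage behaviour described in the reply above, as an added example that is not part of the original thread: Thunderbird keeps each folder as one mbox file and marks a deleted or moved message with the expunged bit (0x0008) in its X-Mozilla-Status header until the folder is compacted. This Python example lists such messages and their attachment names; the sample Inbox, its subjects and the attachment name are constructed.

```python
import mailbox
import os
import tempfile

EXPUNGED = 0x0008  # X-Mozilla-Status bit: deleted or moved, awaiting compaction

# Constructed sample Inbox: message 1 was moved to Junk (copy stays on disk), message 2 is live.
SAMPLE_INBOX = (
    "From - Sun Apr 03 17:00:00 2011\n"
    "X-Mozilla-Status: 0009\n"
    "Subject: Invoice copy\n"
    'Content-Type: multipart/mixed; boundary="b1"\n'
    "\n"
    "--b1\n"
    "Content-Type: application/zip\n"
    'Content-Disposition: attachment; filename="sample_attachment.zip"\n'
    "\n"
    "PLACEHOLDER-NOT-A-REAL-ARCHIVE\n"
    "--b1--\n"
    "\n"
    "From - Sun Apr 03 17:05:00 2011\n"
    "X-Mozilla-Status: 0001\n"
    "Subject: Lunch\n"
    "\n"
    "Noon?\n"
)

def hidden_messages(path):
    """Return (subject, attachment names) for messages flagged expunged but still in the file."""
    found = []
    box = mailbox.mbox(path, create=False)
    for msg in box:
        status = int(msg.get("X-Mozilla-Status", "0"), 16)  # header holds hex flags
        if status & EXPUNGED:
            names = [p.get_filename() for p in msg.walk() if p.get_filename()]
            found.append((msg["Subject"], names))
    box.close()
    return found

def demo():
    """Write the constructed Inbox to a temporary file and scan it."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "Inbox")
        with open(path, "w", newline="\n") as f:
            f.write(SAMPLE_INBOX)
        return hidden_messages(path)

if __name__ == "__main__":
    for subject, names in demo():
        print(f"still on disk until compacted: {subject!r} attachments={names}")
```

Run against a copy of a real folder file with Thunderbird closed; an empty result after compacting confirms the hidden copies are gone.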
04-03-2011 09:35 PM
SendAsJive:
Many thanks for all the information!
I have a number of e-mail accounts, so I have multiple in-boxes and other storage folders. I was considering ignoring the entire directory tree, but that probably wouldn't be the safest approach. No sense making entire folders potential havens for malware, I suppose. And I see now that the second article to which you linked says exactly that.
I don't suppose there's any way that NAV and other anti-virus products could be configured to include the exclusions automatically, or at least suggest the exclusions during installation.
-- Tim
04-03-2011 10:22 PM
TimothyJMcGowan wrote:
I don't suppose there's any way that NAV and other anti-virus products could be configured to include the exclusions automatically, or at least suggest the exclusions during installation.
You know, years ago when Outlook Express was still vibrant, Norton by default used to exclude .dbx files from scans due to this same issue of file corruption and quarantined Inboxes. I agree that there should still be documentation on the issue, as it does affect many popular email clients, not just Thunderbird. I actually stumbled across the MozillaZine articles long before I started using Thunderbird and found them to be a real treasure of useful information no matter what email product you use.
04-03-2011 11:41 PM - edited 04-04-2011 12:39 AM
Hi TimothyJMcGowan,
I took a peek at that other forum and saw that someone named Duane_White had posted about turning off email scanning in Norton, which results in a constant alert that it needs to be "fixed." He will be happy to learn that there is a way to turn off this "at risk" warning while leaving email scanning disabled. Please inform him that, depending on the Norton program he is using, he should be able to hover his mouse either over the words "Email Protection," or over a small circle containing the letter "i" next to that text on the main Norton window. Doing so will bring forth a pop-up with an option to "Ignore" the status of the setting. In other words, Norton will no longer monitor the setting and will no longer alert you that the email scan is disabled or needs fixing. The "ignore" option only stops the status alerts - it does not change the underlying email scanning on-off option that the user has selected. A small circle with a diagonal line will appear over the toggle switch to indicate the status is being ignored. Hovering the mouse again will present the option to once again "Monitor" the setting.
04-04-2011 05:22 AM
04-04-2011 06:33 AM
Duane White is one of the really good knowledgeable guys over on Compuserve's Forums and has come back to using Norton again after the performance improvements since 2010. He has posted here.
I told Timothy we had some real experts here!
04-04-2011 07:34 AM
>> I told Timothy we had some real experts here! <<
Never doubted it for an instant, Hugh!
This is a bit different from the CompuServe forums. I see I should accept an answer, which I'll do next. What are the other buttons for? (Or where did I skim too quickly when Reading The Fine Manual?)
-- Tim
04-04-2011 08:58 AM
04-04-2011 10:29 AM
Hi Tim and Duane,
You are very welcome. Glad I was able to help. Hope you will drop in again sometime.
