Norton 360 Corrupting Thunderbird MBOX files

I provide support for the Thunderbird Email client.

For many months now people across our support forum have complained that their mail was unreadable unless they repaired their inbox. Yesterday I finally found what appears to be Norton removing individual emails from the underlying MBOX files and occasionally leaving the files in such a corrupted state that all mail received after the edit in the file is simply lost.

How is the average user to know they need to rebuild their mail index after one of these Norton security mess-making exercises, which leave the mail store and index out of sync?

How does the average user prevent the corruption of their mail store by Norton 360?

Hi MadMattAu,

MozillaZine has much documentation on issues that can arise between antivirus software and the Thunderbird mail folders. Specifically, messages in a folder are all contained in a single file, so if an AV program attempts to remove an infected attachment from one message, the entire mail folder can become corrupted. The solution has always been to exclude the Inbox and other important folders from scans.

The Thunderbird option to "Allow anti-virus clients to quarantine individual incoming messages" mitigated much of this, because the AV could quarantine a malicious attachment before it was added to the inbox. However, more ISPs are now requiring secure email ports to be used, which leaves Norton unable to scan the encrypted traffic as it arrives. So, I suppose it is possible that more malware could now be getting into users' Inboxes than in the past, which might explain a rise in folder corruption incidents being reported.

In any case, it has always been recommended to exclude the important mail folders from scans. The following MozillaZine articles offer some great advice that you can pass on to Thunderbird users:

http://kb.mozillazine.org/Thunderbird_:_FAQs_:_Anti-virus_Software

http://kb.mozillazine.org/Email_scanning_-_pros_and_cons

Thank you for the thoughtful reply, but you do not get my concern.

Norton is removing mail from the inbox, or at least that is what the logs indicate to me. (Appended is an excerpt.)

Category: Quarantine
Date & Time,Risk,Activity,Status,Recommended Action,Path - Filename
2013-06-20 9:58:29,High,WS.Malware.1 detected by Virus scanner,Quarantined,Resolved - No Action Required,c:\users\n\documents\thunderbird mail\mail\inbox
2013-06-20 9:58:29,High,W32.Cridex detected by Virus scanner,Quarantined,Resolved - No Action Required,c:\users\n\documents\thunderbird mail\mail\inbox
2013-06-20 9:58:29,High,Trojan.Zbot detected by Virus scanner,Quarantined,Resolved - No Action Required,c:\users\n\documents\thunderbird mail\mail\inbox
2013-06-20 9:58:29,High,Trojan.Malscript detected by Virus scanner,Quarantined,Resolved - No Action Required,c:\users\n\documents\thunderbird mail\mail\inbox

Thunderbird contains no mechanism to detect the editing of its MBOX files, and as such does not know the MSF file that is used to display mail and locate mail needs to be updated. The result: Thunderbird displays mails based on the old index and instead of mails being displayed, the partial source of whatever is at that location is displayed, i.e. gibberish to the average user.

In the case that I extracted the log entries from, the lady complained that repairing the index deleted all the emails that were not correctly displayed.

My working theory here is that where Norton makes multiple edits, data loss occurs. Where Norton makes a single edit, display errors only occur. This is based on the numbers of Norton users that have appeared in the support forum complaining of display issues that have no data loss following repair, or report none.

So in the first instance, does Norton edit the MBOX files?

Hi MadMattAu,

In your excerpt, it appears that Norton is quarantining the entire Inbox folder, which is what one would expect to see.  Is that actually what you observed?  Or did you only see a problem with the msf files afterward?
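
An added example, not part of any post in this thread and not Norton or Mozilla code: a small Python triage script that reads a Security History export in the format of the excerpt posted above and lists the Thunderbird mail folder files that were the target of a quarantine action, so a support person knows which folders to exclude from scans and repair. The function names and the path heuristic (a directory name containing "thunderbird" and a file with no extension) are assumptions made for this example.

```python
import csv
from collections import defaultdict
from pathlib import PureWindowsPath

# Security History excerpt exactly as posted in this thread.
HISTORY = r"""Category: Quarantine
Date & Time,Risk,Activity,Status,Recommended Action,Path - Filename
2013-06-20 9:58:29,High,WS.Malware.1 detected by Virus scanner,Quarantined,Resolved - No Action Required,c:\users\n\documents\thunderbird mail\mail\inbox
2013-06-20 9:58:29,High,W32.Cridex detected by Virus scanner,Quarantined,Resolved - No Action Required,c:\users\n\documents\thunderbird mail\mail\inbox
2013-06-20 9:58:29,High,Trojan.Zbot detected by Virus scanner,Quarantined,Resolved - No Action Required,c:\users\n\documents\thunderbird mail\mail\inbox
2013-06-20 9:58:29,High,Trojan.Malscript detected by Virus scanner,Quarantined,Resolved - No Action Required,c:\users\n\documents\thunderbird mail\mail\inbox
"""


def is_mbox_folder(path):
    """Assumed heuristic: the file sits under a directory whose name mentions
    Thunderbird and has no extension (mbox folder files have none, while the
    index files end in .msf)."""
    p = PureWindowsPath(path)
    in_mail_store = any("thunderbird" in part.lower() for part in p.parts[:-1])
    return in_mail_store and p.suffix == ""


def folders_needing_repair(history):
    """Map each affected mbox file to the (time, threat) pairs quarantined from it."""
    lines = history.splitlines()
    # Skip any preamble such as "Category: Quarantine" before the CSV header.
    start = next((i for i, l in enumerate(lines) if l.startswith("Date & Time,")), None)
    if start is None:
        return {}
    hits = defaultdict(list)
    for row in csv.DictReader(lines[start:]):
        path = (row.get("Path - Filename") or "").strip()
        if (row.get("Status") or "").strip() != "Quarantined" or not is_mbox_folder(path):
            continue
        threat = row["Activity"].split(" detected by ")[0]
        hits[path.lower()].append((row["Date & Time"], threat))
    return dict(hits)


if __name__ == "__main__":
    for folder, events in folders_needing_repair(HISTORY).items():
        print(f"{folder}: {len(events)} quarantine action(s); exclude from scans and repair the folder")
        for when, threat in events:
            print(f"  {when}  {threat}")
```

Several detections against the same folder file at the same timestamp, as in this excerpt, are the multiple-action case discussed in the thread.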
