Thunderbird Inbox file scrambled

Norton Anti-Virus 2011 (Version 18.5.0.125), in trying to remove an invoice_copy.exe virus that was downloaded, scrambled a couple dozen e-mails in my Thunderbird (Version 3.1.9) in-box while I was away from the computer.

 

Thunderbird may likely have been in the process of moving the virus-infested e-mail from the Inbox folder to the Junk folder, because the same virus was found in both Inbox and Junk. NAV seems to have deleted the messages or scrambled them in such a way that they didn't even show up in the message list, so I can't prove that they were the same message. However, NAV reports the same virus being found at the same time in both folders. And I have Thunderbird configured to filter some messages to Junk. (Don't know what tripped the trigger, however, as the message is gone, but each virus has been quarantined. Not a helpful default setting, to my mind.)

 

NAV Activity report (which I can't seem to simply copy and paste):

 

invoice_copy.exe

[Contained in] invoice_copy_in32948.zip

[Contained in] unknown01f28e0d.data

[Contained in] (path to file)\inbox

Deleted

 

invoice_copy.exe

[Contained in] invoice_copy_in32948.zip

[Contained in] unknown000f1d07.data

[Contained in] (path to file)\junk

Deleted

 

 

Relevant Thunderbird settings:

Tools, Options, Security icon, Anti-Virus tab, "Allow anti-virus clients to quarantine individual incoming messages" is checked.

 

Relevant NAV 2011 settings:

Settings, Real Time Protection section:

    SONAR Protection: On

    SONAR Advanced Mode: Automatic

    Remove Risks Automatically: Off

    Remove Risks if I Am Away: On

    Show SONAR Block Notifications: Show all

 

 

I have now turned off "Remove Risks if I Am Away," hoping that I will be prompted to deal with a suspect file when I return. If I'm not, I trust NAV will still check every file I save to the hard drive and every file I execute.

 

Hugh Wyn Griffith asked me to post my experience here. Let me know if there's any further information you need, and I'll see what I can do. A bit more discussion here, but I think this is the best distillation of that discussion.

 

-- Timothy J. McGowan

 

Hi TimothyJMcGowan,

 

Yeah, about Thunderbird and Antivirus....

 

Thunderbird does store all messages in each folder as one single file.  So if a message in your Inbox is found to contain a virus, Norton will quarantine the whole Inbox.  That seems not to have happened in your case, but obviously there was still some sort of problem.  The reason the infected message was found in both the Inbox as well as the Junk folder is that when a message is deleted or moved from one folder to another it does not actually go anywhere.  Instead, what happens is that a copy is created, in this case, in the Junk folder, and the original remains in the Inbox but is now hidden.  So now the message actually exists in both places.  Deleting a message only hides it.  In order to physically remove messages, you need to compact the folders.  You should be compacting your folders regularly, which will eliminate a lot of other problems, as well.

 

To lessen the chances of your Inbox ending up in quarantine you should add it to the two Scan Exclusion lists in Norton:  Items to Exclude from Scans, and Items to Exclude from Auto-Protect and SONAR Detection.  Since opening an attachment takes the file out of the Inbox, any malicious content will be detected by Auto-Protect when you open it, and you will still be protected from email-borne threats.  To exclude the Inbox from scans click Configure [+] in the Norton Exclusion settings, click Add in the Exclusions box and navigate (in XP) to:

 

C:\Documents and Settings\<your username>\Application Data\Thunderbird\Profiles\<your profile>\Mail\Local Folders\Inbox

 

The "Allow anti-virus clients to quarantine individual incoming messages" setting enables Thunderbird to store new incoming messages as temporary individual files before moving them to the Inbox.  This allows Norton's Incoming Email Scan to quarantine an infected message before it becomes part of the larger Inbox file.  The decision to scan incoming messages is a matter of personal preference - from a security standpoint, Incoming Email Scanning is not essential, since Auto-Protect will detect any malicious file on access anyway, as explained above.  Mozilla offers a good discussion of the Pros and Cons here:

 

http://kb.mozillazine.org/Email_scanning_-_pros_and_cons

 

And for a really thorough discussion of Thunderbird and Antivirus see the following Mozilla article:

 

http://kb.mozillazine.org/Thunderbird_:_FAQs_:_Anti-virus_Software

 

So what scrambled your messages?  It's hard to know, but maybe from what I've said you can trace down whether it was a problem with the Incoming Email Scan or a virus scan of your mail folders that might have corrupted something.
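An added illustration of the storage behaviour described in the post above (not part of the original thread, and not Norton or Mozilla code): a folder is one mbox file, a moved or deleted message stays in it with the expunged bit (0x0008) set in its `X-Mozilla-Status` header, and only compacting physically drops it. The sample folder file and the function names are constructed for this example.

```python
import mailbox, os, tempfile

EXPUNGED = 0x0008  # X-Mozilla-Status bit set when a message is deleted or moved

# Constructed sample folder file. Message 1 was moved out of the folder
# (0009 = read + expunged) yet is still physically in the file.
SAMPLE = b"""From - Mon Apr 04 10:00:00 2011
X-Mozilla-Status: 0009
Subject: Invoice copy
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: application/zip
Content-Disposition: attachment; filename="invoice_copy_in32948.zip"

(placeholder text, not a real archive)
--b1--

From - Mon Apr 04 10:05:00 2011
X-Mozilla-Status: 0001
Subject: Lunch on Friday?

Plain message body.
"""

def is_expunged(msg):
    return bool(int(msg.get("X-Mozilla-Status", "0"), 16) & EXPUNGED)

def inventory(path):
    """(subject, hidden?, attachment names) for each message physically in the file."""
    box = mailbox.mbox(path, create=False)
    rows = [(m["Subject"], is_expunged(m),
             [p.get_filename() for p in m.walk() if p.get_filename()]) for m in box]
    box.close()
    return rows

def compact(src, dst):
    """Copy only live messages to dst: the effect of compacting the folder."""
    old, new = mailbox.mbox(src, create=False), mailbox.mbox(dst)
    kept = [new.add(m) for m in old if not is_expunged(m)]
    new.close(); old.close()  # close() flushes dst to disk
    return len(kept)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as d:
        src, dst = os.path.join(d, "Inbox"), os.path.join(d, "Inbox.compacted")
        with open(src, "wb") as f:
            f.write(SAMPLE)
        print(inventory(src), compact(src, dst), inventory(dst))
```

Run against a copy of a real folder file with Thunderbird closed; the inventory shows which hidden messages a file-level scanner will still see.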

SendOfJive:

 

Many thanks for all the information!

 

I have a number of e-mail accounts, so I have multiple in-boxes and other storage folders. I was considering ignoring the entire directory tree, but that probably wouldn't be the safest approach. No sense making entire folders potential havens for malware, I suppose. And I see now that the second article to which you linked says exactly that.

 

I don't suppose there's any way that NAV and other anti-virus products could be configured to include the exclusions automatically, or at least suggest the exclusions during installation.

 

-- Tim

 

 


TimothyJMcGowan wrote:
I don't suppose there's any way that NAV and other anti-virus products could be configured to include the exclusions automatically, or at least suggest the exclusions during installation.

You know, years ago when Outlook Express was still vibrant, Norton by default used to exclude .dbx files from scans due to this same issue of file corruption and quarantined Inboxes.  I agree that there should still be documentation on the issue, as it does affect many popular email clients, not just Thunderbird.  I actually stumbled across the MozillaZine articles long before I started using Thunderbird and found them to be a real treasure of useful information no matter what email product you use.

 

Hi TimothyJMcGowan,

 

I took a peek at that other forum and saw that someone named Duane_White had posted about turning off email scanning in Norton, which results in a constant alert that it needs to be "fixed."  He will be happy to learn that there is a way to turn off this "at risk" warning while leaving email scanning disabled.  Please inform him that, depending on the Norton program he is using, he should be able to hover his mouse either over the words "Email Protection," or over a small circle containing the letter "i" next to that text on the main Norton window.  Doing so will bring forth a pop-up with an option to "Ignore" the status of the setting.  In other words, Norton will no longer monitor the setting and will no longer alert you that the email scan is disabled or needs fixing.  The "ignore" option only stops the status alerts - it does not change the underlying email scanning on-off option that the user has selected.  A small circle with a diagonal line will appear over the toggle switch to indicate the status is being ignored.  Hovering the mouse again will present the option to once again "Monitor" the setting.

SendOfJive: Thank you very much for the follow-up information on the Ignore feature. I’ll direct Duane_White here so he can get it straight from the horse’s mouth. (That metaphor is totally inoffensive where I’m from, by the way!)

Duane White is one of the really good knowledgeable guys over on Compuserve's Forums and has come back to using Norton again after the performance improvements since 2010. He has posted here.

 

I told Timothy we had some real experts here!

>> I told Timothy we had some real experts here! <<

Never doubted it for an instant, Hugh!

 

This is a bit different from the CompuServe forums. I see I should accept an answer, which I'll do next. What are the other buttons for? (Or where did I skim too quickly when Reading The Fine Manual?)

 

-- Tim

 

SendOfJive, Thank you very much for posting the info on how to set NIS to ignore the fact Email scanning has been turned off. I have been looking for it since coming back to the Norton product in 2009 as it seemed there should be a way. /…Duane (and thank you Hugh for the kind words…) BTW, I tried to post this same message twice with IE9 but it seems the forum software doesn’t like it.

Hi Tim and Duane,

 

You are very welcome.  Glad I was able to help.  Hope you will drop in again sometime.


TimothyJMcGowan wrote:

>> I told Timothy we had some real experts here! <<

Never doubted it for an instant, Hugh!

 

This is a bit different from the CompuServe forums. I see I should accept an answer, which I'll do next. What are the other buttons for? (Or where did I skim too quickly when Reading The Fine Manual?)

 

-- Tim

 


Yeah!

 

You can see what the Quote button does and it helps here because unlike Compuserve you can't address a message to a person by ID and there is no threading via message numbers either -- although there is actually the option to a threaded view in your personal setup it doesn't help others unless they are using it and most people use the default, horrible blog view!

 

Compuserve is superb in that respect although not as user friendly in viewing as the original HMI with visible threading trees.

 

If you mean like Kudos and the [ + * ] button then Kudos are a way of indicating that you appreciated a message's contents, even if it were not addressed to you -- you can click on the button on the message you appreciate and it notches up 1 in the button to the left of it and the symbol on the  [ + * ]  changes to a check mark so you know you've done it and can't do it again.

 

Although you can mark one of your own messages as Solution you can't kudos yourself!

 

The Mark as Solution button in a thread only shows on messages when read by the first poster, i.e. only he can mark a message as the solution. The idea since it shows up in searches and indeed you can search on a topic filtered to Solutions only if you use Advanced Search which you get by clicking on Search even with nothing in the search box.

 

So you and Duane (and anyone else) could give kudos to any of the messages here, and not necessarily just one, but only you Timothy can mark a message as the solution to the original question.

 

You'll recognize the editor toolbar since it's the same open source as Compuserve uses although some buttons are different.

 

Hope that helps.

 

The truth, nothing but the truth .....

 

IE9 is OK if you switch to compatibility mode but otherwise the message posts but has no text apart from the topic -- they are working on that and the messing up of the formatting in the Message Listing which sometimes happens but you can fix with F5 ....

 

Hope you'll become a regular here ....

I just spent a long time on a CHAT window with technical support because I didn't think the exception flag was an acceptable "solution".

 

It seems clear that the Thunderbird store corruption is just ONE example of how this problem can occur. Other container files may also be corrupted when the virus scanner extracts and deletes contents from the container file. In those other incidents the user isn't alerted to the problem as instantly as having 100's of recent emails becoming unreadable.

 

If NIS can navigate a container file structure well enough to identify and scan an individual single file unit within the container, it should also know HOW to remove the file without damaging the container.

 

If this cannot be done the code should WARN the user of the virus presence without removing. A virus removal tool that damages a user's files is second only to the virus itself in causing pain and grief.

 

Thoughts on the provided exception flag workaround:

Yes, a user can flag the Thunderbird folder as an Exception, but then they are going day to day thinking their system has been scrubbed of viruses, but it's not true. A person could accidentally spread viruses by moving a virus-infected file from one computer to the next simply because this "solution" relies on disabling virus scanning on the source email store.

 

On behalf of all Thunderbird users I submit this is NOT A SOLUTION. This is a work-around. And I request that any NORTON employee reading this forum raise this issue as a bug.

You raise a good point especially with regard to "containers" in general.

 

I'm trying to see if I can get some comments from Norton programmers on this.

huwyngr

 

Thanks.

 

I have been contacted and have now forwarded a set of emails in which I can recreate the problem.

 

The exercise was interesting: I recreate the problem only on my Windows 7 64-bit machine, not on Windows XP. (I've been thinking it was NIS2010/2011 since the problem only recently started. But it was likely my switch to Windows 7 64-bit that was crucial to recreating the issue.)

One minor data point: I'm also using 64-bit Windows 7, the Home Premium edition. (Service Pack 1 not yet applied, but all other available updates applied.)

 

However, I can offer no means of re-creating the issue.

 

-- Tim

Timothy J. McGowan

 

I am using the same version of Norton 18 5 0 125 and after a full scan it has cleaned a few inboxes under Thunderbird (I use at least a dozen accounts in Thunderbird, hence a lot of inboxes). My OS is Windows 7 32 bit.

 

Please describe how I can unquarantine the inboxes. I have emails from over 12 years in them and just cannot afford to lose them at all.

 

Many thanks in anticipation!

Hi Kaushik,

 

I assume you know where to find Norton's quarantine.  Specific instructions for restoring your Inboxes from quarantine are given here:

 

http://kb.mozillazine.org/Thunderbird_:_FAQs_:_Anti-virus_Software#Recovering_a_quarantined_Inbox

 

Hiya - thanks

I did take a look, however step 4 has this:

Take the Inbox (or other affected mail file) out of quarantine

 

I cannot un-quarantine the inbox at all 

 

Through the NIS interface and history option I can see the mailbox, however when I say "restore" it only restores the rogue file, not the entire inbox file, if that makes sense?

 

Cheers

Please see my reply in your other thread, here:

 

http://community.norton.com/t5/Norton-Internet-Security-Norton/Thunderbird-and-NIS11/m-p/447432/message-uid/447432/highlight/true#U447432