MozillaZine

Email scanning - pros and cons

From MozillaZine Knowledge Base

This article is a work in progress and still under discussion.

Use the information in this article in deciding whether you wish to disable e-mail scanning and/or autoprotect monitoring of your mailbox files by your antivirus software. For other, more basic information on using antivirus software with Thunderbird or Mozilla Suite, see Antivirus software.

Scanning incoming e-mail

In Thunderbird and Mozilla Suite, malware attachments are dangerous not as attachments per se, but only when activated by users opening them. As long as your AV program’s autoprotect function (sometimes called “guard” or “shield”) is turned on, it should prevent any “infection” by malware your AV program knows about: i.e., it will not let you open and thereby activate any known malware program in an e-mail attachment. As Symantec thus states regarding Norton Antivirus, disabling e-mail scanning "does not leave you unprotected against viruses that are distributed as email attachments" as long as autoprotect is enabled. [1] If you wish to test your own AV software's autoprotect feature, you can download this harmless test file.

Summary of cons: reasons for not scanning e-mail

Since your AV program's autoprotect feature should protect your computer from infection, as noted above, you may thus wish to disable scanning of incoming (and perhaps outgoing) mail. Key reasons:

  • If you turn off e-mail scanning and properly set your AV program to exclude your Inbox file from autoprotect and system scans (see below), this should drastically reduce the chance of your AV program deleting or quarantining your Inbox, while still leaving your computer protected.
  • If your AV software should happen to lock up your Inbox file when scanning incoming mail, getting the Inbox out of quarantine may be difficult and time-consuming for some users.
  • By contrast, in Thunderbird/Mozilla Suite it is easy to remove infected messages from your computer. All you need to do is delete the messages, empty the Trash, and compact folders. Moreover, since much infected mail may be detected by Thunderbird/Mozilla Suite as spam and automatically sent to the Junk folder, if you regularly delete junk, empty the Trash and compact folders, these infected messages will be removed from your system without you even needing to be aware that they were infected.
  • In addition, if you do get a non-spam e-mail with a malicious attachment, there is a chance that this e-mail will contain an important message from a known sender. It is senseless to let your AV program destroy an important e-mail just because it has an infected attachment.
  • "Surgical" operations in an e-mail program's data files by another program include the risk of corrupting those files. Turning off e-mail scanning should reduce the risk of such corruption.
  • Scanning all e-mails consumes system resources and may cause noticeable slowdown on your computer.

Summary of pros: reasons for scanning e-mail

Even though your AV program's autoprotect feature should protect your computer from being infected, you may still wish to let your AV program scan incoming mail. Key reasons:

  • If your AV software's e-mail scanning can reliably keep infected messages from reaching your Inbox, then your Inbox file will not become "infected" in the first place and your AV software will thus have no reason to take action against the whole Inbox file.
  • Even though malicious attachments are ordinarily not dangerous unless opened and your AV software's autoprotect should prevent you from activating them, some people nevertheless prefer to not have dormant virus code in their Inbox or other mailbox files (Junk, Trash, etc.).
  • Any time a message is moved or deleted from the Inbox, it actually remains in the Inbox file until you compact folders (see below). Unless you compact folders frequently and consistently, your AV software could still quarantine your Inbox during a system scan if it finds an infected message there. Disabling e-mail scanning will actually increase the chance of this happening unless you properly configure your AV program to exclude your Inbox from system scans (see below).
  • For users with enough computer skills, getting the Inbox back from quarantine may be easy and will usually succeed.
  • Even if it doesn't succeed, users who back up their mail every day and/or move everything out of the Inbox never risk losing more than today’s mail. Users who set up Thunderbird/Mozilla Suite to leave messages on the server for a few days will also be able to recover those messages if needed.
  • The overall effect on system resources by your AV software may be negligible on your computer.

Excluding your Inbox from autoprotect and system scans

To reduce the likelihood of your Inbox being quarantined or corrupted by your AV program, you may wish to configure your AV program to exclude the Inbox from autoprotect and system scans. Important information in this regard:

  • Some AV programs are configured by default to not let their autoprotect function monitor Outlook Express’s mail files (.dbx). Symantec suggests excluding the Inbox file from being scanned in order to keep it from becoming quarantined [2]. Excluding the Inbox file from autoprotect should only prevent your AV program from taking action on the mailbox file, but it should still enable autoprotect to prevent any virus from being activated if you try to open an infected attachment. (The reason for this is that the attachment is stored together with the message in the mailbox file, and it has to come "out" of the mailbox file to be activated.)
  • In Thunderbird (and Mozilla Suite), a message that is moved or deleted from the Inbox actually remains in the "Inbox" file on your computer until you compact folders; it is merely hidden from the Inbox view in Thunderbird. For instance, if you download an infected message and Thunderbird's junk-mail filtering automatically moves it to the Junk folder, you now have two copies of that message in your mailbox files: one in the Junk file, and one in the Inbox file. Even if you delete the infected message and empty the Trash, it remains in your Inbox until you compact folders. This is important because your AV program, such as during a system scan, could detect a virus in one of these mailbox files and quarantine the file—even though the corresponding mail folder in Thunderbird "looks" like it is empty of suspicious e-mails. To avoid this you may want to configure your AV program to skip your Inbox and other mailbox files during system scans.
  • Since Thunderbird's (and Mozilla Suite's) mailbox files are not named with a file extension like ".dbx" and thus cannot be excluded all at once based on a shared extension, they need to be excluded individually. Thus, for the Inbox you need to exclude the file named "Inbox", and the same for any other mailbox files that you want to exclude ("Sent", "Templates", etc.). It is strongly recommended that you do not exclude your entire profile folder from autoprotect: doing so would likely allow a virus inadvertently saved there to be activated, unchecked by your AV software. Consult your AV program's documentation for how to set file exclusions.
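
To see the point above about moved or deleted messages staying in the "Inbox" file until you compact folders, the following added example (not part of the original article) lists messages that are still physically present in a mailbox file but marked as removed, along with their attachment names. It relies on Thunderbird's X-Mozilla-Status header and its 0x0008 "expunged" bit, which the article does not mention; the sample mailbox is constructed for the demonstration.

```python
import mailbox
import os
import tempfile

EXPUNGED = 0x0008  # X-Mozilla-Status bit set on messages deleted or moved out of the folder

# Constructed sample: one visible message, one deleted message not yet compacted away.
SAMPLE = (
    "From - Mon Jan 01 10:00:00 2024\n"
    "X-Mozilla-Status: 0001\nSubject: Meeting notes\n\nKept message.\n\n"
    "From - Mon Jan 01 10:05:00 2024\n"
    "X-Mozilla-Status: 0009\nSubject: Invoice\nMIME-Version: 1.0\n"
    'Content-Type: multipart/mixed; boundary="b"\n\n'
    "--b\nContent-Type: text/plain\n\nSee attachment.\n"
    '--b\nContent-Disposition: attachment; filename="invoice.exe"\n\n'
    "placeholder bytes\n--b--\n"
)

def leftover_messages(path):
    """Return (subject, attachment names) for messages hidden in the UI but still in the file."""
    found = []
    box = mailbox.mbox(path, create=False)
    try:
        for msg in box:
            try:
                status = int(msg.get("X-Mozilla-Status", "0"), 16)
            except ValueError:
                continue  # damaged status header: skip rather than guess
            if status & EXPUNGED:
                names = [p.get_filename() for p in msg.walk() if p.get_filename()]
                found.append((msg.get("Subject", ""), names))
    finally:
        box.close()
    return found

def demo():
    """Write the constructed sample to a temporary 'Inbox' file and inspect it."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "Inbox")
        with open(path, "w", newline="\n") as f:
            f.write(SAMPLE)
        return leftover_messages(path)

if __name__ == "__main__":
    for subject, names in demo():
        print(f"still in file until compacted: {subject!r} attachments={names}")
```

A non-empty result for a real mailbox file means an AV system scan can still find those messages there, so compact the folder or exclude the file as described above.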