Antivirus software: Difference between revisions

From MozillaZine Knowledge Base
m (→‎Compatible antivirus programs: updating Avast working with latest version.)
(Trimmed compatible/incompatible list as proposed in talk page, some rewording in other sections)
Line 15: Line 15:
==Keeping your antivirus software from deleting your Inbox==
==Keeping your antivirus software from deleting your Inbox==


Thunderbird stores all the different messages that you see in your Inbox folder in a single file called "Inbox" in your [[profile folder]]. Each of your other mail folders likewise consists of a single, correspondingly named file (Sent, Drafts, Trash, etc.). Some antivirus software unfortunately isn't familiar with Thunderbird, so when it detects a virus in your Inbox, it takes action on the whole file (your entire Inbox) instead of taking action on just one e-mail. For instance, if your antivirus software is set to automatically delete infected messages, it might delete your entire Inbox! This problem is due to a design flaw in certain AV programs, not in Thunderbird, and it is known to occur [http://www.microsoft.com/windows/IE/community/columns/filecorruption.mspx#EEAA with Outlook Express] and other e-mail programs too. Fortunately, there are measures you can take to keep it from happening.
Thunderbird stores all of the messages that you see in your Inbox folder in a single file called "Inbox." in your [[profile folder]]. All of the other mail folders also use a single, correspondingly named file ("Sent.", "Drafts.", "Trash.", etc.). Some antivirus software assumes each message is stored as a seperate file so when it detects a virus in your Inbox it deletes the whole file (your entire Inbox folder) rather than deleting that message. This problem is due to a design flaw in certain AV programs, not in Thunderbird, and it is known to occur [http://www.microsoft.com/windows/IE/community/columns/filecorruption.mspx#EEAA with Outlook Express] , Eudora and other email clients. Fortunately, there are measures you can take to keep it from happening.


===Antivirus program settings===
===Antivirus program settings===
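Review bot: in the rewritten storage paragraph the file names now carry a period inside the quotation marks ("Inbox.", "Sent.", "Drafts.", "Trash."), where the previous revision had "Inbox" and Sent, Drafts, Trash. A reader setting up a scan exclusion will take the dot as part of the file name, so drop the period or move it outside the quotes. The same line introduces "seperate" for "separate" and a stray space before the comma after the Outlook Express link. It also drops the earlier example that an AV program set to delete infected messages automatically might delete the entire Inbox, which stated the risk most directly and is worth keeping.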
Line 28: Line 28:
===Thunderbird settings and use===
===Thunderbird settings and use===
To minimize the chance of your Inbox being quarantined or deleted:
To minimize the chance of your Inbox being quarantined or deleted:
* [[Compacting folders | Compact folders]] regularly. Otherwise, your antivirus software might detect infected messages that you've deleted but which have not actually been erased from your mail files. (Deleting messages and emptying the Trash still leaves those message in your Inbox; they are only hidden from the Inbox view and remain that way until you compact folders).
* [[Compacting folders | Compact folders]] regularly. Otherwise your antivirus software might detect infected messages that you've deleted. Deleted messages are just marked deleted and hidden from view but aren't physically deleted until the folder is compacted.
* Try setting Thunderbird (version 1.5 or later) to [[Download each e-mail to a separate file before adding to Inbox | download each individual message to a separate file]] before adding it to your Inbox. This should make it easier for some antivirus software to quarantine individual messages instead of taking action on the whole Inbox file.
* Try setting Thunderbird (version 1.5 or later) to [[Download each e-mail to a separate file before adding to Inbox | download each individual message to a separate file]] before adding it to your Inbox. This should make it easier for some antivirus software to quarantine individual messages instead of taking action on the whole Inbox file.


To minimize the loss of mail if your Inbox ever does become quarantined or deleted:
To minimize the loss of mail if your Inbox ever does become quarantined or deleted:
* Keep your Inbox relatively empty by storing most old messages in other folders. That way, if your antivirus software deletes/damages your Inbox, fewer e-mails will be affected.
* Keep your Inbox relatively empty by storing most old messages in other folders. That way, if your antivirus software deletes/damages your Inbox, fewer e-mails will be affected.
* If you use POP3, configure Thunderbird to leave mail on the server for a short period (e.g., 3 days), rather than deleting them immediately when downloaded. That way, if your antivirus software damages your Inbox, you can download those messages again. (Note: Leaving messages on the server might cause the same messages to be [[Duplicate messages received | downloaded again and again]]; test this setting before accepting it permanently.) To leave messages on the server for a specified number of days:
* If you use a POP account configure Thunderbird to leave mail on the server for a short period (e.g., 3 days), rather than deleting them immediately when downloaded. That way, if your antivirus software damages your Inbox you can download those messages again. To leave messages on the server for a specified number of days:
**''in Thunderbird'': go to "Tools -> Account Settings -> [account name] Server Settings", check the box for "Leave messages on server" and set the number of days.
**''in Thunderbird'': go to "Tools -> Account Settings -> [account name] Server Settings", check the box for "Leave messages on server" and set the number of days.
** ''in Mozilla Suite'': go to "Edit [in Mozilla Mail] -> Preferences -> Mail & Newsgroups Settings -> [account name] Server Settings", check the box for "Leave messages on server" and set the number of days.
** ''in Mozilla Suite'': go to "Edit [in Mozilla Mail] -> Preferences -> Mail & Newsgroups Settings -> [account name] Server Settings", check the box for "Leave messages on server" and set the number of days.
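Review bot: the rewritten POP bullet removes the note that leaving messages on the server might cause the same messages to be downloaded again and again, together with its link to "Duplicate messages received", while still recommending the setting; keep that caveat in shortened form. In the compacting bullet, the old wording also said that emptying the Trash does not erase the messages, which the new sentence no longer covers. A comma after "Otherwise" and after "If you use a POP account" would help, and "leave mail on the server ... rather than deleting them" should read "deleting it".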
Line 58: Line 58:
* Many antivirus programs have problems scanning outgoing messages, especially if you use SSL. It is recommended you only scan incoming messages. If the recipient doesn't scan their incoming messages they have bigger problems to worry about than your not scanning your outgoing mail.
* Many antivirus programs have problems scanning outgoing messages, especially if you use SSL. It is recommended you only scan incoming messages. If the recipient doesn't scan their incoming messages they have bigger problems to worry about than your not scanning your outgoing mail.
   
   
==List of compatible and incompatible antivirus programs==
==Compatible antivirus programs==
''Please include version numbers of the antivirus program and Thunderbird (or Mozilla Suite).''


===Compatible antivirus programs===
Avast, AVG, NOD32, and Kaspersky seem to be safe choices, and the retail version of Symantec a risky choice based on comments from the forums over several years. There doesn't seem to be a consensus for CA, F-Prot, McAfee, Panda etc. though typically enterprise versions of any anti-virus program seem to be more compatible than retail versions. We used to try identify what versions of anti-virus programs worked and didn't work but that information was typically several years out of date so its been deleted.  
These programs cause no problems when used with Thunderbird. Note that this list is incomplete.


* Alwil Avast! with Thunderbird 0.9, 1.0 - 1.5.0.9 - version 2.0.0.16 (20080708)
The free version of Avast seems to meet most users needs.
* eset NOD32 version 2.12.3
* Computer Associates eTrust EZ Antivirus version 6.2.0.28 with Thunderbird 0.9
**eTrust v6.4 may prevent Thunderbird from retrieving mail from Ipswitch Imail POP servers (not all POP servers, just this particular brand) according to [http://forums.mozillazine.org/viewtopic.php?p=1209019 this post]. This is a known bug in bugzilla and generally affects Thunderbird 0.7.3 and higher.
* Grisoft AVG7 with Thunderbird 1.0, 0.9
**[http://www.grisoft.cz/us/us_ts_wizard.php Configuration instructions] (apparently not necessary; automatic install seems to work fine unless installing a new account where reinstallation may be necessary)
** [http://forums.mozillazine.org/viewtopic.php?p=1202435 This post] describes an unusual problem with certain incoming e-mails. It can be avoided by turning off AVG's certification of email scanning (email scanner, properties, configure); this does not turn off email scanning, only the announcements that emails have been scanned. Such certification is useless, and in outgoing email it is annoying, a kind of spam, and in fact dangerous (They give a false sense of security to the recipient, and not only in forwarded messages.)
* Kaspersky Lab Anti-Virus with Thunderbird versions 0.x and 1.x
* Trend Micro PC-cillin Internet Security 2005 version 12 with Thunderbird 0.9 (20041103)
* Trend Micro ServerProtect v5.x  with Mozilla v1.3 & Netscape v7.1
 
===Antivirus programs with compatibility problems===
These programs may cause e-mails to be damaged or lost; note that this list is incomplete. ''Please list workarounds if you know them.''
 
* Symantec Norton AntiVirus version 9.0.1.1000 with Thunderbird 1.0.x
** See [http://forums.mozillazine.org/viewtopic.php?p=1161143#1161143 this post], this [http://service1.symantec.com/SUPPORT/ent-security.nsf/d04e6f2f2dfad5de88256c910079502c/712247a53df336e088256a22002724ad?OpenDocument&prod=Norton%20AntiVirus&ver=2004%20for%20Windows%202000/Me/98/XP&src=sg&pcode=nav&svy=&csm=no workaround], or get more help [http://inetexplorer.mvps.org/archive/data/nav.htm here].
** [http://service1.symantec.com/SUPPORT/nav.nsf/pfdocs/2001091807593406 E-mail scanning is not compatible with accounts using SSL] (e.g., Gmail)
** Using Symantec products' incoming mail virus scanning may block Thunderbird from retrieving mail from Ipswitch Imail POP servers (not all POP servers, just this particular brand).  This is a known bug in bugzilla and affects Thunderbird 0.7.3 and higher; one post referencing it is [http://forums.mozillazine.org/viewtopic.php?p=1206995 here]
** Use the incoming mail proxy, and keep it updated.
* Panda Antivirus Internet Security with Thunderbird 0.9 may create delays (no reports of quarantining/deleting the Inbox) ''[http://forums.mozillazine.org/viewtopic.php?t=166608 report & workaround]''
* Panda Antivirus Internet Security with Thunderbird 0.9 may corrupt database (making every email dublicated up to three times and causing general disorder) ''[http://forums.mozillazine.org/viewtopic.php?p=1322793 report & workaround]''
* McAfee VirusScan with Thunderbird 1.0 and 0.9 may cause delays when reading from local folders (no knowledge of quarantining/deleting folders) ''[http://forums.mozillazine.org/viewtopic.php?p=1086943#1086943 report & workaround]''
* F-Prot Antivirus for Windows 3.16f is not compatible with Thunderbird 1.5
* Avira Antivir Guard does not scan any mbox files ([http://forum.avira.com/thread.php?threadid=16152 more information]).


==Safe test virus==
==Safe test virus==


If you are unsure whether your anti-virus program is really scanning for viruses the European Institute for Computer Anti-Virus Research (EICAR) web site  has a [http://www.eicar.org/anti_virus_test_file.htm anti-virus test file] that is supposedly supported by all leading anti-virus programs.  [http://www.webmail.us/testvirus This web site] claims it will send you that same file (the EICAR test virus ) in a email message. Obviously you need to be very carefull where you get this file to avoid getting a harmful virus in disguise. Perhaps the safest approach is to look on your vendors web site for some mention of it. For example, Avast has a [http://www.avast.com/eng/eicar_standard_antiv.html EICAR Standard Antivirus Test File Information]web page while AVG has a link to the EICAR home web page at [http://www.grisoft.com/doc/64/lng/us/tpl/tpl01 Interesting Pages].
If you are unsure whether your anti-virus program is really scanning for viruses the European Institute for Computer Anti-Virus Research (EICAR) web site  has a [http://www.eicar.org/anti_virus_test_file.htm anti-virus test file] that is supposedly supported by all leading anti-virus programs.  [http://www.webmail.us/testvirus This web site] claims it will send you that same file (the EICAR test virus ) in a email message. Obviously you need to be very carefull where you get this file to avoid getting a harmful virus in disguise. Perhaps the safest approach is to look on your vendors web site for some mention of it. For example, Avast has a [http://www.avast.com/eng/eicar_standard_antiv.html EICAR Standard Antivirus Test File Information]web page while AVG has a link to the EICAR home web page at [http://www.grisoft.com/doc/64/lng/us/tpl/tpl01 Interesting Pages].


==See also==
==See also==
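Review bot: the section heading becomes "Compatible antivirus programs", but the new paragraph under it also names the retail version of Symantec as a risky choice and lists products with no consensus, so the heading no longer matches the content; the previous "compatible and incompatible" wording fits better. The trim also removes entries that describe behaviour rather than version numbers, such as e-mail scanning not being compatible with accounts using SSL and Avira Antivir Guard not scanning mbox files, and those do not go out of date the way the version lists do. In the new text, "try identify" needs "to", "its been deleted" should be "it has been deleted", and "users needs" needs an apostrophe.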

Revision as of 07:34, 19 November 2008

This article was written for Thunderbird but also applies to Mozilla Suite/SeaMonkey.


Preventing infection

In this article, "virus" means any malware program, including worms, trojans, etc.

Despite talk of "heuristics", most AV programs do not provide protection against rapidly spreading new malware infections in the many hours before the AV companies manage to provide appropriate updates. To protect yourself against these new e-mail viruses, open e-mail attachments only if you trust the sender and if the sender announces the attachment. Additionally, be alert for messages where the sender's address is spoofed (the message appears to have come from one source but in fact was sent from somewhere else) or where the attachment is announced but in a way that sounds suspiciously generic (e.g., "Hi, here's the file you wanted"); both techniques are commonly used by the creators of malware to trick you into opening the attachment. If you have any suspicions about the origin or authenticity of a message, do not open any attached files until first checking with the sender.

Do not check (enable) "View -> Display Attachments Inline".

Unless the e-mail is job-related or otherwise important, you may also wish to consider waiting a while before opening the attachment. This gives your AV program's manufacturer a chance to release an update that may be needed to detect it. Be especially careful if the e-mail is not a new one and is being forwarded.

While opening attachments is the major risk, you might consider using "View -> Message Body As -> Plain Text" whenever you're going to read a suspicious message, for example when reading a message in your junk mail folder to confirm whether it's really spam. Viruses and scripts rely upon the email client interpreting the message. If you view it as plain text there is nothing to interpret (unless you click on a link in the message or open an attachment).

Keeping your antivirus software from deleting your Inbox

Thunderbird stores all of the messages that you see in your Inbox folder in a single file called "Inbox" in your profile folder. All of the other mail folders also use a single, correspondingly named file ("Sent", "Drafts", "Trash", etc.). Some antivirus software assumes each message is stored as a separate file, so when it detects a virus in your Inbox it deletes the whole file (your entire Inbox folder) rather than deleting that message. This problem is due to a design flaw in certain AV programs, not in Thunderbird, and it is known to occur with Outlook Express, Eudora and other email clients. Fortunately, there are measures you can take to keep it from happening.

Antivirus program settings

  • RECOMMENDED: Use an antivirus program that's compatible with Thunderbird (listed below).
  • IMPORTANT: Set your antivirus software to ask what to do or, at the least, to only quarantine infected files rather than automatically delete or "repair" them.
  • If your antivirus software includes a proxy for incoming e-mail, which scans for viruses before they reach Thunderbird, use it and keep it updated.

Advanced users might also wish to configure their AV software as follows. (For explanation of the rationale behind these measures, see Email scanning - pros and cons.)

  • Especially if you must use an incompatible antivirus program, configure it to not scan Thunderbird's "Inbox" file (located in your profile folder) for viruses. You may also want to exclude other mailbox files (such as "Sent", "Templates", etc.) from being scanned.
  • Even if your AV program is compatible with Thunderbird, consider turning off your AV program's e-mail scanning but not its autoprotect function.
  • Even if your AV program is compatible with Thunderbird, consider also configuring it to not scan the Inbox and other mailbox files during system scans and to not let autoprotect monitor these files.

Thunderbird settings and use

To minimize the chance of your Inbox being quarantined or deleted:

  • Compact folders regularly. Otherwise your antivirus software might detect infected messages that you've deleted. Deleted messages are just marked deleted and hidden from view but aren't physically deleted until the folder is compacted.
  • Try setting Thunderbird (version 1.5 or later) to download each individual message to a separate file before adding it to your Inbox. This should make it easier for some antivirus software to quarantine individual messages instead of taking action on the whole Inbox file.

To minimize the loss of mail if your Inbox ever does become quarantined or deleted:

  • Keep your Inbox relatively empty by storing most old messages in other folders. That way, if your antivirus software deletes/damages your Inbox, fewer e-mails will be affected.
  • If you use a POP account, configure Thunderbird to leave mail on the server for a short period (e.g., 3 days), rather than deleting it immediately when downloaded. That way, if your antivirus software damages your Inbox, you can download those messages again. To leave messages on the server for a specified number of days:
    • in Thunderbird: go to "Tools -> Account Settings -> [account name] Server Settings", check the box for "Leave messages on server" and set the number of days.
    • in Mozilla Suite: go to "Edit [in Mozilla Mail] -> Preferences -> Mail & Newsgroups Settings -> [account name] Server Settings", check the box for "Leave messages on server" and set the number of days.
  • Make regular backups of your Thunderbird mail and other profile data.
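The storage model described above, as an added example that is not part of the original article: a folder file is scanned message by message, showing why a file-level action discards clean mail and why a deleted but uncompacted message still triggers a detection. The marker string, the sample messages and the function names are constructed for illustration, and the meaning of bit 0x0008 in the X-Mozilla-Status header is an assumption.

```python
import mailbox
import os
import tempfile

# Constructed stand-in for an AV signature; it is not a real malware pattern.
MARKER = b"CONSTRUCTED-AV-TEST-MARKER"
# Assumption: bit 0x0008 of X-Mozilla-Status means "deleted, awaiting compaction".
EXPUNGED = 0x0008

def _msg(status, subject, body):
    return (f"From - Mon Nov 17 10:00:00 2008\nX-Mozilla-Status: {status}\n"
            f"Subject: {subject}\n\n{body}\n\n")

# Constructed sample folder file: four messages stored back to back in one file.
SAMPLE = (_msg("0001", "lunch", "See you at noon.")
          + _msg("0009", "invoice", MARKER.decode())   # deleted, not compacted
          + _msg("0001", "report", "Figures attached.")
          + _msg("0001", "photo", MARKER.decode()))    # still visible

def write_sample():
    """Write the constructed mbox to a temporary file and return its path."""
    fd, path = tempfile.mkstemp(prefix="Inbox-sample-")
    with os.fdopen(fd, "wb") as fh:
        fh.write(SAMPLE.encode("ascii"))
    return path

def scan_mbox(path):
    """Scan message by message instead of treating the file as one object."""
    findings = []
    box = mailbox.mbox(path, create=False)
    try:
        for key in box.iterkeys():
            msg = box[key]
            status = int(msg.get("X-Mozilla-Status", "0").strip(), 16)
            findings.append({
                "subject": msg["Subject"],
                "deleted": bool(status & EXPUNGED),
                "infected": MARKER in box.get_bytes(key),
            })
    finally:
        box.close()
    return findings

def summarize(findings):
    """Contrast per-message handling with removing the whole folder file."""
    hits = [f for f in findings if f["infected"]]
    return {
        "messages_in_file": len(findings),
        "infected": [f["subject"] for f in hits],
        "fixed_by_compacting": [f["subject"] for f in hits if f["deleted"]],
        "delete_then_compact": [f["subject"] for f in hits if not f["deleted"]],
        "clean_mail_lost_if_file_removed":
            sum(1 for f in findings if not f["infected"] and not f["deleted"]),
    }

if __name__ == "__main__":
    sample_path = write_sample()
    try:
        for name, value in summarize(scan_mbox(sample_path)).items():
            print(f"{name}: {value}")
    finally:
        os.remove(sample_path)
```

Run it against a copy of a folder file rather than the live profile, with Thunderbird closed.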

Other measures

  • Consider using third-party software such as Mailwasher that will remove infected messages from the server before Thunderbird downloads them.
  • Use an e-mail provider (usually, your ISP [Internet Service Provider] or hosting company) that scans incoming e-mail for viruses.

Recovering a quarantined Inbox

  1. Switch off the "auto-protect" feature on your anti-virus software, or otherwise deactivate your anti-virus software.
  2. IMPORTANT: back up your profile folder.
  3. Take the Inbox (or other affected mail file) out of quarantine.
  4. In Thunderbird, delete the infected message.
  5. Empty the Trash for the affected account.
  6. Compact folders for the affected account.
  7. Reactivate your anti-virus software.
  8. Verify all your e-mail is present.

Other potential problems

  • If you receive blank messages, it might be a side effect of the antivirus program certifying that each message was safe. If "View -> Message Source" confirms that the messages are empty, try disabling that feature. For example, with AVG you would use E-mail Scanner -> Configure -> (Disable) Certify mail Incoming & Outgoing and then restart your system.
  • Many antivirus programs have problems scanning outgoing messages, especially if you use SSL. It is recommended you only scan incoming messages. If the recipient doesn't scan their incoming messages they have bigger problems to worry about than your not scanning your outgoing mail.

Compatible antivirus programs

Avast, AVG, NOD32, and Kaspersky seem to be safe choices, and the retail version of Symantec a risky choice, based on comments from the forums over several years. There doesn't seem to be a consensus for CA, F-Prot, McAfee, Panda, etc., though typically enterprise versions of any anti-virus program seem to be more compatible than retail versions. We used to try to identify which versions of anti-virus programs worked and didn't work, but that information was typically several years out of date, so it has been deleted.

The free version of Avast seems to meet most users' needs.

Safe test virus

If you are unsure whether your anti-virus program is really scanning for viruses, the European Institute for Computer Anti-Virus Research (EICAR) web site has an anti-virus test file that is supposedly supported by all leading anti-virus programs. This web site claims it will send you that same file (the EICAR test virus) in an email message. Obviously you need to be very careful where you get this file to avoid getting a harmful virus in disguise. Perhaps the safest approach is to look on your vendor's web site for some mention of it. For example, Avast has an EICAR Standard Antivirus Test File Information web page while AVG has a link to the EICAR home web page at Interesting Pages.

See also

External links