Antivirus software: Difference between revisions

From MozillaZine Knowledge Base
(clean up (no effect on wsm's last edit))
Line 23: Line 23:
* Many antivirus programs have problems scanning outgoing messages, especially if you use SSL. It is recommended that you only scan incoming messages. If the recipient doesn't scan their incoming messages they have bigger problems to worry about than your not scanning your outgoing mail.
* Many antivirus programs have problems scanning outgoing messages, especially if you use SSL. It is recommended that you only scan incoming messages. If the recipient doesn't scan their incoming messages they have bigger problems to worry about than your not scanning your outgoing mail.
   
   
Most email providers scan new messages and may use better software than you can buy. Advanced users that understand the risks sometimes disable email scanning by their antivirus software and rely upon the email provider to protect them. However, most users don't know how anything about what their email provider does (for example, does it scan both the message body and the attachments) so its safest to always scan the mail yourself.  
Most email providers scan new messages and may use better software than you can buy. Advanced users that understand the risks sometimes disable email scanning by their antivirus software and rely upon the email provider to protect them. However, most users don't know anything about what their email provider does (for example, does it scan both the message body and the attachments) so its safest to always scan the mail yourself.


===Thunderbird settings and use===
===Thunderbird settings and use===
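Review bot: The revised paragraph still reads "so its safest to always scan the mail yourself", which needs "it's". Since this revision is already correcting that sentence ("know how anything" becomes "know anything"), fix the apostrophe in the same edit. The trailing whitespace on the old line is removed here as well, which the summary "clean up" could mention.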

Revision as of 01:11, 20 May 2010

This article was written for Thunderbird but also applies to Mozilla Suite/SeaMonkey.

Much of this information has not been updated in 2 years. Word to the wise - be conservative and cautious. And make sure you have backups of your profiles.

Preventing infection

In this article, "virus" means any malware program, including worms, trojans, etc.

Despite talk of "heuristics", most antivirus programs do not provide protection against rapidly spreading new malware infections before the antivirus companies manage to provide appropriate updates. To protect yourself against new e-mail viruses, open e-mail attachments only if you trust the sender and if the sender announces the attachment. Be alert for messages where the sender's address is spoofed (the message appears to have come from one source but in fact was sent from somewhere else) or where the attachment is announced in a way that sounds suspiciously generic (e.g., "Hi, here's the file you wanted"); both techniques are commonly used by the creators of malware to trick you into opening the attachment. If you have any suspicions about the origin or authenticity of a message, do not open any attached files until you have checked with the sender.

Do not check (enable) "View -> Display Attachments Inline".

Unless the e-mail is job-related or otherwise important, consider waiting a while before opening the attachment. This gives your antivirus program's manufacturer a chance to provide a necessary update. Be especially careful if the e-mail is not a new one and is being forwarded.

Opening attachments is the major risk, but consider using "View -> Message Body As -> Plain Text" to view a message as plain text whenever you're going to read a suspicious message, for example when reading a message in your junk mail folder to confirm whether it's really spam. Viruses and scripts rely upon the email client interpreting the message. If you view it as plain text there is nothing to interpret (unless you click on a link in the message or open an attachment).

Keeping your antivirus software from deleting your Inbox

Thunderbird stores all of the messages that you see in your Inbox folder in a single file called "Inbox." in your profile folder. All of the other mail folders also use a single file named after the folder ("Sent.", "Drafts.", "Trash.", etc.). Some antivirus software assumes each message is stored as a separate file so when it detects a virus in your Inbox it deletes the whole file (your entire Inbox folder) rather than deleting that message. This problem is due to a design flaw in certain antivirus programs, not in Thunderbird. It is known to occur with Outlook Express, Eudora and other email clients. Fortunately, there are measures you can take to keep it from happening.

Antivirus program settings

  • Use an antivirus program that's compatible with Thunderbird (listed below).
  • Set your antivirus software to ask what to do or to at least only quarantine infected files rather than to automatically delete or "repair" them.
  • Many antivirus programs have problems scanning outgoing messages, especially if you use SSL. It is recommended that you only scan incoming messages. If the recipient doesn't scan their incoming messages they have bigger problems to worry about than your not scanning your outgoing mail.

Most email providers scan new messages and may use better software than you can buy. Advanced users that understand the risks sometimes disable email scanning by their antivirus software and rely upon the email provider to protect them. However, most users don't know anything about what their email provider does (for example, does it scan both the message body and the attachments), so it's safest to always scan the mail yourself.

Thunderbird settings and use

To minimize the chance of your Inbox being quarantined or deleted:

  • Compact folders regularly. Otherwise your antivirus software might detect infected messages that you've deleted. Deleted messages are just marked deleted and hidden from view but aren't physically deleted until the folder is compacted.
  • If your anti-virus program can't quarantine individual messages, set Thunderbird to download each individual message to a separate file before adding it to your Inbox. Don't do this unless absolutely necessary, as it slows performance and has been known to create bugs as a side effect.
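
The single-file storage and the effect of not compacting, described above, can be checked per message instead of per file. The following is an added example, not part of the original article or of Thunderbird: it walks an mbox file with Python's standard `mailbox` module and reports which messages contain a byte pattern and whether each is only marked deleted. `MARKER` is a constructed stand-in for a scanner signature, the sample messages are constructed, and the check assumes the `X-Mozilla-Status` bit 0x0008 marks a message that is deleted but not yet compacted.

```python
import base64
import mailbox
import os
import tempfile

EXPUNGED = 0x0008  # X-Mozilla-Status bit: deleted in the UI, not yet compacted
MARKER = b"CONSTRUCTED-TEST-SIGNATURE"  # constructed stand-in, not a real signature


def build_sample_mbox(path):
    """Write a constructed three-message mbox, the layout of an "Inbox" file."""
    def msg(n, status, payload):
        return (f"From - Fri Jan 01 00:00:0{n} 2010\n"
                f"X-Mozilla-Status: {status:04x}\n"
                f"Subject: message {n}\n"
                "Content-Transfer-Encoding: base64\n\n"
                f"{base64.b64encode(payload).decode()}\n\n")
    with open(path, "w", newline="\n") as f:
        f.write(msg(1, 0x0001, b"ordinary text"))
        f.write(msg(2, 0x0009, b"xx" + MARKER))  # deleted, still on disk
        f.write(msg(3, 0x0001, b"yy" + MARKER))  # live message


def scan_mbox(path):
    """Return (position, subject, awaiting_compaction) per message holding MARKER."""
    hits = []
    box = mailbox.mbox(path, create=False)
    try:
        for position, message in enumerate(box, start=1):
            flags = int(message.get("X-Mozilla-Status", "0"), 16)
            for part in message.walk():
                # decode=True undoes base64, so encoded attachments are checked too
                if MARKER in (part.get_payload(decode=True) or b""):
                    hits.append((position, message["Subject"],
                                 bool(flags & EXPUNGED)))
                    break
    finally:
        box.close()
    return hits


def demo():
    """Build the sample file in a temporary folder and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "Inbox")
        build_sample_mbox(path)
        return scan_mbox(path)


if __name__ == "__main__":
    for position, subject, pending in demo():
        print(position, subject, "deleted, awaiting compaction" if pending else "live")
```

Run it against a copy of a mail file, never the live one, and with Thunderbird closed.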

To minimize the loss of mail if your Inbox ever does become quarantined or deleted:

  • Keep your Inbox relatively empty by storing most old messages in other folders. That way, if your antivirus software deletes/damages your Inbox, fewer e-mails will be affected.
  • If you use a POP account, configure Thunderbird to leave mail on the server for a short period (e.g., 3 days), rather than deleting it immediately when downloaded. That way, if your antivirus software damages your Inbox, you can download those messages again. To leave messages on the server for a specified number of days:
    • in Thunderbird: go to "Tools -> Account Settings -> [account name] Server Settings", check the box for "Leave messages on server" and set the number of days.
    • in Mozilla Suite: go to "Edit [in Mozilla Mail] -> Preferences -> Mail & Newsgroups Settings -> [account name] Server Settings", check the box for "Leave messages on server" and set the number of days.
  • Make regular backups of your Thunderbird mail and other profile data.

Recovering a quarantined Inbox

  1. Switch off the "auto-protect" feature on your anti-virus software, or otherwise deactivate your anti-virus software.
  2. Back up your profile folder.
  3. Take the Inbox (or other affected mail file) out of quarantine.
  4. In Thunderbird, delete the infected message.
  5. Empty the Trash for the affected account.
  6. Compact folders for the affected account.
  7. Reactivate your anti-virus software.
  8. Verify that all your e-mail is present.

Other potential problems

  • If you receive blank messages, it might be a side effect of the antivirus program certifying that each message was safe. If "View -> Message Source" confirms that the messages are empty, try disabling that feature. For example, with AVG you would use E-mail Scanner -> Configure -> (Disable) Certify mail Incoming & Outgoing and then restart your system.

Compatible antivirus programs

Avast, AVG, NOD32, and Kaspersky seem to be safe choices, and the retail version of Symantec a risky choice, based on comments from the forums over several years. There doesn't seem to be a consensus for CA, F-Prot, McAfee, Panda, etc., though typically enterprise versions of any anti-virus program seem to be more compatible than retail versions. We used to try to identify what versions of anti-virus programs worked and didn't work, but that information was typically several years out of date so it's been deleted. What version of Thunderbird you use doesn't seem to affect what antivirus programs are safe choices.

The free version of Avast seems to meet most users' needs.

Safe test virus

Many anti-virus programs (those that are EICAR compliant) can be tested to ensure some minimal level of functionality by using the European Institute for Computer Anti-Virus Research (EICAR)'s anti-virus test file.

See also

External links

  • Security forums: