Antivirus software: Difference between revisions

From MozillaZine Knowledge Base
(External links - added one link, grouped security forum links together)
m (problems due to a sandbox)
(40 intermediate revisions by 4 users not shown)
Line 1: Line 1:
:''This article was written for Thunderbird but also applies to [[Mozilla Suite|Mozilla Suite/SeaMonkey]].''
:''This article was written for Thunderbird but also applies to [[Mozilla Suite|Mozilla Suite/SeaMonkey]].''


'''Manufacturers of antivirus programs often change their behavior without prior warning or sufficient testing on non-Microsoft products. Word to the wise - be conservative and cautious. And make sure you have backups of your profiles.'''


==Preventing infection==
==Preventing infection==
:''In this article, "virus" means any malware program, including worms, trojans, etc.''
:''In this article, "virus" means any malware program, including worms, trojans, etc.''


Despite talk of [http://www.vmyths.com/rant.cfm?id=242&page=4 "heuristics"], [http://vmyths.com/rant.cfm?id=605&page=4 most] AV programs do not provide protection against rapidly spreading new malware infections in the many hours before the AV companies manage to provide appropriate updates. To protect yourself against these new e-mail viruses, open e-mail attachments '''only''' if you trust the sender '''and''' if the sender announces the attachment. Additionally, be alert for messages where the sender's address is spoofed (the message appears to have come from one source but in fact was sent from somewhere else) or where the attachment is announced but in a way that sounds suspiciously generic (e.g., "Hi, here's the file you wanted"); both techniques are commonly used by the creators of malware to trick you into opening the attachment. If you have any suspicions about the origin or authenticity of a message, do not open any attached files until first checking with the sender.  
Despite talk of [http://www.vmyths.com/rant.cfm?id=242&page=4 "heuristics"], [http://vmyths.com/rant.cfm?id=605&page=4 most] antivirus programs do not provide protection against rapidly spreading new malware infections before the antivirus companies manage to provide appropriate updates. '''To protect yourself against new e-mail viruses, open e-mail attachments only if you trust the sender and if the sender announces the attachment'''. Be alert for messages where the sender's address is spoofed (the message appears to have come from one source but in fact was sent from somewhere else) or where the attachment is announced in a way that sounds suspiciously generic (e.g., "Hi, here's the file you wanted"); both techniques are commonly used by the creators of malware to trick you into opening the attachment. If you have any suspicions about the origin or authenticity of a message, do not open any attached files until you have checked with the sender.  


Do not check (enable) "View -> Display Attachments Inline".  
'''Do not check (enable) "View -> Display Attachments Inline"'''.  


Unless the e-mail is job-related or otherwise important, you may also wish to consider waiting a while before opening the attachment. This gives your AV program's manufacturer a chance to provide a perhaps necessary new update. Be especially careful if the e-mail is not a new one and is being forwarded.
Unless the e-mail is job-related or otherwise important, consider waiting a while before opening the attachment. This gives your antivirus program's manufacturer a chance to provide a necessary update. Be especially careful if the e-mail is not a new one and is being forwarded.


While opening attachments is the major risk, you might consider using "View -> Message Body As -> Plain Text" to view a message as plain text whenever you're going to read a suspicious message. For example, reading a message in your junk mail folder to confirm whether its really spam. Viruses and scripts rely upon the email client interpreting the message. If you view it as plain text there is nothing to interpret (unless you click on a link in the message or open an attachment)
Opening attachments is the major risk, but consider using "View -> Message Body As -> Plain Text" to view a message as plain text whenever you're going to read a suspicious message. For example, reading a message in your junk mail folder to confirm whether it's really spam. Viruses and scripts rely upon the email client interpreting the message. If you view it as plain text, there is nothing to interpret (unless you click on a link in the message or open an attachment)


==Keeping your antivirus software from deleting your Inbox==
==Keeping your antivirus software from deleting your Inbox==


Thunderbird stores all of the messages that you see in your Inbox folder in a single file called "Inbox." in your [[profile folder]]. All of the other mail folders also use a single, correspondingly named file ("Sent.", "Drafts.", "Trash.", etc.). Some antivirus software assumes each message is stored as a seperate file so when it detects a virus in your Inbox it deletes the whole file (your entire Inbox folder) rather than deleting that message. This problem is due to a design flaw in certain AV programs, not in Thunderbird, and it is known to occur [http://www.microsoft.com/windows/IE/community/columns/filecorruption.mspx#EEAA with Outlook Express] , Eudora and other email clients. Fortunately, there are measures you can take to keep it from happening.
Thunderbird stores all of the messages that you see in your Inbox folder in a single file called "Inbox" in your [[profile folder]]. All of the other mail folders also use a single file named after the folder ("Sent.", "Drafts.", "Trash.", etc.). Some antivirus software assumes each message is stored as a separate file so when it detects a virus in your Inbox it deletes the whole file (your entire Inbox folder) rather than deleting that message. This problem is due to a design flaw in certain antivirus programs, not in Thunderbird. It is known to occur [http://www.microsoft.com/windows/IE/community/columns/filecorruption.mspx#EEAA with Outlook Express] , Eudora and other email clients. Fortunately, there are measures you can take to keep it from happening.


===Antivirus program settings===
===Antivirus program settings===
* RECOMMENDED: Use an antivirus program that's compatible with Thunderbird (listed below).
* Use an antivirus program that's compatible with Thunderbird (listed below).
* IMPORTANT: Set your antivirus software to '''ask''' what to do or to at least only '''quarantine''' infected files rather than to automatically delete or "repair" them.
* Set your antivirus software to '''ask''' what to do or to at least only '''quarantine''' infected files rather than to automatically delete or "repair" them.
* If your antivirus software includes a proxy for incoming e-mail, which scans for viruses before they reach Thunderbird, use it and keep it updated.
* Many experts recommend turning off email scanning in antivirus software since it provides no added protection and corrupts and destructs email folders much more often than viruses and other malware do. It also eats up CPU power, slows down sending and receiving, and causes many problems such as time-outs and changes in account settings. To be safe it's enough to make sure your antivirus software is monitoring your whole computer, in other words make sure that it provides real-time protection (also called "background guard" etc.) and that this is turned on.[http://www.microsoft.com/windows/IE/community/columns/filecorruption.mspx#EEAA][http://service1.symantec.com/support/nav.nsf/docid/2002111812533106][http://www.mcse.ms/message616024.html][http://thedailyreviewer.com/outlook/view/blank-error-message-when-sending-emails-107357585][http://forums.mozillazine.org/viewtopic.php?p=541747#p541747]
Advanced users might also wish to configure their AV software as follows. (For explanation of the rationale behind these measures, see [[Email scanning - pros and cons]].)
* If you nevertheless want to let your antivirus program scan email, it is recommended to only let it scan incoming messages because many antivirus programs have problems scanning outgoing messages, especially if you use SSL. If the recipient doesn't have an up-to-date antivirus program with real-time protection, they have bigger problems to worry about than your not scanning your outgoing mail.
* Especially if you must use an incompatible antivirus program, configure it to not scan Thunderbird's "Inbox" file (located in your [[profile folder]]) for viruses. You may also want to exclude other mailbox files (such as "Sent", "Templates", etc.) from being scanned.
* Your email provider may automatically scan messages and "remove" infected ones (prevent them from reaching your mailbox) or may provide this service for a fee and may be using better software than you can buy. Advanced users that understand the risks sometimes disable email scanning by their antivirus software and rely upon the email provider to "remove" infected messages. However, most users don't know anything about what their email provider does (for example, whether it scans both the message body and the attachments) so if you want to scan incoming mail, it's safest to always scan the mail yourself.
* Even if your AV program is compatible with Thunderbird, consider turning off your AV program's e-mail scanning but not its autoprotect function.
* Even if your AV program is compatible with Thunderbird, consider also configuring it to not scan the Inbox and other mailbox files during system scans and to not let autoprotect monitor these files.


===Thunderbird settings and use===
===Thunderbird settings and use===
To minimize the chance of your Inbox being quarantined or deleted:
To minimize the chance of your Inbox being quarantined or deleted:
* [[Compacting folders | Compact folders]] regularly. Otherwise your antivirus software might detect infected messages that you've deleted. Deleted messages are just marked deleted and hidden from view but aren't physically deleted until the folder is compacted.   
* [[Compacting folders | Compact folders]] regularly. Otherwise your antivirus software might detect infected messages that you've deleted. Deleted messages are just marked deleted and hidden from view but aren't physically deleted until the folder is compacted.   
* Try setting Thunderbird (version 1.5 or later) to [[Download each e-mail to a separate file before adding to Inbox | download each individual message to a separate file]] before adding it to your Inbox. This should make it easier for some antivirus software to quarantine individual messages instead of taking action on the whole Inbox file.
* If your anti-virus program can't quarantine individual messages, set Thunderbird to [[Download each e-mail to a separate file before adding to Inbox | download each individual message to a separate file]] before adding it to your Inbox. Don't do this unless absolutely necessary because it slows performance and has been known to create bugs as a side effect.


To minimize the loss of mail if your Inbox ever does become quarantined or deleted:
To minimize the loss of mail if your Inbox ever does become quarantined or deleted:
* Keep your Inbox relatively empty by storing most old messages in other folders. That way, if your antivirus software deletes/damages your Inbox, fewer e-mails will be affected.
* Keep your Inbox relatively empty by storing most old messages in other folders. That way, if your antivirus software deletes/damages your Inbox, fewer e-mails will be affected.
* If you use a POP account configure Thunderbird to leave mail on the server for a short period (e.g., 3 days), rather than deleting them immediately when downloaded. That way, if your antivirus software damages your Inbox you can download those messages again. To leave messages on the server for a specified number of days:
* If you use a POP account, configure Thunderbird to leave mail on the server for a short period (at least a few days), rather than deleting them immediately when downloaded. That way, if your antivirus software damages your Inbox you can download those messages again. To leave messages on the server for a specified number of days:
**''in Thunderbird'': go to "Tools -> Account Settings -> [account name] Server Settings", check the box for "Leave messages on server" and set the number of days.
**''in Thunderbird'': go to "Tools -> Account Settings -> [account name] Server Settings", check the box for "Leave messages on server" and set the number of days.
** ''in Mozilla Suite'': go to "Edit [in Mozilla Mail] -> Preferences -> Mail & Newsgroups Settings -> [account name] Server Settings", check the box for "Leave messages on server" and set the number of days.
** ''in Mozilla Suite'': go to "Edit [in Mozilla Mail] -> Preferences -> Mail & Newsgroups Settings -> [account name] Server Settings", check the box for "Leave messages on server" and set the number of days.
* Make regular [[profile backup | backups]] of your Thunderbird mail and other profile data.
* Make regular [[profile backup | backups]] of your Thunderbird mail and other profile data.
===Other measures===
* Consider using third-party software such as Mailwasher that will remove infected messages from the server before Thunderbird downloads them.
* Use an e-mail provider (usually, your ISP [Internet Serivce Provider] or hosting company) that scans incoming e-mail for viruses.


==Recovering a quarantined Inbox==
==Recovering a quarantined Inbox==


# Switch off the "auto-protect" feature on your anti-virus software, or otherwise deactivate your anti-virus software.
# Switch off the "auto-protect" feature on your anti-virus software, or otherwise deactivate your anti-virus software.
# IMPORTANT: [[Thunderbird : FAQs : Backing Up and Restoring | back up your profile folder]].
# [[Thunderbird : FAQs : Backing Up and Restoring | Back up your profile folder]].
# Make a copy of your Inbox (If you don't do this, the next step will overwrite the current Inbox with the older version in quarantine.) Right-click the account to make a new folder called OldInbox, and then copy everything in your Inbox (Ctrl+a and then right-click).
# Take the Inbox (or other affected mail file) out of quarantine.
# Take the Inbox (or other affected mail file) out of quarantine.
# In Thunderbird, delete the infected message.
# In Thunderbird, delete the infected message.
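Review bot: In the "Keeping your antivirus software from deleting your Inbox" paragraph, the file names are now inconsistent: the rewritten sentence says the file is called "Inbox" but the next sentence still lists "Sent.", "Drafts." and "Trash." with trailing dots. Drop the dots there as well, matching the "Sent", "Templates" spelling in the exclusion bullet. In the same hunk, the rewritten plain-text paragraph still ends at the closing parenthesis with no period, and "For example, reading a message in your junk mail folder ..." is a sentence fragment that would read better joined to the sentence before it.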
Line 51: Line 47:
# [[Thunderbird : Tips : Compacting Folders | Compact folders]] for the affected account.
# [[Thunderbird : Tips : Compacting Folders | Compact folders]] for the affected account.
# Reactivate your anti-virus software.
# Reactivate your anti-virus software.
# Verify all your e-mail is present.
# Verify that all your e-mail is present.
 
==Side effects of a sandbox==
Avast! supports a optional sandbox. If you create an account in sandbox mode the account will disappear when you exit Thunderbird. A similar problem occurs for almost any changes you may make to the profile since it tries to undo any changes made by Thunderbird on your PC. [https://blog.avast.com/2015/09/09/what-does-the-avast-sandbox-do/] [https://support.mozilla.org/en-US/questions/1101507]
A similar problem would occur if you use the [https://www.sandboxie.com/ Sandboxie] program with Thunderbird. See [https://www.techsupportalert.com/freeware-forum/security/12815-sandboxie-and-thunderbird.html#post95256 this thread] for how to configure Sandboxie to save mail outside of the sandbox. You would need to temporarily disable the program beforehand to add accounts, modify your settings and install any add-ons.
 
[https://www.techsupportalert.com/content/introduction-and-quick-guide-sandboxie.htm]


==Other potential problems==
==Other potential problems==
* If you receive blank messages it might be a sideffect of the antivirus program certifying that each message was safe. If "View -> Message Source" confirms that the messages are empty try disabling that feature. For example, with AVG you would use E-mail Scanner -> Configure -> (Disable)Certify mail Incoming & Outgoing and then restart your system.
* If you receive blank messages it might be a side effect of the antivirus program certifying that each message was safe. If "View -> Message Source" confirms that the messages are empty try disabling that feature. For example, with AVG you would use E-mail Scanner -> Configure -> (Disable)Certify mail Incoming & Outgoing and then restart your system.
*  Antivirus programs can cause slow or poor performance.  If you see poor performance in Thunderbird, test with antivirus turned off.  See also [[Firewalls]], [https://wiki.mozilla.org/Thunderbird:Testing:Antivirus_Related_Performance_Issues Antivirus Related Performance Issues], and [https://wiki.mozilla.org/Thunderbird:Testing:Memory_Usage_Problems].
 
* Poor performance can also occur from enabling too many optional features in the anti-virus program. For example, one person had poor performance due to enabling seven "shields" in Avast!. The problem was fixed by disabling the "Behavior Shield" (it reports suspicious behavior by analyzing the behavior of programs.). [http://forums.mozillazine.org/viewtopic.php?f=39&t=1872345]


* Many antivirus programs have problems scanning outgoing messages, especially if you use SSL. It is recommended you only scan incoming messages. If the recipient doesn't scan their incoming messages they have bigger problems to worry about than your not scanning your outgoing mail.
==Compatible antivirus programs==
==Compatible antivirus programs==


Avast, AVG, NOD32, and Kaspersky seem to be safe choices, and the retail version of Symantec a risky choice based on comments from the forums over several years. There doesn't seem to be a consensus for CA, F-Prot, McAfee, Panda etc. though typically enterprise versions of any anti-virus program seem to be more compatible than retail versions. We used to try identify what versions of anti-virus programs worked and didn't work but that information was typically several years out of date so its been deleted.  
Avast!, AVG, NOD32, and Kaspersky seem to be safe choices, and the retail version of Symantec a risky choice based on comments from the forums over several years. Symantec's Norton Antivirus does not support IMAP and its POP3 scanner frequently quarantines the Inbox according to many reports in the forums. There doesn't seem to be a consensus for CA, F-Prot, McAfee, Panda, etc., though typically the enterprise version of a anti-virus program is more compatible than the retail version. The free version of Avast! seems to meet most users' needs. Any antivirus program with real-time protection (including Norton) can be safely used by turning off email scanning.
 
We used to have a long list of compatible and problematic antivirus programs, but it was removed since it was too hard to keep up to date. The [https://wiki.mozilla.org/Thunderbird:Testing:Antivirus_Related_Performance_Issues Mozilla Wiki] has a list of compatible and problematic antivirus programs, though it also has problems being kept up to date. What version of Thunderbird you use doesn't seem to effect what antivirus programs are safe choices.
 
===Issues===
 
* The update of Avast! to 10.3.223 prevents Thunderbird from sending a HTML message. You will get an error message about it not being able to include nsemail.html when it tries to send the message. The workaround is to configure Avast! to exclude that file.  [https://forum.avast.com/index.php?topic=78428.msg1236322#msg1236322] [http://forums.mozillazine.org/viewtopic.php?p=14240795#p14240795]
 
* McAfee seems to be causing a lot of problems with Thunderbird.
 
* AVG has [http://forums.avg.com/ww-en/avg-forums?sec=thread&act=show&id=190910 stopped development] of "AVG Plugin For Mozilla Thunderbird" and recommends you install the "Personal E-mail Scanner service" instead. [http://free.avg.com/us-en/faq.num-4385] They aren't the only anti-virus manufacturer that has had problems dealing with the frequent release cycle of Thunderbird. If your vendor doesn't have a version that supports the latest version of Thunderbird, see if you can use the generic solution they have for less popular email clients instead of the Thunderbird specific plugin.  


The free version of Avast seems to meet most users needs.
* In some cases the Thunderbird add-on (the ESET Smart Security extension for example) just adds a toolbar to report spam, and if you don't install that add-on it will still scan your messages for viruses.  The ESET addon is not supported in newer Thunderbird versions [https://forum.eset.com/topic/1700-thunderbird-reports-ess-add-on-is-not-compatible/#entry9811].


==Safe test virus==
==Safe test virus==


If you are unsure whether your anti-virus program is really scanning for viruses the European Institute for Computer Anti-Virus Research (EICAR) web site has a [http://www.eicar.org/anti_virus_test_file.htm anti-virus test file] that is supposedly supported by all leading anti-virus programs.  [http://www.webmail.us/testvirus This web site] claims it will send you that same file (the EICAR test virus ) in a email message. Obviously you need to be very carefull where you get this file to avoid getting a harmful virus in disguise. Perhaps the safest approach is to look on your vendors web site for some mention of it. For example, Avast has a [http://www.avast.com/eng/eicar_standard_antiv.html EICAR Standard Antivirus Test File Information]web page while AVG has a link to the EICAR home web page at [http://www.grisoft.com/doc/64/lng/us/tpl/tpl01 Interesting Pages].
Many anti-virus programs (those that are EICAR compliant) can be tested to ensure some minimal level of functionality by using the [http://en.wikipedia.org/wiki/EICAR_test_file European Institute for Computer Anti-Virus Research (EICAR)'s] [http://www.eicar.org/anti_virus_test_file.htm anti-virus test file].


==See also==
==See also==
*[[Antivirus program claims Thunderbird.exe has a virus]]
* [[Antivirus program claims Thunderbird.exe has a virus]]
* [[Email scanning - pros and cons]]
* [[Firewalls]]
 
==External links==
==External links==
*[https://wiki.mozilla.org/Thunderbird:Testing:Antivirus_Related_Performance_Issues Antivirus Related Performance Issues]
*[http://www.howtogeek.com/218675/beware-free-antivirus-isnt-really-free-anymore/ Beware: Free Antivirus Isn’t Really Free Anymore]
*[https://arstechnica.com/information-technology/2017/01/antivirus-is-bad/ It might be time to stop using antivirus]
* [https://arstechnica.com/information-technology/2017/11/how-av-can-open-you-to-attacks-that-otherwise-wouldnt-be-possible/ How AV can open you to attacks that otherwise wouldn’t be possible]
*[http://support.f-secure.com/enu/home/supportissue/fsis2006/email_spam_q07.shtml F-Secure FAQ - Why does Thunderbird freeze when sending and receiving e-mail?]
*[https://bugzilla.mozilla.org/show_bug.cgi?id=582918 Message body missing if a message filter moves it and you download each message to a temporary file]
*[https://wiki.mozilla.org/Thunderbird:Testing:Antivirus_Related_Performance_Issues Testing anti-virus related problems]
*[http://antivirus.about.com/od/antivirussoftwarereviews/tp/aatpavwin.htm Top 9 Windows Antivirus programs]
*[http://antivirus.about.com/od/antivirussoftwarereviews/tp/aatpavwin.htm Top 9 Windows Antivirus programs]
*[http://en.wikipedia.org/wiki/Antivirus Wikipedia antivirus article] It has links to three free online scanners and four testing organizations whose reports you can use to compare a anti-virus programs track record. The Virus Bulletin (free registration required) is the most popular.  
*[http://en.wikipedia.org/wiki/Antivirus Wikipedia antivirus article] It has links to three free online scanners and four testing organizations whose reports you can use to compare a anti-virus programs track record. The Virus Bulletin (free registration required) is the most popular.  
*[http://support.f-secure.com/enu/home/supportissue/fsis2006/email_spam_q07.shtml F-Secure FAQ - Why does Thunderbird freeze when sending and receiving e-mail?]


* Security forums:
* Security forums:
:*[http://castlecops.com/forums.html Castle Cops security forums]
:*[http://www.dslreports.com/forum/cleanup Security cleanup forum at dslreports]
:*[http://www.dslreports.com/forum/cleanup Security cleanup forum at dslreports]
:*[http://www.dslreports.com/forum/security Security forum at dslreports]
:*[http://www.dslreports.com/forum/security Security forum at dslreports]
:*[http://www.wilderssecurity.com/ Wilders security forums]
:*[http://www.wilderssecurity.com/ Wilders security forums]
:*[http://www.spywarewarrior.com/index.php Spyware Warrior forums]


[[Category:Issues (Thunderbird)]]
[[Category:Issues (Thunderbird)]]
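Review bot: The "Side effects of a sandbox" section ends with a bare link on its own line after the Sandboxie paragraph, with nothing saying which statement it supports; attach it to the sentence it cites or give it link text. Wording in this hunk also needs a pass: "a optional sandbox" and "a anti-virus program" should use "an", "sending a HTML message" should be "an HTML message", and "doesn't seem to effect" should be "affect".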

Revision as of 19:43, 15 February 2018

This article was written for Thunderbird but also applies to Mozilla Suite/SeaMonkey.

Manufacturers of antivirus programs often change their behavior without prior warning or sufficient testing on non-Microsoft products. Word to the wise - be conservative and cautious. And make sure you have backups of your profiles.

Preventing infection

In this article, "virus" means any malware program, including worms, trojans, etc.

Despite talk of "heuristics", most antivirus programs do not provide protection against rapidly spreading new malware infections before the antivirus companies manage to provide appropriate updates. To protect yourself against new e-mail viruses, open e-mail attachments only if you trust the sender and if the sender announces the attachment. Be alert for messages where the sender's address is spoofed (the message appears to have come from one source but in fact was sent from somewhere else) or where the attachment is announced in a way that sounds suspiciously generic (e.g., "Hi, here's the file you wanted"); both techniques are commonly used by the creators of malware to trick you into opening the attachment. If you have any suspicions about the origin or authenticity of a message, do not open any attached files until you have checked with the sender.

Do not check (enable) "View -> Display Attachments Inline".

Unless the e-mail is job-related or otherwise important, consider waiting a while before opening the attachment. This gives your antivirus program's manufacturer a chance to provide a necessary update. Be especially careful if the e-mail is not a new one and is being forwarded.

Opening attachments is the major risk, but consider using "View -> Message Body As -> Plain Text" to view a message as plain text whenever you're going to read a suspicious message, for example when reading a message in your junk mail folder to confirm whether it's really spam. Viruses and scripts rely upon the email client interpreting the message. If you view it as plain text, there is nothing to interpret (unless you click on a link in the message or open an attachment).

Keeping your antivirus software from deleting your Inbox

Thunderbird stores all of the messages that you see in your Inbox folder in a single file called "Inbox" in your profile folder. All of the other mail folders also use a single file named after the folder ("Sent", "Drafts", "Trash", etc.). Some antivirus software assumes each message is stored as a separate file, so when it detects a virus in your Inbox it deletes the whole file (your entire Inbox folder) rather than deleting that message. This problem is due to a design flaw in certain antivirus programs, not in Thunderbird. It is known to occur with Outlook Express, Eudora and other email clients. Fortunately, there are measures you can take to keep it from happening.

Antivirus program settings

  • Use an antivirus program that's compatible with Thunderbird (listed below).
  • Set your antivirus software to ask what to do or to at least only quarantine infected files rather than to automatically delete or "repair" them.
  • Many experts recommend turning off email scanning in antivirus software since it provides no added protection and corrupts and destroys email folders much more often than viruses and other malware do. It also eats up CPU power, slows down sending and receiving, and causes many problems such as time-outs and changes in account settings. To be safe it's enough to make sure your antivirus software is monitoring your whole computer, in other words make sure that it provides real-time protection (also called "background guard" etc.) and that this is turned on.[1][2][3][4][5]
  • If you nevertheless want to let your antivirus program scan email, it is recommended to only let it scan incoming messages because many antivirus programs have problems scanning outgoing messages, especially if you use SSL. If the recipient doesn't have an up-to-date antivirus program with real-time protection, they have bigger problems to worry about than your not scanning your outgoing mail.
  • Your email provider may automatically scan messages and "remove" infected ones (prevent them from reaching your mailbox) or may provide this service for a fee and may be using better software than you can buy. Advanced users that understand the risks sometimes disable email scanning by their antivirus software and rely upon the email provider to "remove" infected messages. However, most users don't know anything about what their email provider does (for example, whether it scans both the message body and the attachments) so if you want to scan incoming mail, it's safest to always scan the mail yourself.

Thunderbird settings and use

To minimize the chance of your Inbox being quarantined or deleted:

  • Compact folders regularly. Otherwise your antivirus software might detect infected messages that you've deleted. Deleted messages are just marked deleted and hidden from view but aren't physically deleted until the folder is compacted.
  • If your anti-virus program can't quarantine individual messages, set Thunderbird to download each individual message to a separate file before adding it to your Inbox. Don't do this unless absolutely necessary because it slows performance and has been known to create bugs as a side effect.
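
The single-file storage and the compaction advice above can be seen directly in the file format. The following Python sketch is an added example, not part of the original article or of Thunderbird's code: it builds a constructed three-message mbox file, reports which messages carry the Expunged bit (0x0008) in X-Mozilla-Status, and shows that a deleted message's bytes stay in the file until a compaction-style rewrite removes them. The sample messages, the marker string and the function names are assumptions made for illustration.

```python
import mailbox
import os
import shutil
import tempfile

EXPUNGED = 0x0008  # X-Mozilla-Status bit: deleted in the UI, awaiting compaction
MARKER = b"CONSTRUCTED-MARKER-0001"  # stands in for bytes a scanner would flag

# Constructed sample: three messages stored in ONE file, the way a mail
# folder such as "Inbox" is stored. The second message is marked deleted
# (status 0009 = Read | Expunged) but is still physically present.
SAMPLE_MBOX = """\
From - Mon Jan 01 10:00:00 2018
X-Mozilla-Status: 0001
From: alice@example.org
Subject: Meeting notes

See you at ten.

From - Mon Jan 01 11:00:00 2018
X-Mozilla-Status: 0009
From: unknown@example.net
Subject: Here's the file you wanted
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Hi, here's the file you wanted.
--b1
Content-Type: application/octet-stream
Content-Disposition: attachment; filename="invoice.zip"

CONSTRUCTED-MARKER-0001
--b1--

From - Mon Jan 01 12:00:00 2018
X-Mozilla-Status: 0001
From: bob@example.org
Subject: Lunch?

Noon works.
"""


def is_expunged(msg):
    """True if the message is flagged deleted but not yet compacted away."""
    try:
        flags = int(msg.get("X-Mozilla-Status", "0000"), 16)
    except ValueError:
        flags = 0  # malformed header: treat as a live message
    return bool(flags & EXPUNGED)


def audit_mbox(path):
    """List every message physically stored in the folder file."""
    box = mailbox.mbox(path, create=False)
    try:
        return [
            {
                "subject": msg.get("Subject", ""),
                "expunged": is_expunged(msg),
                "attachments": [p.get_filename() for p in msg.walk()
                                if p.get_filename()],
            }
            for _key, msg in box.iteritems()
        ]
    finally:
        box.close()


def compact_copy(src, dst):
    """Write a compacted copy of src to dst; return how many messages were dropped."""
    shutil.copyfile(src, dst)  # work on a private copy, never the live folder
    box = mailbox.mbox(dst, create=False)
    try:
        doomed = [key for key, msg in box.iteritems() if is_expunged(msg)]
        for key in doomed:
            box.remove(key)
        box.flush()  # rewrites the file without the removed messages
    finally:
        box.close()
    return len(doomed)


def contains_marker(path):
    """What a whole-file scanner sees: is the flagged byte string in the file?"""
    with open(path, "rb") as fh:
        return MARKER in fh.read()


def demo():
    with tempfile.TemporaryDirectory() as tmp:
        inbox = os.path.join(tmp, "Inbox")
        with open(inbox, "wb") as fh:
            fh.write(SAMPLE_MBOX.encode("ascii"))
        compacted = os.path.join(tmp, "Inbox.compacted")
        return {
            "before": audit_mbox(inbox),
            "marker_before": contains_marker(inbox),
            "removed": compact_copy(inbox, compacted),
            "marker_after": contains_marker(compacted),
            "after": [m["subject"] for m in audit_mbox(compacted)],
        }


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, "=", value)
```

Run it against a copy of a real folder file, not the live profile, and with Thunderbird closed.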

To minimize the loss of mail if your Inbox ever does become quarantined or deleted:

  • Keep your Inbox relatively empty by storing most old messages in other folders. That way, if your antivirus software deletes/damages your Inbox, fewer e-mails will be affected.
  • If you use a POP account, configure Thunderbird to leave mail on the server for a short period (at least a few days), rather than deleting it immediately when downloaded. That way, if your antivirus software damages your Inbox you can download those messages again. To leave messages on the server for a specified number of days:
    • in Thunderbird: go to "Tools -> Account Settings -> [account name] Server Settings", check the box for "Leave messages on server" and set the number of days.
    • in Mozilla Suite: go to "Edit [in Mozilla Mail] -> Preferences -> Mail & Newsgroups Settings -> [account name] Server Settings", check the box for "Leave messages on server" and set the number of days.
  • Make regular backups of your Thunderbird mail and other profile data.

Recovering a quarantined Inbox

  1. Switch off the "auto-protect" feature on your anti-virus software, or otherwise deactivate your anti-virus software.
  2. Back up your profile folder.
  3. Make a copy of your Inbox. (If you don't do this, the next step will overwrite the current Inbox with the older version in quarantine.) Right-click the account to make a new folder called OldInbox, and then copy everything in your Inbox (Ctrl+a and then right-click).
  4. Take the Inbox (or other affected mail file) out of quarantine.
  5. In Thunderbird, delete the infected message.
  6. Empty the Trash for the affected account.
  7. Compact folders for the affected account.
  8. Reactivate your anti-virus software.
  9. Verify that all your e-mail is present.

Side effects of a sandbox

Avast! supports an optional sandbox. If you create an account in sandbox mode the account will disappear when you exit Thunderbird. A similar problem occurs for almost any changes you may make to the profile since it tries to undo any changes made by Thunderbird on your PC. [6] [7]

A similar problem would occur if you use the Sandboxie program with Thunderbird. See this thread for how to configure Sandboxie to save mail outside of the sandbox. You would need to temporarily disable the program beforehand to add accounts, modify your settings and install any add-ons. [8]

Other potential problems

  • If you receive blank messages it might be a side effect of the antivirus program certifying that each message was safe. If "View -> Message Source" confirms that the messages are empty, try disabling that feature. For example, with AVG you would use E-mail Scanner -> Configure -> (Disable)Certify mail Incoming & Outgoing and then restart your system.
  • Poor performance can also occur from enabling too many optional features in the anti-virus program. For example, one person had poor performance due to enabling seven "shields" in Avast!. The problem was fixed by disabling the "Behavior Shield" (it reports suspicious behavior by analyzing the behavior of programs). [10]

Compatible antivirus programs

Avast!, AVG, NOD32, and Kaspersky seem to be safe choices, and the retail version of Symantec a risky choice based on comments from the forums over several years. Symantec's Norton Antivirus does not support IMAP and its POP3 scanner frequently quarantines the Inbox according to many reports in the forums. There doesn't seem to be a consensus for CA, F-Prot, McAfee, Panda, etc., though typically the enterprise version of an anti-virus program is more compatible than the retail version. The free version of Avast! seems to meet most users' needs. Any antivirus program with real-time protection (including Norton) can be safely used by turning off email scanning.

We used to have a long list of compatible and problematic antivirus programs, but it was removed since it was too hard to keep up to date. The Mozilla Wiki has a list of compatible and problematic antivirus programs, though it also has problems being kept up to date. What version of Thunderbird you use doesn't seem to affect what antivirus programs are safe choices.

Issues

  • The update of Avast! to 10.3.223 prevents Thunderbird from sending an HTML message. You will get an error message about it not being able to include nsemail.html when it tries to send the message. The workaround is to configure Avast! to exclude that file. [11] [12]
  • McAfee seems to be causing a lot of problems with Thunderbird.
  • AVG has stopped development of "AVG Plugin For Mozilla Thunderbird" and recommends you install the "Personal E-mail Scanner service" instead. [13] They aren't the only anti-virus manufacturer that has had problems dealing with the frequent release cycle of Thunderbird. If your vendor doesn't have a version that supports the latest version of Thunderbird, see if you can use the generic solution they have for less popular email clients instead of the Thunderbird-specific plugin.
  • In some cases the Thunderbird add-on (the ESET Smart Security extension for example) just adds a toolbar to report spam, and if you don't install that add-on it will still scan your messages for viruses. The ESET add-on is not supported in newer Thunderbird versions [14].

Safe test virus

Many anti-virus programs (those that are EICAR compliant) can be tested to ensure some minimal level of functionality by using the European Institute for Computer Anti-Virus Research (EICAR)'s anti-virus test file.
