Talk:Antivirus software: Difference between revisions

From MozillaZine Knowledge Base
Revision as of 05:09, 26 August 2005

If someone knows how to make Gmail work in Thunderbird with AVG anti-virus, could they add that to the wiki as well? Thanks! --134.58.253.131 03:43, 29 Nov 2004 (PST)

== ClamMail (.sf.net) and ThunderBird/Mozilla suite mail ==

Here is a link to the current RFE for ClamMail to add support for simple account modification for Thunderbird:

http://sourceforge.net/tracker/index.php?func=detail&aid=1173082&group_id=125389&atid=702313

The author of ClamMail asks this because he added that functionality for Outlook Express users in 1.2.7 (1.2.8 is the latest); it was easy, as Outlook Express stores all mail account details in the registry.

It is an RFE to make integration between Thunderbird and ClamMail more user-friendly (checkboxes for each account instead of having to modify login, host, port, whatever manually).

Norton AV has had it for ages; that's why I asked him to add it (for Outlook Express) and gave him details on how to do it (via the registry).

So, if someone knows how to access the account info (login/host/port/SSL?) programmatically, please help there.

== Section on e-mail scanning AV ==

I'm pulling this paragraph because the advice is dangerous and incorrect. If someone wants to rewrite it, that's fine with me:

* Even if your AV program is compatible with Thunderbird, consider turning off your AV program's e-mail scanning but not its autoprotect function. Because email scanning can result in Inbox corruption and computer slowdown or lockup and because it provides no extra protection, many independent experts advise against it, and even some antivirus vendors quietly admit that it provides no extra protection. Malware attachments are not at all dangerous as attachments, only when activated by users opening them. As long as your AV program's autoprotect function (often called "guard" or "shield") is turned on, it will effectively prevent any "infection" by malware your AV program knows about: i.e. it will not let you open and thereby install any known malware program in an e-mail attachment.

Here's what's wrong:

First, 'autoprotect' features delete and corrupt inboxes. That's the whole point of this wiki page!

Second, e-mail scanning (I assume you mean a proxy) is less likely than autoprotect to corrupt Thunderbird mail; they act on data before/after it's in a Thunderbird file. In fact, scanning proxies can protect TB mail files from corruption by preventing viruses from getting there in the first place.

Finally, while what is written here about e-mail scanning is an interesting idea, it's certainly not widely accepted and should not be given as advice to end users. It's the opinion of a few and belongs in their blogs or postings to forums. - Guanxi

I hope i addressed your concerns in my rewording. - American Finn

I don't think you've adequately addressed the crucial points Guanxi made above. In my experience with NAV, its autoprotect most certainly will delete/lock up your Inbox or other mailbox if it finds a virus inside, regardless of whether you open the attachment, because autoprotect kicks in whenever the mailbox file is accessed. That's why you have to switch off autoprotect to restore a quarantined Inbox. I don't see how running only with autoprotect is going to alleviate this; the only thing that will help is if infected messages are being quarantined before they reach the Inbox. No? --Wintogreen 11:34, 13 Aug 2005 (PDT)

As explained, the extra benefit of turning off email scanning is (mainly) for compatible AV programs: "Even if your AV program is compatible with Thunderbird, consider turning off your AV program's e-mail scanning but not its autoprotect function."

Also, as far as i know, *most* AV programs' autoprotect function does not do anything unless you access an infected email (even though this does not apply to NAV, as you explained), and, in fact, often only if you access its infected attachment.

This is an important point. Is there any vendor documentation to back this up? I.e., something like this Symantec doc for NAV [1]. --wintogreen (14 Aug)
Comment on my own comment here, hope that's not too confusing... I did a bit of testing with NAV's autoprotect using the eicar anti-virus test file [2], which I attached to a message in TB and stored in the Drafts folder. Interestingly, NAV's autoprotect did not do anything to the message or mailbox even though that mailbox was clearly being accessed by TB (when I moved other messages into/out of the folder, compacted, etc.). It only took action when I did Edit as New on the infected message (apparently because this creates a .tmp file in an AppData temp directory). So, autoprotect doesn't seem to kick in always when a file is accessed. It must have certain conditions for doing this, but I don't know what they are. Next time I get a real virus (which could be months!) I'll play around with it some more. Also, I spent a few minutes looking for some documentation about McAfee's "ActiveShield" but only came up with this user's guide (PDF), which gives only very sketchy info. --Wintogreen 01:54, 15 Aug 2005 (PDT)
What happens when you send eicar to yourself? (both with the mail folder excluded and not excluded in Norton's configuration) If you need an email with a real virus, send me a PM; there are lots of them in my junk folder. (I always keep a nice collection of junk because in the past, TB sometimes needed to be retrained.) American Finn 00:00, 16 Aug 2005 (PDT)
As expected, I can't send the test virus to myself. It always gets blocked server side on the way out (even Gmail blocked it outgoing). I also tried sending the eicar file to myself from here, but it also gets blocked server-side and never reaches me. No doubt that's why I haven't even seen a virus in the last 10 months. --Wintogreen 06:22, 17 Aug 2005 (PDT)

And even in the case of NAV, with email scanning disabled, TB makes sure that almost all infected emails end up in the junk folder and are deleted when that is emptied.

Not quite. All incoming mail passes through the Inbox, and even if it gets automatically passed to the Junk folder and then to the Trash, and then if the Trash is emptied, all those junk messages will still remain in the Inbox (merely hidden from view) until you compact folders. This still leaves the Inbox susceptible to being zapped by autoprotect -- depending, of course, on how the AV software's autoprotect works. --wintogreen (14 Aug)

As a result, the following and other serious problems caused by email scanning are avoided: continuous system drain, thousands of unnecessary scanning processes, and dozens or hundreds of potentially dangerous and completely unnecessary surgical operations within the mail folder.

These are incidental to the points Guanxi raised above, but that's OK. (1) Hogging system resources is a legitimate concern for some users, depending on their system and AV software, etc. (2) The scanning processes are "unnecessary" insofar as autoprotect will offer protection, but the real issue here is whether it's best to prevent infected messages from entering the Inbox in the first place. (3) This OE expert [3] claims that scanning incoming mail can cause problems when infected messages are removed (before they reach the mail folder, not from "within" it), due to the "fragility of the OE message store". If true, and true for TB as well as OE, then it's certainly something that users should consider. --wintogreen (14 Aug)

Emptying TB's junk folder is a much, much better way of deleting infected emails than using any AV program to find and delete these same messages, and TB identifies almost all infected emails because they are usually spam.

And in the case of almost all of these infected emails in the junk folder, since the autoprotect function of even badly designed programs like NAV doesn't kick in unless you access the junk folder, turning off email scanning is in fact also beneficial in the case of incompatible AV programs: since almost all infected email will be in the junk folder, NAV very seldom gets a chance to corrupt the inbox even if it would do so if there is no junk mail filtering and it would delete the inbox if one previews an infected email without even opening its attachment. American Finn 01:35, 14 Aug 2005 (PDT)

See what I said above about compacting folders. What happens when you turn off email scanning and allow an infected message to reach your Inbox is that, if TB automatically junks it, you now have TWO copies of the infected message in your system: one in the Inbox and one in the Junk folder. That's not a beneficial result.
As far as I can judge at this point, I can't see any strong reason to advise people to disable email scanning unless it's causing them problems -- frequent Inbox corruption, inability to download mail, severe drag on the system, etc. I don't have a problem including it in the article as an option as long as we point out that autoprotect can also zap the Inbox or other folders; disabling email scanning can't be presented unambiguously as a solution to that problem. I think this can be written up concisely, too, with links to external references where appropriate. It doesn't need a whole separate argument at the end of the article. --wintogreen (14 Aug)
One further comment: TB 1.5 is going to have an option to let incoming messages be downloaded first as individual files before passing them onto the Inbox, so that they can more easily be scanned (and quarantined if necessary). If AV autoprotect (not email scanning) sniffs these files before they get passed to the Inbox, that would allow autoprotect to effectively keep infected messages out of the Inbox. Let's hope that it works that way! --Wintogreen 01:54, 15 Aug 2005 (PDT)

Sounds great. But i think i still won't allow my AV to scan email, neither incoming messages nor ones already in the inbox or the new temporary folder. First of all, this new option doesn't eliminate the problem of new malware being identified and removed later when it's passed into the inbox. In any case, any outside program messing around in TB is prone to make mistakes. Even if such mistakes will then usually be restricted to the newest messages being downloaded, i can't risk losing even a single important email. Also, i wouldn't want even a single important email to be unnecessarily deleted just because it has a virus attachment. The AV's job is to prevent idiots from opening unannounced attachments, and it will do that even with mail folder exclusion and with email scanning disabled. TB's junk filter and the delete button are the only really safe ways of getting rid of suspicious and/or infected email.

I hope i addressed your other points by my changes in and additions to the article.

One more comment though. The main reason people switch to Thunderbird is security. Users will feel seriously betrayed if the result of switching to a safer program results in important mail being destroyed. That's *very* bad security for most users, much worse than most ever experienced with OE (even though email download scanning and autoprotect monitoring of mail folders can cause problems in OE too), since most users do not know how to get something out of quarantine (even if this article is rewritten well), and most don't have backups of their mail folders, and most of even the ones that do will lose at least some new mail, which is always felt to be the most important mail at the time. The feeling of betrayal is well founded if users were not warned that possible inbox corruption can be safely and easily avoided. These are very strong reasons to *not* wait until people lose mail before telling them about the solution, especially because we are dealing with a Microsoft-like attitude towards users and their security on the part of the AV industry, including unscrupulous marketing that places profits, bells, and whistles much higher than customer interests and security and that makes (very bad) software design decisions. (Another one comes to mind: not including the extra code needed to safely and easily remove malware from system volume information and instead forcing users to senselessly delete all their restore points, which shows that most of the AV industry is apparently just as amateur and sloppy as MS.)

As far as i understand, not letting email being scanned during downloading *and* not letting autoprotect snoop in the mail folder are 100% effective in preventing inbox corruption and other AV program problems with email. This seems to be completely safe because autoprotect will apparently not let malware be loaded into memory even if one tries to launch it from a folder that the AV is configured to not monitor for malware. American Finn 20:45, 15 Aug 2005 (PDT)

If, by "not letting autoprotect snoop in the mail folder", you mean the Inbox, then yes I agree that this should prevent the Inbox from becoming deleted/quarantined or corrupted, since the AV software won't ever have its hands on the TB Inbox at all. (This assumes the Inbox is also excluded from any periodic system scans that a user might do, of course.) Mail folders other than the Inbox could still run into trouble, though, unless they are similarly excluded from AV activity. FWIW, I see that my version of NAV has OE's .dbx files excluded from autoprotect by default.
On a side note, I'm not sure there's significant risk of TB Inbox corruption (as opposed to it being deleted/quarantined) due to routine AV activity. The link I gave above [4] is talking about OE, and even there it's just an assertion that we have to take on faith because the person is supposedly an OE expert. I can't say I've seen many clear cases of this in the forums, and I've read and replied to thousands of forum posts. Would like to see some good evidence that this is an actual problem (like the deleted Inbox problem) and not just a problem in theory. --Wintogreen 06:22, 17 Aug 2005 (PDT)
Here's a credible reference (with Bugzilla links) about AV problems with TB/Mozilla Mail, which I just happened to stumble upon. --Wintogreen 05:43, 20 Aug 2005 (PDT)

---

I am trying to fairly and respectfully address the controversial changes, and I appreciate the author's good will and effort, but I think this has gone too far:

Despite the best of intentions, most of the article is now one person's unusual ideas and long discussions of viruses and antivirus software; much of it is somewhat off topic and, in my opinion as an IT manager for over 10 years, I think almost any IT professional would say it is erroneous and dangerous to end users who might follow it.

I'm not criticizing the author for making the arguments -- the common wisdom has been wrong before -- but innovative ideas and debate belong in the authors' blog or Slashdot or Mozillazine's forums, not in a wiki authored by many people and designed to support end users.

I suggest the following: Revert the article to the version before the changes were made. Propose and discuss the ideas in Mozillazine's forums. Once/if they get general agreement there, post them here in final form (concise, clear and to the point) and we can come to some agreement at that time. - Guanxi 01:00, 25 Aug 2005 (EDT)

---

Guanxi, calling for a removal of everything one author has contributed is not "trying to fairly and respectfully address" the info and help that author provided, especially since the newest form of the article addresses all your objections with information that backs up my claims and advice and shows why your objections and fears are unfounded. You, on the contrary, have not reacted to the new contents i presented in addressing your objections.

Trying to disqualify information provided by referring to one's personal qualifications and job and/or the majority of IT professionals are not valid arguments and not responses to the new contents. In addition, the majority of IT professionals are not a good reference because most are lazy and still only interested in following the pack in saying that the best solution is using exclusively MS products (and checking for updates every 15 minutes). Therefore, using the majority of IT professionals as an argument in a Mozilla forum at best proves the opposite of what you're trying to say. (BTW, i guess everyone realises that i do not consider you lazy or any of the other critical things i'm saying about your colleagues because otherwise you obviously wouldn't be active in a Mozilla project.)

I am no expert, but i quoted experts; it is simply incorrect to claim that the article's current content is "one person's unusual ideas and long discussions of viruses and antivirus software". Didn't you read the quoted security experts and AV manufacturers at the links i provided? The majority of *IT professionals* may disagree with what i wrote about AV program settings (and the reasonableness of using exclusively MS products and not using FF or TB), but that does not make them right, and more importantly, the majority of _independent_ *security and malware experts* probably support my views, not yours.

I'm willing to have the "controversial", minimalist, and efficient (i.e. Mozilla-like) approach to email malware i presented moved to a separate section at the end, which only interested readers will read, but people with the intelligence and courage to choose open source software have the right to hear (and most want to hear!) about a sane and no-nonsense approach to email that frees them of the drug addict mentality and hysteria fostered by the AV industry.

Once we agree on the contents, i am of course also willing to shorten and reorganise the text considerably and am thankful for any help in doing that. 80.186.187.128 22:09, 25 August 2005 (PDT)

== not opening attachments for a day ==

This advice may prevent viruses, but I think it's problematic:

In addition, it is a good idea to wait at least one day before opening any attachment that has been forwarded to give your AV program's manufacturer a chance to provide a perhaps necessary new update.

I think for most people, and especially most working people, that's just impractical. My friends and co-workers would be a little unhappy!

Absolutely. "Sorry, boss, but I can't open that file you sent until the next virus definitions come out. Tomorrow at the earliest." Repeat twice/day. Lose job. --Wintogreen 11:40, 13 Aug 2005 (PDT)

As explained, this extra protection advice applies only to forwarded emails with attachments and only from unknown senders. American Finn 01:18, 14 Aug 2005 (PDT)

I'll try to edit for clarity when I have time. --Wintogreen 14:22, 14 Aug 2005 (PDT)
Sorry for the delay -- work and family keep me busy. The solution will work, but I do not think many would follow the advice. If they want to open it, they want to open it now, no matter where it's from. We could suggest asking someone more knowledgeable before opening it, and provide a list of extensions to avoid (.exe, .scr, etc) - Guanxi 22:23, 24 Aug 2005 (EDT)
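The following script is an added illustration for this talk page (it is not code from MozillaZine, Thunderbird, or any participant here) of two points made in the discussion: Wintogreen's observation in the e-mail scanning section that a message junked or deleted from the Inbox stays in the Inbox file, with its attachment, until folders are compacted, and Guanxi's suggestion just above of a list of attachment extensions to warn users about. It parses a constructed Thunderbird-style mbox, reads the X-Mozilla-Status header (the 0x0008 Expunged bit marks a deleted-but-not-compacted message), and reports every attachment still physically present, flagging ones whose extension is on an illustrative list. The sample messages, the extension list and the record format are all assumptions made for the example.

```python
"""Inspect a Thunderbird-style mbox for attachments that are still on disk.

Added example for this talk page, not code from MozillaZine or Thunderbird.
The mbox content is constructed; the risky-extension list is illustrative.
"""
from __future__ import annotations

import email
import os
import re
from email import policy

# Thunderbird records per-message flags in X-Mozilla-Status (hex).
# 0x0008 is the Expunged bit: the message was deleted or moved (e.g. to
# Junk) but its bytes remain in the folder file until "Compact Folders".
MOZILLA_STATUS_EXPUNGED = 0x0008

# Illustrative extension list in the spirit of the suggestion above
# (assumed for this example; neither official nor exhaustive).
RISKY_EXTENSIONS = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".vbs"}

# Constructed sample Inbox with two messages. The first was junked and so
# carries the Expunged bit, yet its attachment is still in the file.
SAMPLE_MBOX = b"""\
From - Sat Aug 13 11:34:00 2005
X-Mozilla-Status: 0009
From: someone@example.invalid
Subject: Fwd: look at this
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

see attached
--b1
Content-Type: application/octet-stream; name="photo.jpg.scr"
Content-Disposition: attachment; filename="photo.jpg.scr"
Content-Transfer-Encoding: base64

SGVsbG8=
--b1--

From - Sat Aug 13 11:35:00 2005
X-Mozilla-Status: 0001
From: colleague@example.invalid
Subject: quarterly report
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b2"

--b2
Content-Type: text/plain

numbers attached
--b2
Content-Type: application/pdf; name="report.pdf"
Content-Disposition: attachment; filename="report.pdf"
Content-Transfer-Encoding: base64

JVBERi0xLjQK
--b2--
"""


def split_mbox(data: bytes) -> list[bytes]:
    """Split an mbox into raw messages at the 'From ' separator lines."""
    chunks = re.split(rb"^From .*\n", data, flags=re.MULTILINE)
    return [c for c in chunks if c.strip()]


def inspect_mbox(data: bytes) -> list[dict]:
    """Return one record per attachment found anywhere in the mbox,
    including attachments of messages deleted but not yet compacted."""
    records = []
    for index, raw in enumerate(split_mbox(data)):
        msg = email.message_from_bytes(raw, policy=policy.default)
        status = int(msg.get("X-Mozilla-Status", "0000"), 16)
        for part in msg.walk():
            filename = part.get_filename()
            if not filename:
                continue  # body text or container part, not an attachment
            payload = part.get_payload(decode=True) or b""
            ext = os.path.splitext(filename)[1].lower()
            records.append({
                "index": index,
                "subject": str(msg.get("Subject", "")),
                "attachment": filename,
                "bytes_on_disk": len(payload),
                "risky_extension": ext in RISKY_EXTENSIONS,
                "deleted_not_compacted": bool(status & MOZILLA_STATUS_EXPUNGED),
            })
    return records


def main() -> None:
    """Print a one-line summary per attachment found in the sample mbox."""
    for rec in inspect_mbox(SAMPLE_MBOX):
        flags = []
        if rec["risky_extension"]:
            flags.append("risky extension")
        if rec["deleted_not_compacted"]:
            flags.append("deleted but still on disk until compaction")
        print(f'#{rec["index"]} "{rec["subject"]}": {rec["attachment"]} '
              f'({rec["bytes_on_disk"]} bytes) {", ".join(flags) or "ok"}')


if __name__ == "__main__":
    main()
```

Run against a real Inbox file, the same function shows why an on-access scanner can still react to an Inbox whose infected messages were "moved" to Junk: the bytes are there until compaction, so excluding the mail folder from scanning, or compacting after emptying Junk, is what actually changes what the scanner sees.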

Thanks, please do. So far, i've only had time to add information, not to shorten, streamline, or clarify it. American Finn 00:21, 15 Aug 2005 (PDT)

I might just let it sit for now, esp. since Guanxi hasn't chimed in yet and since it's going to need rethinking anyway for the 1.5 release, which I hope isn't too far off. --Wintogreen 02:06, 15 Aug 2005 (PDT)