itman 1,538 Posted August 14, 2019 (edited)
Ver. 12.2.23. Thunderbird e-mail client. With this category missing, I have no way to verify that Eset is actually scanning my incoming e-mails.

itman 1,538 Posted August 14, 2019 (edited)
What concerns me is the last paragraph of the on-line help quoted below. This would imply that Eset is no longer scanning Thunderbird incoming e-mail:
Quote:
Security report
This feature gives an overview of the statistics for the following categories:
- Web pages blocked – Displays the number of blocked web pages (blacklisted URL for PUA, phishing, hacked router, IP or certificate).
- Infected email objects detected – Displays the number of infected mail objects that have been detected.
- Web pages in Parental control blocked – Displays the number of blocked web pages in Parental control.
- PUA detected – Displays the number of Potentially unwanted applications (PUA).
- Spam emails detected – Displays the number of detected spam emails.
- Blocked access to webcam – Displays the number of blocked accesses to web cam.
- Protected connections to internet banking – Displays the number of protected accesses to websites via the Banking and Payment protection feature.
- Documents checked – Displays the number of scanned document objects.
- Apps checked – Displays the number of scanned executable objects.
- Other objects checked – Displays the number of other scanned objects.
- Web page objects scanned – Displays the number of scanned web page objects.
- Email objects scanned – Displays the number of scanned email objects.
The order of these categories is based on the numeric value from the highest to the lowest. The categories with zero values are not displayed. Click Show more to expand and display hidden categories.

Administrators Marcos 4,705 Posted August 15, 2019
Would clicking Show more make the email scanner statistics appear?

itman 1,538 Posted August 15, 2019
4 hours ago, Marcos said: Would clicking Show more make the email scanner statistics appear?
It was the first thing I tried. No dice. Nothing further was displayed. Additionally, I tried resetting the statistics. Still no e-mail category. The real question is whether Eset is still scanning Thunderbird e-mail, which I am having serious doubts about.

itman 1,538 Posted August 15, 2019
Reflecting a bit, this issue existed prior to ver. 12.2.23 and started around the time Eset HTTPS ports added the 0-65535 range to ver. 12.1. "My gut is telling me" this might have hosed the IMAPS and POPS ports usage by Eset's e-mail scanner. Will experiment with excluding the IMAPS ports there and see if that resolves the issue.

itman 1,538 Posted August 15, 2019
@Marcos it appears Eset e-mail scanning is no longer scanning Thunderbird IMAPS incoming e-mail. I turned on ThreatSense detailed logging and have zip log entries related to e-mail.

itman 1,538 Posted August 15, 2019
51 minutes ago, itman said: @Marcos it appears Eset e-mail scanning is no longer scanning Thunderbird IMAPS incoming e-mail. I turned on ThreatSense detailed logging and have zip log entries related to e-mail.
Tried everything I could think of to get T-Bird e-mail scanning to work w/zip results. Need to know if Eset no longer supports e-mail scanning for T-Bird.

itman 1,538 Posted August 15, 2019 (edited)
Things are worse than I thought. I sent myself an e-mail containing the Eicar test string. Not only did Eset not scan the e-mail beforehand in Thunderbird; when I opened the e-mail, Eset didn't detect it.

itman 1,538 Posted August 15, 2019 (edited)
Well, the screen shot below notes that the ThreatSense engine now appears to support only Outlook or LiveMail e-mail formats. Thunderbird emails use the .mbox extension. It appears Eset previously performed a conversion to .EML format and that was either inadvertently omitted, or done so intentionally. In either case I need to know pronto if this will be fixed or Eset e-mail scanning no longer supports Thunderbird.

ebill 8 Posted August 16, 2019
itman, Seems to be working for me with latest version 12.2.23.0 & Thunderbird is the only email client in use on the PC in the screen shot below. Mousing across the graph, it says 13 emails scanned today. Note: I did need to do "show more" as Marcos suggested, but now it seems, as you can see, it's on the "first" page.

Administrators Marcos 4,705 Posted August 16, 2019
Using IMAPS to fetch email from Gmail with ThunderBird:
We should have more information from developers on this next week.

itman 1,538 Posted August 16, 2019 (edited)
@Marcos did some more testing and found what the issue is. I have Thunderbird set to receive e-mail only in text format. Appears Eset is no longer scanning incoming T-Bird text e-mail.
I can live with that since the only thing allowed in text based e-mail are live URL links as far as I am aware of. However, further research needed in this area by Eset. Clicking on those links will force the Win default browser to open and display the web page there. I assume Eset would block anything malicious upon attempted web page access.
My other concern was attachments to text e-mail, which are also not scanned, as verified through testing. I really don't know for a fact if those were previously being scanned. However, upon opening or attempted saving of the attachment, Eset does detect the malware and deletes the source T-Bird e-mail w/attachment. Eset however does not delete the currently displayed e-mail w/attachment.
Correction - Eset does not delete the e-mail or attachment within T-Bird.

itman 1,538 Posted August 18, 2019
@Marcos I set T-Bird e-mail to html format and it appears Eset is still not scanning incoming e-mail. I use AOL mail. IMAPS server name, imap.aol.com. Port 993. Really starting to appear to me that Eset can no longer perform MITM scanning with its root cert. for AOL mail.

Administrators Marcos 4,705 Posted August 20, 2019
No problem scanning html email downloaded from AOL:
Have you checked if an ESET root certificate has been added as CA in the certificate manager? Have you tried disabling SSL filtering with TB not running and re-enabling it?

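One way to check from the affected PC whether the TLS session on port 993 is being re-signed by a local filter, which is the precondition for the IMAPS scanning discussed above. This is an added example, not part of any post in the thread and not ESET's own tooling; the issuer name in `MARKER` and the sample certificate dictionaries are assumptions constructed for illustration.

```python
import socket
import ssl

# Assumption: the filter re-signs server certificates with an issuer whose
# name contains this marker; change it to match the root in your store.
MARKER = "ESET SSL Filter CA"

# Constructed getpeercert()-style samples (not captured from a real server).
SAMPLE_DIRECT = {"subject": ((("commonName", "imap.example.test"),),),
                 "issuer": ((("organizationName", "Example Trust"),),
                            (("commonName", "Example Public CA"),))}
SAMPLE_FILTERED = {"subject": ((("commonName", "imap.example.test"),),),
                   "issuer": ((("commonName", "ESET SSL Filter CA"),),)}


def name_field(cert, section, key):
    """Return one field (e.g. commonName) from getpeercert()'s nested tuples."""
    for rdn in cert.get(section, ()):
        for k, v in rdn:
            if k == key:
                return v
    return None


def classify(cert, marker=MARKER):
    """'intercepted' if the issuer is the local filter CA, else 'direct'."""
    names = [name_field(cert, "issuer", k) or ""
             for k in ("commonName", "organizationName")]
    hit = any(marker.lower() in n.lower() for n in names)
    return "intercepted" if hit else "direct"


def fetch_cert(host, port=993, timeout=10):
    """Fetch the leaf certificate presented on an implicit-TLS port (IMAPS)."""
    ctx = ssl.create_default_context()  # on Windows this loads the system store
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return tls.getpeercert()


def check(host, port=993):
    """Human-readable verdict for one mail server, run on the affected PC."""
    try:
        cert = fetch_cert(host, port)
    except ssl.SSLCertVerificationError as exc:
        # A re-signed chain whose root this process does not trust lands here.
        return f"verification failed: {exc.verify_message}"
    return f"{classify(cert)} (issuer CN: {name_field(cert, 'issuer', 'commonName')})"
```

Calling `check("imap.aol.com")` reports what the Python process sees on that machine; Thunderbird keeps its own certificate store, so a "direct" result here does not by itself prove the mail client's session is unfiltered.
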
itman 1,538 Posted August 20, 2019
1 hour ago, Marcos said: No problem scanning html email downloaded from AOL:
I use normal password for authentication but did try online auth. No dice.
1 hour ago, Marcos said: Have you checked if an ESET root certificate has been added as CA in the certificate manager?
First thing I always check.
1 hour ago, Marcos said: Have you tried disabling SSL filtering with TB not running and re-enabling it?
Did it. Still no dice.
Here's what I have done:
1. Reinstall Thunderbird - no dice.
2. Reinstall EIS ver. 12.2.23 - no dice.
There is something weird going on here. If I try to add the Eicar string to an e-mail and send it, Eset detects it via alert. However what it is detecting is the .tmp file T-bird creates:
Time;Scanner;Object type;Object;Detection;Action;User;Information;Hash;First seen here
8/20/2019 2:15:52 PM;Real-time file system protection;file;C:\Users\XXXXX\AppData\Local\Temp\nsmail.tmp;Eicar test file;cleaned by deleting;XXXXXXX;Event occurred on a new file created by the application: C:\Program Files (x86)\Mozilla Thunderbird\thunderbird.exe (91C9ED6047E42F95EAFA27C66A75140A198128C0).;2481FB4EBCC232E0E061B79470B10A9EE1FAC07E;8/20/2019 2:15:51 PM
Then it gets weirder. The actual T-Bird .eml file is sitting in my user temp directory with the Eicar string removed. This same behavior manifests for incoming e-mail when a malicious attachment is opened, etc. E-mail is sitting in the temp directory with an empty attachment.
All this behavior clearly indicates Eset e-mail scanning is doing nothing and all detections are being made by the real-time scan engine at file creation time.

itman 1,538 Posted August 20, 2019
@Marcos, here's my latest theory. Eset e-mail processing is attempting to treat T-Bird e-mail as it does the other plug-in e-mail versions it supports, versus special casing it as done previously by just scanning IMAPS incoming port 993 traffic and deleting it if infected. As posted, when it tries to process the e-mail under plug-in processing criteria, it gets "confused" and borks the processing.

itman 1,538 Posted August 21, 2019 (edited)
@Marcos, I finally found out what the problem is.
There is this great web site that will check how secure your e-mail provider servers are: https://www.checktls.com/ . You do have to provide your e-mail address however. Really impressed with AOL e-mail security; they scored 100% across the board.
Now for the Eset e-mail scanning issue. As was shown in another thread where the poster was connecting to a Canadian gov. web site, AOL e-mail servers in the U.S. are using an additional root CA certificate in their chaining which defeats Eset MITM certificate use. So I guess I will have to wait till Eset figures out a way around this activity.
I can only theorize why it worked for you in Slovakia is that the e-mail servers connected to from there are not employing the additional root CA certificate.

itman 1,538 Posted August 22, 2019 (edited)
I am "throwing in the towel" on this issue. I see absolutely no evidence of port 993 IMAPS inbound e-mail scanning by Eset.
At least I resolved that .tmp file issue I mentioned previously. I had a long time ago activated the anti-virus scanning option in Thunderbird under the assumption it was required for Eset to scan incoming e-mail. Well, it turns out that option only applies to POPS scanning as detailed in this article: https://fitzcarraldoblog.wordpress.com/2016/03/17/thunderbirds-defective-method-of-enabling-anti-virus-software-to-scan-incoming-pop3-e-mail-messages/ . For all I know, these are the files Eset was scanning in the past.