Jump to content
itman

Thunderbirds E-mails No Longer Being Scanned

Recommended Posts

Posted (edited)

Ver. 12.2.23. Thunderbird e-mail client.

With this category missing, I have no way to verify that Eset is actually scanning my incoming e-mails.

Eset_Report.thumb.png.e3b12dd62d7f1bb19ebfea95898775c6.png

Edited by itman

Share this post


Link to post
Share on other sites
Posted (edited)

What concerns me is the below on-line help quoted last paragraph. This would imply that Eset is no longer scanning Thunderbird incoming e-mail:

Quote

Security report

This feature gives an overview of the statistics for the following categories:

Web pages blocked – Displays the number of blocked web pages (blacklisted URL for PUA, phishing, hacked router, IP or certificate).

Infected email objects detected – Displays the number of infected mail objects that have been detected.

Web pages in Parental control blocked – Displays the number of blocked web pages in Parental control.

PUA detected – Displays the number of Potentially unwanted applications (PUA).

Spam emails detected – Displays the number of detected spam emails.

Blocked access to webcam – Displays the number of blocked accesses to web cam.

Protected connections to internet banking – Displays the number of protected accesses to websites via the Banking and Payment protection feature.

Documents checked – Displays the number of scanned document objects.

Apps checked – Displays the number of scanned executable objects.

Other objects checked – Displays the number of other scanned objects.

Web page objects scanned – Displays the number of scanned web page objects.

Email objects scanned – Displays the number of scanned email objects.

The order of these categories is based on the numeric value from the highest to the lowest. The categories with zero values are not displayed. Click Show more to expand and display hidden categories.

 

Edited by itman

Share this post


Link to post
Share on other sites

Would clicking Show more make the email scanner statistics to appear?

Share this post


Link to post
Share on other sites
4 hours ago, Marcos said:

Would clicking Show more make the email scanner statistics to appear?

It was the first thing I tried. No dice. Nothing further was displayed. Additionally, I tried resetting the statistics. Still no e-mail category.

The real question is if Eset is still scanning Thunderbird e-mail which I am having serious doubts about.

Share this post


Link to post
Share on other sites

Reflecting a bit, this issue existed prior to ver. 12.2.23 and started around the time Eset HTTPS ports added the, 0-65535 range to ver. 12.1. "My gut is telling me" this might have hosed the IMAPS and POPS ports usage by Eset's e-mail scanner. Will experiment with excluding the IMAPS ports there and see if that resolves the issue.

Share this post


Link to post
Share on other sites

@Marcos it appears Eset e-mail scanning is no longer scanning Thunderbird IMAPS incoming e-mail. I turned on ThreatSense detailed logging and have zip log entries related to e-mail.

Share this post


Link to post
Share on other sites
51 minutes ago, itman said:

@Marcos it appears Eset e-mail scanning is no longer scanning Thunderbird IMAPS incoming e-mail. I turned on ThreatSense detailed logging and have zip log entries related to e-mail.

Tried everything I could think of to get T-Bird e-mail scanning to work w/zip results.

Need to know if Eset no longer supports e-mail scanning for T-Bird.

Share this post


Link to post
Share on other sites
Posted (edited)

Things are worse than I thought.

I sent myself an e-mail containing the Eicar test string. Not only did Eset not prior scan the e-mail in Thunderbird. When I opened the e-mail, Eset didn't detect it.

Eset_email.thumb.png.1beb942a4fc6c5ae0f7d2a5ef794db31.png

Edited by itman

Share this post


Link to post
Share on other sites
Posted (edited)

Well the below screen shot notes that the ThreatSense engine appears now to only support Outlook or LiveMail e-mail formats. Thunderbird emails use the .mbox extension. Appears Eset previously performed a conversion to .EML format and that was either inadvertently omitted, or done so intentionally. In either case I need to know pronto if this will be fixed or Eset e-mail scanning no longer supports Thunderbird.

Eset_mbox.thumb.png.de7286b52599dbb641ffcc527e0fb2ca.png

 

Edited by itman

Share this post


Link to post
Share on other sites

itman,

Seems to be working for me with latest version 12.2.23.0 & Thunderbird is the only email client in use on the PC in the screen shot below.

mousing across the graph it says 13 emails scanned today.

Note: I did need to do "show more" as Marcos suggested but now it seems as you can see its on the "fist" page

 

image.png.b39874f77e14df68bec0927f71927ec0.png

Share this post


Link to post
Share on other sites

Using IMAPS to fecth email from Gmail with ThunderBird:

image.png

We should have more information from developers on this next week.

Share this post


Link to post
Share on other sites
Posted (edited)

@Marcos did some more testing and found what the issue is. I have Thunderbird set to receive e-mail only in text format. Appears Eset is no longer scanning incoming T-Bird text e-mail.

I can live with that since the only thing allowed in text based e-mail are live URL links as far as I am aware of. However, further research needed in this area by Eset. Clicking on those links will force the Win default browser to open and display the web page there. I assume Eset would block anything malicious upon attempted web page access.

My other concern was attachments to text e-mail which are also not scanned as verified through testing. I really don't know for fact if those were previously being scanned? However upon opening or attempted saving of the attachment, Eset does detect the malware and deletes the source T-Bird e-mail w/attachment. Eset however does not delete the currently displayed e-mail w/attachment.  Correction - Eset does not delete the e-mail or attachment within T-Bird.

Edited by itman

Share this post


Link to post
Share on other sites

@MarcosI set T-Bird e-mail to html format and it appears Eset is still not scanning incoming e-mail.

I use AOL mail. IMAPS server name, imap.aol.com. Port 993.

Really starting to appear to me that Eset can no longer perform MITM scanning with its root cert. for AOL mail.

Share this post


Link to post
Share on other sites

No problem scanning html email downloaded from AOL:

image.png

image.png

Have you checked if an ESET root certificate has been added as CA in the certificate manager?

image.png

Have you tried disabling SSL filtering with TB not running and re-enabling it?

Share this post


Link to post
Share on other sites
1 hour ago, Marcos said:

No problem scanning html email downloaded from AOL:

I use normal password for authentication but did try online auth. No dice.

1 hour ago, Marcos said:

Have you checked if an ESET root certificate has been added as CA in the certificate manager?

First thing I always check.

1 hour ago, Marcos said:

Have you tried disabling SSL filtering with TB not running and re-enabling it?

Did it. Still no dice.

Here's what I have done:

1. Reinstall Thunderbird - no dice.

2. Reinstall EIS ver. 12.2.23 - no dice.

There is something weird going on here. If I try to add the Eicar string to an e-mail and send it, Eset detects it via alert. However what it is detecting is the .tmp file T-bird creates:

Time;Scanner;Object type;Object;Detection;Action;User;Information;Hash;First seen here
8/20/2019 2:15:52 PM;Real-time file system protection;file;C:\Users\XXXXX\AppData\Local\Temp\nsmail.tmp;Eicar test file;cleaned by deleting;XXXXXXX;Event occurred on a new file created by the application: C:\Program Files (x86)\Mozilla Thunderbird\thunderbird.exe (91C9ED6047E42F95EAFA27C66A75140A198128C0).;2481FB4EBCC232E0E061B79470B10A9EE1FAC07E;8/20/2019 2:15:51 PM

Then it get weirder. The actual T-Bird .eml file is sitting in my user temp directory with the Eicar string removed. This same behavior manifests for incoming e-mail when a malicious attachment is opened, etc.. E-mail is sitting in the temp directory with an empty attachment. All this behavior clearly indicates Eset e-mail scanning is doing nothing and all detections are being made by the real-time scan engine at file creation time.

Eset_TBird.thumb.png.0a3585d4291e110b041c4789f3daf977.png

 

 

Share this post


Link to post
Share on other sites

@Marcos , here's my latest theory.

Eset e-mail processing is attempted to treat T-Bird e-mail as it does the other plug-in e-mail versions it supports, versus special casing it as done previously by just scanning IMAPS incoming port 993 traffic and deleting it if infected. As posted when it tries to process the e-mail under plug-in processing criteria, it gets "confused" and borks the processing.

Share this post


Link to post
Share on other sites
Posted (edited)

@Marcos, I finally found out what the problem it. There is this great web site that will check how secure your e-mail provider servers are: https://www.checktls.com/ . You do have to provide your e-mail address however.

Really impressed with AOL e-mail security; they scored 100% across the board. Now for the Eset e-mail scanning issue. As was shown in another thread where the poster was connecting to a Canadian gov. web site, AOL e-mail servers in the U.S. are using an additional root CA certificate in their chaining which defeats Eset MITM certificate use. So I guess I will have to wait till Eset figures out a way around this activity.

I can only theorize why it worked for you in Slovakia is that the e-mail servers connected to from there are not employing the additional root CA certificate.

AOL_Screen_1.thumb.png.01c5d9d647c7586d257480a1e8b396f4.png

AOL_Screen_2.thumb.png.616b8913e7f9c856aa78687ee5a0a328.png

Edited by itman

Share this post


Link to post
Share on other sites
Posted (edited)

I am "throwing in the towel" on this issue. I see absolutely no evidence of port 993 IMAPS inbound e-mail scanning by Eset.

At least I resolved that .tmp file issue I mentioned previously . I had a long time ago activated the anti-virus scanning option in Thunderbird under the assumption is was required for Eset to scan incoming e-mail. Well, it turns out that option only applies to POPS scanning as detailed in this article: https://fitzcarraldoblog.wordpress.com/2016/03/17/thunderbirds-defective-method-of-enabling-anti-virus-software-to-scan-incoming-pop3-e-mail-messages/ .  For all I know, these are the files Eset was scanning it the past.

Edited by itman

Share this post


Link to post
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.
Note: Your post will require moderator approval before it will be visible.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.


  • Recently Browsing   0 members

    No registered users viewing this page.

×
×
  • Create New...