
Email Scan Messing Up Emails



I am using Smart Security 7.x (latest version) and I am performing a daily scan of my system.

 

Part of this scan includes the directory on my hard drive that holds all of my Emails from various POP3 accounts that are read by Thunderbird v31.2.0.

 

Sometimes, after a scan is complete, some of my Emails will be scrambled. Some have the subject from another Email, but the contents of an unrelated Email when I go to read it. Others will have the body of the Email converted to hundreds of lines of MIME code. Once they are scrambled, they are lost forever.

 

How can I prevent these scrambled Emails short of not scanning the Email directory at all on my daily scan?

 

I have ESET set to move infected Emails to the Infected folder in Thunderbird v31.2.0 and also appending the virus name, etc.

 

I also have ESET watching IMAP ports 143, 585 and 993; additionally, it is looking at POP3 ports 110, 465 and 995, as well as POP3S port 995, but it never marks any Email as containing a virus or malicious code, yet on my daily scan of the Email directory it does sometimes show an Email that it wants to delete.

 

Any help would be greatly appreciated.


First, a basic question: in the scan profile you use for the email scan, have you enabled scanning of emails?

And where does it corrupt the emails? Directly when receiving (so that there is a problem with protocol filtering) or at the on-demand scan?

About the one scan where it wants to delete something: Can you please provide us with a screenshot of the message which appears?


  • Administrators

I'd bet I've already replied to this topic but it seems I forgot to post it or something weird happened. Please answer my questions:

- Did you enable email files in the on-demand scanner profile you use for scanning files?

- Are you able to reproduce the issue and supply us with a file (mailbox) that gets corrupted after being scanned by ESET?

 

I assume that upgrading to v8 wouldn't make any difference but you could definitely try it at least because it provides better protection against threats than v7.


First, a basic question: in the scan profile you use for the email scan, have you enabled scanning of emails?

And where does it corrupt the emails? Directly when receiving (so that there is a problem with protocol filtering) or at the on-demand scan?

About the one scan where it wants to delete something: Can you please provide us with a screenshot of the message which appears?

I'm not sure exactly what you're asking for in the first question... I have a Daily Scan setup called "Bill Scan". It scans my C: and E (Data) drives in their entirety (including the dir on the E: drive named Emails, which includes all sub-dirs for my various Email accounts).

 

I also have ESET setup to scan the ports needed for POP3 mail in its advanced firewall section.

 

The Emails are never corrupted when receiving, they are corrupted during the on demand daily scan that I have setup. They are almost always newer Emails and never older or really old Emails. I have tried to see if they are corrupted if they came in during the hour that it takes to run the on demand daily scan, but that doesn't always seem to be the case.

 

If I don't scan the Email dir during my daily scan then I never have corrupted Emails.

 

My concern is that ESET may not be catching any of the bad Emails (virus/malware) by just scanning those ports. It doesn't popup anything saying it detected a bad Email and it never places them in the "Infected" folder of the corresponding Email account (Yahoo/Verizon).

 

However, if I run the scan on the Email dir during the normal daily scan (the one that sometimes corrupts Emails), it will detect bad Emails at times and ask to delete/quarantine them, etc. The screen shot you requested would not be for an individual Email, it would be a screen shot of the entire scan log for the hard drives with the Emails path highlighted just as it will do for any file it finds suspicious on the hard drive.

Edited by Bogey62

I'd bet I've already replied to this topic but it seems I forgot to post it or something weird happened. Please answer my questions:

- Did you enable email files in the on-demand scanner profile you use for scanning files?

- Are you able to reproduce the issue and supply us with a file (mailbox) that gets corrupted after being scanned by ESET?

 

I assume that upgrading to v8 wouldn't make any difference but you could definitely try it at least because it provides better protection against threats than v7.

 

Yes. Under ThreatSense/Objects I have Email files checked. I also just changed the Cleaning method to No Cleaning instead of Automatic. Maybe this will popup an individual requester when it finds a bad Email and allow me to choose what I'd like to do.

 

Supply a single Email? I could do this the next time it happens.

Edited by Bogey62

I'm not sure exactly what you're asking for in the first question... I have a Daily Scan setup called "Bill Scan". It scans my C: and E (Data) drives in their entirety (including the dir on the E: drive named Emails, which includes all sub-dirs for my various Email accounts).

 

Yes. Under ThreatSense/Objects I have Email files checked.

This was exactly what I asked... :) 

 

And I think ESET would like to get more than one email, but you can start with one email. ;)

 

About the email scanning with protocol filtering you have to know this: If you access your emails with POPS/IMAPS then you have to enable SSL-scanning in ESET otherwise ESET will not be able to scan the encrypted communication.

 

However, if I run the scan on the Email dir during the normal daily scan (the one that sometimes corrupts Emails), it will detect bad Emails at times and ask to delete/quarantine them, etc. The screen shot you requested would not be for an individual Email, it would be a screen shot of the entire scan log for the hard drives with the Emails path highlighted just as it will do for any file it finds suspicious on the hard drive.

Does it detect the same threats every time?

However, I think it could be good to provide such a screenshot. If you really get so much malware through your emails, it would at least be good to know exactly what threats ESS detected.


 

I'm not sure exactly what you're asking for in the first question... I have a Daily Scan setup called "Bill Scan". It scans my C: and E (Data) drives in their entirety (including the dir on the E: drive named Emails, which includes all sub-dirs for my various Email accounts).

 

Yes. Under ThreatSense/Objects I have Email files checked.

This was exactly what I asked... :)

 

And I think ESET would like to get more than one email, but you can start with one email. ;)

 

About the email scanning with protocol filtering you have to know this: If you access your emails with POPS/IMAPS then you have to enable SSL-scanning in ESET otherwise ESET will not be able to scan the encrypted communication.

 

However, if I run the scan on the Email dir during the normal daily scan (the one that sometimes corrupts Emails), it will detect bad Emails at times and ask to delete/quarantine them, etc. The screen shot you requested would not be for an individual Email, it would be a screen shot of the entire scan log for the hard drives with the Emails path highlighted just as it will do for any file it finds suspicious on the hard drive.

Does it detect the same threats every time?

However, I think it could be good to provide such a screenshot. If you really get so much malware through your emails, it would at least be good to know exactly what threats ESS detected.

 

I enabled the SSL filtering, but now it messes up my custom Yahoo page. I will check the box to ignore scanning the browser, right?

 

Thunderbird is now set to scan SSL and I added Exceptions for all the Email accounts as they popped up after enabling the filtering.

 

Does this sound correct?

 

And...

 

No, it's different Emails each time and many times it detects no threats in the Email folder.

 

BTW, thank you for taking the time to help me out with this issue. :)

Edited by Bogey62

Sorry for the dumb question...

 

Is there a way to attach a ZIP file containing screen shots of my config, assuming that would be helpful?

You can even attach the picture itself.

 

Click on "Full editor" or "More Reply Option" and there you'll find the upload part.


Thunderbird is now set to scan SSL and I added Exceptions for all the Email accounts as they popped up after enabling the filtering.

 

Does this sound correct?

Ehm... no.

 

First you should try to find out how you access your mails. Only if you access them through POPS/IMAPS does it make sense to enable SSL scanning at all.

You should find this in the Thunderbird settings.

 

And what exactly have you selected?

If you selected "Always scan SSL protocol" there shouldn't be any prompts at all.

BTW you can reset the certificate settings somewhere under SSL settings.


 

Thunderbird is now set to scan SSL and I added Exceptions for all the Email accounts as they popped up after enabling the filtering.

 

Does this sound correct?

Ehm... no.

 

First you should try to find out how you access your mails. Only if you access them through POPS/IMAPS does it make sense to enable SSL scanning at all.

You should find this in the Thunderbird settings.

 

And what exactly have you selected?

If you selected "Always scan SSL protocol" there shouldn't be any prompts at all.

BTW you can reset the certificate settings somewhere under SSL settings.

 

 

OK, Thunderbird accesses Yahoo mail via a POP server:

 

plus.pop.mail.yahoo.com

 

Port: 995

 

Connection Security: SSL/TLS

 

Authentication: Normal Password

 

 

Yes, I selected Always Scan SSL Protocol. But, I just set all of the Protocol Settings back to defaults.

 

Sorry about my ignorance to all of this. I just want to ensure that ESET is properly scanning my incoming Emails via Yahoo Mail Plus and Verizon properly under Thunderbird.


In screenshot pack 1 you log all scanned objects. Is there a reason for this?

And from which module are the ThreatSense-settings in your second screenshot-pack?


In screenshot pack 1 you log all scanned objects. Is there a reason for this?

And from which module are the ThreatSense-settings in your second screenshot-pack?

I just recently clicked the log option thinking it might help to debug the issues I am having with Emails. I can certainly uncheck that option.

 

The ThreatSense settings in the second pack are from clicking on the Email Client Protection "ThreatSense Parameter Setup" button in ScreenShot_008.jpg.


  • Administrators

As a preventive measure, I'd recommend disabling scanning of email files (which is the default). The best would be if you could provide me with good inbox and inbox.msf files that allegedly get corrupted after being scanned by ESET. I understand that they may contain personal information and therefore you might need to create a test account to reproduce it without any personal messages.


As a preventive measure, I'd recommend disabling scanning of email files (which is the default). The best would be if you could provide me with good inbox and inbox.msf files that allegedly get corrupted after being scanned by ESET. I understand that they may contain personal information and therefore you might need to create a test account to reproduce it without any personal messages.

I will continue to scan the Email directory and when I get some corrupted Emails, I will make a copy of the Inbox files. Next, I will delete all Emails that aren't corrupted and only leave the corrupted one(s) to forward to you.

 

Does that sound like a plan?

 

If I disable scanning then what good is that other than not potentially corrupting some of them? I will still be open to bad Emails coming through, right?


If I disable scanning then what good is that other than not potentially corrupting some of them? I will still be open to bad Emails coming through, right?

Normally the emails should be scanned through the protocol filtering. But as you said there are sometimes some alerts on the on-demand-scan, but not on the protocol filtering, so maybe there is an issue. (or that is just the thing that corrupts the emails - a false positive?)

Edited by rugk

  • Administrators

Thunderbird holds indexes of messages in the corresponding msf file, so if malware is found in a mailbox and is removed, messages are not re-indexed, which may cause issues.

Link to comment
Share on other sites
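
The stale-index effect described in the post above, as an added example that is not part of the original thread and is not ESET or Thunderbird code. It assumes a simplified index (cached subject plus byte offset per message) in place of the real .msf format; all function names and the sample messages are constructed for illustration.

```python
FROM_LINE = "From sender@example.test Mon Oct 20 10:00:00 2014\n"  # constructed sample

def build_mbox(messages):
    """Serialize (subject, body) pairs as one mbox file: messages are simply concatenated."""
    return "".join(f"{FROM_LINE}Subject: {s}\n\n{b}\n\n" for s, b in messages).encode()

def build_index(data):
    """Simplified stand-in for a mailbox summary: cached subject + byte offset per message."""
    entries, pos = [], 0
    for line in data.splitlines(keepends=True):
        if line.startswith(b"From "):
            entries.append({"offset": pos, "subject": None})
        elif line.startswith(b"Subject: ") and entries and entries[-1]["subject"] is None:
            entries[-1]["subject"] = line[9:].strip().decode()
        pos += len(line)
    return {"size": len(data), "entries": entries}

def remove_message(data, index, n):
    """Model an external cleaner cutting message n out of the mbox, leaving the index untouched."""
    e = index["entries"]
    end = e[n + 1]["offset"] if n + 1 < len(e) else len(data)
    return data[:e[n]["offset"]] + data[end:]

def read_via_index(data, entry):
    """What the client displays: the cached subject, with the body read from the cached offset."""
    chunk = data[entry["offset"]:]
    nxt = chunk.find(b"\nFrom ", 1)
    return entry["subject"], (chunk if nxt == -1 else chunk[:nxt + 1]).decode(errors="replace")

def index_is_stale(data, index):
    """Size must match and every cached offset must land on a 'From ' separator line."""
    if index["size"] != len(data):
        return True
    return any(not data.startswith(b"From ", e["offset"]) for e in index["entries"])

SAMPLE = [("Invoice", "Please find the invoice attached."),
          ("Prize", "Open the attached file to claim your prize."),  # removed by the scanner
          ("Lunch?", "Are you free at noon?"),
          ("Meeting notes", "Notes from Monday are below.")]

if __name__ == "__main__":
    mbox = build_mbox(SAMPLE)
    index = build_index(mbox)
    cleaned = remove_message(mbox, index, 1)
    print("stale after cleaning:", index_is_stale(cleaned, index))
    print("stale view:", read_via_index(cleaned, index["entries"][2]))
    fresh = build_index(cleaned)  # rebuilding the index from the mbox itself
    print("fresh view:", read_via_index(cleaned, fresh["entries"][1]))
```

With the stale index, the entry for "Lunch?" shows text from "Meeting notes", which matches the symptom of a correct subject with an unrelated body; rebuilding the index from the mailbox restores the pairing.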

 

If I disable scanning then what good is that other than not potentially corrupting some of them? I will still be open to bad Emails coming through, right?

Normally the emails should be scanned through the protocol filtering. But as you said there are sometimes some alerts on the on-demand-scan, but not on the protocol filtering, so maybe there is an issue. (or that is just the thing that corrupts the emails - a false positive?)

 

 

Back to the protocol filtering... should I go back to that? I don't believe it was ever implemented correctly on my side since I didn't have ESET set to filter SSL.

 

==========

Thunderbird accesses Yahoo mail via a POP server:

 

plus.pop.mail.yahoo.com

 

Port: 995

 

Connection Security: SSL/TLS

 

Authentication: Normal Password

==========

 

So, should I go back and set Protocol Filtering / SSL / Always Scan SSL Protocol? Especially considering that the connection security for Yahoo mail is SSL/TLS?


Thunderbird holds indexes of messages in the corresponding msf file, so if malware is found in a mailbox and is removed, messages are not re-indexed, which may cause issues.

 

That sounds like a good possibility for what's going on when Emails have the correct sender and subject, but the body is all messed up.

 

Would the setting:

 

Email Client Protection / Special Settings / Disable Checking Upon Inbox Content Change

 

make any difference if I enabled it?


  • 1 month later...

Today I set ESET 8 to auto-clean while scanning.

 

It found and deleted three Emails from one of my accounts in Thunderbird.

 

The Inbox for that account was now scrambled, as described earlier in this thread.

 

I copied the entire folder from the corrupted account to a second location and then started deleting personal Emails from the original folder so that I could send it in for inspection by Marcos.

 

After deleting a ton of personal Emails, but leaving the scrambled ones intact, I closed and restarted Thunderbird. All of the corrupted Emails were now fixed!

 

I am assuming that Thunderbird somehow knows how to re-index the folder after those Emails were deleted by ESET 8.

 

I never bothered to try this, to my recollection, because my computer is in Sleep mode when not in use and I rarely restart Thunderbird.

 

The only thing different now than earlier when I started this thread is that I upgraded from ESET 7 to 8.

 

Maybe this is a fluke, but I will try this method again if a folder gets corrupted in a subsequent scan.


Today I set ESET 8 to auto-clean while scanning.

 

It found and deleted three Emails from one of my accounts in Thunderbird.

 

The Inbox for that account was now scrambled, as described earlier in this thread.

 

I copied the entire folder from the corrupted account to a second location and then started deleting personal Emails from the original folder so that I could send it in for inspection by Marcos.

 

After deleting a ton of personal Emails, but leaving the scrambled ones intact, I closed and restarted Thunderbird. All of the corrupted Emails were now fixed!

 

I am assuming that Thunderbird somehow knows how to re-index the folder after those Emails were deleted by ESET 8.

 

I never bothered to try this, to my recollection, because my computer is in Sleep mode when not in use and I rarely restart Thunderbird.

 

The only thing different now than earlier when I started this thread is that I upgraded from ESET 7 to 8.

 

Maybe this is a fluke, but I will try this method again if a folder gets corrupted in a subsequent scan.

You might try a reboot, and wait 15 min before doing your daily on-demand scan. This allows Windows to release all files...

This cuts several minutes off my on-demand scan times.

 

I also do a no-activity reboot at the end of the day, and wait 45min before shutdown.

My system comes up much faster after cold startup, but sometimes I have to reboot after waiting 35 min before browsers... work correctly?

This isn't just with my ESS v8, but also with my old KIS2014- I feel it may have something to do with Trusting changes...?


This topic is now closed to further replies.