Problem Thunderbird (Imap) and Eset

[noce 0]

Hello,

sometimes my company's computers have a problem with Thunderbird.

 

Here is the problem:

 

1)Open Thunderbird

2)Click on email with attachment to read

3) The preview remain blank and the CPU's usage goes up to max, and i need to kill the process.

 

Seraching in a thundebird log, i've found an error:

05 UID fetch 11585 (UID RFC822.SIZE BODY.PEEK[]>)instead of05 UID fetch 11585 (UID RFC822.SIZE BODY.PEEK[])then the server answers with:04 BAD Junk after body section.

After many attemps  maybe we found the reason in eset, as if it had trouble with our IMAP mail.

 

When i disabled the imap control on eset control panel, Thunderbird was able to load the emails which was previously causing errors.

We never had this problem, before...it's started from nothing.

 

Have you ever had this problem or similar?

Can you help me?

 

P.s

 

We have Eset Endpoint Antivirus, Versione 5.0.2237.1 and Thunderbird 31.4.0.

 

 

 

 

 

 

 

[Marcos 5,143]

What version of the Internet protection module do you have installed?

[noce 0]

Hi, we 've this version:

 

Internet protection module: 1164 (20141111).

[zhladik 0]

I got exactly same problem on one user installation.

 

It seems ESET mail body parser corrupts its data structures and from some point corrupts  body request and Thunderbirs falls to infinite loop with more and more allocated memory with nested  body request (instead of skipping of failed message)...

 

It was very hard to catch, because users PC allways crashed on memory exhausted by Thuderbird (it gots all of 2GB RAM memory at about 1 minute)....I was not there on it and after restart all worked, until user tries to get malformed message. So it tooks several weeks, with lot of stress!!!

 

Config:

Win7CZ all patches, 

EES 5.0.2237.1 actual modules and DB

Thunderbird 31.4.0

Internet protection module: 1164 (20141111). (latest for Bussines V5)

 

I am able to catch malformed message from IMAP server and send it to ESET team with Wireshark catch of whole communication...

But it is visible that ESET IMAP filters corrupt msg header from server, which is rejected by Thunerbird:

 

  19 UID fetch 67367 (UID RFC822.SIZE BODY.PEEK[]>)

  19 BAD Junk after body section

  19 UID fetch 67367 (UID RFC822.SIZE BODY.PEEK[]>)

  19 BAD Junk after body section

  19 UID fetch 67367 (UID RFC822.SIZE BODY.PEEK[]>)

  19 BAD Junk after body section

         ... inifinitely....

 

 

After switching ESET IMAP filter off I will get succesfuly all messages.

Header for this one msg looks this way:

 

 19   UID fetch 67367 (UID RFC822.SIZE BODY.PEEK[]<0.65536>)

* 1109 FETCH (UID 67367 RFC822.SIZE 200579 BODY[]<0> {65536}

 

So it is visible that range of first chunk of msg body "<0.65536>" is choked by ESET IMAP filter and it leaves ">"!!!

Thunderbird repeats this request (same way crippled) until it allocates all memory and crashes OS...

 

 

Header of this message fetched several commands before (cyrillic encoded!!):

 

* 1109 FETCH (FLAGS () UID 67367 RFC822.SIZE 200579 BODY[HEADER.FIELDS (From To Cc Bcc Subject Date Message-ID Priority X-Priority References Newsgroups In-Reply-To Content-Type Reply-To)] {397}

Message-ID: <323781D2D90D2FBC60652C9206598A9E@gsmebel>

From: =?windows-1251?B?0uDy/P/t4CDe8Pzl4u3g?= <kznamya@etm.ru>

To: =?windows-1251?B?wOfg7ODy7uLgIND78erz6/w=?= <vip-art@amber.ru>

Subject: =?windows-1251?B?z/Du4evl7Psg7/DoIOLi7uTlIO7h+uXq8uA=?=

Date: Mon, 16 Feb 2015 17:24:51 +0300

Content-Type: multipart/mixed;

boundary="----=_NextPart_000_1339_01D04A0D.78CDFC20"

X-Priority: 3

 

May be something messed ESET IMAP parser????

[Marcos 5,143]

I'd suggest contacting customer care and testing it with the latest Internet protection module 1177B to see if it makes a difference.

[zhladik 0]

May be its typo? Latest Pre module available in update servers seems to be 1167, not 1177. It seems switching to Test release solved problem, but may be it disapeared because uncommon message which crashes EES IMAP filter was deleted. As I mentioned - crash apeared about three times in last month...on two different machines. My theory is that source of crash is on messages with cyrilic encoding, but I am not sure. We receive russian messages rarely mostly as spam...

 

But even if Test solves problem, is it safe to switch to test updates whole company? We are upset because problem is heavy destructive - crash of whole PC every start of Thunderbird until manual msg remove... Test release is test - so may be there is some risk to use it until offical fixed reelase. I got no info from ESET support yet about planned stable release for this module....

[Marcos 5,143]

Ok, I've received a confirmation from engineers that this issue was fixed in 1167. You can switch to pre-release updates until the module is released for all users.

[zhladik 0]

NOT FIXED YET?!

 

Lot of time from reporting problem. ESET Support confirmed that it is fixed 

in module update in V7 and V8. But still no fix in V5. May be special care 

for bussines version??

 

Let me remind that BUG IS DESTRUCTIVE. Developers made fix. But somwhwere in ESET release 

processes something screeches.

 

BUG crashes PC. Even worse - source of crash - ESET module is hidden. 

 

PLEASE if you can URGE release of Internet module V1167 or newer!!!

 

So if anybody have problem with Thinderbird/whole PC crash which disapears 

after switching IMAP/ESET filter off, let know, that this problem is repaired 

but not released (in V5) more than month!!!.

 

BTW I found corelation ot this with nonlatin alphabets mails (cyrillic, korean).

[neileroberts 0]

It appears that module version 1167 is still not released into the Regular Updates channel. Can you please confirm when this will be done? I am currently running at version 1164.1.

[Marcos 5,143]

Version 1207 is available on pre-release servers. You can switch to pre-release updates until the module is released to regular update servers.