May 19, 2008

Avast! Antivirus Version 4.8 Problems

[Updates have been added in brackets where appropriate. The latest update is August 7, 2008.]

In this post I will share some of my initial experiences with avast! antivirus v4.8. Although I am evaluating avast! 4.8 on a Windows 98 system, some of the problems I've noticed would also exist under Windows XP and Vista. I have chosen avast! antivirus as a replacement for Grisoft's AVG, which will no longer support Windows 98. The fact that many people running Windows 98 are also AVG users inspired me to write this post. Perhaps people seeking a new antivirus program will find my observations helpful.

Since I use my computer commercially I am not eligible for the free home version of avast!. A comparison between the home and professional versions indicates they are the same except for the following features only available in the professional version: command line scanner, enhanced user interface, script blocking, push updates, creating tasks, scheduling tasks, and storing scan results. If I don't encounter major problems I can't solve during the trial period I will buy the professional version.

I had no difficulties with avast!'s download and installation. Before installing avast! I booted my computer into safe mode so that AVG would not be running. I uninstalled AVG by running setup.exe in the AVG folder. The setup program provided an option for removing AVG. Then I rebooted and installed avast!. I chose the custom installation and chose not to install the scanning modules for applications I don't have -- Outlook, peer-to-peer networking (P2P), and instant messaging (IM). Near the end of the installation process a wizard configured email scanning.

Avast! with POPFile
Installing avast! reconfigured my four email accounts in Eudora so that they no longer worked. I had anticipated that problem. I use POPFile to examine, sort, and tag my email before it gets to Eudora. I would have been very impressed if avast! had inserted itself into the mail-processing stream without creating a problem. I wasn't sure of the easiest way to restore my Eudora accounts to their prior settings, so I simply restored the eudora.ini file from the Eudora folder in the disk backup I had made before uninstalling AVG. That worked. I could send and receive mail from my various accounts again but the mail wasn't being scanned for viruses. I researched the problem online and found the solution for avast! 4.5 in the POPFile Documentation Project. I updated the avast4.ini file using the instructions on that site, and it worked. I did not change anything in Eudora or in POPFile.

Scan of Internal Hard Disks
I wanted to run a scan overnight. I was curious to see if avast! would identify any viruses that AVG had either missed or ignored. I found three ways to run avast!: by clicking avast! antivirus in the Windows start menu, by double-clicking the desktop icon added during installation, or by right clicking the avast! tray icon and selecting "Start avast! Antivirus". Here's a reduced image of the simple user interface using the default skin, which looks like a media player.


You have to point the cursor at each button and wait for a pop-up description to appear to see what each button does. I tried the alternate skin offered, but it was no more intuitive to me. You still must hover the cursor over each button to see what the button does. I went back to the default skin.

I tried to adjust the sensitivity setting by clicking and dragging the indicator in the pop-up sensitivity graphic. My screen went black. The keys and mouse were inoperable so I had to reboot. Then I discovered the menu that's displayed by clicking the button on the upper left of the simple interface. I set the scan area to local disks, set the scan level to thorough, decided not to scan inside archives, started the scan, and went to bed.

About a half hour after going to bed I was startled to hear a siren and a male voice say "Caution, a virus has been detected." I got up and investigated. The scan had stopped and was awaiting a response to a pop-up window. My plan had been to run the scan, check the results in the morning, and decide what to do about anything that had been found. That plan wasn't going to work if the scan couldn't be run unattended. I examined the pop-up window's options. I think they were: delete, move, and move to chest (i.e. avast!'s quarantine area). I didn't want to do any of those things. I wanted the file's name and location to be logged and the scan to continue. There was a check box that said something like, "Don't show me this message again." I checked the box hoping it would allow the scan to run unattended. Then I clicked "continue" at the bottom of the window without selecting an option for what to do with the file. The alarm went off again and the window came back demanding an action. I told it to move the file to the chest. Then I went back to bed and although more viruses were detected, no more alarms went off. The program automatically moved each file containing a virus to the chest without bothering me.

The thorough scan took about eight hours and twenty minutes to scan about 255,000 files (on a 3.2 GHz Pentium 4 - Northwood, with 1 GB RAM, and two 7,200 rpm Western Digital IDE drives). I can't give an exact duration or file count because both the "last scan results" and "view scan report" were grayed out. (Later I discovered the report file creation feature was not turned on. It can be turned on by going to settings in the simple menu, and then selecting "Report file". There's a check box that says, "Create report file".)

[Update 5/21/08: I ran another thorough scan overnight. Afterward when I used the simple menu to go to Tools, View scan reports, the "View scan reports" menu item was grayed out. I went to Settings, Report file and verified that "Create report file" was checked. I used Windows Explorer to find the report file. I viewed it and the latest scan report had been appended to the file. So the report was created although viewing it was not available in the Tools menu. Here's the path and name of the report on my system: "C:\Program Files\Alwil Software\Avast4\DATA\report\Simple user interface.txt". The report named ten files that could not be scanned because there was not enough storage. The files ranged in size from 289 MB to 4 GB. Over 20 GB of space is free on C: so the storage limitation must be RAM or a logical area programmatically defined in the avast! scanner.]

Seven viruses were detected, all in old emails. There were five copies of "Win32:Beagle-gen@mail" and two copies of "VBS:Kak-A [Wrm]". Avast! did not identify which emails contain the viruses. I restored one of the large mail files from the virus chest back to Eudora. Then I right clicked the file's name in Windows Explorer and selected "scan" from the context menu. Avast! alarmed, said a virus had been detected, and popped up the action window. The options were move/rename, delete, and move to chest. I clicked continue. The alarm went off again and the same window popped up, only this time there was a fourth option, repair. I clicked repair and another window popped up with three choices: repair all, repair, and cancel. I clicked repair all. The windows went away as if the repairs had worked and the problem had been solved. I went back to Windows Explorer and scanned the same file again. The alarm went off and named the same virus that had supposedly been repaired. So "repair all" was deceptive and unreliable. (I have never had success with an antivirus program's repair facility.) This time I selected "repair" rather than "repair all" in the second pop-up, and a message was displayed that said, "The file was not repaired."

I don't like the choices I see for handling old mail files. I can have large mail files kept in avast!'s virus chest, in which case thousands of emails would be inaccessible to Eudora, or I can restore them to Eudora and have them cause problems each time I perform a system scan. I don't have to worry about the viruses becoming active and infecting anything, because if an email containing a virus were ever opened, avast!'s resident shield would catch the virus. A Eudora mail file might contain a thousand emails, but avast! has to delete or move the entire file of a thousand emails, not just the email containing the virus. That's a problem. If avast! could show a block of text from each offending email I could easily perform a search myself, find the email, and delete just that email. If anyone can tell me how to identify which emails contain viruses please leave a comment telling me how. The Eudora files are ".mbx" text files that can be edited with any text editor.
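The search the post asks for can be automated. The following Python sketch is an added example, not part of the original post or of any avast! or Eudora tooling: it splits a mailbox into individual messages, reports the Date/From/To/Subject of any message containing a given byte string, and can export each message to its own file so that an on-demand scan names one message rather than the whole mailbox. It assumes each stored message begins with Eudora's `From ???@???` envelope line; the sample mailbox and marker string are constructed for illustration.

```python
"""Locate the individual message inside a Eudora-style .mbx file.

Added example: the sample mailbox and marker below are constructed.
"""
import re
from email.parser import BytesHeaderParser
from pathlib import Path

# Assumption: every stored message starts with an mbox-style envelope line
# whose sender field is the literal "???@???". Matching that exact form
# avoids splitting on body lines that merely begin with "From ".
ENVELOPE = re.compile(rb"^From \?\?\?@\?\?\? [^\r\n]*", re.MULTILINE)


def split_messages(mbx_bytes):
    """Return a list of (number, start_offset, raw_bytes), one per message."""
    starts = [m.start() for m in ENVELOPE.finditer(mbx_bytes)]
    ends = starts[1:] + [len(mbx_bytes)]
    return [(n, s, mbx_bytes[s:e])
            for n, (s, e) in enumerate(zip(starts, ends), start=1)]


def describe(raw):
    """Pull the identifying headers out of one raw message."""
    _envelope, _, rest = raw.partition(b"\n")
    headers = BytesHeaderParser().parsebytes(rest)
    return {name: str(headers.get(name, ""))
            for name in ("Date", "From", "To", "Subject")}


def find_pattern(mbx_bytes, pattern):
    """Report every message whose stored bytes contain `pattern`.

    The match is on bytes as stored in the mailbox, so content that is
    stored encoded (for example base64) will not match a decoded string.
    """
    hits = []
    for number, start, raw in split_messages(mbx_bytes):
        pos = raw.find(pattern)
        if pos != -1:
            hits.append({"message": number, "offset": start + pos,
                         **describe(raw)})
    return hits


def export_messages(mbx_bytes, out_dir):
    """Write each message to its own file; return [(file_name, headers)].

    The source mailbox is only read, never modified.
    """
    out = Path(out_dir)
    out.mkdir(parents=True, exist_ok=True)
    index = []
    for number, _start, raw in split_messages(mbx_bytes):
        path = out / f"message_{number:05d}.eml"
        path.write_bytes(raw)
        index.append((path.name, describe(raw)))
    return index


# Constructed sample: stands in for text quoted in a scanner alert.
MARKER = b"CONSTRUCTED-MARKER-0001"

# Constructed three-message mailbox; the first body contains a line that
# starts with "From " but is not an envelope line.
SAMPLE_MBX = (
    b"From ???@??? Mon Mar 03 09:15:00 2003\r\n"
    b"Date: Mon, 3 Mar 2003 09:14:02 -0500\r\n"
    b"From: alice@example.com\r\n"
    b"To: me@example.com\r\n"
    b"Subject: Lunch on Friday\r\n"
    b"\r\n"
    b"From what I hear the new place is good.\r\n"
    b"\r\n"
    b"From ???@??? Tue Mar 04 18:40:11 2003\r\n"
    b"Date: Tue, 4 Mar 2003 18:39:50 -0500\r\n"
    b"From: bob@example.com\r\n"
    b"To: me@example.com\r\n"
    b"Subject: Holiday photos\r\n"
    b"\r\n"
    b"See the attached file. " + MARKER + b"\r\n"
    b"\r\n"
    b"From ???@??? Wed Mar 05 07:02:45 2003\r\n"
    b"Date: Wed, 5 Mar 2003 07:01:30 -0500\r\n"
    b"From: carol@example.com\r\n"
    b"To: me@example.com\r\n"
    b"Subject: Meeting notes\r\n"
    b"\r\n"
    b"Notes are below.\r\n"
)

if __name__ == "__main__":
    for hit in find_pattern(SAMPLE_MBX, MARKER):
        print("message %(message)d at byte %(offset)d: "
              "%(Date)s | %(From)s | %(Subject)s" % hit)
```

For a real mailbox, read it with `Path("name.mbx").read_bytes()` and pass the bytes to `find_pattern` or `export_messages`; work on a copy of the file while the mail program is closed.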

The next day I discovered how to turn off skins. Click the simple interface's upper left button, or right click the skin, to get the menu. Choose settings, then common. There's a check box that can be unchecked to disable skins. Close avast!. Start it again and there's a clear, functional, simple interface. Here's a reduced image of the simple user interface displayed when skins are disabled.


And here's a reduced image of the enhanced user interface that's available in the professional version.


I ran another scan of my fixed drives. This time I selected a sensitivity level of standard rather than thorough. The scan took 48 minutes and 11 seconds to scan 255,935 files and 12,990 folders. Zero infections were found. The standard scan did not find the viruses in the old mailbox text files I had restored from the virus chest.

I have temporarily used the Settings, Exclusions screen to exclude two old mail files from scanning. I'll discover the names of the other mail files I restored on my next thorough scan, then I can exclude those files too. Adding a file or path to the exclusions list does not prevent on-access scanning, so I'm still protected from the old viruses in the excluded files. There's a problem with the design of the exclusions screen. The display area for showing the list of exclusions is not wide enough to show the file names. The display is not resizable and there's no horizontal scroll bar. Items can be added or removed, but the file names can't be seen when the path is long.

[Update 5/21/08: I discovered where you can see the file names in your exclusion list when the path is too long for the exclusions list display. Exclusions are listed in the [Common] section of the avast4.ini file in the avast data folder.]

Virus Chest Keeps Copies of Restored Files
This isn't really a problem, but it is unexpected based on user experiences restoring files from the Windows recycle bin. Files can be removed from the virus chest manually.

[Update 5/21/08: I ran another thorough scan which did not find the old mail files I thought I had restored from the virus chest. I wanted to find them so I could add them to the list of files to exclude from scanning. Apparently I was wrong in thinking I had restored files that were automatically deleted from the virus chest. I have edited the above paragraph to remove the misinformation I had previously posted. To verify that restoring files does not remove them from the virus chest I performed tests using two EICAR test viruses, called EICAR.exe and EICAR.com. When I right clicked on one and selected scan, avast! alarmed and let me move the file to the virus chest. I double clicked on the other file to run it. Avast! alarmed and I moved that file to the virus chest too. I restored both files from the virus chest to their original locations. The virus chest retained copies of the restored files.

I was interested that I had no trouble saving, modifying, copying, or deleting the EICAR files. Investigation revealed why. I right clicked the tray icon and selected "On-Access Protection Control". The Standard Shield was set to Normal sensitivity, which scans executable files that are executed, but not when they are read, modified, or copied. The High setting is stricter, and has various options for further defining the scanner's behavior.]

Voice Alerts
There's a voice announcement every time avast! automatically updates itself that I find quite annoying. Here's how to stop that voice announcement. On the simple menu go to settings, then sounds, then settings. Scroll down the list of sounds until you come to the section called "avast! antivirus". Click on the sound called "Automatic VPS update" to highlight it. Click the arrow on the right edge of the "Name" field and select "None". Click "Yes". The sound list also contains two other avast! voice alerts you can change if you like -- one for when a virus is detected and one for when something suspicious is detected.

Simple Menu Loading Failures
Several times the avast! simple menu has failed to run when I've tried to start it using either the desktop icon or the right-click menu of the tray icon. It seems to work the first time I run it after a reboot, but sometimes subsequent attempts to run it fail, as if it doesn't shut down cleanly. After the avast! simple menu has failed to load I have to reboot before it will run again. The first time it failed I got this error, "The process cannot access the file because program cannot set property into main storage."

The most similar error I found in a FAQ on the avast! web site said, "Unknown error. Program cannot set property into main Storage." The solution began, "Solution described in this FAQ should not be used with the program version 4.7. This error message is displayed when your ODBC drivers are too old, or damaged, or if they aren't installed properly. avast! before version 4.7 uses these drivers by default." The FAQ goes on to describe two solutions -- update the ODBC drivers or use a text editor to change one line in the avast4.ini file from "Database=ODBC" to "Database=XML". I opened my avast4.ini file and found the line in question. It says, "Database=SQLT", so I didn't change it. Apparently version 4.8 uses SQLT instead of ODBC or XML. Other errors I've gotten when running the simple menu include: "avast! splash screen cannot load configuration" and "avast! simple user interface cannot load configuration".

This problem is intermittent and aggravating but something I can live with. The resident scanners for mail, scripts, file access, and Internet access load automatically. I only need the menu for infrequent activities like configuring features, running an on-demand system scan, or viewing the virus chest, logs, or reports. Files, folders, and entire disks can be scanned using the right-click menu in Windows Explorer. The enhanced menu offers task creation and task scheduling which further reduce the frequency at which a menu is needed.

I have an untested theory regarding the menu-loading problem. In the avast4.ini file I noticed a line that says, "ThreadTerminationTimeout=30000". It might be that the program does not shut down quickly and cleanly, thus hanging processes are terminated after a specified time period. It could be that attempting to run the program before all of its processes have timed out results in the menu-loading error. When I wait a few minutes between shutting down avast! and running it again I have not had the problem.

[Update 8/7/08: The avast! shutdown problem seems to be solved. I can now run avast! repeatedly in the same Windows session without problems. See details in the update at the end of this post.]

No Script Blocking in Firefox
The customization screen for script blocking has check boxes for three browsers: Internet Explorer, Netscape Navigator, and Mozilla. The browser I use most often is Mozilla. I also use Firefox and Internet Explorer. The avast! script scanner has a splash screen that appears when I start Mozilla or Internet Explorer, but not when I start Firefox. Script blocking is offered only in avast!'s professional version.

Mail Scanner Repeatedly Registers Itself to Run at Startup
I use a small free utility program called Startup Monitor that displays a pop-up window whenever a program tries to register itself to run at computer startup. I like to control which programs run at startup and Startup Monitor gives me that control. It probably pops up less than once a month. Startup Monitor lets me allow or deny a program's request to run at startup.

Avast!'s mail-scanning program is ashmaisv.exe. The first time that program tried to register itself to run at startup I gave my permission and the program was added to the computer's startup process. That should have been the end of it; however, the program keeps trying to set itself to run at startup. I have had avast! installed for less than two days and ashmaisv.exe has tried to add itself to the startup list at least nine times.

This startup-requesting behavior is the most bothersome problem I've found in avast! thus far. When a program tries to add itself to the startup process I want to pay attention, examine it, and make the right decision. I can't afford to let a trustworthy program desensitize me to the startup alerts by unnecessarily popping up several times a day. I need to find a solution to this problem. I may research it on the avast! site, ask a question in the forum, or write to technical support. I hope the program's behavior is due to an answer I gave to the email-configuration wizard. I checked a box saying I want avast! to scan the mail of any new mail account I set up. If I'm very lucky the fact that avast! must periodically check for new mail accounts is causing this repeated startup registration, and I can change a "1" to a "0" on some line in the avast4.ini file to make it stop. I know, that's wishful thinking.

[Update 5/20/08: This problem appears to be solved. It looks like the only change needed was to change one line in the MailScanner section of the avast4.ini file to say "AutoSetProtection=0". I think that stops ashMaiSv from repeatedly adding itself to startup, but it also means the mail in future mail accounts will not be scanned.

Details for technical folks: I described the problem in the avast! forum and asked if there was a setting I could change in the avast4.ini file to fix it. When I checked the forum a few hours later a member of the Alwil team had answered, saying the behavior I described was caused by the option to protect future accounts and that I could run the wizard again from the start menu and leave that option unchecked. Although I was delighted to get that information, I had hoped someone would tell me which line to change in the avast4.ini file, because running the wizard would likely break my email and POPFile setup again as it had the first time.

Since everything seemed to be working correctly, my plan was to run the wizard again with no intention of keeping its results, but rather to see what setting in avast4.ini it changed to prevent ashMaiSv from adding itself to startup.

I backed up eudora.ini, avast4.ini, and the entire avast data folder (in case the wizard changed multiple files). I booted the computer into safe mode so avast! would not be running. I ran avast!'s Mail Protection Wizard from the Windows Start menu. I left the option to protect future accounts unchecked. The wizard gave me several error messages naming each mail and news protocol, saying that my mail and news would not be protected. Here's one of the errors,

avast!: Mail Scanner Warning
avast! will not be able to protect incoming mail (POP3 protocol)
Error: 10047


I suspected the errors were due to the changes I had made in Eudora so that POPFile would work with avast!. I assumed the errors were wrong, although I planned to verify that mail was being scanned later.

I compared the before and after eudora.ini files, using ExamDiff. Eudora.ini had not been changed. I compared the avast! data folder from before and after running the wizard, using WMatch. Two files had changed -- 400.vps and avast4.ini. I tried to view the 400.vps file and discovered it's a binary file so my viewer didn't work. I opened the file using the hex editor HxD. The text in the first few lines indicates that 400.vps is a virus definition file, thus not relevant to my wizard run. Two lines were different in avast4.ini. The line "AutoSetProtection=1" was changed to "AutoSetProtection=0" and a new line was added related to the NNTP news protocol (which I don't use). I deleted the new avast4.ini and edited the previous avast4.ini, changing "AutoSetProtection=1" to "AutoSetProtection=0".

I rebooted and tested email scanning as follows. I right clicked the avast! tray icon and selected "On-Access Protection Control". I selected the provider "Internet Mail". I clicked the customize button. On the POP and SMTP tabs I checked "Insert note into clean message". Then I clicked OK twice. I opened Eudora and sent a test message to each of my mail accounts. I received the messages and checked to make sure they each had avast!'s notes at the bottom, both the note saying the message being sent was clean and the note saying the received message was clean. Each mail had the proper notes verifying that avast! had scanned both outgoing and incoming mails. Finally, I went back to On-Access Protection Control and unchecked the boxes for adding the notes.]
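The before/after comparison described in this update (back up the data folder, run the wizard, see which files and which settings changed) can be scripted. The Python sketch below is an added example, not code from the original post or from Alwil: it hashes both folder copies to list added, removed and changed files, then reports key-level differences for any changed .ini file. The sample folders are constructed; `AutoSetProtection` in the `MailScanner` section comes from the post, while `PlaceholderNntpSetting` is a made-up stand-in for the NNTP line the post does not name.

```python
"""Audit what a configuration wizard changed in a program's data folder.

Added example: compares a 'before' backup with the 'after' state.
"""
import hashlib
import tempfile
from pathlib import Path


def file_hashes(root):
    """Map each file's relative path to the SHA-256 of its contents."""
    root = Path(root)
    return {p.relative_to(root).as_posix():
            hashlib.sha256(p.read_bytes()).hexdigest()
            for p in root.rglob("*") if p.is_file()}


def compare_trees(before_dir, after_dir):
    """List files added, removed, or changed between two folder copies."""
    before, after = file_hashes(before_dir), file_hashes(after_dir)
    common = before.keys() & after.keys()
    return {
        "added": sorted(after.keys() - before.keys()),
        "removed": sorted(before.keys() - after.keys()),
        "changed": sorted(k for k in common if before[k] != after[k]),
    }


def parse_ini(text):
    """Tolerant INI reader: {(section, key): [values]}.

    Keeps repeated keys and ignores lines it cannot interpret, so an
    unusual line in a vendor file does not abort the comparison.
    """
    settings, section = {}, ""
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in ";#":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip()
        elif "=" in line:
            key, _, value = line.partition("=")
            settings.setdefault((section, key.strip()), []).append(value.strip())
    return settings


def diff_ini(before_text, after_text):
    """Return (section, key, before_values, after_values) per difference.

    A value of None means the key was absent on that side.
    """
    before, after = parse_ini(before_text), parse_ini(after_text)
    return [(s, k, before.get((s, k)), after.get((s, k)))
            for (s, k) in sorted(before.keys() | after.keys())
            if before.get((s, k)) != after.get((s, k))]


def audit(before_dir, after_dir):
    """Tree comparison plus key-level detail for every changed .ini file."""
    report = compare_trees(before_dir, after_dir)
    report["ini_changes"] = {}
    for name in report["changed"]:
        if name.lower().endswith(".ini"):
            old = (Path(before_dir) / name).read_text(encoding="latin-1")
            new = (Path(after_dir) / name).read_text(encoding="latin-1")
            report["ini_changes"][name] = diff_ini(old, new)
    return report


def build_sample(root):
    """Create constructed before/after folders mirroring the post's case."""
    before, after = Path(root) / "before", Path(root) / "after"
    for folder in (before, after):
        folder.mkdir(parents=True)
    (before / "avast4.ini").write_text("[MailScanner]\nAutoSetProtection=1\n")
    # PlaceholderNntpSetting is hypothetical; the post does not give the
    # name of the NNTP line the wizard added.
    (after / "avast4.ini").write_text(
        "[MailScanner]\nAutoSetProtection=0\nPlaceholderNntpSetting=1\n")
    (before / "400.vps").write_bytes(b"\x00constructed definitions v1")
    (after / "400.vps").write_bytes(b"\x00constructed definitions v2")
    (before / "unchanged.dat").write_bytes(b"same")
    (after / "unchanged.dat").write_bytes(b"same")
    return before, after


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        result = audit(*build_sample(tmp))
        print("changed files:", result["changed"])
        for name, changes in result["ini_changes"].items():
            for section, key, old, new in changes:
                print(f"{name} [{section}] {key}: {old} -> {new}")
```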

The fact that I describe problems in this post does not mean I dislike avast! antivirus. Every antivirus program has problems. I had problems when I used McAfee, Norton, BitDefender, and AVG. Problems are a certainty. The question is whether the problems outweigh the usefulness of the program. So far the avast! problems I've noticed are irritations rather than reasons for me to reject the product. Avast antivirus may be the best antivirus program that still works with Windows 98.

I'm fairly happy with avast! antivirus professional after using it for two days. I think it's protecting my computer with minimal impact on the system. If I find more problems worth mentioning, or solutions to problems I have described, I will update this post. If anyone knows how I can isolate which mails in my Eudora mbx files contain "Win32:Beagle-gen@mail" or "VBS:Kak-A [Wrm]" please let me know in a comment. Thanks.

[Update August 7, 2008: I have used avast! antivirus for almost three months. I bought the professional version in July before my trial period expired. I had hoped I would see how avast! handles a virus in an incoming email before I bought it, but I never received a virus by email. My fear is that avast! may demand that the entire in-box file be moved, deleted, or repaired, rather than simply handling the email containing the virus. I still don't know what will happen if I receive a batch of emails and one email contains a virus.

One aggravation with avast! is that about once a day my computer becomes unresponsive while avast! updates itself in the background. The mouse stops working and keystrokes no longer appear. At first I thought the computer was frozen and would have to be rebooted. Now I know to wait. After several seconds avast!'s blue notification slides up on the lower right, telling me the virus database has been updated.

A few days ago I discovered I could no longer run avast! manually. When I double-clicked the icon the splash screen would appear, the memory scan would not start, and I would get the error message: "The process cannot access the file because Program cannot set property into main Storage". Rebooting did not solve the problem. I reloaded my C: drive from a backup created a week earlier, but avast! gave the same error. I sought help on the avast! forum. The recommendation I got was to uninstall avast!, download the newest version, and reinstall it. By using a task manager I was able to make the avast! splash screen terminate. After the splash screen disappeared, a partially-functioning simple user interface came up. The settings menu appeared to work. I turned off the optional memory scan on startup. After that avast! would run without crashing on startup. There still seemed to be problems though, so I decided to uninstall it and install the latest version from scratch. I suspect the program update named Jul2008 had not worked properly and was the cause of my problems.

I uninstalled avast! using both Add/Remove Programs in Control Panel and the avast! uninstall utility. I then downloaded and installed the newest version. As I was testing the program I noticed the avast! icon in the tray had a red crossbar on it. The on-access protection was disabled. I could not enable the on-access protection, through the icon's menu or through the simple user interface's settings menu. Rebooting did not solve the problem.

I started over. I uninstalled avast! again and installed the newest version. This time everything seemed to work perfectly. The on-access scanning works. The email scanning works (with no changes on my part). Avast! runs on demand and shuts down cleanly. I no longer have the problem of only being able to run avast! once per Windows session. It looks like either Alwil fixed the shutdown problem or my initial avast! installation was flawed. Either way it seems to work fine now.]

Jon Maloney

---------

My software info:
Windows 98 SE (build 4.10.2222)
POPFile v0.22.2
Eudora 4.3.2
Mozilla 1.7.12
Firefox 2.0.0.14
Internet Explorer 6.0.2800.1106
Startup Monitor

18 Comments:

Anonymous ANTIVIRUS SUPPORT said...

I was also facing the same problems, and I think everybody is facing the same problems, but you presented all the problems in a very unique manner.

May 21, 2008 at 7:21 AM  
Blogger sus said...

Thank you for a thorough and helpful review. One thing I would ask: Can one easily set up avast to start it rather than on startup? Your response would be very appreciated.

August 11, 2008 at 3:14 AM  
Blogger sus said...

Sorry for typo. I meant to ask how to start avast manually, rather than automatically at startup.

August 11, 2008 at 3:16 AM  
Blogger Jon Maloney said...

Hi Sus,

There are several ways to run avast! manually. Avast! is listed as a program in the Windows start menu accessed by clicking Start on the lower left and selecting Programs. During installation an avast! icon is added to the desktop. And avast! is added to the Windows Explorer right-click menu. You can manually use avast! in Explorer by right clicking a disk, folder, or file and selecting Scan from the pop-up menu.

Avast!'s resident protection that loads on start-up is more important than avast!'s ability to scan manually. The resident protection scans programs before they are allowed to run, incoming and outgoing emails, Internet pages, and the professional version also checks scripts before they run. If you didn't want any of the resident protections, which would make sense if you have another antivirus product running, you could do the custom installation and uncheck each of the resident protection modules. If you had done a regular installation so that the resident scanners are already installed, you can turn them off a couple of ways. You can right click the avast! icon in the tray at the lower right, and select "Stop On-access protection". Or you can run avast! manually, select the Settings menu, choose "Resident protection...", move the slider to "Disabled", and click OK.

August 11, 2008 at 8:01 AM  
Blogger Toad Hall said...

I switched from AVG when I upgraded to Windows XP. I switched to Avira Antivir. I get a thorough scan of 255,000 files in about an hour. Avira stays resident. I also use SuperAntispyware for my anti-malware program. I tried avast and found it slow and too much work. I can play cards and do just about anything while Avira is running. With Avast I had the same issues you had with stopping and making the computer crawl. I have an Ubuntu Linux PC on my workbench and I worked on it while Avast ran.

Good reading. Thanks.

February 25, 2009 at 3:09 PM  
Blogger Jon Maloney said...

Thanks for your comments, Toad. I'm running Avast! Professional on a Windows 98 machine and Avira Antivir on a Windows XP machine. One deficiency that's widespread among antivirus products is their inability (or unwillingness) to tell you anything useful about something bad found in a mail folder. My Eudora mail files are large text files. Whenever Avast! or Avira finds a bad mail they let me know that something was found, but not in any way that helps. If a folder has a thousand emails in it, it's not helpful to say a virus was found in the folder without giving you some way to identify the email. You're not going to delete all thousand mails. And you're not going to move all thousand mails to a quarantine area. They need to provide some information so that the mail can be found -- a date and time, a virus signature string that was found so you can do your own search, or some surrounding text so you can find the mail. It's absolutely useless to say a virus was found with no further info. The only antivirus program I've used that provided additional info was BitDefender. It gave sample text from near the virus so I could find the mail myself.

February 25, 2009 at 3:27 PM  
Anonymous Geoff said...

Jon, absolutely agree with your February 2009 comment about large mail files. Having just tried Avast for the first time, and also got the warning that a VBS:Kak worm had been found in exactly such a file (incidentally dated yesterday, the same day as installing Avast), I am particularly interested in your experiences. However I am not sure from what you originally wrote to what extent you "believe" the worm warning, have acted on it, or suffered from it over the last year? In theory I understand that such a worm can be a real pest - but as other virus checkers have as yet failed to identify it, any chance this might be a glitch with the Avast product? Thanks anyway for your detailed postings.

April 11, 2009 at 5:32 AM  
Blogger Jon Maloney said...

Hi Geoff,

Thanks for commenting. I have never been infected by malware in an old mail file. As I explained in my long post above, I added the old mail files that contain bad stuff to Avast!'s excluded files list so that those files would no longer be scanned during a manual thorough system scan. I also almost never run a thorough scan. The standard scan doesn't check my mail files. This approach has worked fine for me. The old mail files I added to the exclusion list can't get any new malware because I don't store anything in an old mail file. For example, I will never store a new mail in a file of 2007 mails from friends.

I have little risk in leaving malware in my old mail files, because to be infected I would have to open the specific mail and then click the malware's link to activate the malware. As soon as I clicked the malware's link, Avast!'s on-access scanner would block the action and set off a siren. New malware entering my system in emails should be caught by the email scanner. (I have Eudora set not to execute code in emails. In other mail programs malware might be run simply by opening a mail. However, even if your mail program tries to run malware upon opening a mail, Avast!'s on-access scanner should block the execution and set off an alarm.)

Occasionally a new virus definition file will include a definition that matches an old file. In that case you can get an alert on an old file that passed previous scans.

The file you said Avast! found on your system is "VBS:Kak worm". The "VBS" at the front means the file is a Visual Basic Script file.

April 11, 2009 at 9:55 AM  
Anonymous Geoff said...

Hi Jon, thanks for such a swift reply. In fact I should correct one thing I wrote: on checking again with a fresh installation of Avast, the VPS version has a March date (i.e. not yesterday) so it seems clear that this worm is sitting in one of the several thousand old emails in that file (unlike you I am not set up to archive past years). But having just searched everywhere for kak files (apparently this worm installs at least two in order to work) and not finding anything, it seems that the worm is dormant, at least until (if ever) I open the particular old email. And then Avast and your comments will kick in. So the analogy would seem to be "learning to live with the virus". Many thanks Geoff

April 11, 2009 at 12:57 PM  
Blogger Jon Maloney said...

Geoff,

As I'm pretty sure you realize, having a malware file -- trojan, virus, worm, adware, spyware -- on your hard disk is not the same as being infected. To be infected the file must be executed. If an antivirus program alerts you to a file during a scan, then the antivirus program's on-access protection should also recognize the file and stop its execution if you try to run the file. For that reason I don't consider old, bad files dangerous. Just be certain that whenever you open old emails your on-access antivirus protection is active.

Jon

April 11, 2009 at 2:10 PM  
Anonymous Anonymous said...

Thanks for the great info on Avast. I've installed it on numerous computers before, both it and AntiVir. Think I'm gonna stick with AntiVir. Are there any mail programs that don't store all emails in giant files like Eudora, OE, Outlook, Thunderbird? I know most backup software for servers backs up entire email boxes, but some applications will allow restores of specific emails within those boxes instead of the entire mail box. Or even better, are there other antivirus applications that do what you would like? Scan through an entire email box and show the user the exact email that is infected, give options to just delete or repair it, and not the entire mailbox/mail store?

August 27, 2009 at 10:35 AM  
Blogger Jon Maloney said...

I don't know the answers to your questions of what email programs store mail differently, or what antivirus programs allow handling individual emails.

For a couple of years I used BitDefender. BitDefender didn't handle individual Eudora emails, but it did show a bit of text from the mail containing what triggered the alert. I was able to open the mail file containing that email in a text editor, search for and find the text string, and browse up in the mail file until I found that email's identifying info (date, from, to). Then I opened that mail folder in Eudora, found the bad mail, and deleted it normally from within the mail program. The process wasn't efficient, but at least BitDefender provided enough information to make deleting the specific email possible. I reviewed BitDefender in 2006: BitDefender Antivirus: Review of Problems

I've used F-Secure, McAfee, Norton, BitDefender, Avast!, and Avira Antivir (which I use now). Around 2001 I loved Norton, but Norton products have gotten progressively worse for years, so I doubt if I'll give Symantec any more chances.

Thanks for your comment.

August 27, 2009 at 12:59 PM  
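The manual search described in the comment above (find the flagged text in the mail file, then browse up to that email's date, from and to lines) can be scripted. This is an added example, not part of the original comments; it assumes an mbox-style store in which every message starts with a line beginning "From " (as Eudora and Thunderbird write), and the sample store and marker strings are constructed.

```python
import re
from email.parser import BytesHeaderParser

# A message separator is a line starting "From " whose next line looks like
# a header ("Name:"). The lookahead keeps body lines that merely begin with
# "From " from being mistaken for the start of a new message.
SEPARATOR = re.compile(rb"^From [^\n]*\n(?=[!-9;-~]+:)", re.MULTILINE)

def locate_messages(store: bytes, marker: bytes):
    """Return identifying headers for each message containing `marker`."""
    seps = list(SEPARATOR.finditer(store))
    hits = []
    for i, sep in enumerate(seps):
        end = seps[i + 1].start() if i + 1 < len(seps) else len(store)
        message = store[sep.end():end]        # headers + body, no separator
        pos = message.find(marker)
        if pos < 0:
            continue
        hdr = BytesHeaderParser().parsebytes(message)  # parses headers only
        hits.append({
            "index": i + 1,                   # 1-based position in the store
            "offset": sep.end() + pos,        # byte offset of the marker
            "date": hdr.get("Date"),
            "from": hdr.get("From"),
            "to": hdr.get("To"),
            "subject": hdr.get("Subject"),
        })
    return hits

# Constructed sample store: three messages, CRLF line endings.
SAMPLE = (
    b"From ???@??? Mon Jan 08 10:00:00 2007\r\n"
    b"Date: Mon, 8 Jan 2007 10:00:00 +0000\r\n"
    b"From: alice@example.com\r\nTo: me@example.com\r\n"
    b"Subject: lunch\r\n\r\nSee you at noon.\r\n"
    b"From ???@??? Tue Jan 09 11:30:00 2007\r\n"
    b"Date: Tue, 9 Jan 2007 11:30:00 +0000\r\n"
    b"From: bob@example.com\r\nTo: me@example.com\r\n"
    b"Subject: holiday photos\r\n\r\nEXAMPLE-SCANNER-SNIPPET\r\n"
    b"From ???@??? Wed Jan 10 09:15:00 2007\r\n"
    b"Date: Wed, 10 Jan 2007 09:15:00 +0000\r\n"
    b"From: carol@example.com\r\nTo: me@example.com\r\n"
    b"Subject: re: files\r\n\r\n"
    b"From what I recall the files were fine,\r\nsee you soon.\r\n"
)

if __name__ == "__main__":
    for hit in locate_messages(SAMPLE, b"EXAMPLE-SCANNER-SNIPPET"):
        print(hit)
```

With the date, sender and subject in hand, the message can be found and deleted from within the mail program, leaving the rest of the store untouched.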
Anonymous Anonymous said...

Thanks for this incredibly detailed post.

I found it after I did the same thing you did and had the same problem. I have loads of mail going back 11 years in Thunderbird; everything from before 2005 was imported from Netscape Messenger, and a little bit from 1999-2000 was from Outbreak Express.

I uninstalled the now-unsupported AVG Free, and installed Avast! 4.9 free.

I ran a "thorough" scan and it found one instance each of VBS:Kak-A and VBS:Kak-A1, each in HUGE mail files containing mail over five years old.

I don't know if this is for real, but if so, it was missed inbound by a fully updated Norton and failed to be detected in 5,000 scans by Norton (old 1999 version), Norton 2005, and AVG, all of which were fully updated. That doesn't sound right, but, oh well.

Anyhow, how can we find which messages have the worm?!?!?!

Can we open the files in a text editor, then look for certain attributes that would indicate a Java or VBS thing?

Thanks.

April 21, 2010 at 10:33 AM  
Anonymous Anonymous said...

I failed to mention that this is Win 98SE with the highest versions of Thunderbird and Firefox. This OS is why I had to get off AVG Free, which was great while it lasted. No, I don't understand why virus definitions can't be updated into an old program running on 98.

April 21, 2010 at 10:35 AM  
Blogger Jon Maloney said...

Thanks for your comments, Anonymous. I don't know of any way to find which specific emails in a large email file contain malware. Given the choice between deleting (or quarantining) a large email store and leaving the malware in the old email, I'll leave the malware in the old email every time.

Having viruses, worms, trojans, etc in old emails on your hard disk is not the same as being infected. In order for them to infect you, you would have to run the malware code that's in the email, either by clicking on the malware link or possibly by opening the email (if your email program automatically runs embedded code when opening an email).

If you keep your antivirus program's resident scanner running, it should detect and block the malware if the malware ever tries to run.

April 21, 2010 at 1:04 PM  
Anonymous Anonymous said...

I googled my problem and it sent me here.
I have a registered paid version of Avast 4.8 professional which expires in 6 years!! but just recently, I keep getting a periodic splash pop up which sez my copy of a 'trial version' will soon expire - WHAT!! my copy is a legal hard cash paid for edition so why is this splash screen popping up. Scan of PC shows clean [Avast and Malwarebytes which I also paid for ]. I re-registered my Avast and it sez 'OK' all is well but 3 days later this insidious pop up still persists but only once a day. Any help would be welcome

November 21, 2010 at 7:24 PM  
Blogger Jon Maloney said...

If you're a paid registered user of Avast Pro then you need to contact Avast support with your problem: http://support.avast.com/. They can verify your paid status and tell you how to fix the problem. Good luck!

Jon

November 21, 2010 at 8:15 PM  
Anonymous Anonymous said...

Like other areas of life, the internet has angels out there, who do more good than dozens and dozens of paid "pros" combined.

Ashraf (dottech.org) is one.

Jon Maloney is clearly another. The time, effort, and care you have invested is nothing less than magnificent.

Personally, I thank you, and wish you a multi-million-dollar 2011

December 27, 2010 at 3:27 PM  
