Search Support

Avoid support scams. We will never ask you to call or text a phone number or share personal information. Please report suspicious activity using the “Report Abuse” option.

Learn More

AntiVirus complained about attachment of unread message

  • 1 reply
  • 1 has this problem
  • 9 views
  • Last reply by Matt

more options

I'm trying to understand why Symantec Endpoint Protection ("SEP") 12.1 (Macintosh) on OSX 10.10.5 warned about an attachment when that attachment should never have been downloaded by ThunderBird 38.5.0 ("TB").

I use IMAP for reading mail (no synching, so I presumed message content wasn't downloaded unless I read the message). In TB, I selected a folder that has all my suspect SPAM from yesterday. TB would have interpreted all the messages as new. I have my TB main window set so it doesn't open the selected message (no message viewer portion, just index) unless I intentionally view the message. I selected a particular message (#11 in that folder) and opened it. Immediately after I opened the message, SEP popped up an alert indicating it couldn't fix a particular problem.

I initially thought the alarm must have been triggered by the message I viewed, but that wasn't the case. In my SEP alerts log, I found that the alarm specified a file name that was being used across the Internet for malware yesterday. That file name is the name of an attachment in message #6 of that folder. The alert seemed to indicate this file was in a cache.

I don't suspect that SEP has direct access to my authenticated IMAP connection to my mail server. I believe it had to trigger because of something that TB did. How did SEP get even the name of that file? Did TB download that (not inline) attachment for some reason even though I hadn't viewed its associated message?

When I selected the folder, I understand that TB definitely would get the header info of the messages in the folder for the index window (IMAP FETCH ALL or FAST). But I didn't think it would download the body or the attachments until I view the message. That's a lot of data to transit the network and store on my laptop that I often don't want. If it is true that TB is downloading unseen attachments, it also means that malware may be put onto my computer by TB when I am completely unaware of it. (For those that view their messages sorted by date, the malware-bearing attachment could be in a message with an old date. If you keep at least some older messages around, you may never notice the problematic message.)

(Out of scope here: I presume SEP is being told by the OS that there is a new file once TB downloads the attachment. That's when TB saw it and complained.)

Can someone explain what TB does with regard to attachments of unread messages? Or do I have to dig up how to do IMAP logging to see for myself? If it is the case that the default is to pre-download attachments and bodies, is there an option to disable this? (I didn't see anything relevant at https://support.mozilla.org/en-US/kb/configuration-options-attachments )

If it matters, the mail server is running UW-IMAP. (RIP, MRC)

I'm trying to understand why Symantec Endpoint Protection ("SEP") 12.1 (Macintosh) on OSX 10.10.5 warned about an attachment when that attachment should never have been downloaded by ThunderBird 38.5.0 ("TB"). I use IMAP for reading mail (no synching, so I presumed message content wasn't downloaded unless I read the message). In TB, I selected a folder that has all my suspect SPAM from yesterday. TB would have interpreted all the messages as new. I have my TB main window set so it doesn't open the selected message (no message viewer portion, just index) unless I intentionally view the message. I selected a particular message (#11 in that folder) and opened it. Immediately after I opened the message, SEP popped up an alert indicating it couldn't fix a particular problem. I initially thought the alarm must have been triggered by the message I viewed, but that wasn't the case. In my SEP alerts log, I found that the alarm specified a file name that was being used across the Internet for malware yesterday. That file name is the name of an attachment in message #6 of that folder. The alert seemed to indicate this file was in a cache. I don't suspect that SEP has direct access to my authenticated IMAP connection to my mail server. I believe it had to trigger because of something that TB did. How did SEP get even the name of that file? Did TB download that (not inline) attachment for some reason even though I hadn't viewed its associated message? When I selected the folder, I understand that TB definitely would get the header info of the messages in the folder for the index window (IMAP FETCH ALL or FAST). But I didn't think it would download the body or the attachments until I view the message. That's a lot of data to transit the network and store on my laptop that I often don't want. If it is true that TB is downloading unseen attachments, it also means that malware may be put onto my computer by TB when I am completely unaware of it. (For those that view their messages sorted by date, the malware-bearing attachment could be in a message with an old date. If you keep at least some older messages around, you may never notice the problematic message.) (Out of scope here: I presume SEP is being told by the OS that there is a new file once TB downloads the attachment. That's when TB saw it and complained.) Can someone explain what TB does with regard to attachments of unread messages? Or do I have to dig up how to do IMAP logging to see for myself? If it is the case that the default is to pre-download attachments and bodies, is there an option to disable this? (I didn't see anything relevant at https://support.mozilla.org/en-US/kb/configuration-options-attachments ) If it matters, the mail server is running UW-IMAP. (RIP, MRC)

All Replies (1)

more options

My view is your have the horse by the tail... it is time to let go.

Mail is a text stream, mime encoded. so even if Thunderbird downloaded the mail there is basically Zero risk from a mime encoded attachment.

I suggest you download a mail with an attachment, save it as an eml file and open that in a text editor. See the attachment file. Nope! that is because there is no file. That will be decoded and placed in the file system when and if you chose to open the file or save it.

Does the anti virus product know how to decode the MIME attachment, build a file out of it and scan it. Apparently so. So if your computer has a copy of the attachment file, it is because you anti virus mage it, just so it could scan it.

While I am not sure what predictive downloading occurs in the IMAP cache, I would assume the current open message and a couple more so clicking next unread message does not involve a download wait.

Do norton products scan IMAP accounts. No they do not. Do Norton products scan SSL/TLS/STARTTLS connected POP3 accounts. No they do not. Does norton products scan SSL/TLS/STARTTLS connected SMTP accounts. No they do not.

SO as an email scanner it is rubbish really as it only works with non encrypted connections to pop3 and SMTP mail servers. a very very small percentage these days, and certainly none of the big free providers or most hosting companies or large ISPs.

See Norton support