antivirus software not deleting messages
hey, i am working with both thunderbird 68.4.2 and outlook. on both i have the kaspersky ksos installed. both are configured to allow the antivirus to scan the incoming emails and traffic. on the outlook side of things the antivirus scans through the email and warns me if it was anything attached and attempts to delete it.on the thunderbird side of things i dont get any warnings at all and the pop3 downloads continues as normal. after a while, i get notified that in c:\users\user\appdata\roaming\thunderbird etc..... there is a trojan X. points to inbox and inbox.msf.... option a) i press delete as it should have access to the database but nothings happens. the mail or attachment is still there. option b) i go in, in some kind of safe mode, and i delete the file which afterwards tottally destroys the index and messages although there, they disappear from the inbox list...
suggestions?
All Replies (3)
When you download emails they are stored in mbox text files. Each email is written to that file one after the other in the order downloaded, so oldest will be at the top.
re: points to inbox and inbox.msf
'inbox' (no extension) is an mbox text file that contains all emails you see in the 'Inbox' folder. 'inbox.msf' is just an indexing file used by Thunderbird to locate and display the emails located inthe 'inbox' mbox file. 'inbox.msf' file does not contain emails.
If you delete the 'inbox' (no extension) file then you are deleting all emails that are currently in the Inbox.
Deleting the 'inbox.msf' file is not a problem as it would be rebuilt on restarting Thunderbird and show everything that is in the 'inbox' mbox file.
Anti-Virus products are not very savvy when it comes to understanding that one mbox file can contain a lot of emails. It only knows that somewhere in that text file something is not right. AV products are well known for deleting emails because the user allows it to occur. Perhaps the user does not fully understand what they are permitting.
I would advise: If you allow any Anti-Virus to scan any Thunderbird file or folder, you should make sure the 'Anti-Virus' product is 'not allowed to fix' the issue; AV should just inform you of the problem and where the problem resides.
What do you do when the AV says you have a problem with eg: Inbox (no extension) mbox file?
- Create a folder on desktop and call it eg: 'TB AV check'
In Thunderbird
- Select 'Inbox' to see list of emails.
- Select first email to highlight.
- Use keys: 'Ctrl' + 'A' to highlight all emails.
- Right click on highlighted emails to see drop down menu
- Click on 'Save as'
- Locate and select the 'TB AV check' folder
- click on 'Select Folder' button
All emails will be saved as individual files with a .eml extension in the 'TB AV check' folder.
- Run a scan on 'TB AV check' folder.
This time because each email is a separate file, the AV will locate the specific email that is the problem.
Note the title of that file as it will be the 'Subject' of the bad email.
In Thunderbird
- Locate that email in the Inbox and delete it.
- Empty the 'Trash'
- Right click on 'Inbox' and select 'Compact' to fully remove all traces of deleted emails.
The index.msf file should get rebuilt automatically.
- Now allow AV to delete that bad email in the 'TB AV check' folder.
- Then you can delete all the other emails in the 'TB AV check' folder and then empty the computer 'Recycle Bin'.
This process will ensure you fully remove the bad email.
Ti ṣàtúnṣe
so basically "unzip" lets say the file to separate emails... lets hope it works because when ever i do the compacting, i always loose something... usually if i have 100 mails in inbox, afterwards i can only see 60 of them... and most of the time the search fails afterwards. meaning i search and find the mail, but when i click on it, it goes blank....
other scenario is that search "stops" at a random date. say that i want to see the mails sent to me by you. i will get either the most recent ones up
to 2 months old or the very first ones say, the ones in 2017....
almost never a complete list...
i have uploaded 2 pics... first is the kaspersky settings, which state that it will scan my emails both in and out with max settings, and IS ALLOWED to scan all ports for pop3, smtp, imap etc etc. second pic is tb setting which allows kaspersky i think to perform scans and quarantine emails. sadly, although expecting, never to download such emails and instantly delete them, this never happens...
PS. just realized that i will unpack about 25000 emails to find only 10 or 12.. (business mail) :-|
re :when ever i do the compacting, i always loose something.
Normally: When you delete an email, it gets 'marked as deleted' and hidden. But in reality it is still in the Inbox, this means it i easy to undelete a message.
When you compact a folder, a copy of the file is made and the 'marked as deleted' emails are removed and the file is rewritten. It's a bit like having one document where each paragraph is an email, so all the marked to be removed paragraphs are edited out and you end up with a cleaner, smaller document.
However, if the file is corrupted, it may be difficult to determine the markers and additional mail could get lost. Corrupted files can occur if: eg: AV products have attempted to fix the file or if compacting is not done on a regular basis. Corrupted files can also display emails that have already been deleted, so when they are removed it looks like you lost emails when they were in reality supposed to be gone already.
re :and most of the time the search fails afterwards. meaning i search and find the mail, but when i click on it, it goes blank....
This means something was removing emails and only the header in an index file exists. The email itself no longer exists. AV products do not usually do anything with index files as they do not contain emails. It does make you wonder if the AV really is removing some emails, but the info gets put into an index, so it looks like you have emails when you do not, hence why compacting appears to remove more emails than you think or why clicking on a search result is not able to display the email body. When an email is deleted the index gets updated, when compacting occurs the index file gets updated, but if an AV product messes with the mbox file, the index is not updated and so thinks it might exist. The other reason is the global database is out of date and still holds references to emails that are deleted. You can rebuild the global index so it is up to date: