Avast 8.x "Mail Shield Security Exclusion" problem

Using a 3-year license for up to 100 managed Avast! Business Pro
clients on my network. Management is via SOA web console.

I started with Avast! Business Pro 7.x last April.

Beginning around July 1, this year, the Avast! server began pushing
version 8.x client program updates.

Workstations are running Windows XP Pro or Windows 7 Ultimate.

Various mail clients are used, including Eudora 5.x, 6.x, and 7.x;
Outlook Express 6 (XP only), and Thunderbird 2.x.

Email clients are connecting to three different POP/SMTP server sets:
Two of these are on the internet; one is on my LAN.

These servers DO NOT ACCEPT SSL connections. The email clients are NOT
CONFIGURED to use SSL.

Most, but not all, users are running as restricted domain users with
no rights to administer the machine or install software.

Randomly beginning July 1, users on my network are getting Avast!
"Mail Shield Security Exclusion" windows on attempts to connect to
any/all of these POP or SMTP servers. These windows provide options to
save a "permanent exclusion" for these servers. However, using that
option does not reliably save anything.

After attempting such a save, these windows will pop up again on the
same mail client accessing the same server on a random basis, anywhere
from on the very next server access to 24 hours later after a reboot.

In at least one case (Thunderbird 2.x on Windows 7 Ultimate), the
Avast! Mail Shield actually caused a C5 Windows crash while attempting
to access POP servers, and BEFORE it displayed any "Security
Exclusion" windows.

Is anybody seeing this, or anything like this?

Is there a reason why Avast! would need to care about "security
certificates" on a mail server when not using an SSL connection? Why
doesn't Avast! just scan the incoming messages for viruses, period?
Why should it involve itself with the configuration of a mail server
at all?

Thanks for any help.

Ken Dibble
www.stic-cil.org


Re: Avast 8.x "Mail Shield Security Exclusion" problem



Sounds to me like a corporate issue.

You need to enforce only your email server and block the others, use just  
one email client, make all users LUA and all computers and users Domain  
Participants.


--  
Dave
Multi-AV Scanning Tool - http://multi-av.thespykiller.co.uk
http://www.pctipp.ch/downloads/dl/35905.asp


Re: Avast 8.x "Mail Shield Security Exclusion" problem

On Wed, 10 Jul 2013 16:52:49 -0400, "David H. Lipman"


Thank you.

However:

1. The users are not randomly choosing email servers to connect to.
They don't know how to do that. The servers are:

A. An internet-based email server hosted by a company whom we pay for
the purpose.

B. An internal email server hosted on my LAN.

C. A Time-Warner cable email server.

They are all quite legitimate. The server certificates are still
date-current.

2. That doesn't answer the question, what difference does it make to
an email anti-virus scanner what the credentials of the email server
are? All the anti-virus software needs to do is scan the incoming
messages for malware. They could come from Pluto for all Avast! needs
to know, or care, about it.

Ken Dibble
www.stic-cil.org


Avast 8.x "Mail Shield Security Exclusion" problem

+ User FidoNet address: 1:3634/12.71
On Wed, 10 Jul 2013, Ken Dibble wrote to All:

 KD> 2. That doesn't answer the question, what difference does it make
 KD> to an email anti-virus scanner what the credentials of the email
 KD> server are? All the anti-virus software needs to do is scan the
 KD> incoming messages for malware. They could come from Pluto for all
 KD> Avast! needs to know, or care, about it.

you cannot set up a MitM to be able to scan emails that are traveling in secure
encrypted sessions without having a certificate for both sides... if there is
no MitM, there can be no scanning of emails in those encrypted tunnels...

granted, maybe your setup doesn't use secure encrypted channels to connect to
the email servers your users are using... i have seen the same on the networks
i manage and there is no problem that i can discern...

i dunno if this helps you any, though...

)\/(ark
+++++++++++++++++++++++++++++++++++++++++++++++++++++++
+ The FidoNet News Gate (Huntsville, AL - USA)        +
+ The views of this user are strictly his or her own. +
+ All data is scanned for malware by Avast! Antivirus +
+++++++++++++++++++++++++++++++++++++++++++++++++++++++

Re: Avast 8.x "Mail Shield Security Exclusion" problem


Also, the domain is a Windows NT-style domain hosted by a Linux server
(ClearOS). I don't know what "Domain Participant" means, but my only
options for users on this domain are "User", "Power User" and
"Administrator". Most, but not all, of the users experiencing this
problem are just "users".

Ken Dibble
www.stic-cil.org


Avast 8.x "Mail Shield Security Exclusion" problem

+ User FidoNet address: 1:3634/12.71
On Mon, 15 Jul 2013, Ken Dibble wrote to All:

 KD> Well, as far as I can tell, Avast! doesn't use a proxy server. We
 KD> used to use Trend Micro; that used a proxy server and each email
 KD> client had to be manually configured to point to it. That is not
 KD> required for Avast! Maybe it's got some way of automatically
 KD> triggering a proxy server just by listening to the various standard
 KD> email ports though.  

not in the traditional sense but AVAST! and others that inject themselves
directly into the stream for monitoring and filtering are performing proxy
tasks in a general sense of the term...

for example, on some older machines where AVAST cannot automatically inject
itself into the port 80 traffic, i have to manually configure for proxy use on
port 12080 which is where AVAST silently redirects port 80 traffic...

basically this "injecting itself into the stream" is known as transparent
proxying... it does the same for most all other popular protocols, as well...
on those machines where i have to manually configure web to use 12080, i also
have to configure pop3 to use 12110 and smtp to use 12025 if i want those
streams monitored...

on newer systems where AVAST! can inject itself into the streams automatically
(transparent proxy) i don't have to manually configure anything...

)\/(ark
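To make the "injecting itself into the stream" idea concrete, here is a minimal POP3 relay of the kind Mark describes (a listener on 12110 in front of the real POP3 server that scans each retrieved message before the client sees it). It is an added illustration written for this page, not Avast code; the listening port, the upstream host, the simplified handling of non-RETR replies and the "malware" marker it scans for are all constructed assumptions.

```python
import socket
import threading

# Constructed stand-in for a real signature; any message containing it is "malware".
MARKER = b"CONSTRUCTED-MALWARE-MARKER"

def scan_message(raw):
    """Return True if a retrieved message contains the constructed marker."""
    return MARKER in raw

def filter_response(raw):
    """Rewrite one full RETR reply (through its '.\r\n' terminator) for the client:
    clean messages pass byte-for-byte, flagged ones become a short notice."""
    if not scan_message(raw):
        return raw
    notice = b"Subject: [mail shield] message blocked\r\n\r\nQuarantined by relay.\r\n"
    return b"+OK %d octets\r\n%s.\r\n" % (len(notice), notice)

def read_multiline(sock):
    """Collect a multi-line POP3 reply; an -ERR reply is a single line."""
    buf = b""
    while not buf.endswith(b"\r\n.\r\n"):
        if buf.startswith(b"-ERR") and buf.endswith(b"\r\n"):
            break
        chunk = sock.recv(4096)
        if not chunk:
            break
        buf += chunk
    return buf

def handle(client, upstream):
    """Relay one session: commands go up unchanged, RETR replies are scanned."""
    server = socket.create_connection(upstream)
    client.sendall(server.recv(4096))  # server greeting
    for line in client.makefile("rb"):
        server.sendall(line)
        if line.upper().startswith(b"RETR"):
            client.sendall(filter_response(read_multiline(server)))
        else:  # other replies relayed chunk-wise (multi-line LIST/UIDL not reassembled)
            client.sendall(server.recv(4096))
    server.close()
    client.close()

def serve(listen_port=12110, upstream=("pop.example.invalid", 110)):
    """Listen where the mail client is pointed (12110 in the thread), relay upstream."""
    ls = socket.socket()
    ls.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    ls.bind(("127.0.0.1", listen_port))
    ls.listen(5)
    while True:
        conn, _ = ls.accept()
        threading.Thread(target=handle, args=(conn, upstream), daemon=True).start()
```

Pointing a mail client at 127.0.0.1:12110 instead of the real server is the manual configuration Mark describes; a transparent proxy does the same redirection without the client knowing.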
