User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.6a) Gecko/20031030 Build Identifier: Thunderbird 0.7 Since viruses are being sent out in e-mail attachments, it would be nice if Thunderbird had the option to scan attachment for viruses using the antivirus software already on the system. Reproducible: Always Steps to Reproduce: does not apply Actual Results: does not apply Expected Results: does not apply does not apply

Requesting INVALID resolution, because it is the work of an AV soft to kill virus, not of a tool like thunderbird. So ?

(In reply to comment #1) > Requesting INVALID resolution, because it is the work of an AV soft to kill > virus, not of a tool like thunderbird. > > So ? It is the job of AV software to kill viruses. However, neither Thunderbird nor Mozilla allo AV to do its job. For all their security problems, Outlook and Outlook Express have hooks which AV software can use to can incoming mail, and reject mail/attachments with viruses. Mozilla/Thunderbird has no such interface, so it is not possible for AV software to remove infected attachments. Furthermore, although it is possible for AV software to scan the mail files on the harddisk, it doesn't do much good: as documented in http://www.mozilla.org/start/1.5/troubleshooting/#virus, users are instructed to *not* can mail files. It is true that attachments won't infect mozilla. However, as we all know, the problem is when users open attachments - be it a word doc or a PNG file (does buffer overflow because of libpng ring a bell?). Technical folks are probably not stupid enough to open attachments without scanning them (except in the case of PNGs, for example); however, as I understand it, Thunderbird is meant for all users. All users include people who indiscriminately open attachments, and rely on AV software to protect them.

One easy solution i could think of for virus scanner integration would be to temporarily drop the email in a temporary directory, launch the scanner via command line to scan the email, and if it is ok, put the email in the inbox, or whatever mail file it belongs in. This would avoid the problems of using proprietary apis to integrate virus scanners with mozilla mail, and would be fairly easy to implement. however, this would be somewhat slower than a tight integration which doesn't require writing each mail to disk and then launching a process to scan the mail. (In reply to comment #2) > (In reply to comment #1) > > Requesting INVALID resolution, because it is the work of an AV soft to kill > > virus, not of a tool like thunderbird. > > > > So ? > > It is the job of AV software to kill viruses. However, neither Thunderbird nor > Mozilla allo AV to do its job. For all their security problems, Outlook and > Outlook Express have hooks which AV software can use to can incoming mail, and > reject mail/attachments with viruses. Mozilla/Thunderbird has no such interface, > so it is not possible for AV software to remove infected attachments. > Furthermore, although it is possible for AV software to scan the mail files on > the harddisk, it doesn't do much good: as documented in > http://www.mozilla.org/start/1.5/troubleshooting/#virus, users are instructed to > *not* can mail files. > > It is true that attachments won't infect mozilla. However, as we all know, the > problem is when users open attachments - be it a word doc or a PNG file (does > buffer overflow because of libpng ring a bell?). > > Technical folks are probably not stupid enough to open attachments without > scanning them (except in the case of PNGs, for example); however, as I > understand it, Thunderbird is meant for all users. All users include people who > indiscriminately open attachments, and rely on AV software to protect them. > >

*** Bug 266429 has been marked as a duplicate of this bug. ***

Many AV products can already scan Mozilla email, although not all can remove individual problem attachments. Bug 116443 deals with this (see comment 147). *** This bug has been marked as a duplicate of 116443 ***

I disagree with this duplication. Providing an interface for a direct plugin from the AV program, including the possibility of removing attachments without discarding the message, is far beyond what is currently proposed for 116443.

*** Bug 334291 has been marked as a duplicate of this bug. ***

(In reply to comment #8) > *** Bug 369847 has been marked as a duplicate of this bug. *** I'm going to reproduce the comments from the bug 369847 here to make sure they are in the context of this bug. I apologize for the spamming. ====================================== Does Thunderbird have an antivirus API and where can I find information on it? If not, has it been considered to develop an antivirus API for Thunderbird? The minimal requirements for such an API would include being able to: * Scan individual e-mail messages every time the user accesses them. * Scan the raw e-mail as well as individual parts/attachments as they are parsed by Thunderbird. * Add, read and modify certain headers in the messages. * Remove individual parts/attachments. * Modify individual parts/attachments, including changing the name and MIME type. * Instruct Thunderbird to remove/delete the entire message (even based on scanning just one part/attachment of the message) and compact the folder. * Instruct Thunderbird to block access to individual parts of the message or the entire message and inform the user of the reason (infected message). ====================================== I'm aware of that setting (Tools->Options->Privacy->Anti-virus), but neither a POP3/IMAP scanner nor individual spool files are a good solution. (Why is this setting under Privacy and not Advanced? What's the privacy implication?) If you look at [http://kb.mozillazine.org/Thunderbird_:_FAQs_:_Anti-virus_Software] then one of the recommendations are "[C]onsider waiting a while before opening the attachment. This gives your AV program's manufacturer a chance to provide a perhaps necessary new update." To do for the entire e-mail (since there is HTML/Javascript-based malware) the message would need to be rescanned every time it is accessed after a virus signature file update. For that an API or a method to plug into / hook into Tunderbird is necessary. Scanning the entire mbox is a waste of CPU and has performance issues if only a few e-mails in a large mailbox are being accessed. We at FRISK Software are interested in developing an F-PROT Antivirus plugin for Thunderbird that would be a part of our product, similar to our current Microsoft Outlook plugin. Thanks, Erlendur. P.S. Also posted to http://forums.mozillazine.org/viewtopic.php?p=2740502 -- Erlendur S. Thorsteinsson www.f-prot.com

The requirements in comment 9 are certainly clearer than the vague initial request. What is a mail "plugin"? Would you be willing to write an XPCOM component? If so it could be dropped into Thunderbird's components directory and would get automatically registered. That would require that we design and call an interface that such a component would implement, and I can't see that happening any time soon with the final push to finish Thunderbird 2 under way.

Given our limited knowledge of XPCOM, so far at least, but assuming general high-level similarities to Microsoft's COM and that this would get the job done I would offer a cautious yes to your question. It's easier for me to explain by referring you to the Microsoft Antivirus APIs for Internet Explorer, Office and Outlook, which we use to support those programs, since we would be willing to put in a similar effort to support Thunderbird. (Note that there are very different requirements for e-mail clients and browsers so it may not be possible to have the same interface for Thunderbird and Firefox. Since Firefox does not support ActiveX we are not too concerned that it lacks an antivirus interface.) Internet Explorer and Office (not including Outlook) use the IOfficeAntiVirus COM interface [http://msdn2.microsoft.com/en-us/library/ms537369.aspx]. The Attachment Manager (OE, MSN, ...) uses the IAttachmentExecute interface, which in turn uses IOfficeAntiVirus. This is a very simple interface and only intended to scan individual files, not e-mail, although OE uses it. Outlook uses the Exchange Client Extensions API [http://support.microsoft.com/kb/199343], which is bloated, intended for much more than just antivirus and has number of usage and performance issues. One component of F-PROT Antivirus is a plug-in/module that implements IOfficeAntiVirus. Another component is a plug-in/module that "extends the Exchange client". These components are DLLs that are installed in certain locations and registered in certain ways. The applications then call our code or provide events that we can respond to, allowing us to scan the files/objects and interact with the application. We had expected to provide a similar effort to better protect our customers that use Thunderbird as we have done to protect IE, Office and Outlook, if a suitable interface is provided by Thunderbird. I understand that you are busy at the moment with the development of v2, but I would like to note that this bug was filed in mid-2004, bug 116443 was filed in late 2001 and bug 58308 was filed in late 2000. [See also http://forums.mozillazine.org/viewtopic.php?t=520287]

I believe on the trunk we now scan attachments for viruses when you open or save them, if you have a virus checker installed in the OS, as part of the new download manager.

Yup, that was implemented in bug 103487. Duping.