Community Discussions and Support
Virus checker crashes Pegasus Mail

FYI
On the f-prot forum under the thread of:
Pegasus Mail and F-Prot - problem when virus found

http://forum.f-prot.com/index.php/topic,773.0.html

I wrote (2007-11-22, 06:12:27):

"Blackcat and other Frisk developers, I am still wondering, assuming that emails are most likely the main entry point for viruses (?) do AV software developers have an exchange policy with email developers to find the best way to handle certain issues such as the one mentioned above in this thread. A few lines would be great."


Reply of one of the developers today (2007-11-27, 08:35:37)

"Sorry for the late reply. Nope, I am not aware of such an exchange, yet."

 Cheers

Thomas
 

<p>FYI On the f-prot forum under the thread of: <i><b>Pegasus Mail and F-Prot - problem when virus found</b></i> </p><p>http://forum.f-prot.com/index.php/topic,773.0.html <b><i>I wrote </i></b>(2007-11-22, 06:12:27): </p><blockquote>"Blackcat and other Frisk developers, I am still wondering, assuming that emails are most likely the main entry point for viruses (?) do AV software developers have an exchange policy with email developers to find the best way to handle certain issues such as the one mentioned above in this thread. A few lines would be great." </blockquote><p> <i><b>Reply of one of the developers today </b></i>(2007-11-27, 08:35:37) </p><blockquote>"Sorry for the late reply. Nope, I am not aware of such an exchange, yet."</blockquote><p> Cheers</p><p>Thomas  </p>

My AV program - F-Prot - belongs to the same stable as Pegasus Mail; relatively simple, straightforward, not over-encumbered with all those "features" that never get used and generally a Good Thing.

Just like PMail! 

Trouble is, since a new version (v. 6.0) of F-Prot landed, the arrival of a virus seems to cause a conflict.  F-Prot sucks the virus into its vault, leaving Pegasus (I assume) to hunt in vain for its missing .cnm file.  Whereupon it crashes.

 I don't know whether this classes as a problem with PMail or with F-Prot (but I certainly know where the better feedback will come from!) - and I haven't been able to re-check this problem over the past couple of weeks because no virus has arrived on my desktop.

Is this a problem that anyone else has spotted?  Is this something that Frisk need to look at, or PMail?

Chris

<p>My AV program - F-Prot - belongs to the same stable as Pegasus Mail; relatively simple, straightforward, not over-encumbered with all those "features" that never get used and generally a Good Thing. </p><p>Just like PMail! </p><p>Trouble is, since a new version (v. 6.0) of F-Prot landed, the arrival of a virus seems to cause a conflict.  F-Prot sucks the virus into its vault, leaving Pegasus (I assume) to hunt in vain for its missing .cnm file.  Whereupon it crashes.</p><p> I don't know whether this classes as a problem with PMail or with F-Prot (but I certainly know where the better feedback will come from!) - and I haven't been able to re-check this problem over the past couple of weeks because no virus has arrived on my desktop.</p><p>Is this a problem that anyone else has spotted?  Is this something that Frisk need to look at, or PMail?</p><p>Chris </p>

Try excluding the Pegasus directories from the real-time scanning.

 

paul

 

<p>Try excluding the Pegasus directories from the real-time scanning.</p><p> </p><p>paul</p><p> </p>

[quote user="ChrisWright"]

Trouble is, since a new version (v. 6.0) of F-Prot landed, the arrival of a virus seems to cause a conflict.  F-Prot sucks the virus into its vault, leaving Pegasus (I assume) to hunt in vain for its missing .cnm file.  Whereupon it crashes.

[/quote]


I'm surprised that you say it crashes... I've certainly seen odd behaviour in Pegasus Mail when files it expects to be there vanish, but seldom have I seen crashes.

In fairness, what you have here is one application directly interfering with the operation of another. This "file arrogance" is something that has annoyed me about anti-virus programs for a number of years now - the way they believe they can just whip a file that another application is using away from it with no warning. From my perspective, this is clearly a problem in F-Prot, although in their defense, I will say that it's hard to see how else they could behave.

The usual suggestion is to exclude the Pegasus Mail directories from the A/V program's operation, then install an anti-virus plugin, such as Martin Ireland's VirScan, into Pegasus Mail to handle A/V on your mail.

Incidentally, F-Prot is also my preferred A/V package, but I don't permit it to run in real time.

Cheers!

-- David --

[quote user="ChrisWright"]<p>Trouble is, since a new version (v. 6.0) of F-Prot landed, the arrival of a virus seems to cause a conflict.  F-Prot sucks the virus into its vault, leaving Pegasus (I assume) to hunt in vain for its missing .cnm file.  Whereupon it crashes.</p><p>[/quote]</p><p> I'm surprised that you say it crashes... I've certainly seen odd behaviour in Pegasus Mail when files it expects to be there vanish, but seldom have I seen crashes. In fairness, what you have here is one application directly interfering with the operation of another. This "file arrogance" is something that has annoyed me about anti-virus programs for a number of years now - the way they believe they can just whip a file that another application is using away from it with no warning. From my perspective, this is clearly a problem in F-Prot, although in their defense, I will say that it's hard to see how else they could behave. The usual suggestion is to exclude the Pegasus Mail directories from the A/V program's operation, then install an anti-virus plugin, such as Martin Ireland's VirScan, into Pegasus Mail to handle A/V on your mail. Incidentally, F-Prot is also my preferred A/V package, but I don't permit it to run in real time. Cheers! -- David -- </p>

The F-Prot V6 commandline is described in their documentation. It has the -E option to exclude directories or files from its scanning functions. You should Exclude your Pegasus Mail NewMail directory (c:\pmail\mail typically)  or just exclude file type .CNM   I will be updating Virscan documentation shortly.

The Url with this info is:   http://www.f-prot.com/support/windows/fpwin_faq/445.html 

HTH

 

Martin 

<p>The F-Prot V6 commandline is described in their documentation. It has the -E option to exclude directories or files from its scanning functions. You should Exclude your Pegasus Mail NewMail directory (c:\pmail\mail typically)  or just exclude file type .CNM   I will be updating Virscan documentation shortly. </p><p>The Url with this info is:   http://www.f-prot.com/support/windows/fpwin_faq/445.html </p><p>HTH</p><p> </p><p>Martin </p>

I also use F-Prot v6 with PM 4.41 on Windows XP. Very few crashes and none I can relate to F-Prot. But occasionally when I open a mail (whether in the new mail folder or in another folder) I find the message body is totally blank. Once this has happened all other messages open blank until I close and restart PM. I have already stopped FP scanning .cnm files (you can do this via the GUI interface) but this does not cure the problem. I am reluctant to exclude the whole of the PM folders from on-line scanning.

This is so infrequent as not to cause me any worries but does seem to tie in with others problems. Never had it on F-Prot v3.

Thanks for the forum!

Dave

I also use F-Prot v6 with PM 4.41 on Windows XP. Very few crashes and none I can relate to F-Prot. But occasionally when I open a mail (whether in the new mail folder or in another folder) I find the message body is totally blank. Once this has happened all other messages open blank until I close and restart PM. I have already stopped FP scanning .cnm files (you can do this via the GUI interface) but this does not cure the problem. I am reluctant to exclude the whole of the PM folders from on-line scanning. This is so infrequent as not to cause me any worries but does seem to tie in with others problems. Never had it on F-Prot v3. Thanks for the forum! Dave

David et al.,
I am using f-prot for quite some years and can confirm that PM does not like to get its email files removed as it happens when an f-prot detects a virus. It does not crash as such but becomes 'unstable' and shows display errors and I need to shut it down. However, after every infected email I just restart PM and everything is fine again. However, I raised that issue with the Frisk team on their forum also suggesting that there might be a more elegant way? Just in case someone feels like adding a bit more meat to it with more insights I as a layman cannot provide.
Cheers
Thomas (alias Mungo at Frisk)

The Pegasus Mail F-Prot thread at Frisk
http://forum.f-prot.com/index.php/topic,773.0.html

<p>David et al., I am using f-prot for quite some years and can confirm that PM does not like to get its email files removed as it happens when an f-prot detects a virus. It does not crash as such but becomes 'unstable' and shows display errors and I need to shut it down. However, after every infected email I just restart PM and everything is fine again. However, I raised that issue with the Frisk team on their forum also suggesting that there might be a more elegant way? Just in case someone feels like adding a bit more meat to it with more insights I as a layman cannot provide. Cheers Thomas (alias Mungo at Frisk)</p><p>The Pegasus Mail F-Prot thread at Frisk <a href="http://forum.f-prot.com/index.php/topic,773.msg4609.html#msg4609">http://forum.f-prot.com/index.php/topic,773.0.html </a></p>

On 19 Nov 2007 Pegasus Mail & Mercury - Automated Email <NoReply@praktit.se> wrote:

> David et al.,
>
> I am using f-prot for quite some years and can confirm that
> PM does not like to get its email files removed as it happens
> when an f-prot detects a virus. It does not crash as such but
> becomes 'unstable' and shows display errors and I need to
> shut it down. However, after every infected email I just
> restart PM and everything is fine again. However, I raised
> that issue with the Frisk team on their forum also suggesting
> that there might be a more elegant way? Just in case someone
> feels like adding a bit more meat to it with more insights I
> as a layman cannot provide.

WinPMail needs exclusive access to it's files and if you use something like Virscan and exclude the Pegasus Mail directories from the a-v scanning all works quite well.  VirScan can use f-prot to scan the files under program control without problems.

Name of Program: VIRSCAN: Virus Scanning Extension for Pegasus Mail
Location/Filename <URL:mailto:Martin.Ireland@gov.ab.ca?Subject=send_virscan>
<URL:ftp://risc.ua.edu/pegasus/misc/virscan.zip>
Date/Version: Version 1.24 Mar 2001
Author/email contact: Martin Ireland <Martin.Ireland@gov.ab.ca>
Status: Freeware
Documentation: Included in zip file, Virscan.zip
Features: Extension to invoke virus scanning program of user choice when Pegasus Mail saves or views mail message attachments.
Comments: Available for Windows PCs. 16 and 32 bit versions available and tested on Windows 95, 98, and Windows NT Workstation 4.0.
Defaults to NAI's VirusScan engine. Multi-language support included.  

> Cheers
> Thomas (alias Mungo at Frisk)
>
> The Pegasus Mail F-Prot thread at Frisk


On 19 Nov 2007 Pegasus Mail &amp;amp; Mercury - Automated Email &amp;lt;NoReply@praktit.se&amp;gt; wrote: &amp;gt; David et al., &amp;gt; &amp;gt; I am using f-prot for quite some years and can confirm that &amp;gt; PM does not like to get its email files removed as it happens &amp;gt; when an f-prot detects a virus. It does not crash as such but &amp;gt; becomes &#039;unstable&#039; and shows display errors and I need to &amp;gt; shut it down. However, after every infected email I just &amp;gt; restart PM and everything is fine again. However, I raised &amp;gt; that issue with the Frisk team on their forum also suggesting &amp;gt; that there might be a more elegant way? Just in case someone &amp;gt; feels like adding a bit more meat to it with more insights I &amp;gt; as a layman cannot provide. WinPMail needs exclusive access to it&#039;s files and if you use something like Virscan and exclude the Pegasus Mail directories from the a-v scanning all works quite well.&amp;nbsp; VirScan can use f-prot to scan the files under program control without problems. Name of Program: VIRSCAN: Virus Scanning Extension for Pegasus Mail Location/Filename &amp;lt;URL:mailto:Martin.Ireland@gov.ab.ca?Subject=send_virscan&amp;gt; &amp;lt;URL:ftp://risc.ua.edu/pegasus/misc/virscan.zip&amp;gt; Date/Version: Version 1.24 Mar 2001 Author/email contact: Martin Ireland &amp;lt;Martin.Ireland@gov.ab.ca&amp;gt; Status: Freeware Documentation: Included in zip file, Virscan.zip Features: Extension to invoke virus scanning program of user choice when Pegasus Mail saves or views mail message attachments. Comments: Available for Windows PCs. 16 and 32 bit versions available and tested on Windows 95, 98, and Windows NT Workstation 4.0. Defaults to NAI&#039;s VirusScan engine. Multi-language support included. &amp;nbsp; &amp;gt; Cheers &amp;gt; Thomas (alias Mungo at Frisk) &amp;gt; &amp;gt; The Pegasus Mail F-Prot thread at Frisk

Thomas R, thanks for your reply.

FYI. The risc.ua.edu server has been removed from service.

There are many "work arounds" and I am using one myself. However, I feel that more could be done especially from F-Prot's side as any work around needs (often cumbersome) setting up, may fail or open security holes and finally add to the users frustration.
What I suggested at their forum is:

Development suggestions:

  • "Include email client specifics for other more widely used email clients which could be activated or deactivated etc. such as found for Outlook, ....".

http://forum.f-prot.com/index.php?topic=773

We should all work on trying to get things better.[;)]

Cheers

Thomas 

&lt;p&gt;Thomas R, thanks for your reply.&lt;/p&gt;&lt;p&gt;FYI. The risc.ua.edu server has been removed from service. There are many &quot;work arounds&quot; and I am using one myself. However, I feel that more could be done especially from F-Prot&#039;s side as any work around needs (often cumbersome) setting up, may fail or open security holes and finally add to the users frustration. What I suggested at their forum is: &lt;/p&gt;&lt;p&gt;Development suggestions: &lt;/p&gt;&lt;ul&gt;&lt;li&gt;&quot;Include email client specifics for other more widely used email clients which could be activated or deactivated etc. such as found for Outlook, ....&quot;.&lt;/li&gt;&lt;/ul&gt;&lt;p&gt;http://forum.f-prot.com/index.php?topic=773&lt;/p&gt;&lt;p&gt;We should all work on trying to get things better.[;)]&lt;/p&gt;&lt;p&gt;Cheers&lt;/p&gt;&lt;p&gt;Thomas&amp;nbsp;&lt;/p&gt;

[quote user="tmstein"]

Thomas R, thanks for your reply.

FYI. The risc.ua.edu server has been removed from service.

There are many "work arounds" and I am using one myself. However, I feel that more could be done especially from F-Prot's side as any work around needs (often cumbersome) setting up, may fail or open security holes and finally add to the users frustration.
What I suggested at their forum is:

Development suggestions:

  • "Include email client specifics for other more widely used email clients which could be activated or deactivated etc. such as found for Outlook, ....".

http://forum.f-prot.com/index.php?topic=773

We should all work on trying to get things better.[;)]

Cheers

Thomas 

[/quote]

 

You are missing the point I'm trying to make.  All anti-virus software is pretty much broken when it comes to grabbing a file away from an application.  Outlook has pretty much the same problem  when a virus is found in one of the folders that got there before being detected.  We've had whole Outlook mailboxes get corrupted this way.  I've found that McAfee is a bit less obtrusive the some but all of them cause a problem sometimes. The basic problem is that the people building anti-virus software believe it's absolutely correct for them to immediately delete/move/quarantine/etc the file containing a virus as opposed to detecting and preventing the virus from be activated when the user accidentally tries to activate it.  With Pegasus Mail a virus in a message causes no problem at all and could be ignored.  A virus in a message moved to the deleted messages folder is harmless.  A virus program working under the control of the mail program is also goes to work a lot better than one working in opposition to the program.

Sorry about the risc.ua.edu server, it should be the Maine site now.  I have to update my glossary. 

[quote user=&quot;tmstein&quot;]&lt;p&gt;Thomas R, thanks for your reply.&lt;/p&gt;&lt;p&gt;FYI. The risc.ua.edu server has been removed from service. There are many &quot;work arounds&quot; and I am using one myself. However, I feel that more could be done especially from F-Prot&#039;s side as any work around needs (often cumbersome) setting up, may fail or open security holes and finally add to the users frustration. What I suggested at their forum is: &lt;/p&gt;&lt;p&gt;Development suggestions: &lt;/p&gt;&lt;ul&gt;&lt;li&gt;&quot;Include email client specifics for other more widely used email clients which could be activated or deactivated etc. such as found for Outlook, ....&quot;.&lt;/li&gt;&lt;/ul&gt;&lt;p&gt;http://forum.f-prot.com/index.php?topic=773&lt;/p&gt;&lt;p&gt;We should all work on trying to get things better.[;)]&lt;/p&gt;&lt;p&gt;Cheers&lt;/p&gt;&lt;p&gt;Thomas&amp;nbsp;&lt;/p&gt;&lt;p&gt;[/quote]&lt;/p&gt;&lt;p&gt;&amp;nbsp;&lt;/p&gt;&lt;p&gt;You are missing the point I&#039;m trying to make.&amp;nbsp; All anti-virus software is pretty much broken when it comes to grabbing a file away from an application.&amp;nbsp; Outlook has pretty much the same problem&amp;nbsp; when a virus is found in one of the folders that got there before being detected.&amp;nbsp; We&#039;ve had whole Outlook mailboxes get corrupted this way.&amp;nbsp; I&#039;ve found that McAfee is a bit less obtrusive the some but all of them cause a problem sometimes. The basic problem is that the people building anti-virus software believe it&#039;s absolutely correct for them to immediately delete/move/quarantine/etc the file containing a virus as opposed to detecting and preventing the virus from be activated when the user accidentally tries to activate it.&amp;nbsp; With Pegasus Mail a virus in a message causes no problem at all and could be ignored.&amp;nbsp; A virus in a message moved to the deleted messages folder is harmless.&amp;nbsp; A virus program working under the control of the mail program is also goes to work a lot better than one working in opposition to the program. &lt;/p&gt;&lt;p&gt;Sorry about the risc.ua.edu server, it should be the Maine site now.&amp;nbsp; I have to update my glossary.&amp;nbsp;&lt;/p&gt;

Thanks Thomas R.
> You are missing the point I'm trying to make.
No I do not think so ;-) I believe that we pretty much agree.

> The basic problem is that the people building anti-virus
> software believe it's absolutely correct for them to immediately
> delete/move/quarantine/etc the file containing a virus as opposed to
> detecting and preventing the virus from be activated when the user
> accidentally tries to activate it.
What you said here is exactly the point I am trying to make saying that we should talk to the people building anti-virus software and tell them its not okay the way it works (or does not work) - and lets try to find a better way. That's why I posted the message in the F-Prot forum.

So why not trying to make the point you just made also in their forum?
Cheers
Thomas

&lt;p&gt;Thanks Thomas R. &amp;gt; You are missing the point I&#039;m trying to make. No I do not think so ;-) I believe that we pretty much agree. &amp;gt; The basic problem is that the people building anti-virus &amp;gt; software believe it&#039;s absolutely correct for them to immediately &amp;gt; delete/move/quarantine/etc the file containing a virus as opposed to &amp;gt; detecting and preventing the virus from be activated when the user &amp;gt; accidentally tries to activate it. What you said here is exactly the point I am trying to make saying that we should talk to the people building anti-virus software and tell them its not okay the way it works (or does not work) - and lets try to find a better way. That&#039;s why I posted the message in the F-Prot forum. &lt;/p&gt;&lt;p&gt;So why not trying to make the point you just made also in their forum? Cheers Thomas &lt;/p&gt;

[quote user="tmstein"]

Thanks Thomas R.
> You are missing the point I'm trying to make.

No I do not think so ;-) I believe that we pretty much agree.

> The basic problem is that the people building anti-virus
> software believe it's absolutely correct for them to immediately
> delete/move/quarantine/etc the file containing a virus as opposed to
> detecting and preventing the virus from be activated when the user
> accidentally tries to activate it.


What you said here is exactly the point I am trying to make saying that we should talk to the people building anti-virus software and tell them its not okay the way it works (or does not work) - and lets try to find a better way. That's why I posted the message in the F-Prot forum.

So why not trying to make the point you just made also in their forum?
Cheers
Thomas

[/quote]

Total waste of time.  Been there, done that and not about to try busting my head against a brick wall again.  Many people a lot more technically competent than I have provided detailed arguments as to why this is necessary.  They simply do not understand or care, it's not their problem if whole systems crash because the rip the file away.  It's been like this for over twenty years now and I've not seen any sign of change at all on the part of any a-v developer.  They have repeatedly said it was "too tough" (meaning I suspect "it's not profitable" ) when this is addressed.  That's why other software developers have to develop tools to control their anti-virus commandline scanners and turn off the auto-protect.  That's why Martin Ireland developed the VirScan extension to solve this problem with a-v software.  It's a lot better than trying to get the a-v people to change.

 

[quote user=&quot;tmstein&quot;]&lt;p&gt;Thanks Thomas R. &amp;gt; You are missing the point I&#039;m trying to make. No I do not think so ;-) I believe that we pretty much agree. &amp;gt; The basic problem is that the people building anti-virus &amp;gt; software believe it&#039;s absolutely correct for them to immediately &amp;gt; delete/move/quarantine/etc the file containing a virus as opposed to &amp;gt; detecting and preventing the virus from be activated when the user &amp;gt; accidentally tries to activate it. &lt;/p&gt;&lt;p&gt; What you said here is exactly the point I am trying to make saying that we should talk to the people building anti-virus software and tell them its not okay the way it works (or does not work) - and lets try to find a better way. That&#039;s why I posted the message in the F-Prot forum. &lt;/p&gt;&lt;p&gt;So why not trying to make the point you just made also in their forum? Cheers Thomas &lt;/p&gt;&lt;p&gt;[/quote]&lt;/p&gt;&lt;p&gt;Total waste of time.&amp;nbsp; Been there, done that and not about to try busting my head against a brick wall again.&amp;nbsp; Many people a lot more technically competent than I have provided detailed arguments as to why this is necessary.&amp;nbsp; They simply do not understand or care, it&#039;s not their problem if whole systems crash because the rip the file away.&amp;nbsp; It&#039;s been like this for over twenty years now and I&#039;ve not seen any sign of change at all on the part of any a-v developer.&amp;nbsp; They have repeatedly said it was &quot;too tough&quot; (meaning I suspect &quot;it&#039;s not profitable&quot; ) when this is addressed.&amp;nbsp; That&#039;s why other software developers have to develop tools to control their anti-virus commandline scanners and turn off the auto-protect.&amp;nbsp; That&#039;s why Martin Ireland developed the VirScan extension to solve this problem with a-v software.&amp;nbsp; It&#039;s a lot better than trying to get the a-v people to change. &lt;/p&gt;&lt;p&gt;&amp;nbsp;&lt;/p&gt;

Sorry to join this thread rather late, but there are several types of solutions that will avoid this problem.

1.  Employ your ISP upstream AV services
2. Use the AV vendor POP3 proxy option to deliver mail messages to Pegasus Mail. These pieces of software will examine every message for attachments, and any attachments found are subject to AV scanning.

3. disable AV scanning of the Pegasus Mail NewMail directory, especially filetype *.cnm and *.pm$.   For work environments this may be impossible due to policy.

Option 1. only works as well as the ISP maintains current AV signatures. 

Option 2 will avoid collisions as Pegasus Mail will never see virus-ridden messages. The downside is the weakness of AV vendor understanding of,
email message structures and suggested tolerances for standards compliance.  

Option 3. is the least intrusive. Infected email remains safely dormant until a user tries to open or save and attachment. 

 

Martin 

&lt;p&gt;Sorry to join this thread rather late, but there are several types of solutions that will avoid this problem.&lt;/p&gt;&lt;p&gt;1.&amp;nbsp; Employ your ISP upstream AV services 2. Use the AV vendor POP3 proxy option to deliver mail messages to Pegasus Mail. These pieces of software will examine every message for attachments, and any attachments found are subject to AV scanning.&lt;/p&gt;&lt;p&gt;3. disable AV scanning of the Pegasus Mail NewMail directory, especially filetype *.cnm and *.pm$. &amp;nbsp; For work environments this may be impossible due to policy.&lt;/p&gt;&lt;p&gt;Option 1. only works as well as the ISP maintains current AV signatures.&amp;nbsp;&lt;/p&gt;&lt;p&gt;Option 2 will avoid collisions as Pegasus Mail will never see virus-ridden messages. The downside is the weakness of AV vendor understanding of, email message structures and suggested tolerances for standards compliance. &amp;nbsp;&lt;/p&gt;&lt;p&gt;Option 3. is the least intrusive. Infected email remains safely dormant until a user tries to open or save and attachment.&amp;nbsp;&lt;/p&gt;&lt;p&gt;&amp;nbsp;&lt;/p&gt;&lt;p&gt;Martin&amp;nbsp;&lt;/p&gt;
live preview
enter atleast 10 characters
WARNING: You mentioned %MENTIONS%, but they cannot see this message and will not be notified
Saving...
Saved
With selected deselect posts show selected posts
All posts under this topic will be deleted ?
Pending draft ... Click to resume editing
Discard draft