Information Technology
User Services
"Help! Where did my email go?"
For users of Symantec Anti-Virus software, the most recent update,
combined with the widespread distribution of the W32.MyDoom worm, has
caused some problems with certain email clients, including Netscape
and Eudora.
Background:
(Just show me how to fix it!)
Client mail programs such as Netscape and Eudora usually store all
incoming email in a gigantic email inbox file. The path to this file
is normally something like...
Netscape 4.7: C:\Program Files\Netscape\Mail\Inbox
Netscape 7: C:\Documents and Settings\[username]\Application Data\Mozilla\Profiles\[profile name]\[random filename]\Mail\[account name]\inbox
Eudora: C:\Program Files\Qualcomm\Eudora\In.mbx
All incoming email goes into this file. Viruses are normally encoded
as email attachments, so Symantec Anti-Virus never "sees" them. As long
as you don't decode (click on) the attachment, absolutely nothing happens.
Eudora is similar, except that Eudora automatically decodes all attachments
and stuffs them into an attachments directory, where Symantec Anti-Virus
can "see" the decoded attachment and shunt it into its quarantine
directory.
Apparently the latest update to the Symantec Anti-Virus virus
definitions...or maybe it is a change in the way the viruses are being
distributed...is able to "see" the still-encoded virus when it arrives
in the inbox file. It reacts as it always does to a virus, by quarantining
the file, sealing it off so that Windows can't access it. This keeps
the machine safe from viruses, but it has the nuisance side effect of
making the entire email inbox inaccessible. Not only does this
make it impossible to read your email, it also makes it impossible to
delete the virus-bearing email message!
Eudora users have a slightly different problem. It appears that Symantec
Anti-Virus can intercept the virus message before Eudora writes it to
the inbox file, so instead of causing the inbox to disappear, Eudora
users will find that their email gets "stuck", apparently
unable to download the virus email or any subsequent messages. The fix
is similar...keep reading...
Repair procedure:
- Move any messages you CAN see into an alternate folder.
- Shut down the email client.
- Disable file system realtime protection.
  Open Symantec Anti-Virus. In the left-hand pane, select "Configure",
  then "File System Realtime Protection." Uncheck the "Enable
  file system realtime protection" box.
- Restore the inbox from quarantine.
  In the left-hand pane of Symantec Anti-Virus, select "View"
  then "Quarantine". Select the file "Inbox" (or
  "In.mbx" if you use Eudora) in the right-hand pane, then
  click "Restore", which is the third icon to the right of
  the drop-down box.
- Launch your email client. It should be able to find the inbox file this
  time.
- NETSCAPE USERS: If you find that your email is still not working
  properly at this point, you may need to delete the email index
  file.
  Do a file search for "inbox". In the same directory
  you should have a file called "Inbox.snm". Delete this
  file (if you're worried about messing things up, just move it
  to the desktop and delete it after you get everything working)
  and restart Netscape. It should rebuild your index file and you
  should be back to normal.
- Delete the offending message(s), then empty the mail client's trash file
  and/or compress the inbox (file menu options).
- Re-enable file system realtime protection in Symantec Anti-Virus.
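To help find which message to delete once the inbox has been restored, here is an added example (not part of the original page) that lists the messages in an mbox-format inbox, the single-file layout Netscape uses, whose still-encoded attachments have executable-type names. The extension list, the function names and the two sample messages are assumptions constructed for illustration.

```python
import mailbox
import os
import tempfile

# Assumed list of attachment extensions worth flagging; adjust to local policy.
RISKY_EXTENSIONS = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".zip"}

SAMPLE_MBOX = (  # constructed sample: one plain message, one with an attachment
    "From a@example.edu Mon Jan 26 10:00:00 2004\n"
    "From: a@example.edu\nSubject: Lunch\n\nSee you at noon.\n\n"
    "From b@example.com Tue Jan 27 09:30:00 2004\n"
    "From: b@example.com\nSubject: Test\nMIME-Version: 1.0\n"
    'Content-Type: multipart/mixed; boundary="B"\n\n'
    "--B\nContent-Type: text/plain\n\nSee the attached file.\n"
    "--B\nContent-Type: application/octet-stream\n"
    "Content-Transfer-Encoding: base64\n"
    'Content-Disposition: attachment; filename="document.pif"\n\n'
    "Q09OU1RSVUNURUQgU0FNUExF\n--B--\n"
)


def find_risky_messages(mbox_path):
    """Return (index, sender, subject, filename) for every attachment whose
    name ends in a risky extension. Only names are read; nothing is decoded."""
    hits = []
    box = mailbox.mbox(mbox_path, create=False)
    try:
        for index, msg in enumerate(box):
            for part in msg.walk():
                name = part.get_filename()
                ext = os.path.splitext(name or "")[1].lower()
                if ext in RISKY_EXTENSIONS:
                    hits.append((index, msg["From"], msg["Subject"], name))
    finally:
        box.close()
    return hits


def scan_text(mbox_text):
    """Write mbox text to a temporary 'Inbox' file and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "Inbox")
        with open(path, "wb") as fh:
            fh.write(mbox_text.encode("ascii"))
        return find_risky_messages(path)


if __name__ == "__main__":
    for hit in scan_text(SAMPLE_MBOX):
        print("message %d from %s, subject %r, attachment %s" % hit)
```

To check a real mailbox, call find_risky_messages() with the inbox path while the email client is shut down.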
To prevent this from happening again, you can exclude "inbox" from the
Symantec Anti-Virus Realtime Protection.
Excluding your email box from anti-virus scanning:
- Open Symantec Anti-Virus.
- In the left pane, select "Configure" then "File System Realtime
  Protection."
- Under "Options", check the box marked "Exclude selected
  files and folders." Click the "Exclusions" button,
  then click on "Files/Folders."
- Navigate through the file tree and check the box next to your INBOX file. You
  may need to run a search (outside of Symantec Anti-Virus) to find
  it. You might also want to exclude your email TRASH file. Click OK.
Special procedure for Eudora users:
Eudora doesn't appear to write messages directly into the In.mbx file.
At first this would appear to be a good thing, because it means that
viruses get caught before they get written to the email box, meaning
that the In.mbx file should not be subject to quarantine. Instead, messages
are first written to a temporary file, then added to the In.mbx after
any incoming mail processing is completed. The problem here is that
when a virus-bearing email is received, Symantec Anti-Virus will immediately
quarantine the temporary file, effectively stopping the download of
new messages. It should therefore not be necessary for Eudora users
to restore a mailbox, but Eudora users will find that they MUST
exclude certain files from File System Realtime Protection. Eudora
users should exclude the following DIRECTORY (folder):
C:\Program Files\Qualcomm\Eudora\Spool
...and unless you want to go through the mailbox restore procedure above
the next time someone sends you a virus...
C:\Program Files\Qualcomm\Eudora\In.mbx
(actually, exclude all of your *.mbx files)
Note that the exact location of your mail files may vary depending on
your installation. The paths listed assume a default installation.
Notes on excluding files from virus scanning
The files you are excluding from real-time virus scanning are specific
data files for email. On the one hand, these are the files which are most
likely, of any files on your computer, to contain viruses. On the other hand,
these files are not executable files, and therefore the chance of viruses
infecting your computer directly from those files is essentially zero.
In order to become a danger to your computer, the virus must first be
decoded into an executable file. When this happens, Symantec Anti-Virus
will detect the viruses in the newly-created files. The exception to
this rule is the Eudora Spool directory. If you decode a virus file into
that directory, it will not be scanned. So don't do that! Luckily, Eudora
by default decodes attachments into ../Eudora/attach, which is a directory
that WILL be scanned. So stopping virus scanning on these particular files
should not put your system at risk. It will, however, save you from the
hassle of data "lost" to an overzealous virus protection program.