Endpoint Protection


How to parse "File Path" or "Original Location" in scan reports

  • 1.  How to parse "File Path" or "Original Location" in scan reports

    Posted Feb 04, 2016 11:21 PM

    We have endpoint protection running on desktops, and Thunderbird as an IMAP client. By default, it syncs mailbox folders from the server, so that if there is an infected message in a folder, we will see a report with a "File Path" or "Original Location" such as

    ...C:\Users\joe\AppData\RoamingThunderbird\Profiles\8l6vx.default\ImapMail\mail.example.ca\INBOX>>Unknown003106A4.data

    or ....INBOX>>Unknown0AD1ABB6.data>>Purchase Order.rar>>SKMBT_crypted9705.exe

    or ...INBOX>>Unknown00385909.data>>Unknown00000F28.data

    The folder INBOX might contain some 5000 messages. If endpoint protection cleans the local copy, it is restored by Thunderbird next time the user reads email.

    What is the meaning of "Unknown003106A4.data"? Is it possible to convert that to a byte offset in the mail folder, and thus find the actual message and attachment and delete it?

    I reported XP, because that is what is on my test system, but we have a variety of Windows versions reporting to a management console, which is apparently unable to whitelist a wildcard pattern from scans like C:\Users\*\AppData\Roaming\Thunderbird\



  • 2.  RE: How to parse "File Path" or "Original Location" in scan reports

    Posted Feb 04, 2016 11:42 PM

    Do you actually find any item listed as Unknown003106A4.data at the below path?

    C:\Users\joe\AppData\RoamingThunderbird\Profiles\8l6vx.default\ImapMail\mail.example.ca\INBOX\


    If the answer is no, then you will probably have to educate the user to just delete the infected item in the mailbox itself to avoid it getting re-downloaded.



  • 3.  RE: How to parse "File Path" or "Original Location" in scan reports

    Posted Feb 05, 2016 07:45 AM

    What action did SEP take on it? It should've cleaned/deleted it...



  • 4.  RE: How to parse "File Path" or "Original Location" in scan reports

    Posted Feb 05, 2016 04:38 PM

    No, there is no item named Unknown003106A4.data. In some cases, there may be an attachment named "Purchase Order.rar", but not all MIME attachments are named.

    The problem with educating the user is that they don't know which message is infected, so they don't know which to delete. I try to tell them to change their settings to at least not sync their Trash folder, else they could "delete" a message and still get warnings from SEP, but that's an "advanced" option.

    SEP takes various actions (clean, quarantine) but it doesn't matter what it does - as I say, the infected file is restored from the server by Thunderbird, and thus reappears in the next scan. Part of our problem is that the SEP management console logs blow up, finding the same virus every day for months. We do have some antivirus on incoming mail, but even the best AV will not find zero-days, while SEP will find them a few days later on the client.

    While on the server the folders are split into multiple files for faster access, when Thunderbird syncs folders with IMAP it seems to create a single Unix-style mailbox file, together with an MSF index file. In the examples above, this Unix file is called "INBOX" and contains 477 messages; for some users, many more (50,000).



  • 5.  RE: How to parse "File Path" or "Original Location" in scan reports

    Posted Feb 05, 2016 04:41 PM

    The problem is that SEP is only protecting the local mailbox and not what's on the server. The malicious attachment on the server is what needs to be remediated. Have you run a scan of it?



  • 6.  RE: How to parse "File Path" or "Original Location" in scan reports

    Posted Feb 05, 2016 05:07 PM

    The server is on Linux using UW imapd with .mix files. I can't run Symantec natively; we have a Windows licence. I can run other AV products such as ClamAV but face the same problem - tying an infected file to a particular message - unless I write an IMAP API that can parse the mailboxes. Also, since it seems every AV product uses a different name for the same malware, mapping SEP reports to e.g. ClamAV or Kaspersky is an issue.

    I have in fact fixed a couple of problem folders by hand, converting the folder to Unix and then parsing it with existing tools to extract attachments and scan them with ClamAV. If that finds one virus in a message, and SEP also finds one virus in the same folder, then it's reasonable to assume it's the same one. But it's time-consuming, in CPU as well as human effort. It would be much better to be able to go straight from an SEP report to a message number and delete it.



  • 7.  RE: How to parse "File Path" or "Original Location" in scan reports

    Posted Feb 06, 2016 01:20 AM

    First things first, there is no separate license from Symantec for SEP that is classified into Windows, Mac and Linux. The SEP license is based on the count of seats, not dependent on O/S. So you are better off installing SEP on your mail server. If you are using an Exchange mail server I would also recommend you to install a mail security product, like SMSME or Brightmail security. Also, have you tried to enforce a rule in your mail server so as not to sync the Trash folder?



  • 8.  RE: How to parse "File Path" or "Original Location" in scan reports

    Posted Feb 10, 2016 08:14 PM

    I may try to run SEP on the mail server and see how that works.

    Is there a trial version? When I click on the "try" button in https://www.symantec.com/pages.jsp?id=campaign-endpoint-protection, which says "for Windows, Mac, Linux and Virtual", I eventually get to a page of download links at https://www4.symantec.com/Vrt/vrtcontroller. All of those seem to be EXE files, rather than e.g. self-extracting zipfiles. The "other trialware products" link is broken.



  • 9.  RE: How to parse "File Path" or "Original Location" in scan reports

    Posted Feb 10, 2016 08:32 PM

    SEP for Linux is not offered as a trial. If you already have SEP then SEP for Linux should be part of the download ISO.



  • 10.  RE: How to parse "File Path" or "Original Location" in scan reports

    Posted Feb 18, 2016 11:05 PM

    I tried SEP for Linux, which works on my desktop.

    With the default settings, at least, it is unable to see UW imapd mail folders of the form folder/.mix*.

    It is able to see Unix format mail folders (flat files), as created by Thunderbird folder sync, but it does not understand the format - it is not able to remove a virus from an individual message, it just deletes the entire folder. Not very useful. So I can't use SEP on the server to clean existing folders.

    To answer my own original question, the report entries such as INBOX>>Unknown00385909.data do appear to correlate to byte offsets, almost. The hex value 0x385909 corresponds to a byte offset about 3000 bytes away from the start of the base-64 encoded attachment; the offset is not fixed but is somewhere in the region 2000-5000 bytes.

    I have been able to write a script to extract message attachments into individual numbered files, and then scan the directory with e.g. SEP, identify infected message attachments and remove them manually from the original folders on the server. Not ideal, but it solves my problem of zero-days getting past our incoming email filter and repeatedly triggering desktop SEP every time Thunderbird re-syncs the folder.
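    The offset-to-message mapping described in this post, as an added example that is not part of the original thread: a Python script that reads the Unknown<hex>.data token as a byte offset into a Thunderbird mbox file, picks the message whose "From " separator precedes that offset, and lists the MIME attachment names in that message. The mailbox below is constructed for the example; the reported offset falls inside the attachment body, a few KB after its start as the post observes, so the enclosing message is still identified correctly.

```python
import bisect
import email
import re
from email import policy

# Constructed sample mbox (not from the post): two messages, the second
# one carrying a base64-encoded attachment named like the one in the report.
SAMPLE_MBOX = (
    b"From joe@example.ca Fri Feb 05 10:00:00 2016\n"
    b"From: joe@example.ca\nSubject: hello\n\nplain text only\n\n"
    b"From bob@example.ca Fri Feb 05 10:05:00 2016\n"
    b"From: bob@example.ca\nSubject: invoice\nMIME-Version: 1.0\n"
    b'Content-Type: multipart/mixed; boundary="b1"\n\n'
    b"--b1\nContent-Type: text/plain\n\nsee attached\n"
    b'--b1\nContent-Type: application/octet-stream; name="Purchase Order.rar"\n'
    b"Content-Transfer-Encoding: base64\n\nUmFyIQ==\n--b1--\n"
)

TOKEN_RE = re.compile(r"Unknown([0-9A-Fa-f]{8})\.data")

def token_to_offset(report_path):
    """'...INBOX>>Unknown00385909.data' -> 0x385909, the hex byte offset."""
    m = TOKEN_RE.search(report_path)
    if not m:
        raise ValueError("no Unknown<hex>.data token in %r" % report_path)
    return int(m.group(1), 16)

def message_starts(data):
    """Byte offsets of every mbox 'From ' separator line."""
    return [m.start() for m in re.finditer(rb"(?m)^From ", data)]

def locate_message(data, offset):
    """(message index, raw message bytes) of the message covering offset.
    The last separator at or before the offset identifies the message."""
    starts = message_starts(data)
    if not starts or not 0 <= offset < len(data):
        raise ValueError("offset %#x is outside the mailbox" % offset)
    idx = bisect.bisect_right(starts, offset) - 1
    end = starts[idx + 1] if idx + 1 < len(starts) else len(data)
    return idx, data[starts[idx]:end]

def attachment_names(raw_message):
    """Names of MIME parts that carry a filename or attachment disposition."""
    body = raw_message.split(b"\n", 1)[1]  # drop the mbox 'From ' line
    msg = email.message_from_bytes(body, policy=policy.default)
    return [p.get_filename() or "<unnamed>" for p in msg.walk()
            if p.get_filename() or p.get_content_disposition() == "attachment"]

def find_from_report(data, report_path):
    """Map a scan-report location to (message index, attachment names)."""
    idx, raw = locate_message(data, token_to_offset(report_path))
    return idx, attachment_names(raw)
```

Unnamed attachments are reported as "<unnamed>", matching the post's remark that not all MIME attachments carry a name; the message index is what you would then remove from the server-side folder.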



  • 11.  RE: How to parse "File Path" or "Original Location" in scan reports

    Posted Feb 18, 2016 11:40 PM

    Good to hear that you have figured this out one way or the other.