ACADEMIC COMPUTING and COMMUNICATIONS CENTER
 

Restoring Quarantined Mailboxes (Symantec AntiVirus vs. Eudora and other email programs)

 

There are now two problems in the way that Norton/Symantec AntiVirus works with Eudora and several other email programs including Netscape and Mozilla. The first, disappearing mailboxes, is independent of Eudora or NAV or SAV version, and applies both to Windows and Macs. The second, having your email downloads crash with an error message complaining that the Eudora spool directory doesn't exist, appears only to be a problem with Eudora for Windows and SAV version 9 and 10. (I haven't heard or seen on the Web any references to this being a problem for Macs or other email programs.) The mailbox problem is explained here. The download problem is explained in Aborted Download Problem.

Note to Mac Users: The details of the explanation for the disappearing mailbox problem are for Windows, but everything works pretty much the same on Macs. The viruses and worms that Norton AntiVirus Version 9 and 10 catches are pretty much the same on Macs too -- Windows ones. So Mac users don't generally have to worry about repairing viruses -- they just have to delete them. (Previous versions of Mac NAV didn't catch Windows viruses. Your Windows colleagues would appreciate if you upgraded to Mac NAV 9 and couldn't distribute any Windows viruses any more.)
 
   
 
     
Background
 


Most personal computer email programs store the email messages in each of your mailboxes in a single mailbox file with the file extension .mbx. For example, Eudora's In mailbox is a file called: In.mbx

When you check your email with Eudora with POP, all your new incoming email messages are written into your In.mbx file. Viruses and worms in email messages usually come as attachments, encoded for sending and delivery. You can't use an encoded attachment and it can't hurt you while it's still encoded, so it doesn't matter whether an attachment is a virus or not at that point while it's still encoded. Only when Eudora decodes the attachment and puts it in your attachment directory does Norton or Symantec AntiVirus see that it is a virus or worm and quarantine it.

But there has been some change in the way that the NAV/SAV virus definitions work that allows them to recognize viruses and worms in stored email messages. That's still not a problem for viruses, because they always come as attachments and so they probably won't be in your mailboxes, but worms sometimes arrive as part of email message bodies -- not as attachments. So you might have a worm or two in your mailboxes and NAV/SAV can now recognize them.

When the antivirus program finds a worm in a message in your In mailbox and quarantines the worm, it must quarantine the entire mailbox file. The antivirus program doesn't have any choice; it can't quarantine a single message within the file.

You will probably still have the mailbox, but it will not be where Eudora can get it. (Unless you have NAV/SAV set to automatically delete files it can't repair. Worms can't be repaired, so NAV/SAV would automatically delete your mailbox in that case. That would be a very bad thing.) So it will appear to you that your entire In mailbox has disappeared. This is not a good thing.

Turning off NAV/SAV's Realtime File Protection (NAV and SAV 8) or Auto-Protect (SAV 9) would keep this from happening, but that isn't the answer. Instead, you'll tell NAV/SAV to skip realtime file scanning for mailbox files only.

If you use Eudora with IMAP:

If you use Eudora with IMAP, you don't use your In mailbox, so you won't have the In mailbox problem. Also, most of your mailboxes are kept on the server -- your Inbox mailbox and all your other mailboxes that are under <Dominant> in the Mailboxes window. So even if one of those .mbx files were quarantined, Eudora could build them again from the copies of the email on the server, but you would have the same problem again, when the file is rebuilt. So you should do step 2, tell Norton/Symantec AntiVirus not to scan your .mbx files to protect the email that you have copied to local mailboxes and deleted from the server and to keep Eudora from having to rebuild the local copies of your other mailboxes.

If you use Netscape or another email program:

Netscape also has this problem with vanishing mailboxes, as does Mozilla, and, I'm sure, other email programs. The solution is similar, but you'll have to figure out what file extension, if any, your email program uses for mailboxes. If it doesn't use any (like Mozilla), then you'll have to exclude the entire directory the mailboxes are kept in. Not a happy solution.

 
     
Windows Solution:
 

First, make a backup of Eudora and your Eudora attachments.

The solution is actually quite simple but does require several steps to be carefully followed to avoid losing any email.

This first step will make sure that you can bring Eudora back to the way it is currently if this procedure fails.

  1. Close Eudora and make a complete backup copy of the entire folder where your Eudora email is stored. If you have a Eudora icon, right-click on it and select Properties. The target in the Target: field on the Shortcut tab is the directory where your mailboxes are stored. Or right-click on Eudora in the Start menu to get the same information.

  2. Make a backup of your Eudora attachment folder, which is often C:/Attach
    The location of the Attachment folder is a Eudora Option: Tools -> Options . . . -> Attachments

  3. Open the folder where your Eudora email is stored, rename In.mbx to In-old.mbx, and rename In.toc to In-old.toc. This will make sure that you will not lose any email you received in Eudora after your In mailbox was quarantined by Norton AntiVirus. Eudora will create a new In.mbx file as soon as it finds your old one missing, and all new email you have downloaded will be in this new In.mbx file. Renaming them will prevent them from being overwritten when you remove your old In.mbx file from quarantine.
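The three steps above as one script, added here as an example and not part of the original page. It assumes Eudora is already closed and that the backup location lies outside the mail folder; the function name and the backup folder naming are made up for illustration.

```python
import shutil
import tempfile
import time
from pathlib import Path

def prepare_for_restore(mail_dir, attach_dir, backup_root, stamp=None):
    """Back up both folders, then move the current In.mbx/In.toc aside.

    Returns (backup_dir, renamed_paths). Raises FileExistsError before
    changing anything if an In-old file is already present.
    """
    mail_dir, attach_dir = Path(mail_dir), Path(attach_dir)
    stamp = stamp or time.strftime("%Y%m%d-%H%M%S")
    backup_dir = Path(backup_root) / f"eudora-backup-{stamp}"  # hypothetical naming

    # Plan the renames first so a name clash aborts before any file moves.
    plan = []
    for name in ("In.mbx", "In.toc"):
        src = mail_dir / name
        dst = mail_dir / name.replace("In.", "In-old.")
        if dst.exists():
            raise FileExistsError(f"{dst} already exists; move it away first")
        if src.exists():
            plan.append((src, dst))

    # Steps 1 and 2: full copies of the mail and attachment folders.
    # copytree will not write into an existing directory, so an earlier
    # backup is never overwritten.
    shutil.copytree(mail_dir, backup_dir / "mail")
    shutil.copytree(attach_dir, backup_dir / "attach")

    # Step 3: free the In.mbx/In.toc names for the file coming out of quarantine.
    renamed = []
    for src, dst in plan:
        src.rename(dst)
        renamed.append(dst)
    return backup_dir, renamed

if __name__ == "__main__":
    # Constructed demo folders; replace with the real mail and attachment paths.
    root = Path(tempfile.mkdtemp())
    (root / "Eudora").mkdir()
    (root / "Attach").mkdir()
    (root / "Eudora" / "In.mbx").write_text("mail received after the quarantine")
    (root / "Eudora" / "In.toc").write_text("index")
    print(prepare_for_restore(root / "Eudora", root / "Attach", root / "backup"))
```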

Second, tell Norton/Symantec AntiVirus not to scan .mbx files.

This step is needed to prevent the mailbox you're about to restore from being quarantined again and prevent you from having the problem again.

  1. Open SAV.
  2. Click on Configure from the list of items in the left side of the SAV window.
  3. Click on File System Realtime Protection (SAV 8) or File System Auto-Protect (SAV 9).
  4. Check Exclude selected files and folders in the Options section, then click the Exclusions button.
  5. In the Exclusions dialog box, check Check file for exclusion before scanning and click the Extensions button.
  6. In the Selected Extensions box, type: mbx in the blank field, then click the Add button. MBX will be added to the list of excluded extensions.
  7. Click OK three times to return to the main SAV screen, then click Exit to close SAV.

If you have a Startup Scan or a Custom Scheduled Scan, you will have to exclude the .mbx files from them also. It's the same for either:

  1. Open SAV.
  2. Click on Custom Scans or Startup Scans in the list of items in the left side of the SAV window.
  3. Click on the name of the scan you want to exclude mailbox files from.
  4. In the Scan's main screen on the right, click the Edit... button.
  5. In the Scan box, click the Options... button.
  6. In the Scan Options window, click in the box beside Exclude files and folders and then click the Exclusions button.
  7. In the Exclusions box, click the Extensions button.
  8. In the Selected Extensions box, type: mbx in the blank field, then click the Add button. MBX will be added to the list of excluded extensions.
  9. Click OK four times to return to the Scan's main screen.
  10. Click in the white area on the left to go back to the main SAV screen, then click Exit to close SAV.

Finally, restore your quarantined In box.

  1. In SAV, from the list of items with + signs next to them in the main SAV window expand the View menu.
  2. Click on Quarantine.
  3. Scroll down through your quarantined items until you find In.mbx and click on it to highlight it.
  4. Click the Restore button. It looks like a pill bottle with an arrow pointing to a paper document, the third icon to the right of the dropdown list at the top of the Quarantine window. This will restore the In.mbx file back to the folder where SAV took it from -- the directory where your Eudora mailboxes are stored.

You should now be able to open Eudora and see all of the email that was in your In mailbox when it was quarantined. The mail you received after your In box was quarantined will be in another mailbox called In-old. If you want to move these messages back to your In mailbox, you can drag and drop them.

 
     
Mac OS X Solution:
 

If you thought that the Windows problem was bad, the Mac problem was worse. On the Mac, NAV automatically deleted the notebook if it found a worm or virus in it. According to Symantec, they have released virus definitions that have solved this problem with Mail.app (February 19, 2004) and with Entourage X/2004, Eudora 6.x, Netscape 7, and Mozilla 1.8 (June 18, 2004). So run LiveUpdate and your notebooks will be quarantined, not deleted.

Note: Norton AntiVirus for Macintosh 8.0.x and earlier only detects Mac viruses, including Word and Excel Macro viruses, which affect both Windows machines and Macs. But that doesn't include Windows-based viruses that are sent through email. Norton AntiVirus for Macintosh 9.0.x detects and repairs Windows-based viruses in Mac OS X. Good netizens will upgrade to NAV for Mac 9.0 now.

Also, if you run Virtual PC, SoftWindows, or SoftPC, which emulate the Windows environment on a Mac, you need to run Windows antivirus software in your virtual Windows OS. NAV for the Mac won't protect it. That's not a problem for anyone at UIC, because you can get NAV/SAV for Windows at no charge.

To restore your inbox from Quarantine

Symantec warns that you should restore your inbox from quarantine before you open your email program again, because your email program will recreate your In mailbox again. I don't know how you'd know that your mailbox was missing, but I suppose if you found it missing, you could move everything new out of your In mailbox and delete it, then quit.

  1. Open Norton AntiVirus for Macintosh.
  2. On the Tools Drawer on the left, click Quarantine.
  3. Click the lock to make changes.
  4. Type your password, then click OK.
  5. Click the infected inbox file that was quarantined.
  6. Click Restore.
  7. Close the Quarantine window.
  8. Quit Norton AntiVirus for Macintosh.

After you restore your In mailbox, open Eudora, find the message that had the infected file, delete it, and empty your trash. (Once you delete the infected file from your inbox, the inbox will not be deleted the next time Norton AntiVirus scans.) Look for a message that has an unknown attachment, or something else that looks strange to you. Your In mailbox probably needed pruning anyway.
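One way to narrow down which message to delete in a restored mailbox file, added here as an example and not part of the original page. It assumes Eudora's "From ???@???" separator lines and "Attachment Converted:" lines; the extension list and the sample mailbox are constructed for illustration.

```python
import re

# Assumed Eudora-style separator line ("From ???@??? <date>"); other mail
# programs use a different mbox "From " line.
SEPARATOR = re.compile(rb"^From \?\?\?@\?\?\? ", re.M)
# Names from "Attachment Converted:" lines (assumed Eudora convention) or
# from MIME name=/filename= parameters left in the message text.
ATTACH_NAME = re.compile(
    rb'(?:Attachment Converted:\s*|\b(?:file)?name=)"?([^"\r\n]+?)"?\s*$',
    re.M | re.I)
SUBJECT = re.compile(rb"^Subject:[ \t]*(.*?)\r?$", re.M)
RISKY_EXT = (".exe", ".scr", ".pif", ".com", ".bat", ".vbs")  # illustrative list

def split_messages(raw):
    """Cut the single mailbox file into its individual messages."""
    starts = [m.start() for m in SEPARATOR.finditer(raw)]
    return [raw[a:b] for a, b in zip(starts, starts[1:] + [len(raw)])]

def triage(raw):
    """Return one entry per message that names an executable-type attachment."""
    findings = []
    for number, msg in enumerate(split_messages(raw), start=1):
        names = [n.decode("latin-1").strip() for n in ATTACH_NAME.findall(msg)]
        risky = [n for n in names if n.lower().endswith(RISKY_EXT)]
        if risky:
            subject = SUBJECT.search(msg)
            findings.append({
                "message": number,
                "subject": subject.group(1).decode("latin-1") if subject else "",
                "attachments": risky,
            })
    return findings

SAMPLE = (  # constructed sample, not a real mailbox
    b"From ???@??? Mon Feb 02 09:14:07 2004\r\n"
    b"From: alice@example.edu\r\nSubject: Budget meeting\r\n\r\nSee you at 3.\r\n"
    b"From ???@??? Mon Feb 02 09:20:41 2004\r\n"
    b"From: bob@example.com\r\nSubject: Re: your document\r\n\r\n"
    b"Please see the attached file.\r\n"
    b'Attachment Converted: "C:\\Attach\\document.pif"\r\n'
    b"From ???@??? Mon Feb 02 10:02:13 2004\r\n"
    b"From: carol@example.edu\r\nSubject: Minutes\r\n\r\n"
    b'Attachment Converted: "C:\\Attach\\minutes.doc"\r\n'
)

if __name__ == "__main__":
    print(len(split_messages(SAMPLE)), "messages share one mailbox file")
    for hit in triage(SAMPLE):
        print(hit)
```

On a real mailbox, read the file in binary mode and pass its bytes to `triage`; the message number is the position of the message within the file.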

You might want to consider

Because most of the email viruses and worms are for Windows, they are not likely to harm you. You could consider turning off Automatic Repair of viruses and then dealing with the email viruses yourself.

If you turn off Automatic Repair, Norton will ask you whether you want to repair/quarantine viruses when it finds them. You can then say no when it finds viruses in your email, and you can just delete the message and, of course, empty the trash. Don't do this unless you know you'll actually delete and empty reliably. If you say yes when Norton asks you whether you want to repair a virus, it will quarantine the file with the virus rather than deleting it.

  1. On the Apple menu, click System Preferences.
  2. Under Other, click Norton Auto-Protect.
  3. Next to Automatic Repair, click Off.
    If you cannot click Off, click the padlock in the lower-left corner of the window. Type your password, and then click OK.
  4. On the System Preferences menu, click Quit.
 


2007-6-19  CSO