Anti-virus for Mozilla Thunderbird?

by Michael Alderete on 3/15/2005 · 19 comments

For many years, Rochelle used Netscape Communicator for her email. About a year and a half ago, I switched her to Mozilla Thunderbird, which is the code and user-interface successor to Communicator. For the most part it works very well, but it has one astonishing omission: its anti-virus capabilities are terrible.

This is all the more remarkable given their tagline (“Reclaim Your Inbox”), and the second sentence of their Why Use Thunderbird blurb: “We designed Thunderbird to prevent viruses and to stop junk mail so you can get back to reading your mail.” Thunderbird is positioned as the more user-centric, safer alternative to Microsoft Outlook.

For the most part, that’s well-deserved. Thunderbird isn’t riddled with security problems like Outlook, and it comes with built-in anti-spam features that are quite a bit more effective than those that are built into Outlook.

But the reality is that, even if your email client isn’t itself a security disaster waiting to happen, if you use Windows, you need anti-virus protection, because you’re definitely going to get viruses and worms and trojans in your Inbox, and once they’re in your Inbox, one wrong click and your computer is hosed. And it’s in dealing with these threats where Thunderbird falls down.

In the Thunderbird Help section, this is the only “useful” information about what to do about viruses:

As with any mail program, take proper caution before running any file that you receive in e-mail. Appropriate anti-virus software should also help keep you safer.

With a little more work, you might follow links to a third-party site with an anti-virus knowledgebase article that is by turns unusable, out of date, and a recommendation against Thunderbird. You definitely finish reading that article thinking that no major anti-virus software vendor supports Thunderbird — and you’d be right.

In Rochelle’s case, Norton Anti-Virus has corrupted her Thunderbird Inbox multiple times, causing her to lose all of her messages. (Fortunately she’s mostly using Gmail these days.) I’ve spent hours looking into this, and there is basically no good configuration for using Norton and Thunderbird together. (It does not help that Norton has a truly abysmal user interface.) I’d switch Rochelle to McAffee, except I can’t find good configuration information for that combination, either.

The worst part is the Thunderbird developers seem to take the attitude that the problem is the anti-virus software vendors’ fault. This defect was reported in 2001, and is still marked as open in their defect tracking system. After four years of end users losing email, I would think they might start to realize that they need to work with the commercial anti-virus software vendors to get compatibility.

Failing that, there are some pretty good Open Source anti-virus tools for Windows. How about incorporating one of those into Thunderbird? Or picking one to make the “official” anti-virus software to use with Thunderbird, and giving clear, complete directions for how to install and use it with Thunderbird? (I’ve read good things about ClamWin.)

I can understand the impulse to blame the anti-virus vendors for not working with Thunderbird. Technically, it is their fault. But from the perspective of a Thunderbird user, rather than developer, I just want Rochelle’s Inbox to be protected, both from incoming malware and from the scanners that do the protecting.

Right now, Thunderbird the product can’t provide that. From an end-user’s perspective, that’s Thunderbird’s fault.

Justin March 17, 2005 at 9:02 am

You might want to have a peek at Grisoft’s AVG Anti-Virus. I use their Free Edition on my WinXP machine at home and it works well with Thunderbird (and any other email client) by monitoring all the popular ports used by email, both incoming and outgoing. Norton’s home version of products has been what I personally would label as bloatware for several years now. However, the corporate version of Symantec AV which I’ve deployed on our network at work has proven to play quite nicely with Thunderbird across our desktops.

Bruce Whitfield May 15, 2005 at 12:49 am

Hi…I’ve been using Thunderbird for 2 months now having used Eudora until then….however now I am getting plagued with emails from all sorts of strange places…and my CA antivirus SW can’t find anything in my hardware. I’m submerging in the phoney emails which somehow seem to have originated from ME I guess I just have to dump Mozilla.

Jason July 6, 2005 at 5:34 am

Actually, we have the corporate version of Symantec AV on our network at work, and I can attest that it does not play nice with Thunderbird. I have 3 accounts set up, and it wiped out two of my inboxes. The email wasn’t critical, but I find it obnoxious.

Pascal Duchemin July 14, 2005 at 9:08 am

Same thing as Jason here, version 8.1 of SAV enterprise.

It’s a real pain !

ben December 14, 2005 at 8:50 am

Yeah, I’ve been using Thunderbird with linux for quite some time so viruses were not a problem. Then I started to dual boot with windows and I wanted my thunderbird email from my linux partition. The first virus scan under windows showed 20 viruses, all of them from my thunderbird inbox. I use Symantec AntiVirus, and because Thunderbird has 1 Inbox file, Symantec quarantined my entire Inbox instead of just the messages that had the infected attachments. This is totally a Thunderbird problem. All you have to do to solve it is to un-quarantine your email, but it’s still a hassle.

Jake December 22, 2005 at 9:58 am

I use Thunderbird with AVG as well, and it works seamlessly. Gotta love open source!

Alderete December 23, 2005 at 9:41 am

@Jake: Well, AVG is commercial software, so the “seamless” part of working with Thunderbird is (based on Justin’s comment) more due to open, well-specified protocols than to open source. I assume it works well with any email client that uses POP and SMTP, etc.

@Justin: Doesn’t the free edition of AVG add a little advertisement to the bottom of your email messages? A friend of mine (who uses Eudora with AVG) has stuff like this at the bottom of her messages:

-- No virus found in this outgoing message. Checked by AVG Anti-Virus. Version: 7.0.308 / Virus Database: 266.8.1 - Release Date: 3/23/2005

To me, that’s completely unacceptable. I see enough advertising already, and I am actively trying to get it out of my life, not add more into it.

Denis January 13, 2006 at 10:17 am

you can switch off the avg ad on avg free

jimbob February 9, 2006 at 8:31 am

I agree with Alderete in that you shouldn’t have to have stupid little advertisments pasted onto the end of your emails, but I believe that in both the AVG and Avast! free virus scanners, you can turn this option off (which I do). An additional benefit of turning AV-adverts off is that people can’t target your machine with exploits specifically designed to circumvent those particular virus-scanners, because the lack of adverts makes it look like they’re not there.

BTW AVG and Avast! both work seamlessly for pop3 and imap mail with Thunderbird, Pooka, Columba, Opera, Outlook, and Outlook Express. It’s not difficult to work with Thunderbird, - these two companies did it easily enough. Avast! intelligently knows about Mozilla mailboxes, and can scan and clean individual messages within them.

If you are a pop3 user you could also try clammail (search sourceforge for it), which works nicely with Thunderbird, if you want to be completely open-source…

rob2xx2 September 18, 2006 at 1:11 am

First, in reply to the comments about the AVG “adverts” - I believe these are not adverts but the certification that AVG has checked the mails. If you click on Email scanner properties in AVG, and configure the email scanner, uncheck the boxes labelled “Certify mail” for the incoming and outgoing mail and the messages disappear. These are user choices not adverts (IMHO).

Second, I’ve been using AVG and Thunderbird very well together for a couple of years with no problems such as losing inboxes. However from time to time the email scanner sets itself (or is set by something else) to “not fully functional” and Thunderbird cannot retrieve messages from the server. It seems to want to ignore my ADSL modem and tries to open a dial-up connection that I have installed for those times when I’m on the road and need to use an ordinary phone line. After hours of trying to sort this out I’m not much wiser. The browser connection works fine.

Wes October 2, 2006 at 4:42 pm

I have used SAV Corporate versions 9 and up with Thunderbird for several years with no problems. My mother was switched to AVG free by her local computer support guy after a nasty attachment slipped past the Norton home version and hosed her system. Now AVG is seemingly stripping out all of her attachments and leaving that little signature behind. She believes me when I tell her that its not Thunderbird’s fault (I switched her to TB less than a year ago) but I know most other people wouldn’t hesitate to blame the open source software. I know many, many people who are just waiting for the first thing to go wrong after switching some software to open source, so they can say “See! We should switch back to MS.”

It is important for developers, especially in this crucial stage of adoption/transition, to “make it work” for the end user. Just don’t let it get out of hand. MS, as much as it pains me to say, knew this and did it very well. They just don’t know when to quit, ie has anything from MS ever been ‘final’?

Trapper July 31, 2007 at 4:42 am

The problem with virus checking in Thunderbird is actually not Thunderbird. It the strategy you are using to scan for email viruses. The idea is to scan your email “before” it hits your inbox. You do this by setting up your virus program to scan all incoming email and disable the program from scanning the actual Thunderbird folders. This is not something particular to T-Bird. You need to do this with any email client that saves email as a continuous file rather than individual files. Most quality email progs use this format these days.

If your antivirus program doesn’t have a function to scan email as it’s downloaded and prior to hitting your inbox, get a real antivirus solution that does.

Let’s not be bad mouthing Thunderbird for something you are not doing appropriately in the situation you have.

Alderete August 14, 2007 at 10:07 am

@Trapper: I disagree, and strongly enough to write an entire post about it: “Thunderbird still doesn’t ‘get’ anti-virus protection”:/blog/593.

Ted Doyle October 15, 2007 at 7:27 pm

I can’t believe this debate is till going on as late as August 2007. There is a number of ways to render Thunderbird bulletproof, and the most important was spelt out in the post by Trapper.

As a network admin who spends a fair bit of his life removing, no, wrenching, one particular piece of so called “network security” bloatware from malfunctioning windows boxes, I say clamwin and thunderbird, AVG and thunderbird, F-secure etc etc etc all play nice.

Trapper is right. You are wrong. However the Open source community needs to spend more time addressing the needs of windoze users for spoon feeding. Open Source stuff like mozilla products, clamwin and so forth, need to do what they say on the tin without ANY knowledge on the part of the installer.

The problem arises when the approach is geekstreet: absolutely plain vanilla install and then add a whole bunch of increasingly esoteric add-ons to gain full functionality.

It mayhaps needs to be, instead, main street: absolutely every option on install, and the option to sqwark to a help desk to reduce these if required.


brian clare November 19, 2007 at 11:36 am

Why all this debate about Symantec!!! Why not use a real product (In your workplace that is) Sophos AV products. I retired in April this year, after using their AV for 7 years. NOT ONE issue on any of the servers, desktops on multiple sites over VPN. The engineers laptops used the ‘remote’ version - no probs.

Miguel November 29, 2007 at 12:49 pm

Sorry but AVG is not open source, it’s free, there is a big difference. However it is good to have good free alternatives that works with TB

Nuzman December 5, 2007 at 6:29 pm

Okay, by Symantec locking out e-mails and files, how is that Mozilla’s problem? This is obviously a crappy anti-virus. aying it’s “totally” a Mozilla problem is just plain stupid. If none of the AV developers want to make integrations into the client, how is that the client developer’s fault? Mozilla has always provided very clear and simple documentation for writing modules and add-ons to their applications, so frankly the whole lot of you are freakin’ morons if you think this is somehow magically Mozilla’s fault.

M25 January 7, 2008 at 11:04 pm

To my knowledge AVG (free) doesn’t support IMAP scanning.

Alderete January 8, 2008 at 9:30 am

@Nuzman: I love your comment, because it perfectly illustrates the all-too-common attitude of Open Source zealots. You didn’t actually read the original post, or if you did, all you actually processed was the final line, criticizing Thunderbird, and reacted.

If you read the post (which was written in early 2005), it’s clear I wasn’t happy with Norton either, and I never wrote that the problem was totally Thunderbird’s fault.

But there are plenty of things that are Thunderbird and the Mozilla Organization’s fault. That the description of Thunderbird (at that time) clearly stated it was designed to stop viruses and malware in the Inbox: who’s fault? That there is no built-in or official anti-virus system: who’s fault? That there was no good documentation for this topic: who’s fault?

Open Source developers all too often take the attitude that if it is possible to resolve the issue in the software, then any issues are the fault of the user, not the software, no matter how hard it is for normal people to actually resolve the issue. And, as Nuzman does above, they express that blame quite strongly, in a way that will turn most people off. No wonder Thunderbird doesn’t have the market share that even Firefox does.

Remember the old Avis (rental car) commercials? “We’re #2, so we try harder.” Thunderbird isn’t even #2 in the email client space. How much harder should it be trying?

Comments on this entry are closed.

Previous post:

Next post: