Security Cloud 20 Free & Thunderbird E-mail Client

As further information. In Kaspersky Network Settings Mozilla Firefox and Thunderbird - Scan secure traffic in Mozilla applications is  ticked and Use Windows certificate store (recommended) is also ticked.

Thank you.

Hello @Thoughts,

as you can see, your question is not easy to answer.

Some AV manufacturers use a specific URL, which is stored in their signatures for testing purposes as a phishing site. Other AVs do not recognize the site because it is not dangerous.
Can you provide us with the URL you used for testing?

Addendum:

please try

http://www.kaspersky.com/test/aphish_h

...then there could be a problem with scanning encrypted connections of TB.
Unfortunately I can't check this until tomorrow, hopefully another user will have a solution by then.

Tests and images as requested.

Image 1 below - Kaspersky Phishing Test URL opened in Thunderbird browser (detected and blocked)

Image 1 above - Kaspersky Phishing Test URL opened in Thunderbird browser (detected and blocked)

Image 2 below - AMTSO Phishing Test URL opened in Thunderbird browser (not detected or blocked)

Image 3 below - Kaspersky Phishing Test URL sent as e-mail with URL in both subject line and body of e-mail. As you can see (along with the AMTSO URL e-mail below it) neither were marked as spam.

The two tabs you see next to Calendar in Image 3 (Kaspersky Security Cloud & Feature Settings Check - Ph...) are the two web pages of the Thunderbird browser showing the blocked page from the Kaspersky URL and the unblocked page from the AMTSO URL.

If the AMTSO and Kaspersky URLs are opened in Firefox browser, both are correctly detected and blocked.

Also attached is the Web Report exported from Kaspersky Security Cloud. As you will see Kaspersky AV detects the Kaspersky Phishing URL in both Thunderbird and Firefox. The AMTSO Phishing URL is ‘only’ detected in Firefox it is never detected within the Thunderbird app.

The fact Kaspersky’s Phishing test URL is detected and blocked, if opened in Thunderbird’s browser, is reassuring. I’m just concerned about the non-detection of either e-mail as SPAM and that the AMTSO Phishing test URL is not detected in Thunderbird at all. Shulte mentioned that certain test URL’s are not detected because the AV system doesn’t consider them dangerous (which makes sense) and maybe the AMTSO is one such URL (but it was still detected in Firefox).

As a further test I also sent the test e-mails from unconnected accounts (just to ensure ‘e-mailing myself’ was not a factor) and in every case the Phishing e-mails were ‘not’ marked as spam. As further information Kaspersky Security Cloud was active at all times and had been updated. Also no VPNs were active during testing.

Is there anything I should/could do to ensure phishing e-mails are marked as spam? And is there a reason why Kaspersky detects the AMTSO phishing test URL correctly in Firefox but not in Thunderbird?

Thanks again for any help.

Thunderbird 68.9.0 [64Bit] - Latest standard release version from Thunderbird.net. If you look at the first and second images you will see the web pages are displayed ‘within’ Thunderbird itself. Thunderbird has its own in-built web browser (since the beginning I believe) and you are now able to open web pages in Thunderbird’s tabs. Thunderbird was listed in the Web report I attached and each instance was me opening a web page tab. Receiving the phishing test e-mails were not detected by Kaspersky. 

As mentioned; the odd thing is the Kaspersky Phishing test URL ‘is’ detected within Thunderbird (web page), as well as Firefox, whereas the AMTSO Phishing URL is ‘only’ detected in Firefox.

It would seem Security Cloud ‘is’ seeing the web page URL in Thunderbird (for it to block the Kaspersky URL) but the AMTSO URL isn’t triggering it for some reason.

Do you know of any other non-Kaspersky phishing test URLs I could try? If they behave the same as Kaspersky it would point to the AMTSO URL being the reason. If other phishing test URL’s (you know should be detected) are also ignored in Thunderbird it might narrow things down.  

Thanks again for any help.

Hello Igor

As an update I today re-tested all AMTSO tests in the Thunderbird embedded browser and of the two previously failed tests, Phishing and Drive by, the Drive by test is now correctly detected. This just leaves the phishing page test as the sole AMTSO test not detected by Security Cloud from within the Thunderbird embedded browser.

Regards Thoughts.

Hello Flood

Thank you, I was aware. As mentioned in an earlier post Thunderbird has its own in-built web browser so pages can be viewed completely ‘within’ Thunderbird (as a new tab) rather than needing to switch to an external third party browser.

If Thunderbird’s in-built browser is used, Security Cloud will correctly detect every AMTSO malware test with the sole exception of the Phishing page test.

Below is a copy of the image I posted earlier showing the unblocked AMTSO phishing page as seen within the Thunderbird browser. I tested this again today.

As you can see web pages are opened as tabs directly ‘within’ Thunderbird. FYI, as mentioned in an earlier post, if Kaspersky’s Phising Page test is opened in Thunderbird it ‘is’ correctly detected by Security Cloud. It’s purely the AMTSO Phishing Page test that Security Cloud fails to detect in the Thunderbird browser.

Regards. Thoughts

Hello Flood

Simply use the Thunderbird BrowseInTab extension and web pages open, as a tab, within Thunderbird’s own in-built browser. Nothing is further modified it’s simply using Thunderbird’s standard in-built browser, the same browser it uses to display all content.

https://addons.thunderbird.net/en-US/thunderbird/addon/browseintab/?src=search

As previously mentioned it is solely the AMTSO Phishing page test, Security Cloud doesn’t detect in Thunderbird. Every other AMTSO test and the Kaspersky Phishing page test are correctly detected by Security Cloud in Thunderbird’s browser.

Regard. Thoughts.

Hello Flood

Appreciate your comment, I’ll leave it with the team.

Happy to close this thread.

Regards. Thoughts.

Hi Flood,

Bug 4401418, waiting for analysis by RnD team.