Kaspersky
Question

Security Cloud 20 Free & Thunderbird E-mail Client


Userlevel 2
Badge

Kaspersky Security Cloud 20.0.14.1085k

Windows 10 Pro 1909 64Bit

Thunderbird 68.9.0 64Bit

Web pages can be viewed within the Thunderbird e-mail client, but if I browse to a phishing test page it shows phishing protection is not active. I have the browser extensions for Chrome and Firefox which all operate correctly. Is Kaspersky URL / phishing protection configurable for Thunderbird?

Could you also please clarify if, with the default Kaspersky Security Cloud Mail Anti-Virus settings, my e-mails via Thunderbird, are protected? Or do I need to configure the system further? Scan Pop3 and IMAP Traffic is ticked. Allow antivirus clients to quarantine individual e-mail messages is also ticked in Thunderbird.

On the Kaspersky help pages it states - When the Recommended security level is set, Mail Anti-Virus scans incoming and outgoing messages and attached archives, and performs heuristic analysis with the Medium scan level of detail.

Is Security Cloud analyzing URLs within  a received  e-mail (phishing etc.)? Or is it purely analyzing for malware?

Thank you.


10 replies

Userlevel 2
Badge

As further information. In Kaspersky Network Settings Mozilla Firefox and Thunderbird - Scan secure traffic in Mozilla applications is  ticked and Use Windows certificate store (recommended) is also ticked.

Thank you.

Userlevel 2
Badge

Is anyone able to help?

My second post was only providing further details of my set up, not an answer.

The key questions are:

Is my Kaspersky set up correctly for Thunderbird? (I’ve read the help pages)

Am also I protected from phishing e-mails received through Thunderbird?

Is Kaspersky URL / phishing protection configurable for Thunderbird’s in-built web browser? There doesn’t seem to be a Thunderbird extension and test phishing pages are not detected as they are with Firefox.

Any help gratefully received, thank you.

Userlevel 7
Badge +7

Hello @Thoughts,

as you can see, your question is not easy to answer.

Some AV manufacturers use a specific URL, which is stored in their signatures for testing purposes as a phishing site. Other AVs do not recognize the site because it is not dangerous.
Can you provide us with the URL you used for testing?

Addendum:

please try

http://www.kaspersky.com/test/aphish_h

 

Userlevel 2
Badge

The phishing test page I used was: https://www.amtso.org/check-desktop-phishing-page/

If URL is pasted into Firefox (with Kaspersky extension) it is correctly detected and blocked by Kaspersky . If I open the same URL within the Thunderbird browser it’s not detected and opens to the page explaining phishing protection is not configured. As a further test I e-mailed the link to myself and the e-mail was received without a warning and if I clicked on the link, opening it within Thunderbird, it again wasn’t detected or blocked. Only if I opened the link using Firefox was the link correctly detected.

Below is a screen capture of the Web Antivirus warning generated within Firefox.

 

Below is the displayed page when I open the same URL in Thunderbird.

 

 

My concern is phishing detection/protection is not currently fully operational within Thunderbird.

As an update I tested the URL in your comment and that was detected by Kaspersky if opened within Thunderbird.

I look forward to any assistance you may be able to provide.

Thank you.

Userlevel 7
Badge +7

 

As an update I tested the URL in your comment and that was detected by Kaspersky if opened within Thunderbird.

 

...then there could be a problem with scanning encrypted connections of TB.
Unfortunately I can't check this until tomorrow, hopefully another user will have a solution by then.

Userlevel 7
Badge +8

Hello @Thoughts,

To add to @Schulte’s advice:

  • There are no Kaspersky Protection extensions for Thunderbird. 
  • Both links: Kaspersky-aphish_h &  amtso-phishing-page, when emailed to Thunderbird, are detected by Kaspersky & marked as [!! SPAM]

 

 

  • The result for both links, when opened in Thunderbird, from the received emails, invoke the default web browser for the operating system with the following result

 

 

 

  • Furthermore, Web Anti-Virus Report, shows the detections & blocks - see attached report

Please show us images of:

:a:I tested the URL in your comment and that was detected by Kaspersky if opened within Thunderbird.”?

:b: Emails received by Thunderbird, with both links? 

Please post back?

Thank you:pray_tone3:

Flood:whale:

Userlevel 2
Badge

Tests and images as requested.

Image 1 below - Kaspersky Phishing Test URL opened in Thunderbird browser (detected and blocked)

Image 1 above - Kaspersky Phishing Test URL opened in Thunderbird browser (detected and blocked)

 

Image 2 below - AMTSO Phishing Test URL opened in Thunderbird browser (not detected or blocked)


Image 2 AMTSO Phishing Test URL opened in Thunderbird browser (not detected or blocked)
 

Image 3 below - Kaspersky Phishing Test URL sent as e-mail with URL in both subject line and body of e-mail. As you can see (along with the AMTSO URL e-mail below it) neither were marked as spam.

The two tabs you see next to Calendar in Image 3 (Kaspersky Security Cloud & Feature Settings Check - Ph...) are the two web pages of the Thunderbird browser showing the blocked page from the Kaspersky URL and the unblocked page from the AMTSO URL.


Image 3 Kaspersky Phishing Test URL sent as e-mail with URL in both subject line and body of e-mail.
 

If the AMTSO and Kaspersky URLs are opened in Firefox browser, both are correctly detected and blocked.

Firefox AMTSO URL
Firefox Kaspersky URL

Also attached is the Web Report exported from Kaspersky Security Cloud. As you will see Kaspersky AV detects the Kaspersky Phishing URL in both Thunderbird and Firefox. The AMTSO Phishing URL is ‘only’ detected in Firefox it is never detected within the Thunderbird app.

The fact Kaspersky’s Phishing test URL is detected and blocked, if opened in Thunderbird’s browser, is reassuring. I’m just concerned about the non-detection of either e-mail as SPAM and that the AMTSO Phishing test URL is not detected in Thunderbird at all. Shulte mentioned that certain test URL’s are not detected because the AV system doesn’t consider them dangerous (which makes sense) and maybe the AMTSO is one such URL (but it was still detected in Firefox).

As a further test I also sent the test e-mails from unconnected accounts (just to ensure ‘e-mailing myself’ was not a factor) and in every case the Phishing e-mails were ‘not’ marked as spam. As further information Kaspersky Security Cloud was active at all times and had been updated. Also no VPNs were active during testing.

Is there anything I should/could do to ensure phishing e-mails are marked as spam? And is there a reason why Kaspersky detects the AMTSO phishing test URL correctly in Firefox but not in Thunderbird?

Thanks again for any help.

Userlevel 7
Badge +8

Hello @Thoughts,

You’re most welcome:slight_smile: !

  • To clear up any confusion, please clarify what is meant by Thunderbird browser
  • Please provide the Thunderbird browser full name, version & source

Thank you:pray_tone3:

Flood:whale:

Userlevel 2
Badge

Thunderbird 68.9.0 [64Bit] - Latest standard release version from Thunderbird.net. If you look at the first and second images you will see the web pages are displayed ‘within’ Thunderbird itself. Thunderbird has its own in-built web browser (since the beginning I believe) and you are now able to open web pages in Thunderbird’s tabs. Thunderbird was listed in the Web report I attached and each instance was me opening a web page tab. Receiving the phishing test e-mails were not detected by Kaspersky. 

As mentioned; the odd thing is the Kaspersky Phishing test URL ‘is’ detected within Thunderbird (web page), as well as Firefox, whereas the AMTSO Phishing URL is ‘only’ detected in Firefox.

It would seem Security Cloud ‘is’ seeing the web page URL in Thunderbird (for it to block the Kaspersky URL) but the AMTSO URL isn’t triggering it for some reason.

Do you know of any other non-Kaspersky phishing test URLs I could try? If they behave the same as Kaspersky it would point to the AMTSO URL being the reason. If other phishing test URL’s (you know should be detected) are also ignored in Thunderbird it might narrow things down.  

 

Thanks again for any help.

Userlevel 7
Badge +2

Hi @Thoughts, can you record product traces with this situation: “Thunderbird browser showing the unblocked page from the AMTSO URL.”, submit a ticket to technical support via my.kaspersky.com and send me the Incident number via private message? 

How to collect traces: 

https://support.kaspersky.com/15043

  • enable traces
  • restart Kaspersky  product (exit and start again)
  • reproduce the issue once (open AMTSO URL in Thunderbird browser)
  • stop traces

Reply / Ответить