Security Cloud 20 Free & Thunderbird E-mail Client


Posted

Kaspersky Security Cloud 20.0.14.1085k

Windows 10 Pro 1909 64Bit

Thunderbird 68.9.0 64Bit

Web pages can be viewed within the Thunderbird e-mail client, but if I browse to a phishing test page it shows phishing protection is not active. I have the browser extensions for Chrome and Firefox which all operate correctly. Is Kaspersky URL / phishing protection configurable for Thunderbird?

Could you also please clarify if, with the default Kaspersky Security Cloud Mail Anti-Virus settings, my e-mails via Thunderbird are protected? Or do I need to configure the system further? Scan POP3 and IMAP Traffic is ticked. Allow antivirus clients to quarantine individual e-mail messages is also ticked in Thunderbird.

On the Kaspersky help pages it states - When the Recommended security level is set, Mail Anti-Virus scans incoming and outgoing messages and attached archives, and performs heuristic analysis with the Medium scan level of detail.

Is Security Cloud analyzing URLs within a received e-mail (phishing etc.)? Or is it purely analyzing for malware?

Thank you.

Posted

As further information: in Kaspersky Network Settings, Mozilla Firefox and Thunderbird - Scan secure traffic in Mozilla applications is ticked and Use Windows certificate store (recommended) is also ticked.

Thank you.

Posted

Is anyone able to help?

My second post was only providing further details of my set up, not an answer.

The key questions are:

Is my Kaspersky set up correctly for Thunderbird? (I’ve read the help pages)

Am I also protected from phishing e-mails received through Thunderbird?

Is Kaspersky URL / phishing protection configurable for Thunderbird’s in-built web browser? There doesn’t seem to be a Thunderbird extension and test phishing pages are not detected as they are with Firefox.

Any help gratefully received, thank you.

Posted

Hello @Thoughts,

as you can see, your question is not easy to answer.

Some AV manufacturers use a specific URL, which is stored in their signatures for testing purposes as a phishing site. Other AVs do not recognize the site because it is not dangerous.
Can you provide us with the URL you used for testing?

Addendum:

please try

http://www.kaspersky.com/test/aphish_h

 

Posted

The phishing test page I used was: https://www.amtso.org/check-desktop-phishing-page/

If the URL is pasted into Firefox (with Kaspersky extension) it is correctly detected and blocked by Kaspersky. If I open the same URL within the Thunderbird browser it’s not detected and opens to the page explaining phishing protection is not configured. As a further test I e-mailed the link to myself and the e-mail was received without a warning and if I clicked on the link, opening it within Thunderbird, it again wasn’t detected or blocked. Only if I opened the link using Firefox was the link correctly detected.

Below is a screen capture of the Web Antivirus warning generated within Firefox.

 

Below is the displayed page when I open the same URL in Thunderbird.

 

 

My concern is phishing detection/protection is not currently fully operational within Thunderbird.

As an update I tested the URL in your comment and that was detected by Kaspersky if opened within Thunderbird.

I look forward to any assistance you may be able to provide.

Thank you.

Posted

 

“As an update I tested the URL in your comment and that was detected by Kaspersky if opened within Thunderbird.”

 

...then there could be a problem with scanning encrypted connections of TB.
Unfortunately I can't check this until tomorrow, hopefully another user will have a solution by then.

Flood and Flood's wife
Posted

Hello @Thoughts,

To add to @Schulte’s advice:

  • There are no Kaspersky Protection extensions for Thunderbird. 
  • Both links: Kaspersky-aphish_h & amtso-phishing-page, when emailed to Thunderbird, are detected by Kaspersky & marked as [!! SPAM]

 

 

  • The result for both links, when opened in Thunderbird, from the received emails, invoke the default web browser for the operating system with the following result

 

 

 

  • Furthermore, Web Anti-Virus Report, shows the detections & blocks - see attached report

Please show us images of:

🅰 “I tested the URL in your comment and that was detected by Kaspersky if opened within Thunderbird.”?

🅱 Emails received by Thunderbird, with both links? 

Please post back?

Thank you🙏

Flood🐳

Posted

Tests and images as requested.

Image 1 below - Kaspersky Phishing Test URL opened in Thunderbird browser (detected and blocked)

 

Image 2 below - AMTSO Phishing Test URL opened in Thunderbird browser (not detected or blocked)


 

Image 3 below - Kaspersky Phishing Test URL sent as e-mail with URL in both subject line and body of e-mail. As you can see (along with the AMTSO URL e-mail below it) neither were marked as spam.

The two tabs you see next to Calendar in Image 3 (Kaspersky Security Cloud & Feature Settings Check - Ph...) are the two web pages of the Thunderbird browser showing the blocked page from the Kaspersky URL and the unblocked page from the AMTSO URL.


 

If the AMTSO and Kaspersky URLs are opened in Firefox browser, both are correctly detected and blocked.

Firefox AMTSO URL
Firefox Kaspersky URL

Also attached is the Web Report exported from Kaspersky Security Cloud. As you will see, Kaspersky AV detects the Kaspersky Phishing URL in both Thunderbird and Firefox. The AMTSO Phishing URL is ‘only’ detected in Firefox; it is never detected within the Thunderbird app.

The fact Kaspersky’s Phishing test URL is detected and blocked, if opened in Thunderbird’s browser, is reassuring. I’m just concerned about the non-detection of either e-mail as SPAM and that the AMTSO Phishing test URL is not detected in Thunderbird at all. Schulte mentioned that certain test URLs are not detected because the AV system doesn’t consider them dangerous (which makes sense) and maybe the AMTSO is one such URL (but it was still detected in Firefox).

As a further test I also sent the test e-mails from unconnected accounts (just to ensure ‘e-mailing myself’ was not a factor) and in every case the Phishing e-mails were ‘not’ marked as spam. As further information Kaspersky Security Cloud was active at all times and had been updated. Also no VPNs were active during testing.

Is there anything I should/could do to ensure phishing e-mails are marked as spam? And is there a reason why Kaspersky detects the AMTSO phishing test URL correctly in Firefox but not in Thunderbird?

Thanks again for any help.

Flood and Flood's wife
Posted

Hello @Thoughts,

You’re most welcome🙂 !

  • To clear up any confusion, please clarify what is meant by Thunderbird browser
  • Please provide the Thunderbird browser full name, version & source

Thank you🙏

Flood🐳

Posted

Thunderbird 68.9.0 [64Bit] - Latest standard release version from Thunderbird.net. If you look at the first and second images you will see the web pages are displayed ‘within’ Thunderbird itself. Thunderbird has its own in-built web browser (since the beginning I believe) and you are now able to open web pages in Thunderbird’s tabs. Thunderbird was listed in the Web report I attached and each instance was me opening a web page tab. Receiving the phishing test e-mails were not detected by Kaspersky. 

As mentioned; the odd thing is the Kaspersky Phishing test URL ‘is’ detected within Thunderbird (web page), as well as Firefox, whereas the AMTSO Phishing URL is ‘only’ detected in Firefox.

It would seem Security Cloud ‘is’ seeing the web page URL in Thunderbird (for it to block the Kaspersky URL) but the AMTSO URL isn’t triggering it for some reason.

Do you know of any other non-Kaspersky phishing test URLs I could try? If they behave the same as Kaspersky it would point to the AMTSO URL being the reason. If other phishing test URLs (you know should be detected) are also ignored in Thunderbird it might narrow things down.

 

Thanks again for any help.

Igor Kurzin
Posted

Hi @Thoughts, can you record product traces with this situation: “Thunderbird browser showing the unblocked page from the AMTSO URL.”, submit a ticket to technical support via my.kaspersky.com and send me the Incident number via private message? 

How to collect traces: 

https://support.kaspersky.com/15043

  • enable traces
  • restart Kaspersky product (exit and start again)
  • reproduce the issue once (open AMTSO URL in Thunderbird browser)
  • stop traces

3 weeks later...

Posted

Hello Igor

As an update I today re-tested all AMTSO tests in the Thunderbird embedded browser and of the two previously failed tests, Phishing and Drive by, the Drive by test is now correctly detected. This just leaves the phishing page test as the sole AMTSO test not detected by Security Cloud from within the Thunderbird embedded browser.

Regards Thoughts.

Flood and Flood's wife
Posted

Hello @Thoughts,

Welcome back!

FYI, when we open any links in TB, they open the system default browser.

Test result of Phishing page link, accessed from an email in TB mail client

 

Thank you🙏

Flood🐳

Posted

Hello Flood

Thank you, I was aware. As mentioned in an earlier post Thunderbird has its own in-built web browser so pages can be viewed completely ‘within’ Thunderbird (as a new tab) rather than needing to switch to an external third party browser.

If Thunderbird’s in-built browser is used, Security Cloud will correctly detect every AMTSO malware test with the sole exception of the Phishing page test.

Below is a copy of the image I posted earlier showing the unblocked AMTSO phishing page as seen within the Thunderbird browser. I tested this again today.

AMTSO Phishing Page Within Thunderbird Browser

As you can see, web pages are opened as tabs directly ‘within’ Thunderbird. FYI, as mentioned in an earlier post, if Kaspersky’s Phishing Page test is opened in Thunderbird it ‘is’ correctly detected by Security Cloud. It’s purely the AMTSO Phishing Page test that Security Cloud fails to detect in the Thunderbird browser.

Regards. Thoughts

Flood and Flood's wife
Posted

Hello @Thoughts,

We’ve read everything you’ve written, more than once. 

As mentioned in our earlier replies, when we use TB, it always opens the system default browser, there is no TB in-built web browser.

Thank you🙏

Flood🐳

Posted

Hello Flood

Simply use the Thunderbird BrowseInTab extension and web pages open, as a tab, within Thunderbird’s own in-built browser. Nothing is further modified; it’s simply using Thunderbird’s standard in-built browser, the same browser it uses to display all content.

https://addons.thunderbird.net/en-US/thunderbird/addon/browseintab/?src=search

 

As previously mentioned it is solely the AMTSO Phishing page test, Security Cloud doesn’t detect in Thunderbird. Every other AMTSO test and the Kaspersky Phishing page test are correctly detected by Security Cloud in Thunderbird’s browser.

 

Regards. Thoughts.

Flood and Flood's wife
Posted

Hello @Thoughts,

An “addon”, not standard.

browseintab →  “Open and browse any link in a Thunderbird content tab.” 

Content tab & browser are very different. 

If Mozilla/TB had a TB browser, that’s what they’d call it → TB browser. 

Regarding your repeated statements: we know.

Thank you🙏

Flood🐳

Posted

Hello Flood

Appreciate your comment, I’ll leave it with the team.

Happy to close this thread.

 

Regards. Thoughts.

 

6 months later...

Posted

Hi Flood,

Bug 4401418, waiting for analysis by RnD team.

Posted

Hi

Thank you for guiding. There will we great help.
