Does Windows Defender Play well with TB?

  • 6 replies
  • 1 has this problem
  • 88 views
  • Last reply by ArtKendall

more options

In response to my post about messages arriving that had blank subjects and 1969 dates, someone suggested that I exclude the folder with my profile from scanning by Windows Defender in 8.1.

I tried this and it did not work at first but now with TB 31.0 I did not get a weird message with no subject when I did <get messages> on a single message.

I am very uncomfortable about not scanning incoming mail and would like to hear what others think about this.

All Replies (6)

more options

What exact benefit do you expect from scanning incoming messages?

more options

Perhaps I misunderstand how malware gets propagated. I thought that the two main ways were (1) downloading from sites on the web (2) mail attachments (3) bogus links in spam etc.

Although it was many years ago, I was given to understand that Outlook was a major target of malware writers.

Is this a misunderstanding?

more options

I wrote a long reply to this yesterday and the forum lost it. So I will try again today.

Look at what you just identified as sources of a virus. None of them are email other than attachments and they are not really email either.

Let me explain.

Links in email are opened in your browser, just as links from your desktop or links in a document that comes on a thumb drive are opened in a browser. So the issue with links is not "Is my mail scanned?"; the issue is "Is my anti virus up to protecting my browsing?" That is your call, but my personal opinion is that none of them are, but they mostly do a pretty good job. (Chrome and Firefox browsers also use a Google bad locations list, so they are perhaps even safer.)

Mail attachments move around the web as text. The original mail specification was for text, and subsequent enhancements that allow attachments have not changed that basic requirement. So when you add an attachment the file is converted to text (and grows about 60% in the process). When Thunderbird gets an email with an attachment it places a pane for attachments and puts a name in the pane, but the file really does not exist. It is this encoded text stream in the email body. Does it contain a virus? The only way to know is to convert this text back into a binary file.

Now your anti virus program intercepts the mail coming in (in some packages, not Defender apparently), decodes the MIME attachment, scans the binary file and allows the mail to proceed (in theory), and Thunderbird stores this MIME encoded file as part of the email.

When you click on the attachment and select to open it, Thunderbird decodes the file into its binary source. Thunderbird builds the file but can not open the file. It has no idea really what the file is or what to do with it other than write it to the temp folder and then ask the registered helper application to do something with it.

Now your anti virus program is scanning file changes, so writing this file to the temp folder will draw attention and a scan. Then the helper application (say Word) opens the file. It is only at this point that, say, a rogue macro in a doc file can execute, and the file has been scanned and Word has warned you the file has macros and asked whether you want them to run. Rogue macro execution is the result of stupidity or a truly blonde moment.

Even if the attachment is executable, it has been scanned upon creation in the temp folder.

Downloading from sites on the web. Not as risky as we are led to believe. Simply browsing the web is about as risky.

You download a program from the web. Your anti virus scans the data stream, it scans the file when it is written, you open the file to run it and your anti virus screams again.

Far more insidious are DNS poisoning, drive-by downloads, where all you do is visit an infected site (which might be yahoo.com or Microsoft.com. Not likely, but possible), and those that find you, such as SynoLocker http://www.anandtech.com/show/8337/synology-advises-users-of-synolocker-ransomware. Of those three, DNS poisoning is not detected by anti virus, nor are attacks that target unprotected devices. (No one has anti virus software running on their NAS.) Most home users do not even know it is a fully fledged PC with an operating system.

Outlook is a target. Thunderbird largely mitigates attacks in the body of an email as it simply does not allow scripts in email to run. The result is Google Maps buttons do not work and many logs emailed by routers will not expand, but nor can malware get a foothold as soon as you open the mail. Likewise Flash does not run in email (it can in RSS feeds).

Microsoft listened to their customers. They wanted convenient, they wanted simple and they wanted pretty. Unfortunately convenient and simple basically are diametrically opposed to security. Outlook in the early part of this century, along with Outlook Express, led the field in convenient, simple and pretty. Unfortunately, to allow that cursor that turned into a star for the grandchildren's birthday, a script is needed. That + and _ button that expanded parts of the mail needed a script as well. This other bit used an OCX file (a full blown Windows program). So the user got what they wanted, and the spammers and malware writers had a field day. Open a mail from them and you got more contagions than a plague cemetery. Microsoft have spent a decade trying to back away from the laissez-faire of the Windows 95/2000 era but are still having trouble because their customers still want what they wanted in the first place: simple and convenient. Recall the mess that was UAC in Vista. Microsoft were crucified. Unfortunately the reality was too little too late. But Windows 7 came with less. They reduced security.

So yes, Outlook was and is targeted; one reason is that it was the market leader, and therefore you get more hits than on another target. But also because the Microsoft mail client will have the least security that Microsoft think the industry and customer will let them get away with.

The other reason security is low is Internet service providers. They set their mail in the same way, minimum security. Security means more support calls so greater operating costs.

I once asked in a consultants forum why all business email was not encrypted (S/MIME). The answers I got basically sum up as "the average mail user in business is too stupid to use it", and they had no intention of holding the hands of these people when every email they send failed. Their clients would not tolerate the added support costs.
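The reply above describes an attachment as encoded text inside the stored message that has to be converted back to binary before it can be scanned. The following is an added example, not part of the original post: it builds a constructed message with Python's standard `email` package and compares a byte search over the stored text with a search over the decoded attachment. The marker string, addresses and file name are constructed placeholders.

```python
from email import message_from_bytes, policy
from email.message import EmailMessage

# Constructed, harmless stand-in for a byte signature a scanner looks for.
MARKER = b"CONSTRUCTED-TEST-MARKER-0001"


def build_stored_message():
    """Return a message as it sits on disk: headers plus MIME-encoded text."""
    msg = EmailMessage()
    msg["From"] = "sender@example.com"
    msg["To"] = "recipient@example.com"
    msg["Subject"] = "Constructed sample"
    msg.set_content("See attached.")
    payload = b"\x00\x01binary-header" + MARKER + b"\xff\xfe"
    # Binary attachments are base64-encoded by the email package.
    msg.add_attachment(payload, maintype="application",
                       subtype="octet-stream", filename="sample.bin")
    return msg.as_bytes()


def scan_raw(stored):
    """Search the stored text as-is, without any MIME decoding."""
    return MARKER in stored


def scan_decoded(stored):
    """Decode each attachment back to binary, then search those bytes."""
    hits = []
    msg = message_from_bytes(stored, policy=policy.default)
    for part in msg.iter_attachments():
        data = part.get_payload(decode=True)
        if data and MARKER in data:
            hits.append(part.get_filename())
    return hits


if __name__ == "__main__":
    stored = build_stored_message()
    print("match in stored text:", scan_raw(stored))
    print("match after decoding:", scan_decoded(stored))
```

The same bytes only become visible to a plain file scan once the attachment is written out in decoded form, which is the temp-folder step the reply describes.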

more options

Do I understand you to say that excluding the folder with my profile from scanning by Defender does no harm because anything is scanned after I click an attachment and before it is opened by the helper program?

In other words it is not necessary to scan incoming mail because attachments are scanned when I click on them to open them with a helper.

more options

Chosen Solution

Correct. Having said that, you should still use your brain before opening an attachment. Don't click on attachments from unknown or questionable sources.

more options

Thank you.

Excluding the TB profile folder eliminated the problems of freezing.

I still have not solved the problem of email with blank subjects and 1969 date, but that is a different thread.