I use Kaspersky but cannot find a setting for "secure scan". Can someone advise where to find this particular feature/setting? Thanks!

The "Thunderbird can't update to the latest version" popup is called a door hanger. You can turn it off in Thunderbird (TB). In TB, go to Tools > Options > Advanced [in the left vertical menu] > General [tab] > click "Config Editor."

Paste "app.update.doorhanger" without the quotation marks into the search box. Change the value for that preference to false by double clicking on the "app.update.doorhanger" row.

Restart TB.

As for Kaspersky Internet Security (KIS), go to KIS's main screen > Settings [the gear in the lower-left] > Additional > Network > Encrypted connection ... section.

As for what to choose, see: https://help.kaspersky.com/KIS/2020/en-US/68219.htm

Personally, I have it set to "Always scan encrypted connections."

For "On errors during encrypted connections scan," I have it set to "Ask." If you then add a site to the exclusion list, Kaspersky will add a Kaspersky certificate for that site. Traffic will still be scanned. Where you would become concerned about allowing a site with a weak or out-of-date certificate, etc., would be where you bank or buy or enter any sensitive data. For simply reading web pages, it would be like visiting an http site rather than an https one. It just depends upon how private you want to be. If you also use Kaspersky's VPN, you should be in pretty good shape regardless in terms of just visiting a site. In my opinion, entering sensitive data should not be done on a site that popped a cert error until the error is corrected by the site.

Firefox will still warn you.

Concerning KIS's Software Updater settings, go to KIS's main screen > Settings [the gear in the lower-left] > Protection > Software Updater.

As for what to choose, see: https://help.kaspersky.com/KIS/2020/en-US/127694.htm

I selected "Enable search for application updates."

I "Set up search mode for updates" to "daily."

I disabled "Automatically download and install updates if you do not have to accept new license agreements." The reason is because Kaspersky tells me TB updates are available before TB does. I manually install TB updates over the top by going to https://www.thunderbird.net/en-US/thunderbird/all/ and downloading the English (US) 64-bit version. Once updated, Kaspersky sees it's updated on KIS's next scan.

Tom Usher, thank you for your helpful advice!

S.

@Tom, Just get rid of Kaspersky scanning anything to do with email. Simple really. It offers no protection improvement but does increase your risk of getting mail failing.

Turn off the silly software update think in Kaspersky, Thunderbird will manage that correctly for itself, not incorrectly like Kaspersky does.

IF you want to see whatever new bugs an update has, install like this

I disabled "Automatically download and install updates if you do not have to accept new license agreements." The reason is because Kaspersky tells me TB updates are available before TB does. I manually install TB updates over the top by going to https://www.thunderbird.net/en-US/thunderbird/all/ and downloading the English (US) 64-bit version. Once updated, Kaspersky sees it's updated on KIS's next scan.

When a new update is released, initially it is offered for download to new users. This gives a few days or a week to see if they appear in support forums with previously undetected issues. Updates are then trickle fed to the install base starting with around 5% of users. This allows the new update to move forward and a mass level of installs to be done to see if there are any issues that might need attention. With Thunderbird 68 there were a couple of doozies, so updates were actually halted until 68.2.1 was released with the fixes needed for things like updating to 64bit versions.

So I would suggest letting Thunderbird doing it's thing on updates and not go into the config editor to force it not to advise you of updates. Eliminate the Kaspersky thing as it is the thing causing issues in this topic. Forcing an update early following a release might be asking for trouble. It might work well most times, when it does not it probably will not be fun at all. You restart Thunderbird after the update and everything is gone type not fun.

Additionally a VPN and SSL/TLS are completely different things. I personally have little issue with using HTTP web sites for many purposes, reading being one of them. But a VPN does not replace an encrypted communication with the web site. The traffic between the VPN end point and the web site is still unencrypted as it is not HTTPS. Using a VPN in this way is similar to taking your money to the bank in an armored car, and deciding to get out and walk the last couple of blocks. Might as well not bother with the armored car

Excellent note, Matt, thanks!

S.

Doc_Sandy said

Tom Usher, thank you for your helpful advice! S.

The app.update.doorhanger setting only suppresses that one aspect of update notifications. Other error notifications may still pop up.

app.update.silent;true is supposed to suppress all update notifications.

app.update.service.enabled was set to false during the following:

Set app.update.silent to true

Set each of the following default times to 10 seconds:

app.update.interval;86400 app.update.promptWaitTime;86400 app.update.timerFirstInterval;30000 app.update.timerMinimumDelay;120 app.update.idletime;60

Restarted TB and waited a minute (No update notifications popped)

Reset time to defaults

Restarted.

@Matt

Matt, Kaspersky definitely offers email protection. If anyone is getting too many false positives, Kaspersky allows tweaking various settings to deal with that. https://help.kaspersky.com/KIS/2020/en-US/68170.htm https://help.kaspersky.com/KIS/2020/en-US/85053.htm

As for the Kaspersky's Software Updater, it only checks the channel you're already on, which is the release channel in my case. I always read release notes before updating anything, know how to roll back, and have full-system backups regardless. So, thank you, but no thank you.

The Software Updater has been great to have and use. It's caused zero problems, including when I first got it and it updated TB automatically. It's very handy and is certainly not "silly." https://help.kaspersky.com/KIS/2020/en-US/127466.htm https://help.kaspersky.com/KIS/2020/en-US/127694.htm

Eliminate the Kaspersky thing as it is the thing causing issues in this topic.

People without Kaspersky have faced the same issue, so exactly how did you determine Kaspersky is the cause? I did read this entire thread before posting. Is there another thread where Kaspersky has been nailed down as the cause? If so, I have no problem submitting support requests/bug reports to Kaspersky.

Concerning the VPN, you appear to have read too much into my statement and took it out of context. I did not suggest the VPN encrypts anything. It does add a level of privacy even with unencrypted traffic.

Some of your reply is useful for those who are novices. However, in my view, some of your reply is way too sweeping and actually misleading.

I believe you mean well; however, there are Kaspersky users who have been spared being hammered by bad email messages/attachments and have also been spared being hit due to out-of-date software. Advising people to disable their Kaspersky for TB and for notifying them of out-of-date and vulnerable software on their system creates liability issues.

Always read release notes before updating anything, know how to roll back, and have full-system backups.

I should also add that Kaspersky Anti-Spam checks for malicious URLs in Thunderbird email messages along with phishing elements. https://help.kaspersky.com/KIS/2020/en-US/68439.htm

Phishing messages are probably the biggest problem right now. It's low-hanging fruit for hackers, etc.

Clicking through to a site known to be malicious by Kaspersky but not necessarily known by the message recipient unless Anti-Spam is enabled, can mean an infected computer.

Hopefully, Kaspersky would catch the malware later by other means. However, why wait? Why take the chance?

I recommend against having Anti-Spam or Mail Anti-Virus disabled unless absolutely necessary.

You say that "People without Kaspersky have faced the same issue, so exactly how did you determine Kaspersky is the cause?" But I have, as yet, seen no posts from non-Kaspersky users in either this or the parallel thread on the subject. (Have I missed one?) There have been numerous posts from Kaspersky users. Further, I had switched from Kaspersky (free) to Avast (free) several days back now - posted not long after. And the problem stopped, immediately. i.e. the problem definitively occurred with Kaspersky installed, but not with Avast installed. Whether the issue is within a sub-component of Kaspersky I have no idea. And I agree that reducing protection is not a price worth paying to avoid a minor irritation. Leaving Kaspersky might be (if you haven't got a paid version and don't want to switch to a free AV).

Hi terrybernstein,

I saw your earlier comments about switching and did take note of it.

There is a comment in this thread where the poster said he or she doesn't have Kaspersky. Also, another poster referenced that comment.

However, the person may have edited the comment since then or or had Kaspersky without knowing or had a remnant of Kaspersky in conflict with Thunderbird.

I'm simply not prepared to say the problem lies with Kaspersky at this point. It may well, but I'd have to be able to rule out people without Kaspersky.

Naturally, Kaspersky and something else independent of it could both be resulting in the door-hanger issue.

However, I could probably test at least Kaspersky's part in it by disabling Kaspersky's interaction with TB and changing my TB settings to force TB to check for an update within a few seconds of opening TB.

My problem is that I've been dealing with security bugs in various platforms, software, and firmware nonstop for many months and am a bit burned out on it. It's interfering with making mandatory progress in other areas.

I'll take a deep breath, though, and give it a shot.

Hi again, terrybernstein,

With TB set to app.update.silent;false and app.update.interval;10 and with Kaspersky disabled concerning Thunderbird (TB), TB popped the door hanger even though TB is up to date per Help > About.

I momentarily disable Kaspersky protection (all of it), restarted TB, and the door hanger still popped again.

I would not submit a bug report to Kaspersky knowing that. Would you?

So, I'm back to app.update.silent;true and with all of Kaspersky's protection enabled.

This is no big deal to me, as I manulally check TB add-ons for updates on a routine basis anyway.

@Tom, You raise more doubtful questions that you answer and I have considered quite seriously how to respond to you, or even if I should. Considering the large quantities of questionable information you presented I feel compelled to respond. But I have no interest in comparing appendages. Security is a serious topic and current “security suite” logic and actions do not hold up well to close examination. It is some 18 years since folks at Netscape identified they had an issue with anti virus programs deleting entire folders of mail. They put some code in place to mitigate the issue, but it is perhaps indicative that the problem identified in the bug report still exists today. See https://bugzilla.mozilla.org/show_bug.cgi?id=116443 Simply because even using that option, the definition gets updated some days, weeks or even months later and the anti virus cavalierly deleted everything because they are scanning inert mail looking for something that is not a real threat. Most helpful. You might say they are removing a threat, that is what Symantec said when asked, but they struggled to identify the real world risk they mitigated by their actions.

You sing the praises of Kaspersky improving security. But we have this bug. https://bugzilla.mozilla.org/show_bug.cgi?id=1549624 Due to the hacking style of the scanning needed updates do not get to the software. So perhaps if the product fixed it’s scanning it would not need a module to notify folks of updates that it effectively prevented in some cases.

Then we have the product changing the certificate store used and locking the preference to prevent it being changed back to what it should be. https://bugzilla.mozilla.org/show_bug.cgi?id=1516255#c6 Starting to sound like a virus like activity to me. I could go on, but suffice to say they are not the white hats they sell themselves as.

How exactly does email scanning provide protection that is not offered in other ways by the product and Thunderbird? To put up with scanning I need an net improvement in security and I think it is a reasonable expectation for everyone.

My opinion is it does not happen and these are the reasons why;

• Thunderbird does not execute scripts in email, so no javascript, no vbscript, no flash. Nothing! it is difficult to infect someone with something from within an email if the page is a static bit of HTML. I have certainly been unable to find anyone that has managed it. Perhaps your mileage differs, I encourage you to demonstrate how a static HTML page can infect you. Not place the code to run on your system, actually do something with it.
• Perhaps there is a vector through remote images. But Thunderbird does not load remote images. You have to decide on that security reduction your own self. Not that I have seen remote images as a serious malware threat. More of a tracking issue really. But remote images come in over HTTP and HTTPS connections, so Kespersky will be scanning them as web traffic.
• An email is a text file. I am yet to see any convincing argument that you can get malware from a text file. Not without trying Very Very hard. Convert it to something else perhaps, but not a text file.
• Attachments in email are also text. Don't believe me look through any email with attachments. You will not find any binary bits, just text. That Word document, or the photo of the family. MIME encode text. Until it is decoded you can do nothing useful with it. You certainly can nor execute it.

Now lets look at the attachment in more detail. First thing before we can access it it has to be decoded. Turn it back into whatever it was that was attached. In the case of Images and text files Thunderbird will do this automatically to display the message, otherwise it only occurs when you act on the attachment to open, view save etc. But the process is to create an "object" you can manipulate, a file. So a decoded file is written to the temp directory. Now we go back to Kaspersky it scans all new files, so the attachment gets scanned at this point and if it is infected the usual rules apply. If it is not it is opened.

So looking at this as a whole, I see no appreciable or identifiable benefit in having email scanning. Where am I going wrong? Clearly you believe I am.

Then you report that the phishing control is nice and really useful. But you are now bringing browser elements to justify email scanning. The URL will be using HTTP or HTTPS, that is traffic that the anti virus should be scanning as it purports to scan all web traffic. So it has nothing at all to do with email and everything to do with the web. Disabling email scanning will not disable scanning of HTTP and HTTPS traffic. If it did the product would be a complete dud. Useless in the extreme for the purpose it was installed. I really think it is not that bad, it just has some issues. One of which is overlaid security that slows the system and offers basically nothing in return.

The Software Updater has been great to have and use. It's caused zero problems, including when I first got it and it updated TB automatically.

Now to your final point about knowing how to roleback. I assume you are familiar with the one profile per install and the new features that actively make using a profile on an old version way more difficult that in the past. Install the old version and you currently get a message that the profile is not suitable for the old version as it has been used with a newer version. That can be forced into use with the profile manger, and that will not change.

Backward compatibility of profiles however is no longer supported, and with significant changes under the hood in the next 12 months. The next release version will convert your profile into something that this current version does not fully understand, so going back will be possible, but at what cost to your profile data? There will not be a list of this changed so you will lose it going back. Loss of contacts is already in there, with a new database storage format for contacts being implemented. So your ability to back out of an update will largely disappear over the coming year, it is time to reconsider your methodologies. Doing a full restore from backup is not the answer to every little thing.

Now you also asked me to point to were this was proven to be kaspersky. I think you have already been informed by at least one user they got rid of Kaspersky and the problem went away. I have no doubt you will be looking for something more concrete, I am not. The empirical evidence of removing the Security suite is sufficient for me. It is not necessarily steps to reproduce that a developer of bug author would want, but then Thunderbird does not have an issue in my opinion so I will not be investing any real efforts into trying to fix Kaspersky’s product. That is their problem, not mine.

Phishing, this is a serious issue, but again you trivialize it by presenting it here as a mail issue. This is something Kaspersy does also in their web site as well. This might be because some 80% of mail users use a web browser to access their email but I does not automatically translate to a mail client like Thunderbird. In their article entitled “What is Phishing and how does it affect email users” they state. “When you click the link in the email, you are taken to a webpage”. That is right a web page in a browser. So do you have effective phishing controls in your browser? I suppose that would depend on what you have installed over and above the safe browsing that Firefox and Chrome employ in their own right. This is also probably one of the reasons the inbuilt Thunderbird phishing detection has remained somewhat rudimentary, the phishing does not actually occur in the email, it is just a vehicle for the link that is to be opened in the browser.

Firefox has it’s own native phishing detection. It is pretty good as I understand it. But I do not claim to be an expert on phishing detectors. https://support.mozilla.org/en-US/kb/how-does-phishing-and-malware-protection-work But no anti virus vendor gets the automatic gong for best, interestingly enough finding comparisons of these things is rather difficult. Could it be none of them are as good as we are being lead to believe? I think so. Each phishing URL is from a list, someone has to get caught for it to get on the list and a new one takes but a minute to create. It is an improvement on nothing, but it is not a good solution really.

Here's a workaround for Kaspersky Internet Security (KIS): Exclude aus.thunderbird.net. Explained:

KIS > Settings > Protection > Mail Anti-Virus and Anti-Spam are enabled at their defaults settings.

KIS > Settings > Additional > Network > Monitor all network ports is selected.

KIS > Settings > Additional > Network > Always scan encrypted connections is selected. "If Kaspersky Internet Security is operating in automatic protection mode, Kaspersky Internet Security automatically terminates any connection that uses an invalid certificate, without displaying any notification." https://help.kaspersky.com/KIS/2020/en-US/68219.htm

KIS > Settings > Additional > Network > Manage Exclusions > Add > aus.thunderbird.net > Add.

aus.thunderbird.net is the domain used by Thunderbird (TB) for updates. Perhaps it has a certificate problem; and, because KIS's default is "automatic protection mode" (https://help.kaspersky.com/KIS/2020/en-US/68151.htm), KIS isn't popping a notification.

You can find/verify the domain in TB config: Tools > Options > Advanced [on the left] > General [tab] > Config Editor > paste app.update.url in the search box app.update.url;https://aus.thunderbird.net/[...].

Paste app.update in the search box. The following should be set as follows if you want TB to check and notify you (in all the ways it apparently can) of available updates: app.update.doorhanger;true app.update.service.enabled;true app.update.silent;false

I'll try to let Kaspersky know all of this so they can see if there's anything still wrong on their end. Maybe the form of the URL, with all its parameters, is giving KIS problems. https://aus.thunderbird.net/update/6/%PRODUCT%/%VERSION%/%BUILD_ID%/%BUILD_TARGET%/%LOCALE%/%CHANNEL%/%OS_VERSION%/%SYSTEM_CAPABILITIES%/%DISTRIBUTION%/%DISTRIBUTION_VERSION%/update.xml

I'll also try to let them know on Bugzilla so they can check if there's a subdomain-certificate problem.

I went to file a Bugzilla report and found that one had already been filed for this issue (on 2019.10.07, I believe). Multiple developers are working on the issue as recently as the last day or two. That bug report cites this community support thread, among others.

Source: https://support.mozilla.org/en-US/questions/1269619?page=3#answer-1266365

I found the Bugzilla: 1586699 - "Thunderbird can't update to the latest version. ... Download a fresh copy..." Alert/Warning/Notice, but "Thunderbird is already up-to-date": https://bugzilla.mozilla.org/show_bug.cgi?id=1586699

It was helpful. If I had read it first, I believe I would have figured this out a long time ago.

Anyway, it appears that adding aus5.mozilla.org to the KIS exclusion would be wise.

I'm going to cross-reference my last two posts here over there on Bugzilla.

I hope Mozilla/Bugzilla will determine there are no cert issues or fix them if there are.

I'll wait for Bugzilla before I decide whether to inform Kaspersky about all of this.

I submitted a bug report to Kaspersky, as the SSL certificates for aus.thunderbird.net and aus5.mozilla.org are both valid.

The update history says I have TB 68.2.0 installed, but I have TB 68.2.2 - check attached picture.

mattias1 said

The update history says I have TB 68.2.0 installed, but I have TB 68.2.2 - check attached picture.

Have a look at http://forums.mozillazine.org/viewtopic.php?f=39&t=3056653

Were you, or are you, still having the door-hanger problem?

You should probably search Mozilla support (and probably Bugzilla) for update-history issues.

If you're still having the door-hanger problem even though you've done the exclusions in Kaspersky, please let me know here.

Thanks and good luck.

I have had the this same issue for the last few versions. I do not use the Kaspersky AV product. I have Malwarebytes in use.

However, after reading through the chain, I did notice something. I have a Sonicwall Firewall in place that utilizes Deep Packet Inspection. Basically, it is acting as a proxy in some cases to decrypt some sites that are visited. Anyways, the thunderbird.net domain was getting blocked for some reason. I whitelisted the domain, and the ability to update via the about screen returned.

I have not had the chance to dig deeper yet. Could be a bad certificate, maybe the Sonicwall doesn't have all of the intermediate certs, many things. But this could be representative of some other users issues. Just wanted to put my results out there for others to look for. If I figure out the specific Certificate issue, I'll update...

I too have this problem, seeing a window saying "Thunderbird can't update to the latest version", but when I go to download the 'latest version', it turns out to be the version I already have (v 68.4.1 64-bit, Build ID 20200108224327, on Win10 Pro v1909 OS build 18363.535). Going into Control Panel, I noticed that another package was installed at the same time as the last TB update, called 'Mozilla Maintenance Service', v68.4.1. Is it this service that prompts the update? Why does this happen even though my downloaded version is already up-to-date? Can there be a problem with determining the version in use? Another thought; if an updated build is made available for the current latest version, would this update process be triggered?