This is very likely because Thunderbird uses mbox files, so one big text file per mail folder. There is experimental maildir support (one file for each email) which is friendlier for AVs: https://support.mozilla.org/en-US/kb/maildir-thunderbird
This. Took me some time until I figured this out. I would definitely not discover this if I was a new user, but I migrated my profile from Linux where everything was fast (with the same mailbox) so I was suspicious.
As I understand it, before you open a (potentially dangerous) attachment in another app, it would be saved to your Temp or Downloads folder, where Defender would still have access.
A carefully crafted email (or PDF attachment) that exploits vulnerabilities within Thunderbird's HTML or image rendering (or its PDF.js sandbox) might still pose a risk, but probably less so than any random web page that you open in Firefox, where JS (which should be disabled in Thunderbird by default) is the primary attack vector.
Also, note that there is a setting called "Allow antivirus clients to quarantine individual incoming messages". With this enabled, "Thunderbird first stores each incoming message in a temporary file in the system temp folder" (where Defender would have access). "If the new message file still exists after being scanned by the antivirus software, then it is moved to your Thunderbird Inbox folder file." [1] If this is implemented correctly, it should only impact performance when receiving new emails.
Where the email is stored.
I'd say there is little impact, as when a malicious email ends up on disk, it was processed and the potential damage has been done already. I trust the server-side filtering and Thunderbird security more than file-access protection in Defender.
In response to both comments: I turned on "Allow antivirus clients to quarantine individual incoming messages" and then added an exception for the folder where Thunderbird is keeping my mail, and it's now noticeably snappier—not instant, but opening my archives folder (~35,000 messages) was previously anywhere from a couple seconds to a couple dozen seconds, and is now probably a little under a second.
praseodym|1 year ago
justsomehnguy|1 year ago
One (however big) file is always way 'friendlier' for the AV than a bazillion files. Especially on NTFS and on Win32.
No, don't try maildir on Windows.
janci|1 year ago
Jap2-0|1 year ago
(Also: what is the realistic security impact of this? As long as I don't do anything stupid, is it negligible?)
currysausage|1 year ago
[1] https://support.mozilla.org/en-US/kb/privacy-panel-settings-...
janci|1 year ago
Jap2-0|1 year ago
Semaphor|1 year ago