Inbox deleted by Symantic

Symantic AUTO PROTECT FEATURE deleted my TOTAL EMAIL INBOX (Netscape) instead of just the Incoming Email that was infected. The same virus (W32.Netsky.P@mm!enc) has been detected 2 times prior since 5/10/2004 and it was handled correctly by the Symantic VIRUS SCANNER FEATURE in there program (it deleted it ). Also note that the log file shows that 21 times since 4/08/2004 Symantic VIRUS SCANNER FEATURE detected the W32.Netsky.P@mm virus (without the !enc) in incoming email and deleted it correctly. I am also running ZoneAlarm V 5.0.590.015 as a firewall and have their option set to protect my email. Ad-Aware is also current and shows a clean system.

Below is the alert warning info & Log message I received from Symantic Anti virus program: (***'s are used to replace my User & ISP info)

I received a warning box from the Symantic Anti virus program while using Netscape on the web. The message stated that the AUTO PROTECT FEATURE found the (W32.Netsky.P@mm!enc) in my INBOX FOLDER (as opposed to a email message as in the past) and delete it.

Log info:
Source: C:\DOCUMENTS AND SETTINGS\***\APPLICATION DATA\Mozilla\Profiles\default\0uhi4o2b.slt\Mail\pop.***.***.net\Inbox
Click for more information about this virus : W32.Netsky.P@mm!enc


My OS (Windows XP Pro) has all the updates current, as with Symantic's System Works 2003 Professional Edition & Virus Dif. ZoneAlarm was upgraded to the latest version 5 hours prior to this virus problem. Total Anti-Virus system scan was / is also current and no floppy drives or CD's have been used since the last total system scan.

I checked the options for Symantic Anti-Virus Auto Protect Feature and only the Virus / Infected file was to be quarantined / deleted from the email. (NOT THE WHOLE INBOX FOLDER) I don't know what happened but it sure looks like Symantic Anti-VIRUS Auto Protect program missed the incoming virus or reacted in error to it by deleting my Inbox Folder instead of the just the virus..
I also checked in the Norton Protected Recycle Bin and could not find the Inbox folder. I e-mail Symantic tech support group but that will take 3 to 5 days to get to India and back and if like past experiences will prove of little use due to lag time etc.

A side note is that Symantic could have save my butt if that was the proper thing to do (by Deleting my Inbox Folder)..but how did the virus get past the virus protection of the incomeing email in the first place?

Any suggestions to what I should so that this doesn't happen again?
thanks
denny

 

Hello denny,

If you're running the pro version of ZoneAlarm v5.0 - there are a great many users that have reported problems with McAfee and Symantec security suites. Something to look into.

http://www.alanluber.com/pcfearfactor/news.htm

http://forums.zonelabs.com/zonelabs See if any reports concerning Symantec Conflicts and whether they match yours.

If you don't find a definative answer, one course of action is to reinstall your previous ZA version and see if the problem persists.

ZL has issued an update to their initial v5.0 = 5.0.590.015

Regards - Charles

EDIT: Another possibility - users of NIS2002 have had major problems because of a 12th May "Redirector" LiveUpdate http://computercops.biz/forum82.html So far have not seen any references to this problem spreading to other versions.

This problem only gave me a "burp" - run the the AV only.

 

Hello denny,

Forgot to add a way to test the AV w/o having to wait for an actual virus: http://www.rexswain.com/eicar.html

From the site: "Once you have downloaded these files, you might also want to e-mail them to yourself -- then you can see if your anti-virus software detects viruses in incoming e-mail attachments. "

Regards - Charles

 

Hello Charles,
Thanks for the reply. I checked the links you noted and they didn't seem to match my problem. I tried to FYI ZoneAlarm's tech support with my problem in case of any chance something matches there other problems with there new release of ZA 5 and they (auto) informed me that they don't response to the free version of ZA. I since have rechecked all my options in Symantic's SystemWorks 2003 Pro Anti-virus and ZoneAlarms firewall options and can't find why my Outbox Folder was deleted by Symantic. I do think that I will go back to the earlier version of ZA as a precautionary step.
thanks,
denny

 

Charles I forgot to mention that I did download the eicar test file and Symantic did report it as a virus (.com) . However the ziped files I downloaded were not reported as infected until I tried to uncompress them. I thought that Symantic would have caught the test virus file in the incoming email zipped atachment,but it didn't.
denny

 

Inbox deleted by Symantec

The same thing just happened to me. I'm not using ZoneAlarm, but am using Symantec Client Firewall. However, the Inbox was NOT DELETED -- it was merely moved to the quarantine area. If you go to the quarantine area, you can see, clean it and restore it. The attacking virus is W32.Netsky.P@mm!enc.

I tried to restore it without cleaning it -- Symantec simply re-quarantined it again.

 

Thanks for the reply and help. I should have posted this fix when I got the reply back from Symantic on 5/30/04. Sorry all..

Here's the response I received from Symantic. I recovered my Inbox by following the instructions below.
This link will take you to the answer for your problem.
http://service1.symantec.com/Support/nav.nsf/docid/2000051809560906