Solved: Re: Harmony Endpoint <> Mozilla Thunderbird

IZoom · ‎2021-03-25

Hi guys,

I have issue - when I install endpoint (recommended / latest) and run Thunderbird on various windows versions, epam_svc.exe uses 25-60% CPU while Thunderbird not responding.

defined exclusion to Anti-Malware on access scan for "C:\users\*\AppData\Roaming\Thunderbird\Profiles\" (
https://wiki.mozilla.org/Thunderbird:Testing:Antivirus_Related_Performance_Issues)
The Thunderbird profile is not huge - ~20 GB, 622 files
internal log viewer shows nothing (not literally)
sysinternals procemon points lot of EPMA_SVC pointing to thunderbird profiles even the exclusion is set
windows various versions (from 7 till 10 enterprise latest build, fully patched)
cpda.log does not show unusual activity.
AntimalwareBlade.log some strange messages:
[warni] Unhandled callback event EVENT_MAILBASE [AMEngine::Kav::KavScanner::KavCallbackMethod], nothing else unusual

Do you have it working / tested with Thunderbird?

IZoom · ‎2021-04-01

This helps: excluded from AntiMalware - on access - scan mail messages.

We are trying to isolate problem now with removing previous generic exclusions and define new in AntiMalware blade only for thunderbird.exe process.

I'll keep you posted.

View solution in original post

PhoneBoy · ‎2021-03-27

I would open a TAC case here.

IZoom · ‎2021-03-28

Thanks man. I'll keep you posted about solution

HSPPA · ‎2021-06-01

Please, take into consideration these additional notes:

Thunderbird "Deleted Items" folder is corrupted after the endpoint installation.
Thunderbird "Sent Items" folder, is corrupted also.

IZoom · ‎2021-04-01

This helps: excluded from AntiMalware - on access - scan mail messages.

We are trying to isolate problem now with removing previous generic exclusions and define new in AntiMalware blade only for thunderbird.exe process.

I'll keep you posted.

MikeB · ‎2021-04-01

thank you for sharing this information. It helps a lot

stl · ‎2021-06-16

Hi

I have the same problem - how can I exclude "scan mail messages" in cloud-based Harmony Endpoint -> Policy - > Threat Prevention -> Exclusion Center?

There is no "AntiMalware - on access - scan mail messages". I can exclude process (like thunderbird.exe) only.

Regards

Chris

jgarcias · ‎2021-11-18

Hello,

Same problem here.

Did you solved the issue or still using the workaround of disabling scan mail messages?

Thanks

stl · ‎2021-11-18

Hi

I'd exluded process "thunderbird.exe" in this setting:

Scan all files upon access .. -> Add Location -> Process Name (full path to thunderbird.exe)

jgarcias · ‎2021-11-18

Hello,

OK, I wouldn't like to exclude the whole process so I think I'm going to open a TAC case to check it...

Thanks

stl · ‎2021-11-18

Hi

Please let me (and us 😉) know, what they proposed/did.

IZoom · ‎2021-11-18

I had opened TAC. Result was in Thread prevention -> Exclussion center -> Exclussion settings - > Process exclussion (on-access only) -> thunderbird.exe

jgarcias · ‎2021-11-18

So the solution from the TAC was exclude "thunderbird.exe" from being analyzed? It seems a workaround....

Did they tell you if in a future release could fix the problem to not exclude it from protections?

IZoom · ‎2021-11-18

correct, this was answer from TAC. Yes, they did tell me they don't plan to fix it for the future releases as this is known bug of thunderbird, which is minor email client. Many other vendors fixed it by default exception not visible to admins.

the security is not broken too much as the mails are scanned on network level and the attachments are scanned on touch. Just the core thunderbird.exe is excluded.

jgarcias · ‎2021-11-18

OK, thanks for your answer

Are you a member of CheckMates?

Harmony Endpoint <> Mozilla Thunderbird