Last checked:

Avira Mail Protection blocks SSL/TLS/STARTTLS-connections

Out of security reasons, Avira Antivirus Premium, Avira Internet Security and Avira Professional Security are blocking incoming Emails via SSL/TLS/STARTTLS secure connections, if they were configured on standard ports. Other ports that fall back on encryption may also be affected.

This usually happens, when for example, the option SSL (TLS/STARTTLS), whenever possible is active in the Email client and the SSL/TLS/STARTTLS is set to use the standard port.

In such a case, an error message appears:

SSL (TLS/STARTTLS)-connection detected. Incoming mails are blocked.


Usually, when sending and receiving Emails through an encrypted connection, Avira Mail Protection is unable to scan them. However, if the standard port is set, Avira product performs the scan and issues the error message mentioned above.

To get the Email traffic working again, you have to check and correct the settings in the Email client. Because there are many Email programs and since their configuration varies, please note the following general rules:

  • Deactivate the option for using encrypted SSL/TLS/STARTTLS connections for incoming and outgoing server

  • Make sure not to use the ports 25 (SMTP), 143 (IMAP) and 110 (POP3) for SSL/TLS/STARTTLS connections


If you usually need to receive Emails via SSL/TLS/STARTTLS connections, you can change the product's installation, to deactivate Avira Mail Protection.

  1. Click on Start → Settings → Control Panel → Add or Remove Programs (or Programs and Features) → the installed Avira product

  2. Press Change, select Modify and click Next

  3. Remove the check-mark for Avira Mail Protection and press Next until Finish

Note:
This completely removes the Avira module for Email scanning, Avira Mail Protection, and it can no longer be used! This means that Emails are no longer scanned before they arrive in your Email client.

  • Affected products
  • Avira Professional Security
  • Avira Antivirus Premium 2013
  • Avira Antivirus Pro
  • Avira Internet Security
  • Avira Internet Security Suite
  • Avira Family Protection Suite
  • Avira Ultimate Protection Suite

Comments

I have used successfully AVIRA for a long time along with my ISP e-mail client in OUTLOOK which reqiuired the use of SSL ports. However, the recent conflict between my ISP required SSL ports and the inability of AVIRA to no longer scan such ports requires me to disable mail scanning in AVIRA. I tried the suggestions in this article without success unless I disable mail scanning in AVIRA. Accordingly, I feel less protected than before and see no option but to abandon my paid AVIRA license and go to another anti-virus program.

This article is worded very strangely. Avira isn't blocking encrypted email traffic to enhance security; this doesn't make any sense. The actual issue is that Avira can't scan encrypted traffic at all, and it blindly looks at traffic on specific port numbers, then can't handle it when it encounters something other than unencrypted traffic.

And disabling encryption on email is "correcting the settings?" I don't think so!

Avira really needs to implement a main-in-the-middle (MITM) solution. Insert a local certificate so you can scan encrypted email traffic, rather than forcing customers to choose between encrypting their email traffic and being able to scan email traffic with Avira. Other AV vendors have been using a MITM solution for years.

I know all about the people who feel that scanning email is unnecessary. I could not care less. It should be an option.

Disabling email encryption just to enable AV scanning of this traffic is a terrible trade-off. I will choose encryption every time (even though I use a VPN).

Please fix this, Avira.

Although saying that the reason for this limitation is "Out of security reasons" sounds like a lame excuse, I'm guessing that's just a way to summarize a complex situation, a situation that people like you think they understand...
The whole purpose of encrypted email traffic is to protect private information from any malicious attempts to access it while it travels through the Internet, like MITM attacks. What you're saying is that Avira should create a module that acts like an attacker. Your statement lacks of common sense and just evidences your ignorant arrogance instead of any real IT security expertise.
Furthermore, you're wrong saying that it would only require a local certificate, I'm assuming that you're comparing it with HTTPS traffic. Email traffic encryption methods do not work precisely as HTTPS, you should read and investigate before publishing such lame critics.
You should also know that other manufacturers are "solving" this with email client plugins, which scan the emails after being decrypted by the email client. This is in fact a better way of accomplishing AV email filtering than MITM nonsense, but the problem for them arrises when email clients are updated and the plugins stop working until they're upgraded (sometimes email traffic gets stuck in the meanwhile).
All These are the reasons for manufacturers to promote gateway email filtering, this type of filtering is not limited to any encryption issues.
The truth is that having a good live/real-time/guard scanning should be enough, rather that wasting client resources having redundant filtering.
Nowadays there are a few manufacturers that have extra modules which are in fact better protection and not just redundant modules, e.g binaries/executables inventory, containment layers, virtualization layers, etc. It is only fair to say that Avira is not one of these manufacturers, they're still working with huge signatures databases and blacklist methods, which result in a high rate of zero day infections.
This last paragraph summarizes what Avira is really missing, let it be clear that I'm not defending them but only responding to your arrogant comment.
And yes, my reply could also be arrogant, the difference is that I do know what I'm talking about and you're just a crank.

Hi Maurizio,

because it is encrypted with SSL it is not readable for humans and computers. This is why Avira can't scan this port and it is blocked to protect you.
If you are forced to use SSL please uninstall the email protection or remove the port from the configuration. Because Avira uses a multiple security features (realtime protection, web protection) you are still safe.

I agree with @crank above
While I understand that encryption is exactly not being able to read the content, there should be some option that email is scanned for example after decrypted, or any other solution.
You can not just leave us with option to either use SSL but no antivirus protection, or no SSL with antivirus protection. A workaround must exist and be in place.

Add new comment

Your report was successfully sent.
There was an error! Please, try again later!