This is very likely because Thunderbird uses mbox files, so one big text file per mail folder. There is experimental maildir support (one file for each email) which is friendlier for AVs: https://support.mozilla.org/en-US/kb/maildir-thunderbird
> One (whatever big) file is always way more 'friendlier' for the AV than a bazillion of files.
Defender will scan the entire file on opening if it's been modified. So for an mbox file, any update to the mbox (e.g. adding a message or marking one as read) will lead Defender to block reading until it's scanned it in full again.
While maildir will increase the baseline costs because opening files in Windows is expensive, it will drastically reduce AV overhead, because the AV has a lot less data to scan, and it will only scan files which have been modified.
> Defender will scan the entire file on opening if it's been modified
In that case it would delete the whole mailbox for EICAR. Sounds plausible, but I have a WinSvr2022 machine without WinDefender (or any other AV) and Thunderbird there is slow as molasses.
But sure, if adding the path to the exclusions alleviates the problem then it's Defender causing issues.
> because opening files in Windows is expensive
Yes, this is the reason I would generally advise against that. Also it messes up NTFS fragmentation badly and while nowadays it's less of an issue for a laptop with oh so fast NVMe drive in it, it's still a problem (especially if you later need to move that folder with a bazillion files in it).
Why, exactly? I have switched to maildir as soon as it was available as experimental feature, and performance gains when compared to mbox were enormous, especially during bulk operations. Switching folders takes <0.1s, with ~100k messages per folder, on Windows 7 64-bit.
The logic is probably as discussed above. Opening files is relatively expensive on Windows, so intuitively, maildir should be worse in terms of performance. I believe there are also some filesystem reasons to prefer avoiding lots of small files but that's beyond my pay-grade.
The reason maildir is faster despite this is the antivirus factor.
The fastest solution is adding an exception so that Defender doesn't scan your Thunderbird email; however, that has the trade-off that your antivirus isn't able to scan your email.
And while switching folders, which is the major part of UX anyway, is fast, because TB only scans a handful of messages in the view[0], what about other operations which would need to scan the entire mailbox, like searching for something?
[0] Why does it even do that? Beats me, but clearly it does, otherwise you wouldn't see the speed improvement.
This. Took me some time until I figured this out. I would definitely not discover this if I was a new user, but I migrated my profile from Linux where everything was fast (with the same mailbox) so I was suspicious.
As I understand it, before you open a (potentially dangerous) attachment in another app, it would be saved to your Temp or Downloads folder, where Defender would still have access.
A carefully crafted email (or PDF attachment) that exploits vulnerabilities within Thunderbird's HTML or image rendering (or its PDF.js sandbox) might still pose a risk, but probably less so than any random web page that you open in Firefox, where JS (which should be disabled in Thunderbird by default) is the primary attack vector.
Also, note that there is a setting called "Allow antivirus clients to quarantine individual incoming messages". With this enabled, "Thunderbird first stores each incoming message in a temporary file in the system temp folder" (where Defender would have access). "If the new message file still exists after being scanned by the antivirus software, then it is moved to your Thunderbird Inbox folder file." [1] If this is implemented correctly, it should only impact performance when receiving new emails.
Where the email is stored.
I'd say there is little impact, as when a malicious email ends up on disk, it was processed and the potential damage has been done already. I trust the server-side filtering and Thunderbird security more than file-access protection in Defender.
In response to both comments: I turned on "Allow antivirus clients to quarantine individual incoming messages" and then added an exception for the folder where Thunderbird is keeping my mail, and it's now noticeably snappier—not instant, but opening my archives folder (~35,000 messages) was previously anywhere from a couple seconds to a couple dozen of seconds, and is now probably a little under a second.
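
The mbox-versus-maildir scanning argument made in this thread, modelled as an added example that is not part of any comment above and is not Thunderbird or Defender code. It assumes the scanner behaviour described in the thread (every new or modified file is re-read in full) and uses Python's standard `mailbox` module with constructed messages as a stand-in for Thunderbird's storage.

```python
import mailbox
import os
import tempfile
from email.message import EmailMessage


def make_msg(i):
    """Constructed sample message, roughly 2 KB."""
    m = EmailMessage()
    m["From"] = "alice@example.com"
    m["To"] = "bob@example.com"
    m["Subject"] = f"constructed message {i}"
    m.set_content("constructed body line\n" * 100)
    return m


def snapshot(root):
    """Map every file under root to (size, mtime_ns)."""
    state = {}
    for d, _, files in os.walk(root):
        for name in files:
            st = os.stat(os.path.join(d, name))
            state[os.path.join(d, name)] = (st.st_size, st.st_mtime_ns)
    return state


def rescan_bytes(before, after):
    """Bytes re-read by a scanner that rescans each new or changed file in full (assumed model)."""
    return sum(sz for p, (sz, mt) in after.items() if before.get(p) != (sz, mt))


def cost_of_one_delivery(factory, path, existing):
    """Fill a mailbox, then measure the rescan cost of adding one more message."""
    os.makedirs(os.path.dirname(path))
    box = factory(path)
    for i in range(existing):
        box.add(make_msg(i))
    box.flush()
    before = snapshot(os.path.dirname(path))
    box.add(make_msg(existing))
    box.flush()
    box.close()
    return rescan_bytes(before, snapshot(os.path.dirname(path)))


def measure(existing=100):
    with tempfile.TemporaryDirectory() as tmp:
        return {
            "mbox": cost_of_one_delivery(mailbox.mbox, os.path.join(tmp, "m", "Inbox"), existing),
            "maildir": cost_of_one_delivery(mailbox.Maildir, os.path.join(tmp, "d", "Inbox"), existing),
        }
```

Under this model the mbox cost grows with the size of the whole folder, while the maildir cost stays at the size of the one new message.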