We have endpoint protection running on desktops, and Thunderbird as an IMAP client. By default, it syncs mailbox folders from the server, so that if there is an infected message in a folder, we will see a report with a "File Path" or "Original Location" such as
...C:\Users\joe\AppData\Roaming\Thunderbird\Profiles\8l6vx.default\ImapMail\mail.example.ca\INBOX>>Unknown003106A4.data
or ....INBOX>>Unknown0AD1ABB6.data>>Purchase Order.rar>>SKMBT_crypted9705.exe
or ...INBOX>>Unknown00385909.data>>Unknown00000F28.data
The folder INBOX might contain some 5000 messages. If endpoint protection cleans the local copy, it is restored by Thunderbird next time the user reads email.
What is the meaning of "Unknown003106A4.data"? Is it possible to convert that to a byte offset in the mail folder, and thus find the actual message and attachment and delete it?
I reported XP, because that is what is on my test system, but we have a variety of Windows versions reporting to a management console, which is apparently unable to whitelist a wildcard pattern from scans like C:\Users\*\AppData\Roaming\Thunderbird\
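Added example, not part of the original post: a Python sketch that tests the byte-offset idea raised in the question. It assumes, without confirmation from the page or any vendor documentation, that the eight hex digits in a name like "Unknown003106A4.data" are a byte offset into the mbox file; the function names and the sample mailbox are constructed for illustration.

```python
import bisect
import re
from email.parser import BytesHeaderParser

# mbox messages begin with a "From " separator line at the start of a line.
FROM_LINE = re.compile(rb"^From ", re.MULTILINE)
REPORT_NAME = re.compile(r"Unknown([0-9A-Fa-f]{8})\.data")

def candidate_offset(component):
    """Read the hex digits of 'UnknownXXXXXXXX.data' as an integer.
    ASSUMPTION: the digits are a byte offset; the scanner's naming is undocumented here."""
    m = REPORT_NAME.fullmatch(component)
    if m is None:
        raise ValueError("not an UnknownXXXXXXXX.data component: %r" % component)
    return int(m.group(1), 16)

def locate_message(mbox, offset):
    """Return the span and identifying headers of the message containing `offset`,
    or None if the offset is outside the file (which would argue against the assumption)."""
    if not 0 <= offset < len(mbox):
        return None
    starts = [m.start() for m in FROM_LINE.finditer(mbox)]
    i = bisect.bisect_right(starts, offset) - 1
    if i < 0:
        return None
    start = starts[i]
    end = starts[i + 1] if i + 1 < len(starts) else len(mbox)
    hdrs = BytesHeaderParser().parsebytes(mbox[start:end])
    return {"start": start, "end": end,
            "subject": hdrs["Subject"], "message_id": hdrs["Message-ID"]}

# Constructed two-message mailbox standing in for ...\ImapMail\mail.example.ca\INBOX
SAMPLE_MBOX = (
    b"From - Mon Jan 01 00:00:00 2018\n"
    b"Message-ID: <1@example.ca>\nSubject: Meeting notes\n\nfirst body\n\n"
    b"From - Tue Jan 02 00:00:00 2018\n"
    b"Message-ID: <2@example.ca>\nSubject: Purchase Order\n\nsecond body\n\n"
)

if __name__ == "__main__":
    print(hex(candidate_offset("Unknown003106A4.data")))
    # For a real folder, read the INBOX file with open(path, "rb").read() instead.
    print(locate_message(SAMPLE_MBOX, SAMPLE_MBOX.index(b"second body")))
```

If the reported offsets land inside messages whose Subject or Message-ID match what the user recognizes as the infected mail, the assumption holds for that scanner, and the Message-ID can be used to find and delete the message on the IMAP server so Thunderbird does not restore it.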