NOD32 is still no.1?
fatpizzaman
April 13th, 2002, 02:13 AM
So, is NOD32 still the no.1 antivirus scanner?
Paul Wilders
April 13th, 2002, 06:39 AM
-{ Quote: "So, is NOD32 still the no.1 antivirus scanner?" }-
Hi fatpizzaman,
Any reason for asking?
regards.
paul
spy1
April 13th, 2002, 11:14 AM
Probably because of this:
https://grc.com/x/news.exe?cmd=article&group=grc.security&item=46895&utag= .
Let's face it, it's not the smartest way in the world for them to be handling POP3 scanning. Pete
Technodrome
April 13th, 2002, 11:30 AM
I never even considered NOD32 Antivirus to be No.1. It's a good utility but certainly it's not no.1
Technodrome
spy1
April 13th, 2002, 11:53 AM
In the meantime, I've sent an email to support@nod32.com , requesting the new pop3scan.exe with instructions on how to replace the old one.
I'll be sure to let everyone know how it goes and how long it takes to get a response. Pete
MickeyTheMan
April 13th, 2002, 01:06 PM
Funny, I don't have any of these temp files!
Oh yeah that's right, I have learned a long time ago to regularly clean my temp file folder. Besides, I'm using Internet Sweeper! ;)
spy1
April 13th, 2002, 01:35 PM
Bravo, MTM!
Let's fix third party software with more third-party software! lol!
Everyone already knows they can remove the temp files created, Mick, the point is - why are they getting created to start with?
If it were a M$ glitch, I could understand it - but since NOD's offering a 'fix' , then that wouldn't seem to be the case (it's also supposed to not occur anymore when the 'environment' update occurs).
But thank you for that valuable input! Pete
TonyKlein
April 13th, 2002, 01:46 PM
Guys,
Not 10 minutes ago Nod32's Pop3 scanner detected Hybris in an email attachment.
I ran Nod32>clean, but the file wasn't found.
I then saved the file somewhere, and subsequently was alerted by Amon that it was infected. I clicked 'delete', afterwards I ran Nod32, and no infection was detected.
Fine, you would say.
I then ran NAV, which however alerted me to the fact that C:\Windows\Temp\Nod328335.TMP (or something like that) was still infected.
So what's the deal?
Once the infected temp file's created, am I still at risk because of it?
Do I need to clean out my Temp directory after a virus has been removed by Nod32, or it will still be active??
Do I need to run 2 virusscanners all the time?? ???
TonyKlein
April 13th, 2002, 01:51 PM
OK, I answered one question myself: I added *.tmp to the extensions to be scanned by Nod32 and Amon.
One wonders why this extension isn't included by default, given this program's apparent idiosyncrasies.
I just answered my first stOOOpid question as well:
As the infected attachment has been renamed to *.tmp, it's no problem anymore, I guess.
I will now emigrate to Tierra del Fuego, and change my name... :-/ ;D
Is NAV overdoing it when it still identifies the file as being infected after it has been 'converted' to a temp file?
spy1
April 13th, 2002, 02:01 PM
Hi, Tony!
I hear what you're saying, but having selectable scanning of extensions serves a good purpose for those who don't want all extensions scanned (although I really can't imagine why everyone wouldn't want all extensions scanned - if I'm going to scan, I'm going to scan!). Pete
TonyKlein
April 13th, 2002, 02:04 PM
I understand, but what I'm wondering is why NAV identifies the temp file created by NOD32's pop scanner as infected after the file has been deleted by AMON.
I'm puzzled.
spy1
April 13th, 2002, 02:12 PM
Even though the code's in text in the temp file (or at least I think it is - I don't have one to play with here), NAV is probably still picking up on its presence.
Tried checking Symantec's KnowledgeBase? Pete
TonyKlein
April 13th, 2002, 02:27 PM
Not yet, Pete.
It would be nice if Eset would be able to come up with a new POP3 scanner that doesn't create the files in the first place, though.
MickeyTheMan
April 13th, 2002, 04:16 PM
Are the Nod temp files annoying? Definitely!
Do they pose a security risk? No!
ESET has acknowledged that the problem exists, but not a vital one to warrant issuing a new version in a rush. They said the fix will be included in the upcoming version.
As for Nav, this is to be considered a false positive the same as code red was in Spyblocker's log file.
Should the temp file be emptied? Yes, regularly, regardless of Nod!
TonyKlein
April 13th, 2002, 06:06 PM
Hi Mickey,
Thanks!
I do clean my temps out on a daily basis.
I have a convenient little batch file for that, which I access via a desktop shortcut.
However, the fact that NAV alerted me to this so-called infected file, after Nod32 zapped it was a little disconcerting to me.
However, you have managed to reassure me now. ;D
root
April 13th, 2002, 10:39 PM
Hi Tony, I'm not a big Norton fan by any stretch of the imagination, but in this case I would say it's a good call by Norton.
AV's look for signatures. When NOD renamed the extension, it did not change the Code in the file. Norton, for some reason is scanning tmp files, so it picked up the code (virus signature) and warned you. I would not call that a false positive.
I have NOD32, and have always considered it a very good AV. I think this little quirk should be fixed soon, but don't think it's panic time.
Always good to have a backup AV and AT to do manual scans with. Nobody catches everything.
TonyKlein
April 14th, 2002, 06:42 AM
I've always used NAV, and I don't really have the strong feelings that many others here appear to feel whenever the word Norton pops up.. ;)
I recently switched to NOD32 mainly because of problems with NAV 2002's email scan, and because I do believe NOD32 is among the finest you can get.
I will keep NAV updated, and use it as an on demand scanner.
2 things:
I saw a post at the NOD32 board at Becky's where one Phil was sent the new and improved POP3scan module just by asking for it. He now has no more temp files being created.
I wonder why as yet it hasn't been made available to everyone generally.
Second, as my NOD32 just caught its first virus I have one question:
When the POP3 module alerts you to the presence of a virus in an attachment, it isn't able to destroy or repair it itself, right?
Does it convert the virus in the extension to a temp file straight away to be detected and destroyed by a NOD32 scan, and does that mean that the attachment is rendered harmless as a result?
This isn't clear, and as you can't just rightclick an attachment and have it scanned, I'm wondering how exactly to go about it.
Paul Wilders
April 14th, 2002, 10:34 PM
Hi Tony,
-{ Quote: "I wonder why as yet it hasn't been made available to everyone generally." }-
As Mickey has stated, since it does not have first priority (not being a dangerous flaw), Eset is concentrating on the upcoming new build.
-{ Quote: "When the POP3 module alerts you to the presence of a virus in an attachment, it isn't able to destroy or repair it itself, right?" }-
Right.
-{ Quote: "Does it convert the virus in the extension to a temp file straight away to be detected and destroyed by a NOD32 scan, and does that mean that the attachment is rendered harmless as a result?" }-
It does.
regards.
paul
TonyKlein
April 14th, 2002, 10:55 PM
Thank you, Paul!
Nod32 should be so informative... :-/
Thanks a lot for enlightening me on this subject.
Cheers,
Paul Wilders
April 14th, 2002, 11:01 PM
My pleasure, Tony.
In case of matters concerning security software like NOD32 in this case: whenever you encounter a problem, feel free to drop me an email. We do have frequent contact with many software vendors - could speed up things.
regards.
paul
spy1
April 15th, 2002, 04:43 PM
Got the 'fix' for the Temp email folders problem - Paul, you want me to send it to you and let you put it up for d/l? Probably won't be too much of a bandwidth drain. Pete
TonyKlein
April 15th, 2002, 05:05 PM
Great, Pete! :D
Can I have one, pleaaaase? ;D
spy1
April 15th, 2002, 06:53 PM
Tony - You have mail. The copy I sent you is for the English version of Win9x. Instructions follow:
"1. make sure you are using english version of nod32. if not so, please contact us for appropriate language version of the pop3scan.exe file
2. quit pop3 scanner
3. overwrite the old pop3scan.exe with the attached one. it is located where you installed nod32 (typically c:\program files\eset)
4. start pop3 scanner" Enjoy! Pete
spy1
April 15th, 2002, 07:41 PM
For others who're not sure of the way to go about getting it direct from eSet, do this:
Go to: http://www.nod32.com/support/support.htm
Click on the country in the list that's closest to you or which uses the language of your choice. This will bring you to the 'Technical Support Request' page, which you'll then have to fill out (fill it out and follow all instructions exactly - it's really not that hard).
When you're done, click 'Submit'.
That's it. You'll have it in your email before you know it. Pete
TonyKlein
April 15th, 2002, 07:44 PM
Pete,
Thanks a Mil!
I do have the English version, but I already replaced mine before seeing this post.
I did it slightly differently:
I didn't overwrite the old one, but closed it down and removed it.
Then put the new one in and rebooted.
It started working right away and didn't even need to be configured.
I owe you one!
Thanks again,
Tony
FanJ
April 15th, 2002, 10:01 PM
Pete/Tony,
Do you have a version number of that new pop3scanner? Is it a different version number compared to the existing one?
Thanks, Jan.
Paul Wilders
April 15th, 2002, 10:08 PM
Jan,
You can check yourself if you want; just drop us an email.
For the record: we (wilders.org) will not put up this file for download, regardless of the O/S. The way as stated above is in general the way to go.
regards.
paul
TonyKlein
April 16th, 2002, 04:42 AM
-{ Quote: "Pete/Tony,
Do you have a version number of that new pop3scanner? Is it a different version number compared to the existing one?
" }-
Hi Jan,
I don't have the old one any more, but no, it shows the same version number as Nod32.exe does, which is 1.244 (20020412).
It is however 112 kB, which is I believe almost twice as big as the old one.
And I have yet one more question (:D):
This new pop3-scan module doesn't create any more temp files, which is a good thing.
Now I'm wondering:
Before, when I got an infected attachment, and Pop3 scan alerted me to it, it converted it to a temp file, and when running Nod32, it found only this temp file to be infected.
ESET says, that that's the way to proceed: Popscan can't destroy a virus, but can only halt it so to speak by converting it to this temp file (someone stop me if I'm wrong)
Now it doesn't create temp files any more, which makes me wonder if that means that in the case of an infected attachment the new version of Pop3 scan does effectively destroy it.
I see no other logical possibility.
So please enlighten this confused NOD32 user
MickeyTheMan
April 16th, 2002, 06:28 AM
-{ Quote: "Pete/Tony,
Do you have a version number of that new pop3scanner? Is it a different version number compared to the existing one?
Thanks, Jan." }-
Hi Jan, there is no version number, but size has changed.
Old one was 67kb (68,608 bytes)
New is 112kb (114,688 bytes)
FanJ
April 16th, 2002, 07:02 AM
Thanks Tony and Mickey ;)
PS: in about a week I have to renew my subscription for another year (I guess I'm going to do that).
Thanks again, Jan.
FanJ
April 16th, 2002, 07:05 AM
Hi Tony,
-{ Quote: "Now it doesn't create temp files any more, which makes me wonder if that means that in the case of an infected attachment the new version of Pop3 scan does effectively destroy it. " }-
Have you tried to send yourself the EICAR-test-virus?
Cheers, Jan.
TonyKlein
April 16th, 2002, 07:40 AM
Good idea, Jan.
However, Pop3 scan tells me "eicar.com contains Eicar test file", but gives me no options.
The 'next' button doesn't work.
I just hope it behaves differently in case of a real virus.
Would someone mind testing this as well, please?
TonyKlein
April 16th, 2002, 08:16 AM
Additionally, when I reenabled AMON, and proceeded to save the attached eicar file it was dealt with straight away.
This is good.
I then sent myself a zipped copy of Eicar, which wasn't detected by the Pop3 scan module.
Saved it on disk, and Amon didn't detect it either, because of the fact that *.zip isn't included in the extensions to be scanned.
Should I add it, do you think?
Finally I ran Nod32, which did detect Eicar in the zip file, but said that as it was archived, it couldn't clean it.
I take it, that as it's zipped, it's harmless (yes, I'm a real newbie... :D)
FanJ
April 16th, 2002, 08:32 AM
Setup Tab:
-{ Quote: "<snip>
In the bottom right hand corner of the Tab, there is a separate Extensions button, which permits editing of the filenames extensions to be scanned." }-
Extension Editor:
-{ Quote: "
Extension editor serves as a tool to define the extensions of the files to be scanned for virus infiltrations.
The current list of the extensions in alphabetical order is displayed in the left-hand side of the window.
The five buttons on the right hand side offer the following functions:
· OK – finishes editing of the extensions and records the actual listing of the extensions
· Cancel – finishes editing without any changes in the list of extensions
· Add – adds the extension from the entry field to the list of extensions in the window
· Delete – removes from the list the extension marked by the cursor
· Default – cancels the actual list of extensions and replaces it with the default
The check box: Scan all files is located in the bottom part of the window. If this check box is selected every file is scanned regardless of its extension. In this case the list of the extensions and the Add and Remove buttons are not accessible. Selection of this option is not recommended in standard situations.
To add a new extension press the button Add. This opens a new window with an entry field where the new extension (maximum 10 characters long) is to be typed. Press the OK button to file the extension into the list of the tested extensions.
The current list of the extensions of the tested files is saved after the button Save located in the Setup Tab is pressed." }-
I have set it to scan all files (regardless of extension).
PS: I only run NOD32 on-demand.
Paul Wilders
April 16th, 2002, 08:36 AM
Hi Tony,
-{ Quote: "However, Pop3 scan tells me "eicar.com contains Eicar test file", but gives me no options." }-
That's by design.
-{ Quote: "The 'next' button doesn't work." }-
This button does work - in case you have received more than one infected email. It will show the "next" infected email you would have received.
-{ Quote: "Saved it on disk, and Amon didn't detect it either, because of the fact that *.zip isn't included in the extensions to be scanned.
Should I add it, do you think?" }-
You could opt for the "scan all files" option.
regards.
paul
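The behaviour discussed across the posts above (a renamed .tmp copy still matching a signature, and a zipped EICAR slipping past an extension list until "scan all files" is enabled) can be reproduced with a small model. This is an added example, not code from any poster or from ESET: `DEFAULT_EXTENSIONS`, the sample files and the scanner logic are constructed for illustration, and the signature is only the readable marker from the EICAR test string, not the full test file.

```python
import io
import zipfile

# Constructed signature: the readable marker found in the EICAR test string.
SIGNATURE = b"EICAR-STANDARD-ANTIVIRUS-TEST-FILE"
# Hypothetical default extension list; the real product's list is not on the page.
DEFAULT_EXTENSIONS = frozenset({"com", "exe"})


def contains_signature(data, depth=0):
    """Match on content; unpack ZIP archives (nested up to 3 levels deep)."""
    if SIGNATURE in data:
        return True
    if depth < 3 and zipfile.is_zipfile(io.BytesIO(data)):
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return any(contains_signature(zf.read(name), depth + 1)
                       for name in zf.namelist())
    return False


def scan(name, data, extensions=DEFAULT_EXTENSIONS, scan_all=False):
    """The extension list only gates whether a file is opened at all."""
    ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
    if not scan_all and ext not in extensions:
        return "skipped"
    return "infected" if contains_signature(data) else "clean"


def make_zip(inner_name, payload):
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(inner_name, payload)
    return buf.getvalue()


# Constructed sample files mirroring the cases in the thread.
SAMPLE = b"constructed sample: " + SIGNATURE + b" :end"
FILES = {
    "eicar.com": SAMPLE,                         # attachment saved as-is
    "Nod328335.TMP": SAMPLE,                     # same bytes, renamed temp copy
    "eicar.zip": make_zip("eicar.com", SAMPLE),  # zipped copy
    "notes.txt": b"nothing to see here",
}


def run(extensions=DEFAULT_EXTENSIONS, scan_all=False):
    return {n: scan(n, d, extensions, scan_all) for n, d in FILES.items()}


if __name__ == "__main__":
    print("default list :", run())
    print("with *.tmp   :", run(extensions=DEFAULT_EXTENSIONS | {"tmp"}))
    print("scan all     :", run(scan_all=True))
```
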
TonyKlein
April 16th, 2002, 08:48 AM
Thanks guys, that about answers all my questions.
I had in fact discovered the 'extensions' radio button, and I had already configured Nod32 to scan all files, but hesitated to do the same with Amon.
In your opinion, does it make any difference in system resources or performance if it runs in the background all the time scanning all files?
I'm going to check that next.
Thanks!
Paul Wilders
April 16th, 2002, 08:55 AM
Settled ;)
-{ Quote: "In your opinion, does it make any difference in system resources or performance if it runs in the background all the time scanning all files?" }-
Not that I have experienced. But give it a try yourself!
regards.
paul