amon not working?


spacekris
March 6th, 2006, 05:33 PM
hello,
I am currently trying your NOD32 because it's less resource-hungry than other scanners.

my system: XP, SP2
NOD32: trial 2.50.25, database: 1.1432, updated today
settings:
AMON running,
detection on open, create, execute / files
local disks & media / media
that's all ticked on this page

scanning by extension: EXE

on the options page all ticked.

no exclusions / security all ticked.

the problem:
I have downloaded a file "datei.exe".
When I scan this file with the on-demand scanner it says "a variant of win32/agentTV trojan".
When I double-click the exe, 2 files are created in the system folder: one exe, one dll.
So the question: why doesn't NOD32 interfere??
The setting is "alert me when something is found", but it only finds this when I manually scan it?

Marcos
March 6th, 2006, 05:42 PM
Because you executed a file not detected by a signature. Upon saving to the disk, AMON would have detected it and moved it to quarantine to prevent its execution.

spacekris
March 6th, 2006, 06:10 PM
thanks for the fast reply,
but I don't really get it.
In the options it says "files: scan on open/execute/create"?
So you are saying it's only detected when saved/created?
What exactly do you mean by "not detected by a signature"?
Why not?
Or I don't get the settings... or the way NOD32 works, but shouldn't it autoscan an exe file when it's double-clicked?

alglove
March 6th, 2006, 07:20 PM
So you mean you have datei.exe, which the on-demand scanner says is "a variant of win32/agentTV trojan". Inside datei.exe are two files: datei-1.exe and datei-2.dll.

Your questions are:
Why is datei.exe not caught by AMON when I execute it?
Why is datei-1.exe not caught by AMON when it is created?

datei-2.dll will not be caught because you have the extensions set to EXE only.

spacekris
March 6th, 2006, 08:06 PM
{QUOTE-> So you mean you have datei.exe, which the on-demand scanner says is "a variant of win32/agentTV trojan". Inside datei.exe are two files: datei-1.exe and datei-2.dll.

Your questions are:
Why is datei.exe not caught by AMON when I execute it?
Why is datei-1.exe not caught by AMON when it is created?

datei-2.dll will not be caught because you have the extensions set to EXE only. <-QUOTE}
Yes, exactly this is the situation.

For the dll it's obvious and logical, indeed. For the exes it's not.

Marcos
March 7th, 2006, 04:06 AM
If the exe file was actually detected using AH, it would have been moved to quarantine upon creation. Maybe there was no generic signature for this threat at the time it was saved to the disk.

spacekris
March 7th, 2006, 09:43 AM
{QUOTE-> Maybe there was no generic signature for this threat at the time it was saved to the disk. <-QUOTE}
The "detect on create" was not ticked at the time datei.exe was saved to disk, but it is ticked when the 89axmoduleap.exe (or similar) is created when you double-click datei.exe, and that one is NOT detected!

{QUOTE->
but I don't really get it.
In the options it says "files: scan on open/execute/create"?
So you are saying it's only detected when saved/created? Why?
..., but shouldn't it autoscan an exe file when it's double-clicked? <-QUOTE}
{QUOTE-> Your questions are:
Why is datei.exe not caught by AMON when I execute it?
Why is datei-1.exe not caught by AMON when it is created?
<-QUOTE}
So again please, can someone say why this behaviour occurs, or does NOD32 not work..?

Marcos
March 7th, 2006, 02:38 PM
You disabled default AMON settings that ensure protection against new threats and now you complain that you got infected. Come on... AMON uses AH to scan files on create and, if it's evaluated as malicious, it's moved to quarantine. Even if you disable AMON and happen to run a malicious file, the startup file check feature will tell you that an infected file is starting up with Windows.

spacekris
March 7th, 2006, 02:51 PM
can someone more competent please answer the questions?

Lollan
March 7th, 2006, 02:57 PM
{QUOTE-> can someone more competent please answer the questions? <-QUOTE}

They don't get much more competent than Marcos ;)

alglove
March 7th, 2006, 07:00 PM
I believe spacekris is running tests like this in order to see how "bulletproof" the software really is. If a malicious file somehow manages to sneak in before my antivirus program can detect it, I would like to know that the file will still be stopped once it can be detected.

Why was datei.exe not detected upon execute?

Marcos said, "Because you executed a file not detected by a signature. Upon saving to the disk, AMON would have detected it and moved to quarantine to prevent its execution." Does this mean that files detected by heuristics are caught when they are created, but not when they are executed? ???

Why was datei-1.exe not detected upon creation?

Perhaps datei-1.exe is harmless by itself, but the datei-2.dll file is the truly harmful part. Or to put it another way, the "virus code" that gets detected by the heuristics resides in datei-2.dll. Try adding DLL to your AMON extensions and see if that makes any difference.

spacekris
March 7th, 2006, 11:27 PM
{QUOTE->
Why was datei.exe not detected upon execute?

[...] Does this mean that files detected by heuristics are caught when they are created, but not when they are executed? ??? <-QUOTE}
Yes, what role does the "detect upon open & execute" play?
It was ticked all the time.
When I execute an exe, that means double-clicking, no?
Marcos specified only the "create" part.

{QUOTE-> Why was datei-1.exe not detected upon creation?
Perhaps datei-1.exe is harmless by itself, but the datei-2.dll file is the truly harmful part. Or to put it another way, the "virus code" that gets detected by the heuristics resides in datei-2.dll. <-QUOTE}
NO.
When I scan the created exe, it is also detected as trojan something!
And THAT is a creation, but it is NOT detected!?

Marcos
March 8th, 2006, 03:11 AM
{QUOTE->
Why was datei.exe not detected upon execute?
<-QUOTE}

It seems most of you still don't understand how AMON works. Read carefully what AMON says:

spacekris
March 8th, 2006, 09:45 AM
{QUOTE-> It seems most of you still don't understand how AMON works. Read carefully what AMON says: <-QUOTE}

http://i2.tinypic.com/qzes1z.jpg

Either we are too stupid or you are just not able to explain it so that we get it.
How about not giving us riddles, just answering the question?
What kind of support is this? :thumbd:
I don't have much time to waste, and it seems I am doing just that.
I am not convinced about the product, sorry.

fosius
March 8th, 2006, 09:53 AM
{QUOTE-> http://i2.tinypic.com/qzes1z.jpg

Either we are too stupid or you are just not able to explain it so that we get it.
How about not giving us riddles, just answering the question?
What kind of support is this? :thumbd:
I don't have much time to waste, and it seems I am doing just that.
I am not convinced about the product, sorry. <-QUOTE}

Marcos is right. Spacekris, yes, AMON scans files on execute, too. But on execute AMON doesn't use Advanced Heuristics and doesn't scan RUNTIME ARCHIVES or SELF-EXTRACTING ARCHIVES. That's the key. If you had left "Move to quarantine" upon creation enabled, you wouldn't have had any chance to get infected. Your AMON detected it upon creation to disk, but didn't move it to quarantine. Then when you tried to execute that file, AMON scanned it (but without the AH, runtime packers and self-extracting archives options), and that's the reason why it slipped through AMON!

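The on-access policy fosius describes above (Advanced Heuristics and runtime/SFX unpacking applied on create but not on execute, plus the extension filter) is easier to reason about as explicit decision logic. The following is an added example written for this page, not ESET code and not part of any post in this thread: the event names, the `Settings` fields, the outcome strings and the sample files (including the dropped file names) are assumptions made purely to illustrate the policy. It models two runs of the poster's scenario: with default settings the downloaded file is quarantined on create, and with "scan on create" off at download time the file runs and the dropped DLL is skipped because only EXE is in the extension list. The model reproduces the explanation, not the poster's observation that the dropped exe also slipped through; the thread leaves that unexplained.

```python
"""Toy model of an AMON-style on-access scanner policy (constructed example).

Assumptions, not ESET behaviour: event names, outcome strings, file names
and the Settings/Sample fields are all invented for illustration.
"""
from dataclasses import dataclass, field

CREATE, OPEN, EXECUTE = "create", "open", "execute"


@dataclass(frozen=True)
class Settings:
    scan_on_create: bool = True
    scan_on_execute: bool = True
    extensions: frozenset = frozenset({"EXE"})  # poster scanned EXE only
    quarantine_on_create: bool = True


@dataclass
class Sample:
    name: str
    signature_hit: bool   # matched by a plain signature
    heuristic_hit: bool   # found only via AH / runtime-packer / SFX emulation
    drops: list = field(default_factory=list)  # files written when executed


def ext(name: str) -> str:
    return name.rsplit(".", 1)[-1].upper() if "." in name else ""


def scan(sample: Sample, event: str, s: Settings) -> str:
    """Outcome of one on-access event. Per the thread: AH and unpacking run
    on create only; open/execute rely on plain signatures."""
    if ext(sample.name) not in s.extensions:
        return "skipped(extension)"
    if event == CREATE:
        if not s.scan_on_create:
            return "skipped(create-off)"
        if sample.signature_hit or sample.heuristic_hit:
            return "quarantined" if s.quarantine_on_create else "alerted"
        return "clean"
    if event == EXECUTE:
        if not s.scan_on_execute:
            return "skipped(execute-off)"
        return "blocked" if sample.signature_hit else "clean"
    return "clean"  # OPEN: same signature-only rule, kept minimal here


def run(sample: Sample, at_download: Settings, at_runtime: Settings) -> list:
    """Download the file, then double-click it. Returns (file, event, outcome)
    tuples in order; stops as soon as the scanner intervenes."""
    log = [(sample.name, CREATE, scan(sample, CREATE, at_download))]
    if log[-1][2] == "quarantined":
        return log
    log.append((sample.name, EXECUTE, scan(sample, EXECUTE, at_runtime)))
    if log[-1][2] == "blocked":
        return log
    for child in sample.drops:  # payload drops its components on first run
        log.append((child.name, CREATE, scan(child, CREATE, at_runtime)))
    return log


# Constructed samples: heuristic-only detections, as the poster's file appears
# to have been (caught by on-demand scan, no plain signature on execute).
DROPPED_EXE = Sample("89axmoduleap.exe", signature_hit=False, heuristic_hit=True)
DROPPED_DLL = Sample("dropped.dll", signature_hit=False, heuristic_hit=True)
DATEI = Sample("datei.exe", signature_hit=False, heuristic_hit=True,
               drops=[DROPPED_EXE, DROPPED_DLL])

DEFAULT = Settings()
POSTER_AT_DOWNLOAD = Settings(scan_on_create=False)   # ticked later
POSTER_AT_RUN = Settings(scan_on_create=True)
POSTER_WITH_DLL = Settings(extensions=frozenset({"EXE", "DLL"}))


def default_scenario() -> list:
    return run(DATEI, DEFAULT, DEFAULT)


def poster_scenario() -> list:
    return run(DATEI, POSTER_AT_DOWNLOAD, POSTER_AT_RUN)


def with_dll_scenario() -> list:
    """alglove's suggestion: add DLL to the extension list."""
    return run(DATEI, POSTER_AT_DOWNLOAD, POSTER_WITH_DLL)


if __name__ == "__main__":
    for label, log in (("default", default_scenario()),
                       ("poster", poster_scenario()),
                       ("poster+DLL", with_dll_scenario())):
        print(label)
        for name, event, outcome in log:
            print(f"  {name:20} {event:8} {outcome}")
```

The point the model makes is that the create-time scan is the only place the expensive detections run, so whatever reaches disk unscanned is judged by signatures alone afterwards; the extension filter is a second, independent gap that no later event closes.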
WSFuser
March 8th, 2006, 10:31 AM
{QUOTE-> But on execute AMON doesn't use Advanced Heuristics and doesn't scan RUNTIME ARCHIVES or SELF-EXTRACTING ARCHIVES. That's the key. <-QUOTE}
Is there anything we can do about that? Or will NOD32 v3 do anything to improve on that?

fosius
March 8th, 2006, 10:38 AM
Advanced Heuristics is very sophisticated and more time-consuming code emulation. If AMON used AH on execution, your computer would probably be a lot slower. The same goes for runtime packers and self-extracting files. I am not an expert, but maybe the guys from ESET will have a surprise in the new 3.0 version.

spacekris
March 8th, 2006, 01:09 PM
@fosius: thank you for the explanation. You cleared it up.

WSFuser
March 8th, 2006, 06:21 PM
{QUOTE-> @fosius: thank you for the explanation. You cleared it up. <-QUOTE}
Same here. I guess we wouldn't want to have NOD32 slow down our computers too much.

Marcos
March 9th, 2006, 04:23 AM
Yep, in certain cases operations on files might take even 10 seconds or more with AH enabled for all operations. Also bear in mind that NOD32 uses a startup file check feature which automatically scans all files run at startup with all settings maxed out.