Hijacking of process not recognized?


softtouch
August 24th, 2006, 09:52 PM
I just wrote a small test program, which does nothing but hijack notepad and write my own code into notepad's process memory and execute it there.
If AMON is enabled during compilation, it blocks it, but once the executable is on the hard disk, AMON does not block it any longer and I can execute it.

http://www.tindahan.biz/myitems/np.jpg

Virustotal shows:

http://www.tindahan.biz/myitems/vt.jpg

I think it should be detected by AMON if I try to execute it, and not only if I try to create it. I can even copy and paste it, and it will not be recognized.

And before anybody will tell me to submit it to eset, I DID, weeks ago.

fosius
August 25th, 2006, 01:57 AM
Your sample is detected only by Advanced Heuristics and AMON uses AH only on new and changed files. It should be enough because by default AMON automatically moves these files to quarantine so there is no chance you can execute them (and bypass the AH detection).

softtouch
August 25th, 2006, 07:15 AM
{QUOTE-> Your sample is detected only by Advanced Heuristics and AMON uses AH only on new and changed files. It should be enough because by default AMON automatically moves these files to quarantine so there is no chance you can execute them (and bypass the AH detection). <-QUOTE}

It's not the case. Only during compilation is it blocked. But once the exe is on the hard disk, it is not recognized. Also, if I zip the exe and unzip it to any location, it's not recognized. Only if I create it during compilation OR right-click it and check it with NOD manually.

Btw, I am NOT writing any virus or malware, I just wrote a small test program to see how my antivirus scanner and other software react to it.

Marcos
August 25th, 2006, 07:25 AM
It must be detected during the unzip process as it's a normal file creation when AMON uses AH for scanning.

NOD32 user
August 25th, 2006, 09:06 AM
{QUOTE-> It must be detected during the unzip process as it's a normal file creation when AMON uses AH for scanning. <-QUOTE}Maybe it is disabled?

softtouch,
Is your AMON set like this (http://www.wilderssecurity.com/showpost.php?p=201881&postcount=16) and this (http://www.wilderssecurity.com/showpost.php?p=201882&postcount=17) ?
and also is detection configured as pictured below, and to scan all files extensions or something else?

Cheers :)

Marcos
August 25th, 2006, 09:31 AM
It's a wrong screenshot, see additional options on create found on the Options tab.

NOD32 user
August 25th, 2006, 09:37 AM
{QUOTE-> It's a wrong screenshot, see additional options on create found on the Options tab. <-QUOTE}Yes, additional options on create and actions tabs are shown in the two linked posts.
Screenshot I posted was just for completeness whilst looking at tabs...
I'll stay quiet now :lurking:

Cheers :)

softtouch
August 25th, 2006, 09:18 PM
Ok, I have modified the NOD32 settings and it is recognized if I unzip it too, but I still can execute it without problem once it is on the hard disk. AMON does not recognize it during execution. Is there ANY setting I may have missed in NOD32 to prevent executing such code?

Marcos
August 26th, 2006, 02:28 AM
As it's been said, AMON uses AH on create only. Otherwise your computer performance would become so slow that it would be virtually unusable. AMON moves files detected by AH on create to quarantine to prevent their execution.

CyberMew
August 26th, 2006, 04:43 AM
So if my external hard disk contains the file, and I plug it into my desktop and run it, NOD32 (IMON or AMON) will not notify me at all?

softtouch
August 26th, 2006, 06:05 AM
{QUOTE-> So if my external hard disk contains the file, and I plug it into my desktop and run it, NOD32 (IMON or AMON) will not notify me at all? <-QUOTE}

This is at least what it does with my test program. I tried this by copying it to a memory stick, plugging this into another computer and starting it, and NOD32 did not complain.

I do not understand why the option "Scan on Execute" is there if it is not scanned on execute...?

Marcos
August 26th, 2006, 06:16 AM
Files are scanned on create and execute. However, AH is used only on create, otherwise your computer would become unusable. Since everything has been explained, this thread is now closed.