imon1.dat in \system32


poogimmal
January 6th, 2007, 08:03 AM
doing a semi-regular system scan for changes, I got an alert that there was a new file in w2k \system32\imon1.dat, 43 bytes of text. google finds vague references to this file, usually in a malware context. the file itself scans clean in nod32 and total virus scans. did nod32 create that file? if so, should it have left it in \system32? what is it doing, and any harm if manually deleted?? I asked the same question to eset support and so far (at more than 24 hours) no reply. not intended as negative criticism of nod32, I've been using it happily a few years now on several PCs.

gnervt
January 6th, 2007, 09:28 AM
hi poogimmal!

this file is definitely from nod32
this file is updated (recreated) after every update/upgrade
this file contains one or more e-tags and timestamps
this e-tag is submitted at every update to the eset server...
...maybe to identify a client as nod version
...maybe to count the updates/upgrades
...maybe to count how many nod installations are running
...maybe someone from eset is willing to clarify that... :dry: ;D

poogimmal
January 6th, 2007, 06:22 PM
-{ Quote: "hi poogimmal!

this file is definitely from nod32
this file is updated (recreated) after every update/upgrade
this file contains one or more e-tags and timestamps
this e-tag is submitted at every update to the eset server...
" }-

thanks for the "confirmation" of what I was thinking. if you are 100% correct then it is curious in that I've had nod32 on this box 2+ years, it updates automatically almost daily, and I scan the system for changes and new files semi-frequently and on an irregular basis, and I'm pretty sure (99.9% sure) I've never had imon1.dat reported before as either a new or changed file. otherwise, yes, it appears to be an %ETAG with a "time-stamp" || and... I have a licensed version on a 2nd w2k box here, and just searched it and it finds no imon*.dat anywhere on its c:\ || so it's not updated or recreated on every machine after every update. meanwhile, still no reply from eset re my support msg on this topic. it's the weekend, so I'll see if & when I get an "official" reply (hopefully) this coming week.

Marcos
January 6th, 2007, 06:33 PM
-{ Quote: "
this file is definitely from nod32
" }-
How do you know?

-{ Quote: "this file was updated(recreated) after every update/upgrade
" }-
Ehm, how come I don't know about such a "feature"?

-{ Quote: "this file contains one or more e-tag's and timestamp's
this e-tag is submitted at every update to the eset server..." }-
How come nobody from ESET's developers knows about e-tag? Nothing like this is submitted to ESET.

-{ Quote: "
...maybe to identify a client as nod version
...maybe to count the updates/upgrades
...maybe to count how many nod installations are runnin
...maybe someone from eset is willing to clarify that... :dry: ;D" }-

poogimmal
January 7th, 2007, 11:03 AM
-{ Quote: "How do you know?

How come nobody from ESET's developers knows about e-tag? Nothing like this is submitted to ESET." }-

yikes! marcos, you are also confirming my "curious" reply above re me not finding imon1.dat on my other nod32-protected w2k. hummm, so I guess I'll delete imon1.dat and hold it until further notice, and monitor my system files more often. hard to imagine anything mal* created it on this box, which has strong protection, practices safe hex, and scans clean even booted from a LiveCD. So, I like to assume that nod32 *did* legitimately create that file, but I assume, as moderator, your post has the more informative data.
I wonder if it could have anything to do with already having nod32 installed, and then downloading another copy to put on another machine??

Marcos
January 7th, 2007, 11:13 AM
-{ Quote: "yikes! marcos, you are also confirming my "curious" reply above re me not finding imon1.dat on my other nod32-protected w2k. hummm, so I guess I'll delete imon1.dat and hold it until further notice, and monitor my system files more often. hard to imagine anything mal* created it on this box, which has strong protection, practices safe hex, and scans clean even booted from a LiveCD. So, I like to assume that nod32 *did* legitimately create that file, but I assume, as moderator, your post has the more informative data.
I wonder if it could have anything to do with already having nod32 installed, and then downloading another copy to put on another machine??" }-

Send it to support @ eset.com along with a link to this thread so that I can have a look at it.

poogimmal
January 7th, 2007, 11:22 AM
-{ Quote: "Send it to support @ eset.com along with a link to this thread so that I can have a look at it." }-

I sent ESET a msg the other day, got a reply this am.

"Update for Case #9257 - "imon1.dat"

An ESET Customer Care Representative has updated this case with the following
information:

Hello,

If your NOD32 is up to date you should be fine. I would leave it.

Thank you,
Eset Technical Support"

Marcos
January 7th, 2007, 11:28 AM
It's a response from the guys in the US; I work for ESET's Slovak headquarters. If you send it to support @ eset.com I'll get it.

gnervt
January 7th, 2007, 12:17 PM
-{ Quote: "How do you know?" }- http://img218.imageshack.us/img218/5411/imonqh1.th.gif (http://img218.imageshack.us/my.php?image=imonqh1.gif)
using sysinternals process explorer on a running nod32

-{ Quote: "Ehm, how come I don't know about such a "feature"?" }- dunno...
-{ Quote: "How come nobody from ESET's developers knows about e-tag?" }- dunno...look at the pic above the marked line...

-{ Quote: " Nothing like this is submitted to ESET. " }-
I'm sorry about that - as far as I can see YOU ARE RIGHT - the e-tag was sent from the server to the client...ehm, a lil mixup...

Hazeleyze
January 7th, 2007, 12:45 PM
I would trust Marcos over Sysinternals. This is obviously something that isn't supposed to be there. I've had Nod on this computer for two years and I don't have imon1.dat.

Marcos, please let us know what you come up with.

Bubba
January 7th, 2007, 02:20 PM
-{ Quote: "I would trust Marcos over Sysinternals" }-
I would like to believe this is not about trusting one individual over another, considering I also have imon1.dat, created Sunday, September 24, 2006, 6:23:10 AM, located in my system32 folder with the below contained within.
-{ Quote: "%ETAG="145adc1a-390-456f1be5"%TIME=1166793466
%ETAG="217f826-1ee38-d12da100"%TIME=1164982595
%ETAG="4c830a-aaf9-b7482340"%TIME=1165497201
%ETAG="65e7fe-1b8e5-456feaeb"%TIME=1165156175
%ETAG="65e7ff-1a000-456feaf2"%TIME=1165156177
%ETAG="8a429d-6800-5204f5c0"%TIME=1166926595
%ETAG="fede3-4ae78-43d49a22"%TIME=1165324912
%ETAG="fede7-5a71-43d49a22"%TIME=1165326279" }-
It's garbage to me and only because of this thread did I care to look. Whether it's Eset's file or not I have no clue, but via notepad instead of Sysinternals my imon.dll file makes reference to imon1.dat, even tho that still does not make me suspicious of Eset :blink:
-{ Quote: "S c a n n e r ÿÿÿÿZwQuerySystemInformation ZwQueryObject n t d l l . d l l p r _ i m o n . d l l % N A M E = " ? T H I S C O M P U T E R " % I T Y P E = " C O M P " % % N A M E = " ? P W A T T A C K " % % I T Y P E = " A T T A C K " % % S R C I P = " % d . % d . % d . % d " % I N F E C T E D = % A C T I O N = A 1 < T O T A L > < I N F E C T E D > < C L E A N E D > < F I L E N A M E > | * | # m m e : D O N T S H O R T E N T I M E E T A G \ i m o n 1 . d a t %%ETAG="%s"%%TIME=%u
p a s s i v e _ h o s t _ l i s t chunked deflate gzip 8bit identity User-Agent: X-NOD32-Mode: If-Range: If-None-Match: If-Match: ETag: Content-Location: Location: Transfer-Encoding: Content-Encoding: Connection:" }-YMMV,
Bubba
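The records Bubba pasted, together with the `%%ETAG="%s"%%TIME=%u` format string he found in imon.dll, describe the file's layout completely: one record per line, a quoted ETag (the value an HTTP server returns for a cached resource) followed by an unsigned decimal number. The Python below is an added example written for this thread, not code from ESET or from any poster. It parses that layout, reports any line that does not match the format string instead of skipping it, and converts each %TIME value to a UTC date on the assumption (mine, not stated on the page) that it is seconds since the Unix epoch; the fact that the eight sample records then land in December 2006, just before this thread was posted, is what makes the "update cache" explanation consistent with the data. The sample input is the eight records from the post above, reassembled one per line.

```python
import re
from datetime import datetime, timezone

# Sample input: the eight records quoted in the post above, one per line
# (constructed from the forum quote, which ran the first two together).
SAMPLE_IMON1_DAT = """\
%ETAG="145adc1a-390-456f1be5"%TIME=1166793466
%ETAG="217f826-1ee38-d12da100"%TIME=1164982595
%ETAG="4c830a-aaf9-b7482340"%TIME=1165497201
%ETAG="65e7fe-1b8e5-456feaeb"%TIME=1165156175
%ETAG="65e7ff-1a000-456feaf2"%TIME=1165156177
%ETAG="8a429d-6800-5204f5c0"%TIME=1166926595
%ETAG="fede3-4ae78-43d49a22"%TIME=1165324912
%ETAG="fede7-5a71-43d49a22"%TIME=1165326279
"""

# One record exactly as the imon.dll format string  %%ETAG="%s"%%TIME=%u
# would write it: a quoted ETag string, then an unsigned decimal number.
RECORD_RE = re.compile(r'^%ETAG="(?P<etag>[^"]*)"%TIME=(?P<time>\d+)$')


def parse_imon1_dat(text):
    """Parse imon1.dat-style text.

    Returns (records, rejected). Each record is a dict holding the raw ETag,
    the %TIME integer and its UTC datetime (assumption: %TIME is seconds since
    the Unix epoch). Lines that do not match the format string, or whose
    timestamp cannot be converted, are returned in `rejected` as
    (line_number, line) rather than silently dropped: unexpected content is
    exactly what a file-change alert should surface.
    """
    records, rejected = [], []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line:
            continue
        m = RECORD_RE.match(line)
        if m is None:
            rejected.append((lineno, line))
            continue
        t = int(m.group("time"))
        try:
            utc = datetime.fromtimestamp(t, tz=timezone.utc)
        except (OverflowError, OSError, ValueError):
            rejected.append((lineno, line))  # absurd timestamp, treat as malformed
            continue
        records.append({"etag": m.group("etag"), "time": t, "utc": utc})
    return records, rejected


def time_span(records):
    """Earliest and latest %TIME as UTC datetimes, or None for an empty list."""
    if not records:
        return None
    times = [r["utc"] for r in records]
    return min(times), max(times)


def report(text):
    """Human-readable triage summary for one imon1.dat file."""
    records, rejected = parse_imon1_dat(text)
    lines = [f"{len(records)} well-formed record(s), {len(rejected)} rejected line(s)"]
    for r in records:
        lines.append(f'  ETag {r["etag"]:<24} %TIME={r["time"]} -> {r["utc"]:%Y-%m-%d %H:%M:%S} UTC')
    span = time_span(records)
    if span:
        lines.append(f"  timestamps span {span[0]:%Y-%m-%d} to {span[1]:%Y-%m-%d}")
    for lineno, line in rejected:
        lines.append(f"  line {lineno} does not match the format string: {line!r}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(SAMPLE_IMON1_DAT))
```

Run it against a real copy of the file by passing its contents to `report()`; a line that the format string could not have produced, or a timestamp far outside the dates of your own NOD32 updates, is the kind of inconsistency worth sending to support along with the file.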

gnervt
January 7th, 2007, 05:19 PM
-{ Quote: "It's garbage to me and only because of this thread did I care to look. Whether it's Eset's file or not I have no clue, but via notepad instead of Sysinternals my imon.dll file makes reference to imon1.dat, even tho that still does not make me suspicious of Eset :blink:" }-
I am sure that nobody in this thread was suspicious about eset (inc me. I am sorry if you or anyone else got that impression.)

Bubba
January 7th, 2007, 06:40 PM
-{ Quote: "I am sure that nobody in this thread was suspicious about eset (inc me. I am sorry if you or anyone else got that impression.)" }-
So there's no further misunderstanding on your part or others....my use of "suspicious" was not negatively directed at anyone in this thread....least of all Eset.

Back on topic....this file was of interest to member poogimmal and if/when Eset determines the legitimacy of this file as it relates to Nod32....I'm sure a comment will be made.