Eset and x64 systems


Habakuck
July 12th, 2011, 03:37 AM
According to this thread: http://www.wilderssecurity.com/showthread.php?t=302977 I am asking myself why Eset does not scan the system32/drivers folder on x64 systems and how capable Eset is of protecting x64 machines...

dmaasland
July 12th, 2011, 03:55 AM
ESET does scan that folder; the explanation is simple: as those are drivers, 99% are in use :). Somewhat of a pointless test, tbh.

Habakuck
July 12th, 2011, 05:10 AM
And if a malware driver is in use, Eset will not scan it either? 8)

stackz
July 12th, 2011, 05:25 AM
-{ Quote: "And if a malware driver is in use, Eset will not scan it either? 8)" }-

Correct. Direct Disk Access scanning for locked files should be implemented.

dmaasland
July 12th, 2011, 07:36 AM
-{ Quote: "And if a malware driver is in use, Eset will not scan it either? 8)" }-

No, then it will be picked up in operating memory and removed in either safe mode, with SysRescue, or with a standalone removal tool.

xxJackxx
July 12th, 2011, 10:21 AM
-{ Quote: "And if a malware driver is in use, Eset will not scan it either? 8)" }-

This would have been my question as well. There are products that work. It might be a good idea to compete with them. :ouch:

Temp Member
July 12th, 2011, 11:40 AM
There should be a mode where it can scan 100% of all files, even if it means in Safe Mode or even before Windows boots up!

No doubt there is some sort of recovery CD you can boot from, same as other AV vendors, but that is not what I mean!

ellison64
July 12th, 2011, 02:06 PM
-{ Quote: "ESET does scan that folder; the explanation is simple: as those are drivers, 99% are in use :). Somewhat of a pointless test, tbh." }-

Are you saying that Eset can't scan the drivers because they are in use, whereas the other products in that thread can? Or are you saying that it was just lucky that when the other products returned those results, those drivers just happened not to be in use?
ellison

dmaasland
July 12th, 2011, 03:38 PM
I'm saying that some products list them as scanned even though they could not open them because they were in use. This excludes HitmanPro, as I know they actually wrote their own filesystem driver. Other than that it's a Windows limitation.
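
The distinction this post draws, a file that was visited versus a file that was actually opened and read, as an added example that is not ESET's or any other vendor's code: a small Python scan walk that records a per-file outcome and only counts a file as scanned when the open succeeded. The function names, the constructed driver file names and the injectable `opener` used to simulate a Windows sharing violation are all assumptions of this example.

```python
# Added example (not ESET's or any vendor's code): records per file whether the
# open really succeeded, so the report never counts a locked driver as "scanned".
import hashlib
import os
import tempfile
from collections import Counter
SCANNED, LOCKED, DENIED, ERROR = "scanned", "locked", "denied", "error"
ERROR_SHARING_VIOLATION = 32  # Win32: file held open with incompatible sharing

def classify_open_error(exc):
    """Map the OSError raised by open() to a report outcome."""
    if getattr(exc, "winerror", None) == ERROR_SHARING_VIOLATION:
        return LOCKED
    return DENIED if isinstance(exc, PermissionError) else ERROR

def scan_tree(root, opener=open):
    """Walk root; return {path: (outcome, sha256 or None)}; opener is injectable."""
    results = {}
    for dirpath, _, names in os.walk(root):
        for path in (os.path.join(dirpath, n) for n in sorted(names)):
            try:
                with opener(path, "rb") as fh:
                    results[path] = (SCANNED, hashlib.sha256(fh.read()).hexdigest())
            except OSError as exc:  # open failed: this file was NOT scanned
                results[path] = (classify_open_error(exc), None)
    return results

def summarize(results):
    """Per-outcome counts plus 'visited'; only opened files count as scanned."""
    counts = Counter(outcome for outcome, _ in results.values())
    counts["visited"] = len(results)
    return dict(counts)

class SimulatedSharingViolation(PermissionError):
    """Stands in for the Windows error on a file held open by the kernel."""
    winerror = ERROR_SHARING_VIOLATION

def demo():
    """Constructed sample: three fake driver files, one of them 'in use'."""
    root = tempfile.mkdtemp()
    for name in ("disk.sys", "hidden.sys", "net.sys"):  # constructed names
        with open(os.path.join(root, name), "wb") as fh:
            fh.write(b"sample bytes for " + name.encode())
    locked = os.path.join(root, "hidden.sys")
    def opener(path, mode):  # refuse the 'in-use' file like Windows would
        if path == locked:
            raise SimulatedSharingViolation(13, "sharing violation", path)
        return open(path, mode)
    results = scan_tree(root, opener)
    return summarize(results), results
```

Run `demo()` to see the summary report 3 visited but only 2 scanned, with the locked file listed separately for an offline scan.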

ellison64
July 12th, 2011, 03:51 PM
If what you say is correct, I would be interested in any proof you may have (or have heard of) that some of those products that show they have scanned the 64-bit drivers in the said thread haven't really, as they haven't opened them, and what products are you referring to? I use avast as a primary AV. I also use SAS. Do you know whether these products actually scan those drivers, or are they just reporting that they have scanned when in actual fact they haven't?

Cudni
July 12th, 2011, 04:02 PM
Please discuss non-Eset software (proof etc.) in the already referenced thread.

ellison64
July 12th, 2011, 04:14 PM
-{ Quote: "Please discuss non-Eset software (proof etc.) in the already referenced thread." }-

If that's the case, I'm not quite sure why you haven't transferred all the posts in this thread to the referenced thread? Unless it's OK to make claims about other AVs in an Eset forum but not be able to reply to those claims in an Eset forum?

Cudni
July 12th, 2011, 04:27 PM
What is there to be unsure about? The Eset forum is to discuss Eset products. Let's see if more can be learned about whether Eset can or can't scan those drivers. Any further posts should be about that.

dmaasland
July 12th, 2011, 04:30 PM
It can scan them just fine if you are in safe mode or using the SysRescue disc. Since ESET uses the Windows filesystem, it's "limited" to the boundaries of that filesystem. Unless other vendors use their own FS driver (like HMP) I can't see it working any other way. Mind you, this is all based on my own assumptions.

...although this has nothing to do with x86 or x64 really, it's the same for all files that are in use while scanning :)

ellison64
July 12th, 2011, 04:40 PM
-{ Quote: "What is there to be unsure about? The Eset forum is to discuss Eset products. Let's see if more can be learned about whether Eset can or can't scan those drivers. Any further posts should be about that." }-

I think we have already ascertained that Eset can't scan those drivers in normal Windows mode. The thread then evolved by insinuating that other AVs can't scan them either but in essence pretend to... hence my asking for clarification or proof, hence the uncertainty in my last post.

ellison64
July 12th, 2011, 04:44 PM
-{ Quote: "It can scan them just fine if you are in safe mode or using the SysRescue disc. Since ESET uses the Windows filesystem, it's "limited" to the boundaries of that filesystem. Unless other vendors use their own FS driver (like HMP) I can't see it working any other way. Mind you, this is all based on my own assumptions.

...although this has nothing to do with x86 or x64 really, it's the same for all files that are in use while scanning :)" }-

Thank you for being concise and honest. I don't know whether other AVs scan them correctly or are pretending to either, hence me asking for proof or links. Maybe an AV expert can comment?

Habakuck
July 13th, 2011, 01:53 AM
-{ Quote: "No, then it will be picked up in operating memory and removed in either safe mode, with SysRescue, or with a standalone removal tool." }-
That should be the normal procedure for all drivers, yes. Or direct disk access. Normally I think both methods should be used...
But as you said: Eset should scan those files, in memory or not... but Eset does not scan them!

dmaasland
July 13th, 2011, 02:57 AM
It does for me, it just gives an error when opening. It also removes any EICAR file I put in that folder, so real-time protection is also watching it.

sm1
July 13th, 2011, 03:00 AM
I just scanned the system32\drivers folder on my 32-bit Vista laptop and the number of scanned items is 382, and there were no error messages in the scan log. So if Eset is showing fewer items in a 64-bit drivers folder scan, I think Eset is not able to scan them. I use Defraggler portable, which has 64-bit files, and Eset has no issues scanning them. Maybe a reply from an expert will clarify this.

agoretsky
July 13th, 2011, 09:57 PM
Hello,

ESET's antistealth technology does allow some types of disk and memory redirection used by malware to be bypassed, but if a file is held open exclusively by the operating system (e.g., other programs are blocked from accessing it) then in order to scan that file (or files) the computer should be started from an ESET SysRescue disc and the file system(s) on the hard drive(s) scanned from there.

Regards,

Aryeh Goretsky

Habakuck
July 14th, 2011, 04:07 AM
-{ Quote: "It does for me, it just gives an error when opening. It also removes any EICAR file I put in that folder, so real-time protection is also watching it." }-
Yeah, but EICAR is not an x64 file... And the errors could indicate that Eset is not able to scan 64-bit files. I think they really should work on this!
TDL4 taught us that x64 rootkits are possible and in the wild, and the development of 64-bit malware will grow rapidly due to the fact that x64 systems will push into the market during the next years..
Especially the gaming computer market, which is massively targeted by Eset, is 64-bit land... I think nearly all new gaming computers sold at the moment are x64 systems.

Indeed, the main reason I am interested in Eset is that I want to protect my gaming machine (x64 setup for sure), but now I am not sure whether this is a good idea or not.

Habakuck
July 14th, 2011, 04:11 AM
-{ Quote: "Hello,

ESET's antistealth technology does allow some types of disk and memory redirection used by malware to be bypassed, but if a file is held open exclusively by the operating system (e.g., other programs are blocked from accessing it) then in order to scan that file (or files) the computer should be started from an ESET SysRescue disc and the file system(s) on the hard drive(s) scanned from there.

Regards,

Aryeh Goretsky" }-
Hello Aryeh,

I think what you said is not coherent with the posts above.

-{ Quote: "I just scanned the system32\drivers folder on my 32-bit Vista laptop and the number of scanned items is 382, and there were no error messages in the scan log. So if Eset is showing fewer items in a 64-bit drivers folder scan, I think Eset is not able to scan them. I use Defraggler portable, which has 64-bit files, and Eset has no issues scanning them. Maybe a reply from an expert will clarify this." }-

On x86 systems Eset is able to scan those drivers in use, for sure I think, otherwise it would not be able to protect the computer in real time. I don't think that scanning the computer every day from a live CD is an option for any user...


-> So far we have got no conclusive answer from Eset support on whether NOD32 is able to scan x64 files or not. <-

GrammatonCleric
July 14th, 2011, 06:34 PM
-{ Quote: "
TDL4 taught us that x64 rootkits are possible and in the wild, and the development of 64-bit malware will grow rapidly due to the fact that x64 systems will push into the market during the next years..
Especially the gaming computer market, which is massively targeted by Eset, is 64-bit land... I think nearly all new gaming computers sold at the moment are x64 systems.
" }-


64-bit is the only foreseeable future. With Windows 8 coming out most likely by the end of next year, a 4 GB limit on RAM will be considered the bare minimum in any system; it basically is now. The only place where one finds less than 4 GB of RAM is the tablet PC category, and that is dominated by the DROIDS and APPLES of the world (Linux and Unix).

agoretsky
July 14th, 2011, 06:42 PM
Hello,

ESET's software scans x86 and x64 files and removes (cleans, deletes or takes whatever appropriate actions are available) threats from them as well. It also detects programs which attempt to block detection through memory or disk I/O manipulation (stealth or "rootkit" type behavior) as well.

As previously noted, some files cannot be scanned because they are held open exclusively by the operating system. In these instances, you will need to perform an offline scan (ESET SysRescue disc, mount the hard disk drive in another PC, etc.) to check them for threats.

For removal of the Win32/Olmarik rootkit (also known as Alureon, TDL3, TDL4, TDSS and so forth), you can use the standalone cleaner available from ESET Knowledgebase Article #2372, "Stand-alone malware removal tools (http://kb.eset.com/esetkb/index?page=content&id=SOLN2372)." Additional instructions are available in the video (http://kb.eset.com/esetkb/index?page=content&id=SOLN2372#Win32_Olmarik_removal_video) at the bottom of the page.

Regards,

Aryeh Goretsky

GrammatonCleric
July 14th, 2011, 07:33 PM
-{ Quote: "Hello,

ESET's software scans x86 and x64 files and removes (cleans, deletes or takes whatever appropriate actions are available) threats from them as well. It also detects programs which attempt to block detection through memory or disk I/O manipulation (stealth or "rootkit" type behavior) as well.

As previously noted, some files cannot be scanned because they are held open exclusively by the operating system. In these instances, you will need to perform an offline scan (ESET SysRescue disc, mount the hard disk drive in another PC, etc.) to check them for threats.

For removal of the Win32/Olmarik rootkit (also known as Alureon, TDL3, TDL4, TDSS and so forth), you can use the standalone cleaner available from ESET Knowledgebase Article #2372, "Stand-alone malware removal tools (http://kb.eset.com/esetkb/index?page=content&id=SOLN2372)." Additional instructions are available in the video (http://kb.eset.com/esetkb/index?page=content&id=SOLN2372#Win32_Olmarik_removal_video) at the bottom of the page.

Regards,

Aryeh Goretsky" }-


Thanks!

Great to hear.

Marcos
July 15th, 2011, 12:32 AM
Scanning of x64 drivers by the on-demand scanner will be addressed in upcoming builds of EAV/ESS. Currently they are scanned by other protection modules, however, so already recognized malicious x64 drivers would be detected anyway.

Habakuck
July 15th, 2011, 02:12 AM
-{ Quote: "Thanks!

Great to hear." }-

No,

this is good to hear:

-{ Quote: "Scanning of x64 drivers by the on-demand scanner will be addressed in upcoming builds of EAV/ESS. Currently they are scanned by other protection modules, however, so already recognized malicious x64 drivers would be detected anyway." }-

That is the first real answer considering the entry post...

Thank you Marcos for clarification!