Boot Scan
Loki
January 9th, 2003, 07:28 PM
Hello,
Would it be possible to have NOD32 v2 do a boot time scan on WinXP? Or is this not important? Some AV programs do boot scans on Win98 but none that I know of do on a Win NT OS. Since my defragment program can do a boot time defragment on WinXP Pro, why not a boot time scan by NOD32 v2?
Loki 8)
rodzilla
January 9th, 2003, 09:02 PM
Quoting Loki:
> Hello,
> Would it be possible to have NOD32 v2 do a boot time scan on WinXP? Or is this not important? Some AV programs do boot scans on Win98 but none that I know of do on a Win NT OS. Since my defragment program can do a boot time defragment on WinXP Pro, why not a boot time scan by NOD32 v2?
> Loki 8)
NOD32 monitors memory and hard drive activity constantly.
If you're clean when you shut down then logically you will be clean when you boot up ... so an on-boot scan is overkill.
If enough users wishlist this then it might be added as an opt-in ... but I'd hate to see such a waste of time and resources added as default.
Feivel
January 10th, 2003, 12:23 AM
Rodzilla,
What you say is sensible but on my Win 2000 Pro, NOD32 scans EACH profile on boot. Is there any way to disable that?
Loki
January 10th, 2003, 06:07 PM
Hi Rodzilla,
Thanks for the response, my main concern was system files locked by the OS. It's these messages ( error opening (file is locked)[4] ) I was hoping that NOD32 v2 would scan these.
Loki 8)
rodzilla
January 10th, 2003, 10:39 PM
> Thanks for the response, my main concern was system files locked by the OS. It's these messages ( error opening (file is locked)[4] ) I was hoping that NOD32 v2 would scan these.
Those files are in use by and locked (protected) by your operating system, Loki. Perhaps they could be scanned by brute force ... but not with 100% safety ... so we don't even try.
rodzilla
January 10th, 2003, 10:46 PM
> What you say is sensible but on my Win 2000 Pro, NOD32 scans EACH profile on boot. Is there any way to disable that?
Hmmmm ... I guess you mean AMON is scanning each user profile.
I don't know if this can be disabled or not ... but even if it could, I would not personally advise it. Switching to an "unscanned" user profile midstream could trigger the very hazards against which AMON's bootup scan is designed to protect you.
Straight Shooter
January 10th, 2003, 10:50 PM
Hi, Rodzilla, glad to see you back..
Speaking of those "unscannable" files.. I have no problem with them..
Is there a way to make those "locked" or unscannable files not show up when doing a manual scan..
I don't know if I explained this well.. I want to see what NOD32 scanned, but the files that can't be, I don't want them on the list..
Thanks
rodzilla
January 11th, 2003, 12:15 AM
> Hi, Rodzilla, glad to see you back..
Thanks SS. I'm glad to be able to see. :)
> Speaking of those "unscannable" files.. I have no problem with them..
> Is there a way to make those "locked" or unscannable files not show up when doing a manual scan..
> I don't know if I explained this well.. I want to see what NOD32 scanned, but the files that can't be, I don't want them on the list..
Personally I don't like excluding files from a scan. It opens the door for a file-specific virus to run wild.
Suppose it becomes widely publicized on security forums and in Usenet newsgroups that the latest PoopScan update false alarms on a commonly-used program ... say, WinZip .........
Within minutes, dozens of well-meaning self-appointed "virus experts" advise "Temporarily exclude winzip32.exe from your scan until the bugfix is released."
A few hours later winzip32.exe spams the world as an email attachment from the spoofed techsupport@winzip.c0m address. The email claims it's a bugfix for the PoopScan false alarm, but it's actually a modified CIH virus which auto-forwards the email and its attachment to everyone in the recipients' address books. It spreads like wildfire.
Most other antivirus programs detect CIH on arrival, but PoopScan ignores the virus ... it's excluded by filename ... and within a few hours, hundreds of thousands of PoopScan/WinZip users have run the attachment.
Next day the security forums and Usenet are filled with warnings that the phony WinZip "bugfix" triggers (a) four hours after installation or (b) at the next reboot and will trash your hard drive and any susceptible FlashBIOS.
Most PoopScan users never get to read the warning ... they have nothing on which to read it.
(I'm not giving virus coders ideas here, btw ... this hypothetical "human engineering" sneak attack was discussed on IRC years ago.)
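The exclusion risk described in the post above, as an added example that is not part of the original thread and is not NOD32's behaviour: a toy scanner compares skipping files by name alone with skipping only when the name and a pinned SHA-256 of the known-good file both match. The function names, the hash-pinning policy, the directory names and `TEST_SIGNATURE` are assumptions made for illustration, and the sample files are constructed, harmless bytes.

```python
import hashlib
import os
import tempfile

# Constructed stand-in for a detection signature; harmless bytes, not real malware.
TEST_SIGNATURE = b"CONSTRUCTED-TEST-SIGNATURE"


def sha256_of(path):
    """Hash a file in chunks so large files are not loaded into memory at once."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def excluded_by_name(path, excluded_names):
    """Weak policy from the post: skip anything carrying a listed file name."""
    return os.path.basename(path).lower() in excluded_names


def excluded_by_pin(path, pinned_hashes):
    """Hardened policy (hypothetical): skip only if name AND content hash match."""
    expected = pinned_hashes.get(os.path.basename(path).lower())
    return expected is not None and sha256_of(path) == expected


def scan(paths, is_excluded):
    """Toy scanner: returns (detections, skipped) under the given exclusion test."""
    detections, skipped = [], []
    for path in paths:
        if is_excluded(path):
            skipped.append(path)
            continue
        with open(path, "rb") as handle:
            if TEST_SIGNATURE in handle.read():
                detections.append(path)
    return detections, skipped


def demo():
    """Build two constructed files with the same name and scan under both policies."""
    with tempfile.TemporaryDirectory() as root:
        genuine = os.path.join(root, "programs", "winzip32.exe")
        impostor = os.path.join(root, "mail_attachments", "winzip32.exe")
        for path, body in ((genuine, b"constructed genuine program bytes"),
                           (impostor, b"payload " + TEST_SIGNATURE)):
            os.makedirs(os.path.dirname(path))
            with open(path, "wb") as handle:
                handle.write(body)

        names = {"winzip32.exe"}
        pins = {"winzip32.exe": sha256_of(genuine)}
        by_name = scan([genuine, impostor], lambda p: excluded_by_name(p, names))
        by_pin = scan([genuine, impostor], lambda p: excluded_by_pin(p, pins))

        # Report parent directory names so results do not depend on the temp path.
        def label(found):
            return [os.path.basename(os.path.dirname(p)) for p in found]

        return {"name": (label(by_name[0]), label(by_name[1])),
                "pin": (label(by_pin[0]), label(by_pin[1]))}


if __name__ == "__main__":
    print(demo())
```

Under the name-only policy both files are skipped and nothing is detected; under the pinned policy only the known-good copy is skipped and the same-named file in `mail_attachments` is scanned and flagged.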
Straight Shooter
January 11th, 2003, 08:04 AM
Well, I TOTALLY agree with you.. Let's leave NOD as it is then, your explanation was completely understandable...
Other AV's I've seen just run all the files through, not informing you or not that the file is locked.. Now that I think of it, I'd rather know which files are unscannable, and are...
Thanks..
.........PS.. I assume your surgery went well?
Forgive me for asking.. I understand if you'd rather be private about it..but it's good to know you're okay..
Straight Shooter...
Feivel
January 11th, 2003, 11:41 AM
Rodzilla,
Quoting rodzilla:
> Hmmmm ... I guess you mean AMON is scanning each user profile.
It is a full blown scan as if I clicked NOD32 and selected to scan each profile. If it were an AMON scan I wouldn't mind as much. It is just that upon boot my computer is virtually unusable until both NOD scans are done.
Loki
January 11th, 2003, 11:53 AM
Quoting rodzilla:
> Those files are in use by and locked (protected) by your operating system, Loki. Perhaps they could be scanned by brute force ... but not with 100% safety ... so we don't even try.
Thanks again, so long as AMON is running and will catch anything then I'll not worry too much about those locked files.
Loki 8)
tosbsas
January 11th, 2003, 03:34 PM
Quoting Feivel:
> Rodzilla,
> > Hmmmm ... I guess you mean AMON is scanning each user profile.
> It is a full blown scan as if I clicked NOD32 and selected to scan each profile. If it were an AMON scan I wouldn't mind as much. It is just that upon boot my computer is virtually unusable until both NOD scans are done.
That's strange - I am on win2k too - no such scan
Ruben
rodzilla
January 11th, 2003, 10:31 PM
> I assume your surgery went well? Forgive me for asking.. I understand if you'd rather be private about it..but it's good to know you're okay..
Actually the whole thing has been a bit of a disaster. The initial operation was to be on both eyes and scheduled to take 50-80 minutes, but five minutes into the surgery my blood pressure suddenly dropped below the death threshold and stayed there. The anaesthetist aborted the operation and brought me back to life, with very little surgery done, and on my right eye only.
Just when everything seemed to be settling down, I contracted an infection which temporarily blinded me. It was like trying to look through a glass of milk. I could detect light and shade, but not much else.
Now I can see almost as well as I could before the operation, except that my right eye has lost focus. I will need new glasses when it has completely settled down. I have an appointment with the surgeon tomorrow for another checkup. At this stage there is no chance of further surgery ... I'm on the anaesthetic "black list", and the surgery is too complex (and too frightening) for local anaesthesia.
But ... I can see ... and that's the main thing.
Phil
January 12th, 2003, 12:31 AM
Quoting Feivel:
> It is a full blown scan as if I clicked NOD32 and selected to scan each profile. If it were an AMON scan I wouldn't mind as much. It is just that upon boot my computer is virtually unusable until both NOD scans are done.
Just a thought here. Have you checked your "profiles" in the control center? Here's why I ask. When I first installed the beta, I went through the GUI like a crazy man clicking this, changing that, scanning here and there -- all without reading the help files. Hey! -- it's a beta and we are to TEST it, right! 8) Every so often, NOD would ask, "so and so has changed, do you want to save?" Sometimes I would say yes, sometimes no. The result was the next time I did a full system scan, it tried to scan everything in sight, up to and including my dog in the next room. ;D
The long and short is it was saving those things I was goofing around with in "profiles" (a VERY handy feature as it turns out) and it ran the last profile I had loaded, without me knowing it was loaded, when I did the system scan. If you were clicking around like me, you may have *told* NOD to scan those on boot without knowing it. Just a thought, but may be worth checking.
Phil
Feivel
January 12th, 2003, 01:04 AM
Phil,
Your post made me look closer at NOD32 but unfortunately nothing obvious was there. I reset NOD32 to show system tasks and these are the 4 scheduled tasks.
Log Maintainance every day at 0300,none
update repeatedly, every hour,none
Scan all 1800, Thursday,user profile
Scan C every day at 1900,C only
In HKLM\Run there is
nod32kui.exe /WAITSERVICE
Hopefully this information will be useful so we can figure out my scan annoyance. On a happier note, I just saw IMON work flawlessly. I use mailshield desktop and had a message with the subject RE: movies from an obviously bogus email address. To make it even more obvious the message had an attachment. I had just read about Win32/Sobig.A worm so I downloaded it secure in the fact that I had NOD32 (and my email client is Eudora). Sure enough IMON caught the email and wouldn't allow it to be saved in Eudora until I deleted or quarantined the worm/virus.
Phil
January 12th, 2003, 01:27 AM
Quoting Feivel:
> Phil,
> Your post made me look closer at NOD32 but unfortunately nothing obvious was there. I reset NOD32 to show system tasks and these are the 4 scheduled tasks.
> Log Maintainance every day at 0300,none
> update repeatedly, every hour,none
> Scan all 1800, Thursday,user profile
> Scan C every day at 1900,C only
> In HKLM\Run there is
> nod32kui.exe /WAITSERVICE
> Hopefully this information will be useful so we can figure out my scan annoyance. On a happier note, I just saw IMON work flawlessly. I use mailshield desktop and had a message with the subject RE: movies from an obviously bogus email address. To make it even more obvious the message had an attachment. I had just read about Win32/Sobig.A worm so I downloaded it secure in the fact that I had NOD32 (and my email client is Eudora). Sure enough IMON caught the email and wouldn't allow it to be saved in Eudora until I deleted or quarantined the worm/virus.
That's good news about IMON. I just wish it would work with Pocomail. ::)
The "systems tasks" is not what I was talking about. Fire up the control center and click the NOD32 module. Click "Run NOD32" and it will pop up the on-demand scanner. Look at the "Profiles" tab. That's where all my mad clicks had been stored. You may want to try setting to default to see if that will change anything. Again, this is just a WILD guess based on what I saw and may not make any difference at all. Have you tried an un-boot-re install?
Hopefully one of the NOD guys will come in with an idea.
Phil
vlk
January 12th, 2003, 05:26 AM
Loki,
if you'd like a real boot-time scan for WinNT/2K/XP/.NET, I'd suggest trying out the new avast! ( http://www.avast.com ).
It has the feature you're describing (it runs at the same stage as the boot-time chkdsk).
Vlk
Loki
January 12th, 2003, 10:12 AM
;D
Feivel
January 12th, 2003, 12:00 PM
I sort of narrowed my annoyance somewhat. I have three NOD32 services on my computer. They are:
NOD32 Control Center Service - Disabled - nod32cc.exe" -service (apparently a remnant from a bad uninstall of the pre-beta version but it is disabled anyway)
NOD32 Kernel Service - automatic - C:\Program Files\Eset\nod32krn.exe
NOD32 Service - disabled - nod32m2.exe (apparently a remnant since it's disabled no problem there.)
I have TPF installed (as a sandbox only) and I finally decided to watch the activity upon boot. When the NOD32 Kernel Service (nod32krn.exe) starts, it starts nod32.exe to scan the default profile THEN it starts a second copy of nod32.exe to scan another profile. Between this information and what I posted previously, this annoyance will be solved soon. BTW, I tried disabling NOD32 Kernel Service but all that does is "stall" NOD32 at the splash screen.
Feivel
January 19th, 2003, 11:25 AM
Been 1 week since anybody said anything about this. Is this problem too difficult to answer? Any answer from ESET is better than no answer. If I wanted no answer, I could have easily stuck with a different vendor (and a shoddier product).
Paul Wilders
January 19th, 2003, 09:03 PM
Feivel,
Your remarks do not go unnoticed. Issues concerning the Beta are handled as stated by Eset in this thread (http://www.wilderssecurity.com/showthread.php?t=6113) in principle. ;)
regards.
paul
Feivel
January 19th, 2003, 09:21 PM
I understand that Paul. I would just appreciate an answer, either a solution or a sorry - we are looking into it or your settings are wrong, from ESET. Aside from that, the Beta seems fine so far.
Paul Wilders
January 19th, 2003, 09:33 PM
Quoting Feivel:
> I understand that Paul. I would just appreciate an answer, either a solution or a sorry - we are looking into it or your settings are wrong, from ESET. Aside from that, the Beta seems fine so far.
Feivel,
I agree it would be very nice if Eset Labs would be able to answer to each and every post on this Beta support forum. In practice they have chosen to verify - and possibly reproduce - all remarks concerning the Beta, and if necessary, iron out bugs as reported. Personally, I'd rather prefer Labs to concentrate on technics on their lab, as time and development is precious. Answering to all specific posts over here would no doubt slow down the main goal: a bug free v2.0. Please don't hold a grudge against Eset for setting priorities ;).
regards.
paul
Feivel
January 19th, 2003, 11:05 PM
No grudge at all. Even with their lack of an answer I do believe they are doing something otherwise I would not have registered NOD32 in the first place.
Paul Wilders
January 19th, 2003, 11:09 PM
Feivel,
sounds perfectly to the point to me ;)
regards.
paul
jan
January 20th, 2003, 11:05 AM
Hi Feivel.
we are checking it and I'll get back to you.
rgds, :)
jan
Feivel
January 20th, 2003, 11:19 AM
Thanks Jan :)
jan
January 21st, 2003, 05:09 AM
Hey Feivel,
> I sort of narrowed my annoyance somewhat. I have three NOD32 services on my computer. They are:
> NOD32 Control Center Service - Disabled - nod32cc.exe" -service (apparently a remnant from a bad uninstall of the pre-beta version but it is disabled anyway)
> NOD32 Kernel Service - automatic - C:\Program Files\Eset\nod32krn.exe
> NOD32 Service - disabled - nod32m2.exe (apparently a remnant since it's disabled no problem there.)
Although this doesn't seem to be a very common problem – it's possible your "over installation" got corrupted. The NOD32 Control Center Service should not be there when using the Beta. If you want to have it clean - the following could help (I'm sorry it seems to be so complicated :)):
- uninstall the Beta version
- install the current version
- uninstall the current version with the Eset Uninstaller (Start>Programs>Eset>Uninstall)
- install the Beta version
> I have TPF installed (as a sandbox only) and I finally decided to watch the activity upon boot. When the NOD32 Kernel Service (nod32krn.exe) starts, it starts nod32.exe to scan the default profile THEN it starts a second copy of nod32.exe to scan another profile. Between this information and what I posted previously, this annoyance will be solved soon. BTW, I tried disabling NOD32 Kernel Service but all that does is "stall" NOD32 at the splash screen.
I'd need to know what entries do you have in NOD32 System Tools>Scheduler/Planner
Please don't try disabling the NOD32 Kernel Service - it's a main service that communicates with the GUI.
regards, :D
jan
Feivel
January 21st, 2003, 09:10 AM
Jan,
These appear in scheduled tasks (with show system tasks enabled)
Log Maintainance every day at 0300,none
update repeatedly, every hour,none
Scan all 1800, Thursday,user profile
Scan C every day at 1900,C only
I will do the uninstall and reinstall when I return home later.
Feivel
January 21st, 2003, 12:06 PM
Uninstalled the beta and there was no uninstall for the previous version. Reinstalled the beta and the 3 services are still appearing but only the Kernel is auto (like before). There is no profile scan on reboot but I didn't create any profiles yet. That is also when the problem appeared last time so apparently it is related to profiles (or I just make them wrong).
rodzilla
January 21st, 2003, 07:27 PM
Quoting Feivel:
> Uninstalled the beta and there was no uninstall for the previous version. Reinstalled the beta and the 3 services are still appearing but only the Kernel is auto (like before). There is no profile scan on reboot but I didn't create any profiles yet. That is also when the problem appeared last time so apparently it is related to profiles (or I just make them wrong).
Sounds like your old version is locked in like a tick. It happens occasionally.
1. Uninstall the beta.
2. Quit AMON and the POP3 Scanner, and the Control Center if you can. (Click on the icons and select "Quit".)
3. Boot into Safe Mode.
4. Delete the folder C:\Program Files\Eset\ and all its contents.
5. Reboot the PC normally. Ignore warnings (if any) about NOD32 components not being found ... Windows _should_ rectify this itself.
6. Install the beta.
I'm fairly sure this will get rid of the problem.
Feivel
January 22nd, 2003, 11:03 AM
Rodzilla,
I uninstalled the beta (yet again), booted into safe mode and deleted c:\program files\eset. The old services still appear BEFORE I reinstalled the beta but they are disabled. When I reinstalled the beta, the kernel service was added and is set to auto as it should be. Same observation as before regarding the profiles.
Phil
January 22nd, 2003, 05:21 PM
Quoting Feivel:
> Rodzilla,
> I uninstalled the beta (yet again), booted into safe mode and deleted c:\program files\eset. The old services still appear BEFORE I reinstalled the beta but they are disabled. When I reinstalled the beta, the kernel service was added and is set to auto as it should be. Same observation as before regarding the profiles.
I think there may be a very important part of the process you are missing.
Uninstall the beta -- boot
INSTALL THE CURRENT RELEASE VERSION -- boot.
NOW, UNINSTALL THE RELEASE VERSION -- boot.
Check to see if now you see the Control Center or anything related to NOD running. If so, ESET will have to assist. If not --
Now, reinstall the beta. You should be good to go. I think you missed the part about installing and then uninstalling the release version to get rid of those processes.
HTH
Phil
rodzilla
January 22nd, 2003, 08:43 PM
Quoting Feivel:
> I uninstalled the beta (yet again), booted into safe mode and deleted c:\program files\eset. The old services still appear BEFORE I reinstalled the beta but they are disabled. When I reinstalled the beta, the kernel service was added and is set to auto as it should be. Same observation as before regarding the profiles.
Hmmmm ... if you deleted c:\program files\eset\ then there should have been nothing left to load ... disabled or not.
Check to make sure you don't have a second copy (or part thereof) on your HD. I was stumped for a long time by a similar problem until I finally found that the user still had both the skeleton of an old NOD32 trial version and a copy of McAfee still active in a directory named "Antivirus".
If that fails, try Phil's suggestion. (The reboots are very important!)
Feivel
January 23rd, 2003, 01:18 AM
Rodzilla,
Nothing loaded until AFTER I installed the beta. The only problem at the moment is the old services and the wrong way I create profiles (or possibly a beta problem?).
Phil,
I will follow your instructions since they sound as if they might work. Also, you write
> I think you missed the part about installing and then uninstalling the release version to get rid of those processes.
Not exactly :)
rodzilla
January 23rd, 2003, 02:40 AM
> Nothing loaded until AFTER I installed the beta. The only problem at the moment is the old services and the wrong way I create profiles (or possibly a beta problem?).
VERY strange! ... the old services must be coming from somewhere else, because that code is not in the beta.
Feivel
January 23rd, 2003, 11:07 AM
Not strange Rodzilla, I guess I am not explaining properly. The 2 services other than the kernel are remnants from the old install that remained. They are disabled so they are not causing any problem at all. Later this morning I will follow Jan and Phil's advice to uninstall, reboot, install the release version, reboot, uninstall the release version, reboot, install the beta (thank god I removed that MS shutdown bug from SP3). In any case, that will remove the 2 disabled services BUT the scanning profile annoyance will most likely return as soon as I create an extra profile. Is that clear now? The problem is NOT the extra services that are disabled, it is the scanning of profiles that I did not schedule.
Feivel
January 23rd, 2003, 11:54 AM
I found the bug!!!!!!! It was NOT in the profile creation or caused by the 2 disabled services (left over from a previous install). The bug was in the create scheduled task routine. To be more specific, it was at the point where you make a selection in case the task didn't run as scheduled. The default choice is WAIT TILL NEXT SCHEDULED INSTANT and everything runs fine and no unexpected scans on boot. The second choice is where the problem lies, the choice is PERFORM THE TASK AS SOON AS POSSIBLE, the schedule is performed at the proper time AND also upon reboot. The third choice I haven't tried but I am afraid to because it might have the same undesired effects as choice number 2.
Sorry Phil and Rodzilla but I did NOT remove those 2 old (disabled) services yet. Jan's statement led me to believe (and the fact that they were disabled), that they had NOTHING to do with this problem.
rodzilla
January 23rd, 2003, 05:53 PM
Quoting Feivel:
> I found the bug!!!!!!! It was NOT in the profile creation or caused by the 2 disabled services (left over from a previous install). The bug was in the create scheduled task routine. To be more specific, it was at the point where you make a selection in case the task didn't run as scheduled. The default choice is WAIT TILL NEXT SCHEDULED INSTANT and everything runs fine and no unexpected scans on boot. The second choice is where the problem lies, the choice is PERFORM THE TASK AS SOON AS POSSIBLE, the schedule is performed at the proper time AND also upon reboot. The third choice I haven't tried but I am afraid to because it might have the same undesired effects as choice number 2.
> Sorry Phil and Rodzilla but I did NOT remove those 2 old (disabled) services yet. Jan's statement led me to believe (and the fact that they were disabled), that they had NOTHING to do with this problem.
Glad you got it sorted out!
Now I will know what to tell the next guy who asks!
(This forum is a two-way street.) :)
Feivel
January 24th, 2003, 12:14 AM
Considering nobody has mentioned this problem besides me, maybe everyone uses the default selection of wait till next time. Then again, could be a bug specific to Windows 2000 or a software conflict? Then again, it could just be a quirk with my computer. If NOD32 wasn't so good, do you think I would have gone through these hoops for it? Either way NOD32 is still (and probably for a looooong time will stay) the best AV on the market.
Copyright ©2002 - 2009, Wilders Security Forums