Phil
January 16th, 2003, 09:19 PM
<quote from Mele20 in the NOD32 forum>
I don't think your test duplicated what happened to me. I did an on demand scan, from within the NOD Control Center ..not from the desktop shortcut, using the scan button. The scanner never stopped on the virus in the sent folder or on the one in the deleted items folder. I never got a popup about them. The scan took 23 minutes and then the summary showed 16 viruses. I knew I didn't have 16 viruses. I could not look at any logs using the beta version. I had only that summary. I ran the on demand scanner many times and every time it behaved in this fashion. Note that I'm talking about running it from within the NOD control center. It never stopped on any virus and would only display a brief summary at the end saying how many viruses were found..no details and would not let me look at any logs. If I tried to look at the logs that froze NOD32 and I had to use c/a/d which closed down NOD32. I could scroll back through every single file to find the red highlighted ones, but that was difficult and I would miss some. Plus, of course, once I closed that session then it was saved to the logs which I could not later access and just trying to access them caused NOD32 to freeze leading to c/a/d which closed NOD down completely.
So, instead, when I decided to try and clean or delete the viruses, I ran the on demand scanner again (from within the control center) and I chose to do the scan from the "clean" button rather than from the "scan" button. When I did that, the scanner stopped first on the yaha.N virus and announced in a popup box that it had found this virus in the deleted items.dbx box and then, under that, gave the name of the email, the sender, recipient, name of the virus and the location which was the deleted items box in OE. I was stunned. I thought I had deleted it off my system when IMON first caught it and put in quarantine and then I deleted it. I immediately went to the deleted items box and sure enough it was there unopened. I went back to the scanner's alert box where I was given the option to leave it or delete it. I did not get any popup boxes under the first box!
The path was very explicit giving the exact name of the email "What Does NOD32 call this Sucker", the sender, recipient, and the name of the virus in the attachment and the location of the email in the deleted items box. Since the path given was explicit for that ONE email ...not the deleted items box, I chose to hit the button "delete".
The scanner then continued until it stopped next on the email with the virus in the sent items box. Again, ONE popup box only. The box said there was an email found in the sent items box infected with the magistr virus. It went on to give the same explicit path for the infected piece of mail as it had with the infected email earlier. It gave the title of the email "Nod32 Not Detecting One Virus", the sender's name, the recipient's name, and the two viruses (that NOD was detecting) in the attachment and the location of the email as being in the sent items folder. Again Amon said it could not be cleaned but could be deleted. So, I deleted it.
I have no idea why I didn't see any popup boxes under the first one. It must have had something to do with the fact that I first ran the scan using the scan button and then was forced to run it again using the clean button.
The on demand scanner behaved differently if I called it from the desktop short cut than if I called it from within the NOD control center. From the desktop short cut it would report that it found 10 viruses. Run from the NOD control center, it would report it found 16 viruses. This was running the scans back to back. Of course, I could not look at the logs, so I do not know what it flagged because I was running it in scan mode where it would not stop on anything it found.
</quote>
Mele20,
As stated in the other forum, I have not been able to reproduce what you saw. As to why, I don't have a clue. There are possible reasons -- I think I remember you saying you are on Win98, I am using XP Pro SP1 -- you could have a corrupt install -- you may have different settings -- this *is* Windows. ;D I did not have any problems reading the log files which tends to make me think you may have had a corrupt install.
As to you having to look through all the files to find the "red" ones, do you have the "all files" option selected? The only files that show on my sys when scanning are *only* the locked files and the found viruses.
What I find entertaining about this situation is I see some people on other forums strutting and preening and offering their "expert" advice and they don't even USE NOD32 or have not tried the beta. There's nothing you can do about other people's kids, I guess. ;D
Again, I don't doubt you saw what you saw, but sometimes memory can be a tricky thing. Eye witnesses are the *worst* possible witnesses in court cases. Should you ever feel brave enough again, it would be most interesting to see your results from a new test now that you know what to look for. Should you decide to not even try, I would certainly understand.
Now, my new tests. I performed MANY tests using all different scanning methods with similar results. For the test I will report here, I did *exactly* what you did above. For the test, I used a zipped Eicar file because if something went goofy, I didn't want to infect myself. For the test, I put the test email in my Drafts "folder" along with some clean emails because the "folder" is really just a single dbx file that contains all the emails. This would replicate your experience with your Sent.dbx and your Deleted.dbx, I am just using a different file to isolate the test. Instead of trying to explain what I saw, I will attach jpg's, that is if I can figure out how to attach them, never having done that before. They are named NOD1, NOD2, NOD3, and (surprise, surprise) NOD4. They are in the order of the popups I saw. There was only ONE test virus, but NOD reported 4 because of the different ways the scanner caught it. This would correspond to you seeing more viruses than actually existed. I hope the screen shots will make this issue a little more clear. The reason for the 4 is it drilled all the way down inside the zip and identified the actual virus for the first popup and then backed all the way out to the dbx file. Again, I hope the pictures will explain.
I will attempt to attach the first popup jpg to this post. This is where it drilled down through the dbx to the email to the zip and then inside the zip. Personal info has been removed.
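An added illustration of the layer-by-layer reporting described in the post above (not part of the original post, and not NOD32's code): a toy recursive scanner that logs the infected file first and then every container around it, so one test file yields four entries. Assumptions: the .dbx store is modelled as a plain list of raw mails, `MARKER` is a constructed stand-in for the EICAR string, and all function names are hypothetical.

```python
import io
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage

MARKER = b"CONSTRUCTED-TEST-SIGNATURE"  # harmless stand-in for the EICAR string

def build_store():
    """Constructed sample: one clean mail, one mail with a zipped marker file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("eicar.com", MARKER)
    clean, bad = EmailMessage(), EmailMessage()
    clean["Subject"], bad["Subject"] = "clean draft", "test mail"
    clean.set_content("nothing attached")
    bad.set_content("see attachment")
    bad.add_attachment(buf.getvalue(), maintype="application", subtype="zip", filename="test.zip")
    return [clean.as_bytes(), bad.as_bytes()]

def scan_blob(data, path, hits):
    """Scan a file; recurse into zips. Logs the object, then each enclosing layer."""
    if not zipfile.is_zipfile(io.BytesIO(data)):
        if MARKER in data:
            hits.append((path, "object"))
        return MARKER in data
    found = False
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for name in zf.namelist():
            found |= scan_blob(zf.read(name), path + [name], hits)
    if found:
        hits.append((path, "container"))
    return found

def scan_message(raw, path, hits):
    msg = message_from_bytes(raw, policy=policy.default)
    path = path + [str(msg["Subject"])]
    found = False
    for part in msg.iter_attachments():
        found |= scan_blob(part.get_content(), path + [part.get_filename()], hits)
    if found:
        hits.append((path, "container"))
    return found

def scan_store(messages, store_name="Drafts.dbx"):  # stand-in for one .dbx file
    hits = []
    if any([scan_message(raw, [store_name], hits) for raw in messages]):
        hits.append(([store_name], "container"))
    return hits
```

For the constructed store, `scan_store(build_store())` returns four entries, innermost first, of which only one has kind `object`; counting those entries gives the number of actual infected files rather than the number of alerts.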