Questions about Trial Version

[handinglove]

Hello everyone,

I just ended my yearly subscription of Norton 2005 and, after some online researching, I decided to give NOD32 a try. What impressed me most in the reviews I read was how light, configurable and efficient the software is supposed to be. However, after a few days interacting with the trial version, I still have a few issues I’d like to see polished before I decide to commit to the full version of the product. First of all, I must say I’m not very impressed with the onboard software help file, or even with the lack of a manual of some sort dedicated to NOD32 (I was even able to find a manual.pdf in Polish on the British site, but none in English!), which is why I ended up posting here as a last resource. My first problem is related with the automatic update feature, which despite being scheduled to operate hourly, is consistently failing to contact ESET servers (messages such as “Error connecting to server u7.eset.com” marked with red icons are filling up the Event Log), even though I can still successfully obtain updates manually. What should I do to enable the automatic retrieval of updates? My second question has to do with the length of an in-depth scan analysis (which should be the equivalent to a full local scan with NAV2005). I have the software tweaked to perform a local scan after a successful signature update, which usually takes me around 15 minutes, but an in-depth analysis of my disk (around 60000 files) requires over four hours (NAV would do it in less than 2), consuming the total capacity of my CPU during most of that period! Hardly acceptable for a piece of software that claims to be as unobtrusive and efficient as NOD32. Is such behaviour normal? Also, is there a way of monitoring a local scan triggered by a successful update, or at least of acknowledging it with a pop-up message?
Thank you for your time!

Windows XP SP2
ZoneAlarm Pro

[webyourbusiness]

Manual:
http://www.eset.com/download/manuals.php

Server connection issues - due to there being an hourly connection, and a round-robin approach being used, plus there are a couple of servers which are:

a. overloaded
b. flaky

and finally:

c. Eset being HONEST about connection failures - and RECORDING THEM...

you will see connection issues. Eset (Marcos) has already said in the forum that there are more update servers on the way.

The suggestion has been made (by me) that a successful connection be recorded after ANY failure to connect - for any reason.

On the time to scan - you should NOT configure NOD32 to scan in the way you described. I and all the other regulars will recommend that you read and then use the information found here:

http://www.wilderssecurity.com/showthread.php?t=37509

You will make your NOD32 installation a lot safer and save yourself a few grey hairs.

[alglove]

From one glove to another...

The "error contacting server..." messages do show that you had trouble connecting to an update server, as webyourbusiness states. What is not obvious (from looking at the logs) is that a successful connection was probably made, immediately thereafter, to another server. This does not show up in the logs, however. For example, if you could not connect to u7.eset.com, you may have connected to u5.eset.com 3 seconds later.

If you see the same server show up with an error every hour, that usually means that this particular server is flaky or overloaded. However, if you see error messages from 6 different servers every hour, that is something to worry about (or your network cable is unplugged).

Regarding the in-depth analysis scan time... what type of CPU do you have in your computer, and what type of hard drive? Unless you have a fairly old computer, 4 hours does seem a bit long.

[Marcos]

As for the long time to complete in-depth analysis, I assume you must have a pretty big bunch of archives and runtime-packed files on your drive. These take much time to emulate (with advanced heuristics /AH/ and runtime packers /RTP/ enabled) so with many such files on disk the delay becomes apparent.

You can disable AH and RTP, but though it will shorten the scan time signifficantly it will also reduce detection capabilities.

Note that NOD32 re-scans all files run at startup after each update automatically, with all settings tweaked to maximum. If a threat is found, it will show up a bubble warning in the right-hand lower corner by the clock. You can schedule a full disk scan, let's say once a week, but running it after each update seems to me needless.

[handinglove]

Thank you all for your input! Glad to know there’s such an active NOD32 community around here.
Regarding server connection issues, I guess things are now working as expected, so no worries about that (perhaps it would be better if successful connections were logged as well).

Quote:

Regarding the in-depth analysis scan time... what type of CPU do you have in your computer, and what type of hard drive? Unless you have a fairly old computer, 4 hours does seem a bit long.

My laptop is equipped with an Intel Pentium M 740 and a 80GB HDD (no partitions) on a PCI Motherboard.

Quote:

As for the long time to complete in-depth analysis, I assume you must have a pretty big bunch of archives and runtime-packed files on your drive.

Unless you consider restore points “a pretty big bunch of archives”, I don’t think I have an excessive number of archives on my hard-drive. But even if I had, what would be the point of buying a product to protect you if you have to disable its more advanced features in order for it to perform efficiently (or at least as efficiently as my last AV)?
Also, I went through Blackspear’s tutorial for installing and tweaking NOD32, as suggested by Webyourbusiness, ending up trying a scheduled scan with many (if not all) of the software features enabled, which I presume would be the equivalent of an in-depth analysis. This time, the analysis took 2h25min, but still consumed many of my CPU resources during the scan, much to my dismay. Is this normal? Is there anything else I can do to obtain a more efficient performance of NOD32?

Cheers

[pc-support]

Quote:

Originally Posted by handinglove

Is there anything else I can do to obtain a more efficient performance of NOD32?

Cheers

1. Defrag your hard drive
2. Ensure you have FULLY removed Norton (see Norton's very own website.)
3. Remember that Norton on a full scan *doesn't* scan every file, only those with certain extensions. NOD does scan EVERY file, including tmp files etc.

[alglove]

Two and a half hours does seem more reasonable, especially given that laptop hard drives tend to be slower than their desktop counterparts. Your CPU is certainly reasonably fast.

That still does not explain why it would take longer than Norton, though the explanations offered by pc-support would certainly make sense. I will have to go find a computer with Norton installed on it to see for myself.

I agree with Marcos that doing a full scan of the hard drive after every update may be a bit much. Marcos is actually one of the main developers at Eset, so he does know the inner workings of the software pretty well.

[Brian N]

Quote:

Originally Posted by pc-support

Remember that Norton on a full scan *doesn't* scan every file, only those with certain extensions. NOD does scan EVERY file, including tmp files etc.

Unless you configure it properly I presume...

[handinglove]

Quote:

1. Defrag your hard drive

Couldn’t be more defragmented.

Quote:

2. Ensure you have FULLY removed Norton

Now that was a lovely piece of advice. Even though it didn’t do much to ensue a swifter scan, it surely had an impact in my Windows booting times. Thanks!

Quote:

3. Remember that Norton on a full scan *doesn't* scan every file, only those with certain extensions. NOD does scan EVERY file, including tmp files etc.

NAV may be awfully resource greedy, but I never had any problem during scheduled local scans. No more than two hours were needed to scan my hard drive thoroughly. Up to now, having tried several local scans with NOD32, I still can’t understand why it requires 3h21min (that’s the last figure) to get through 60000 files using Blackspear’s conservative settings for Control Center Profile (with the command line reading: ‘/adware /ah /all /arch+ /clean /cleanmode /delete /heur+ /log+ /mailbox+ /ntfs+ /pack+ /quarantine /scanboot+
/scanmbr+ /scanmem+ /scroll+ /sfx+ /unsafe /wrap+’). The program appears to dedicate a disproportionate amount of time going through my Thunderbird profile and my Windows restore points. What’s more, it reports “error - unknown compression method” for one of the restore cabinet files, and several “archive damaged” for others (at this point, I just hope NOD32 hasn’t corrupted my restore points).
One simply may argue as Marcos did:

Quote:

You can disable AH and RTP, but though it will shorten the scan time signifficantly it will also reduce detection capabilities.

But again, what’s the point of buying a product to protect you if you have to disable its more advanced features in order for it to perform efficiently? I have considered erasing some older restore points, but I would like to hear some advice before doing it. Again, I decided to try NOD32 for its much praised efficiency and agility, but so far I must confess I’m not very impressed with the latter. At least no enough to buy the full product.
Unless I’m still missing something?

Cheers

[IcePanther]

I can't do much to help but agree the time's strange.

I've got a laptop with approx. 120 000 files (as seen by windows and file defragmenter - OO software) and Nod scans it with all options activated (like in BS's settings, only stored in a profile and scheduled with the profile instead of command-line, allowing me to do a 'silent' scan) detecting approx 500 000 files (with archives/packers) in 50minutes.

It's also a 80GB HDD, and I've an Athlon XP-M 3000+ (1.6 Ghz) - System restore is disabled, but when it was on it didn't have a big impact on scanning times.

I know on some systems ZA can be a real resource hog (it noticeably slowed down my system for instance), you may want to try disabling it while scanning (and network off)

[handinglove]

Hello everyone. I’m opening a second thread since the first one I had here came to a point where I was hardly getting any feedback. I’m currently evaluating the trial version of NOD32 (haven’t given up yet) using Blackspear’s conservative settings for Control Center Profile (with the command line reading: ‘/adware /ah /all /arch+ /clean /cleanmode /delete /heur+ /log+ /mailbox+ /ntfs+ /pack+ /quarantine /scanboot+
/scanmbr+ /scanmem+ /scroll+ /sfx+ /unsafe /wrap+’). Up to now, I’ve tried several local scans with NOD32, and I still can’t understand why it requires 3h21min (that’s the last figure) to get through 60000 files (Norton AntiVirus, my last resident AV, would go through my HDD in less than 2 hours). The program appears to dedicate a disproportionate amount of time going through my Thunderbird profile and my Windows restore points. What’s more, it reports “error - unknown compression method” for one of the restore cabinet files, and several “archive damaged” for others (at this point, I just hope NOD32 hasn’t corrupted my restore points).
At some point, Marco pointed out that:

Quote:

You can disable AH and RTP, but though it will shorten the scan time signifficantly it will also reduce detection capabilities.

But what’s the point of buying a product to protect you if you have to disable its more advanced features in order for it to perform efficiently? I have considered erasing some older restore points, but I would like to hear some advice before doing it. Again, I decided to try NOD32 for its much praised efficiency and agility, but so far I must confess I’m not very impressed with the latter. Unless I’m still missing something? I’d really appreciate some help here!

Cheers

[Marcos]

NOD32 uses a very sophisticated and efficient emulator, it simply takes time to emulate certain runtime packed files. I suggested to disable those options not to make NOD32 less efficient, but just to see if it decreases the scan time.

[steve1955]

have you tried a fresh install,there is something not right here nod should be both faster and less resource hungry than Norton,what other apps are running whilst you are scannining?possible conflict??
from earlier post you did run the registry cleaner for norton off their site(uninstaller!)and the correct one for your ex-product

[handinglove]

Marcos,

The time this reply took was exactly the time of a thorough HDD scan with Blackspear’s conservative settings, but with advanced heuristics and runtime packers off: exactly 3 hours (last time with AH and RTP on was 3h21min). I insist there must be a problem with the scanning of my restore points (that took over two hours of the scan), as suggested by these entries of the log file:

C:\System Volume Information\_restore{B80077B6-9EC2-4BDA-9C96-51015B5D41E0}\RP69\A0029796.EXE »RAR »LuComServerPS_3_0.DLL »GZ »LuComServerPS_3_0.DLL - error - unknown compression method
C:\System Volume Information\_restore{B80077B6-9EC2-4BDA-9C96-51015B5D41E0}\RP69\A0029811.DLL »GZ »A0029811.DLL - error - unknown compression method
C:\System Volume Information\_restore{B80077B6-9EC2-4BDA-9C96-51015B5D41E0}\RP71\A0031253.exe »NSIS »openofficeorg4.cab »CAB »testtar.tar »TAR - archive damaged
C:\System Volume Information\_restore{B80077B6-9EC2-4BDA-9C96-51015B5D41E0}\RP71\A0031279.exe »NSIS »openofficeorg4.cab »CAB »testtar.tar »TAR - archive damaged
C:\System Volume Information\_restore{B80077B6-9EC2-4BDA-9C96-51015B5D41E0}\RP72\A0031790.exe »NSIS »openofficeorg4.cab »CAB »testtar.tar »TAR - archive damaged

What’s more, it kept consuming most of my CPU resources during that time. Again, it is hardly conceivable that a simple local scan could be so slow and painful. If this is the fast and efficient NOD32 at its best, then I'm moving ahead to try another product.

Steve1955, I installed the NOD32 execute file (sent by ESET upon request) according to Blackspear’s setting thread found above. All I had running along with NOD32 during that scan was a copy of Zone Alarm Pro. No conflicts were observed between these two programs.

I’d really appreciate some help here. Thanks!

[IcePanther]

Something strange spottted. You have THREE exe's in your system restore, that each contain openoffice.org cab (probably the open office installation), indeeed something's strange with your restore points.

Could you check the size of the \System Volume Information\_restore{ (id) }\ folder ? I know from experience that windows xp's system restore can act weird sometimes. For example, on a machine of mine, it kept incorporating 768 MB pagefile.sys, multiple times, even if i specified the size of the folder to be maxed out at 1GB. If there are too much complex / huge archives in system restore, that can be a problem and/or lead to longer scan times, especially if they're duplicate(unuseful) as it seems so from that log.

[handinglove]

Thanks for your input, IcePanther. I’ve noticed the corrupted .tar OpenOffice file before, which led me to a reinstall of the program – no issues there. As for the size of the \System Volume Information folder, I’ve went through Microsoft Knowledge Base walkthrough, and tried everything that came to mind, but I still am not allowed to access the System Volume Information folder. Any idea?

[handinglove]

IcePanther,

I checked the system properties, and the system restore tab tells me I'm running 12% (9157 MB) of the total allowed space on disk for this feature. Does this help?

Cheers

[Blackspear]

What happens if you run a "In Depth Scan" instead?

Cheers

[handinglove]

I tried it first time, before scanning with your settings: it went on for over 4 hours . . .

Glad you're over my problem, Blackspear!

Cheers

[alglove]

Quote:

Originally Posted by handinglove

Thanks for your input, IcePanther. I’ve noticed the corrupted .tar OpenOffice file before, which led me to a reinstall of the program – no issues there. As for the size of the \System Volume Information folder, I’ve went through Microsoft Knowledge Base walkthrough, and tried everything that came to mind, but I still am not allowed to access the System Volume Information folder. Any idea?

Try this: http://support.microsoft.com/kb/309531/

[handinglove]

Thanks, alglove, but I had already tried that:

Quote:

I’ve went through Microsoft Knowledge Base walkthrough

Cheers!

[Blackspear]

If it was my system, then I would be turning off System Restore and rebooting to get rid of the previous restore points, as well when Restore was turned back on, I would lower the amount of storage it wants.

Cheers

[handinglove]

Thanks, Blackspear, that's exactly what I was thinking to do. Just waiting for a nudge! I'll let you know how it worked.

Cheers!

[handinglove]

Ok, I disabled system restore, restarted the computer and ran a thorough scan on my disk (~47000 files reported this time) with Blackspear's conservative settings (AH and RTP on): 1h29min. Could anyone please let me know if this more of an accepable time?

Thanks!

[IcePanther]

Hi,

Disabling system restore to get rid of ancient restore points is a good idea, and has shown there was a problem with yours (or it was stuffed), as now the scan has decreased by half its time.

If you don't ever use it (as I don't) you can leave it disabled, but if you use it sometimes, you can re-enable it and lower its maximum to approximately 1GB, that will be sufficient since you don't need to often roolback to a restore point that far away.

FYI : To access the restore folder, if you cannot access the /System Volume Information/ path, you have to first enable view of system files in the Folder Options control panel, then manually enter (or copy-paste from Nod's log) the C:/System Volume Information/Restore{ (id) }/ path. Then select all and do properties to get the real size and number of files in here.

If that's NOD that reports ~47 000 files (not 470 000) then 1h29 seems slow to me (a full scan with all options on my laptop takes 48minutes for ~507 000 reported files), but it can really depend on your hardware :
Since your CPU seems ok, i'd say the HDD (rotation speed, cache size, ATA interface speed) ,or the RAM size (512 MB is a minimum to be comfortable and 1GB really helps with XP)
It can also depend on what you're doing while scanning (doing nothing vs for example using 3D rendering software at the same time).
Also you may want to try turning off ZA while scanning (if you've not done so already), it can be a hog on certain systems.

Just a few guesses, because on the four machines I used NOD, two desktops and two laptops, it always ran very fast.