Wilders Security Forums  

#1 obetz, February 1st, 2007, 04:53 AM
Mail file scan depends on extension?

Can it be true that NOD32 scans mails only if they have a .eml extension, or did I miss the correct setting?

NOD32 doesn't detect the worm in a *.cnm file but if I rename the file to *.eml, it works.

Oliver

#2 ASpace, February 1st, 2007, 03:28 PM
Re: Mail file scan depends on extension?

Hi.
NOD32 scans all kinds of files but it might not have the technology to open that particular cnm file. I don't know what mail client uses that extension but you don't need to worry at all because:

IMON is the internet monitoring of NOD32. It scans all kinds of HTTP and POP3 traffic, so if you use POP3, IMON will pick up the malware even before it is downloaded.

AMON is the resident protection. It scans all kinds of files created, accessed and executed. If there is something, it will be detected immediately. But since the cnm extension doesn't pose any threat to your computer, you don't need to worry. For example, if you rename it to EML, it can be opened and pose a threat, and then it is detected.

#3 obetz, February 2nd, 2007, 02:28 AM
Re: Mail file scan depends on extension?

Quote:
Originally Posted by HiTech_boy
Hi.
NOD32 scans all kinds of files but it might not have the technology to open that particular cnm file

No, that's wrong. Read again: if I rename the file from foo.cnm to foo.eml, NOD32 detects the test virus.

Do you think that this behaviour is ok?

In my opinion, it's a flaw.

BTW: F-Prot/Win and ClamAV detect the mail attachments in any file. But I want to switch since F-Prot missed two worms in the last weeks.

Quote:
Originally Posted by HiTech_boy
I don't know what mail client uses that extension but you don't need to worry at all because:

IMON is the internet monitoring of NOD32. It scans all kinds of HTTP and POP3 traffic, so if you use POP3, IMON will pick up the malware even before it is downloaded.

AMON is the resident protection. It scans all kinds of files created, accessed and executed. If there is something, it will be detected immediately. But since the cnm extension doesn't pose any threat to your computer, you don't need to worry. For example, if you rename it to EML, it can be opened and pose a threat, and then it is detected.

1. That's no excuse for a bad on demand scanner.

2. I consider stuff like IMON and AMON harmful. All these programs cause a system slowdown and compatibility problems. I prefer to check stuff where it enters my system. Mail as I open it, files as they are downloaded etc.

I accept that for most users it's the only way, but I don't want to use it.

Oliver

#4 realitybytez, February 2nd, 2007, 12:07 PM
Re: Mail file scan depends on extension?

couldn't you just go to the setup tab of the on-demand scanner (nod32), and either add the .cnm extension to the list of file extensions scanned? or since you're reluctant to use realtime scanning, perhaps you should select the option to scan all files.

or maybe i'm not understanding the problem correctly.

i probably shouldn't comment since i've been using the program for less than a week.

#5 ASpace, February 2nd, 2007, 12:44 PM
Re: Mail file scan depends on extension?

Quote:
Originally Posted by obetz
2. I consider stuff like IMON and AMON harmful. All these programs cause a system slowdown and compatibility problems. I prefer to check stuff where it enters my system. Mail as I open it, files as they are downloaded etc.
I accept that for most users it's the only way, but I don't want to use it.

The sentence in bold is precisely what IMON and AMON do. AMON and IMON are protection modules that belong to the whole NOD32 Anti-Threat system. Learn more here:
http://www.eset.com/products/windows.php#control

#6 obetz, February 2nd, 2007, 02:28 PM
Re: Mail file scan depends on extension?

Quote:
Originally Posted by HiTech_boy
The sentence in bold is precisely what IMON and AMON do.

The sentence before says also "precisely what IMON and AMON do" (SCNR). I will not allow more programs to jump in my Winsock traffic or file access. Many programs don't work well with "on access" scanners. I just have been reading about Subversion slowdown. I know about problems with Pegasus. There are many others.

Quote:
Originally Posted by HiTech_boy
AMON and IMON are protection modules that belong to the whole NOD32 Anti-Threat system. Learn more here:
http://www.eset.com/products/windows.php#control

I know what they do. I don't want this for many reasons. If I can't get silent, reliable on demand scanning from NOD32, it's not the right product for me.

Oliver

#7 obetz, February 2nd, 2007, 02:31 PM
Re: Mail file scan depends on extension?

Quote:
Originally Posted by realitybytez
perhaps you should select the option to scan all files.

I spent some time to find the appropriate switches before I posted here.

nod32.exe foo.cnm /selfcheck+ /list+ /scroll+ /pattern+ /heur+ /scanfile+ /scanboot- /scanmbr- /scanmem- /arch+ /sfx+ /pack+ /mailbox+ /ntfs+ /adware /unsafe /ah /all

should be enough, shouldn't it?

Quote:
or maybe i'm not understanding the problem correctly.

i probably shouldn't comment since i've been using the program for less than a week.

I expect an answer from eset (sent a support request yesterday) - they have to know the reason.

Oliver

#8 obetz, February 7th, 2007, 09:18 AM
Re: Mail file scan depends on extension?

Quote:
Originally Posted by obetz
NOD32 doesn't detect the worm in a *.cnm file but if I rename the file to *.eml, it works.
Oliver

sorry - my mistake!

NOD32 doesn't depend on the extension but on the Header lines in the mail file.

I found that NOD32 didn't check for MIME enclosures when the first line was the "wrong" field. Examples:

"Subject", "To", "Date" or "X-Foo" in the first line stopped detection of "Win32/TrojanDownloader.Nurech.NAD" in my case.

Lines starting with "X-Pr", "Rece", "From", "Repl", "Mess", "Retu", "Cont" were o.k.

Rather strange and no strong correlation with RFC2822 and RFC2821.

I sent files and information to DATSEC.

Again, sorry for the wrong report.

Oliver
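
The behaviour reported in post #8, as an added example that is not part of the thread and is not ESET's code: a first-line prefix check modelled only on the prefixes obetz lists, beside a classifier that accepts any well-formed header block and then extracts the MIME enclosures an on-demand scanner would need to inspect. All function names, the sample message and its attachment are constructed for illustration.

```python
import base64
import re
from email import message_from_bytes, policy

# First-line prefixes the post reports as accepted (taken from post #8).
OBSERVED_OK = ("X-Pr", "Rece", "From", "Repl", "Mess", "Retu", "Cont")
# RFC 2822 field name: printable ASCII except ':' followed by ':'.
FIELD = re.compile(rb"^[\x21-\x39\x3b-\x7e]+:")

def brittle_is_mail(data: bytes) -> bool:
    """Hypothetical model of the observed behaviour: only line 1 is checked."""
    first = data.split(b"\n", 1)[0].decode("ascii", "replace")
    return first.startswith(OBSERVED_OK)

def robust_is_mail(data: bytes) -> bool:
    """Accept any header order: every line before the first blank line must
    be a header field or a folded continuation. Errs towards over-scanning."""
    head = re.split(rb"\r?\n\r?\n", data, maxsplit=1)[0]
    lines = head.splitlines()
    if lines and lines[0].startswith(b"From "):   # mbox envelope line
        lines = lines[1:]
    if not lines or not FIELD.match(lines[0]):
        return False
    return all(FIELD.match(l) or l[:1] in (b" ", b"\t") for l in lines)

def attachments(data: bytes):
    """Return (filename, decoded bytes) for each MIME enclosure."""
    msg = message_from_bytes(data, policy=policy.default)
    return [(p.get_filename(), p.get_payload(decode=True))
            for p in msg.walk() if p.get_filename()]

PAYLOAD = b"constructed attachment bytes"          # harmless sample content
BODY = (b"MIME-Version: 1.0\r\n"                   # constructed sample mail
        b'Content-Type: multipart/mixed; boundary="b1"\r\n\r\n'
        b"--b1\r\nContent-Type: text/plain\r\n\r\nhello\r\n"
        b"--b1\r\nContent-Type: application/octet-stream\r\n"
        b'Content-Disposition: attachment; filename="sample.bin"\r\n'
        b"Content-Transfer-Encoding: base64\r\n\r\n"
        + base64.b64encode(PAYLOAD) + b"\r\n--b1--\r\n")

def classify(first_header: bytes):
    """Put one header on line 1 and report what each classifier decides."""
    data = first_header + b"\r\n" + BODY
    return brittle_is_mail(data), robust_is_mail(data), attachments(data)

if __name__ == "__main__":
    for h in (b"Subject: test", b"To: a@example.invalid", b"X-Foo: 1",
              b"Received: from example.invalid", b"From: b@example.invalid"):
        print(h, classify(h)[:2])
```

The same message is classified as mail by the structural check whichever field comes first, so the enclosure is always handed to the scanning stage.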
 
