Wilders Security Forums  

  #1  
Old February 13th, 2008, 12:51 AM
kevin009's Avatar
kevin009 kevin009 is offline
Infrequent Poster
 
Join Date: Sep 2007
Posts: 32
Unhappy Problem with archives, runtime packers and Software installers

I have a problem with NOD32 Version 3.0.621.0 on all archives and software installers. The problem is that such packed files take quite more time to be accessed as well as copied/deleted from the hard disk when NOD32 real time protection is enabled. I wanted to exclude all such archives, software installers and packed files from the real time scanning. Although I found that it was easy to exclude ZIP and RAR like this:

Go to the Entire advanced setup tree > Real time file system protection > Setup > Extensions tab > Exclude archives like ZIP and RAR from real-time scanning.

I can always right-click and scan such archives and runtime packers before opening them, or when the contents of the archive, runtime packer or software installer are extracted, NOD32 can automatically scan them.

But all software installer packages like NOD32 (eav_nt32_enu), Kaspersky Anti-Virus (kav7.0.1.321en) as well as Adobe product installers, etc. still take a lot of time to be copied/deleted from the hard disk to the recycle bin. This was not a problem with NOD32 2.7. All these software installer packages have the .exe extension.
I don’t want to exclude .exe files from scanning.

Is it possible to set NOD32 not to scan archives, runtime packers and software installers until their contents are extracted ?
  #2  
Old February 13th, 2008, 08:10 AM
Marcos Marcos is online now
Eset Moderator
 
Join Date: Nov 2002
Posts: 8,623
Default Re: Problem with archives, runtime packers and Software installers

ZIP/RAR archives (not SFX) are not scanned by the real-time protection at all. Disabling SFX archives in the real-time protection setup should help.
  #3  
Old February 13th, 2008, 10:44 PM
kevin009's Avatar
kevin009 kevin009 is offline
Infrequent Poster
 
Join Date: Sep 2007
Posts: 32
Default Re: Problem with archives, runtime packers and Software installers

Hello,
Thanks for replying.
But by default, NOD32 Version 3 is real-time scanning all files including RAR, ZIP and all software installers, which makes the copying much slower when copying and deleting data. To avoid this problem, I excluded RAR and ZIP from real-time scanning, but I am puzzled what to do with the software installers which use the .exe extension. How to exclude all such installers from real-time scanning?

For example, if we install NOD32 V.3 and use default settings, when we try to copy a ZIP or RAR that takes NOD32 v.3 at least one minute to on-demand scan, into the hard disk, the copying is really slow if real-time protection is enabled. The same problem is there for executable software installers as described in my previous post.

In the real-time scanning ThreatSense options, why is there no check-box option for excluding archives, runtime packers and SFX archives from real-time scanning like in the other ThreatSense options (like the Antivirus and Antispyware tab)? Making any changes in the Antivirus and Antispyware tab ThreatSense options does not make any changes in the way other modules like real-time scanning and on-demand scanning. Why?
  #4  
Old February 14th, 2008, 01:56 AM
Marcos Marcos is online now
Eset Moderator
 
Join Date: Nov 2002
Posts: 8,623
Default Re: Problem with archives, runtime packers and Software installers

Could you please provide a link to a rar/zip installer that is scanned by the real-time protection? The real-time protection only scans sfx archives on create; disabling that option should help you.
  #5  
Old February 14th, 2008, 04:31 AM
kevin009's Avatar
kevin009 kevin009 is offline
Infrequent Poster
 
Join Date: Sep 2007
Posts: 32
Default Re: Problem with archives, runtime packers and Software installers

Sorry,
The ZIP RAR problem was due to an incorrect real time configuration. I wrote the posts wrongly without a proper investigation into the configuration.
I apologize for any inconveniences.

Last edited by kevin009 : February 14th, 2008 at 11:42 PM.
  #6  
Old February 18th, 2008, 04:41 AM
kevin009's Avatar
kevin009 kevin009 is offline
Infrequent Poster
 
Join Date: Sep 2007
Posts: 32
Default New Problem/Doubt ??? Help

Now there is a new problem/doubt.

Why is NOD32 V.3.0.621.0 scanning and deleting whole archives even though there are non-infected files in them? I've done many tests by putting an eicar test file in a ZIP along with 3 or more clean files, set the NOD32 context menu scanning option to "No Cleaning" and scanned the archive, and upon detecting the eicar, it quarantined and deleted the whole archive instead of removing only the virus (eicar).

The same thing happened when I set NOD32 to "standard cleaning"

According to the Help file documentation, NOD32 V.3 should delete whole archives only if the scanning is set to Strict Cleaning. Then why is this happening ?
  #7  
Old February 18th, 2008, 06:53 AM
Marcos Marcos is online now
Eset Moderator
 
Join Date: Nov 2002
Posts: 8,623
Default Re: New Problem/Doubt ??? Help

Quote:
Originally Posted by kevin009
According to the Help file documentation, NOD32 V.3 should delete whole archives only if the scanning is set to Strict Cleaning. Then why is this happening ?

Are you positive that the whole archives containing also some clean files are deleted automatically in strict cleaning mode? You should be prompted for an action in such case as it wouldn't be safe if the program deleted such an archive automatically.
  #8  
Old February 18th, 2008, 06:59 AM
Bubba's Avatar
Bubba Bubba is offline
Global Moderator
 
Join Date: Apr 2002
Posts: 11,264
Default Re: New Problem/Doubt ??? Help

Quote:
Originally Posted by kevin009
I've done many tests by putting an eicar test file in a ZIP along with 3 or more clean files, set the NOD32 context menu scanning option to "No Cleaning" and scanned the archive and upon detecting the eicar, and it quarantined and deleted the whole archive instead of removing only the virus (eicar)
What was your Cleaning setting for Real-time file system protection when you say this occurred on context menu scanning ?

Does your On-demand computer scan log indeed show an item in the Cleaned column ?

Also, what do your log files show for Detected threats at that same time in the Action column ?
  #9  
Old February 21st, 2008, 12:34 AM
kevin009's Avatar
kevin009 kevin009 is offline
Infrequent Poster
 
Join Date: Sep 2007
Posts: 32
Default Re: New Problem/Doubt ??? Help

Hi Marcos,
Quote:
Are you positive that the whole archives containing also some clean files are deleted automatically in strict cleaning mode? You should be prompted for an action in such case as it wouldn't be safe if the program deleted such an archive automatically.

Answer: Yes, I’m positive about it. Please look below.

1. Strict Cleaning: When I set the context menu cleaning options to Strict Cleaning, then right clicked this eicar.zip archive packed with the eicar virus and some clean files, then right clicked the archive > Advanced Options > Clean Files. … Then NOD32 quarantined and deleted the whole archive without displaying the virus alert window when eicar was detected.

2. Standard Cleaning: When I set NOD32 context menu scanning to Standard Cleaning, upon the eicar detection, NOD32 displayed the Threat alert window with only two options: “Delete” and “Leave”. When I clicked the Delete button, the whole archive was deleted. When I clicked the Leave button, the archive was left intact.

3. No Cleaning: Same thing happened as in Standard Cleaning.


Please look at this scan log (same results for Standard Cleaning and No Cleaning) and see for yourself. Here Eicar test file was a part of the deleted object (the deleted object was the whole eicar.zip archive)

NOTE: All other options in NOD32’s entire advanced setup tree were at default except for the “Cleaning options” in the context menu scanning. (changes were made only in the context menu settings – Strict Cleaning, Standard Cleaning, No Cleaning)


Scan Log
Version of virus signature database: 2870 (20080212)
Date: 2/13/2008 Time: 9:45:06 PM
Scanned disks, folders and files: E:\eicar.zip
E:\eicar.zip » ZIP » eicar.exe - Eicar test file - was a part of the deleted object
E:\eicar.zip » ZIP » application.txt - is OK
E:\eicar.zip » ZIP » Application 2.txt - is OK
E:\eicar.zip » ZIP » Caliver.txt - is OK
E:\eicar.zip » ZIP » New Microsoft Word Document.doc - is OK
E:\eicar.zip » ZIP » system.txt - is OK
E:\eicar.zip » ZIP » nentenst.exe » RAR » advheur.nup - is OK
E:\eicar.zip » ZIP » nentenst.exe » RAR » archs.nup - is OK
E:\eicar.zip » ZIP » nentenst.exe » RAR » charon.nup - is OK
E:\eicar.zip » ZIP » nentenst.exe » RAR » engine.nup - is OK
E:\eicar.zip » ZIP » nentenst.exe » RAR » ntbaseen.nup - is OK
E:\eicar.zip » ZIP » nentenst.exe » RAR » pwscan.nup - is OK
E:\eicar.zip » ZIP » nentenst.exe » RAR » utilmod.nup - is OK
E:\eicar.zip » ZIP » nentenst.exe » RAR » main.dll - is OK
E:\eicar.zip » ZIP » nentenst.exe » RAR » mfc42.dll - is OK
E:\eicar.zip » ZIP » nentenst.exe » RAR » mfc42u.dll - is OK
E:\eicar.zip » ZIP » nentenst.exe » RAR » msvcrt.dll - is OK
E:\eicar.zip » ZIP » nentenst.exe » RAR » readme.txt - is OK
E:\eicar.zip » ZIP » nentenst.exe » RAR » setup.exe - is OK
E:\eicar.zip » ZIP » nentenst.exe » RAR » ntstden.nup - is OK
E:\eicar.zip » ZIP » nentenst.exe » RAR » ntineten.nup - is OK
E:\eicar.zip » ZIP » nentenst.exe » RAR » setup.xml - is OK
Number of scanned objects: 23
Number of threats found: 1
Time of completion: 9:45:13 PM Total scanning time: 7 sec (00:00:07)

So can you tell me exactly why it happened? Is it a bug ?





Hi Bubba,
Here are your answers:

What was your Cleaning setting for Real-time file system protection when you say this occurred on context menu scanning ?

Answer: it was “Standard Cleaning”

Does your On-demand computer scan log indeed show an item in the Cleaned column ?

Answer: Please look in the above scan log and see for yourself

Also, what do your log files show for Detected threats at that same time in the Action column ?

Answer: It shows the eicar test file as shown in the above log: (E:\eicar.zip » ZIP » eicar.exe - Eicar test file - was a part of the deleted object)

Anything to tell about this ?
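
Added example, not part of the post above and not ESET code: a Python sketch that reads scan-log lines in the shape shown in the post, finds which direct members of the archive carry a detection, and rewrites the ZIP without them so the clean files are kept. The function names, the assumed "<chain> - <threat> - <action>" field layout and the sample data are constructed for illustration.

```python
import io
import zipfile

SEP = " » "  # container separator used in the scan log above

# Constructed sample: three lines in the shape of the log in the post.
SAMPLE_LOG = """\
E:\\eicar.zip » ZIP » eicar.exe - Eicar test file - was a part of the deleted object
E:\\eicar.zip » ZIP » system.txt - is OK
E:\\eicar.zip » ZIP » nentenst.exe » RAR » readme.txt - is OK
"""

def parse_scan_log(text):
    """Return (chain, threat) per object line; threat is None for clean ones."""
    rows = []
    for line in text.splitlines():
        if SEP not in line:
            continue  # header and summary lines carry no container chain
        if line.endswith(" - is OK"):
            path, threat = line[: -len(" - is OK")], None
        else:
            # Assumed layout: "<chain> - <threat name> - <action taken>"
            parts = line.split(" - ", 2)
            if len(parts) < 3:
                continue  # unknown line shape: skip rather than guess
            path, threat = parts[0], parts[1]
        # Drop the container-type tokens (ZIP, RAR) at the odd positions.
        rows.append((path.split(SEP)[::2], threat))
    return rows

def flagged_top_level(rows, archive):
    """Names of direct members of `archive` that carry a detection."""
    return {c[1] for c, t in rows if t and c[0] == archive and len(c) == 2}

def rewrite_without(src, dst, drop):
    """Copy a ZIP member by member, skipping names in `drop`; return kept names."""
    kept = []
    with zipfile.ZipFile(src) as zin, \
         zipfile.ZipFile(dst, "w", zipfile.ZIP_DEFLATED) as zout:
        for info in zin.infolist():
            if info.filename not in drop:
                zout.writestr(info, zin.read(info))
                kept.append(info.filename)
    return kept

def demo():
    # Constructed archive with harmless placeholder bytes, not a real test file.
    src = io.BytesIO()
    with zipfile.ZipFile(src, "w") as z:
        for name in ("eicar.exe", "system.txt", "nentenst.exe"):
            z.writestr(name, b"placeholder")
    drop = flagged_top_level(parse_scan_log(SAMPLE_LOG), "E:\\eicar.zip")
    return drop, rewrite_without(src, io.BytesIO(), drop)
```

A detection inside a nested container (a chain longer than two entries) is deliberately left out of the drop set, since removing it would mean rewriting the inner archive as well.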
  #10  
Old February 24th, 2008, 10:41 PM
kevin009's Avatar
kevin009 kevin009 is offline
Infrequent Poster
 
Join Date: Sep 2007
Posts: 32
Unhappy Re: Problem with archives, runtime packers and Software installers

Why hasn't anyone responded to my thread above yet ?
All times are GMT -5.