/all Switch Doesn't Function as Expected

Discussion in 'NOD32 version 2 Forum' started by spm, Sep 14, 2003.

Thread Status:
Not open for further replies.
  1. spm, Registered Member (Joined: Dec 9, 2002; Posts: 440; Location: U.K.)

    It seems to me that the /all NOD32 scanner command-line switch doesn't work as expected (by me, anyway).

    I would expect it to cause NOD32 to scan all of the files asked of it on the command-line, but it doesn't: archives and packed files are still ignored. An easy test is to download the eicar_com.zip file from www.eicar.com and then scan it with the NOD32 command-line scanner. Re-scan the same file after adding the /arch+ switch and see the difference.

    Now, I can live with the issue to a point: by using Paolo Monti's useful Shell Power for NOD32, and changing the command-line switches it passes to NOD32, I can have NOD32's Explorer context menu entry scan zip files.

    However, we also run a network firewall (Kerio WinRoute) which interfaces directly to NOD32 by calling the exported NOD32_ScanFile() function of nod32.dll - this also fails to scan zip archives, for - I am guessing - the same underlying reason.
     
  2. anders, Eset Staff Account (Joined: Oct 25, 2002; Posts: 410)

    The /all switch will only make it look for renamed executables and such. It only affects which file extensions are scanned, not "internal scanning". You should still add /pack+ and /arch+ to scan packed files and archives.

    Best regards,
    Anders
     
  3. spm, Registered Member (Joined: Dec 9, 2002; Posts: 440; Location: U.K.)

    Sorry, what are renamed executables? So, what extensions are scanned when /all is specified?

    Whatever the meaning of /all, if I specify a file on the command line, say C:\path\file.zip, then I expect that file to be scanned. It is not. Not only that, NOD32 reports in the scan results window that the file *has* been scanned when in fact it has not. This is an easy way for a virus to get through.

    If NOD32 doesn't scan one or more of the files passed on the command line, I would expect it to tell me, rather than falsely claim that it has.

    So, the /all switch doesn't mean "all" - perhaps it should be renamed '/some'?? I'm not trying to be facetious here, but NOD32 definitely misleads in this case.
     
  4. anders, Eset Staff Account (Joined: Oct 25, 2002; Posts: 410)

    With "/all" it "checks" files of all extensions, instead of the standard extensions. It still "checks" if "file.zip" is an infectable format, and scans it for viruses. Though, you still need "/arch+" in order for it to decompress archives it detects. "/all" just means scan all extensions. If you have an infected file named "file.exe", and renamed it to "file.zip" or "file.blah", it would be detected with "/all", but if it's an archive, the files inside it won't be scanned unless "/arch+" is specified.

    I don't think it's THAT weird.

    Best regards,
    Anders
     
  5. spm, Registered Member (Joined: Dec 9, 2002; Posts: 440; Location: U.K.)

    Anders:

    I appreciate your response, but whether you consider the switch weird or not is missing the point: unless the /arch+ switch is specified NOD32 does *not* (unpack and) scan zip files, but it does falsely claim that it has done so. This is plain wrong, and simply dangerous.
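
The distinction discussed in this thread, as an added example that is not part of the original posts and is not NOD32 code: a toy scanner in which `all_exts` stands in for /all (extension selection only) and `arch` stands in for /arch+ (unpacking), and which reports an unopened archive as such instead of as scanned. The marker, the default extension list, the depth cap and all function names are assumptions made for the illustration.

```python
import io
import os
import zipfile

MARKER = b"CONSTRUCTED-TEST-SIGNATURE"  # constructed stand-in, not a real signature
DEFAULT_EXTS = {".exe", ".com", ".dll", ".zip"}  # assumed default extension list
MAX_DEPTH = 3  # assumed cap on nested archives


def make_zip(members):
    """Build an in-memory zip from {name: bytes} (constructed sample input)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in members.items():
            zf.writestr(name, data)
    return buf.getvalue()


def scan(name, data, all_exts=False, arch=False, depth=0):
    """Return [(path, status)], never reporting an unopened archive as clean."""
    ext = os.path.splitext(name)[1].lower()
    if not all_exts and ext not in DEFAULT_EXTS:
        return [(name, "skipped-extension")]
    # Content, not the file name, decides whether this is an archive.
    if zipfile.is_zipfile(io.BytesIO(data)):
        if not arch or depth >= MAX_DEPTH:
            return [(name, "archive-not-unpacked")]
        results = []
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                member = f"{name}/{info.filename}"
                results += scan(member, zf.read(info), all_exts, arch, depth + 1)
        return results
    return [(name, "infected" if MARKER in data else "clean")]


def fully_covered(results):
    """True only if every path was actually inspected for the marker."""
    return all(status in ("clean", "infected") for _, status in results)
```

A wrapper around a real scanner can apply the same idea by treating any result other than an inspected file as incomplete coverage.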
     