AMON and packed files

Hello,
Sorry if it thread exist but I can't found that.
I think that NOD is the best AV, I like eset stuff but I'm not agree with some of NOD and ESET:
We know that AMON doesn't scan packed file. I also know that if for example a Bagle variant appear and later appear the same variant compressed with UPX AMON will detect this, because it's spreading and ESET made a special detection, for example: Win32/X.A:UPX. But it isn't the matter.
The problem: AMON detect only specific packed sample (ITW). I've many backdoors, trojans and viruses that first appear uncompressed so NOD detect it, but later appeared the same malware packed with ASPACK, UPX, etc. And only NOD32 Scanner and IMON detect it. Not AMON, because AMON doesn't scan packed files.
I know that check compressed file like .zip isn't necessary because it will damage you only if you decomprees them, but the packed files are auto-extract, so you only need execute them and you will get infected.
I've a spammer that NOD detect, so I've packed it with UPX and execute them and nothing, the spammer has been executed and no alert or access deny from AMON. Only IMON and the Scanner detect them as UPX file infected...
I also know that ESET said that's can slowdown the PC and the use resources, but Why ESET doesn't add the ability to scan packed files as a undefault option in AMON, so the user can decide if enable it or not as KAV and NAV do? I was a user of KAV 4.5 and I has enabled the scan for packed files and I've not feel slowdown for this and my PC is standar.
Thanks for your comprehension!

 

I agree, it is wise to at least include the option to scan compressed or packed files in realtime. NAV just added that in the 2004 edition, and it only works for NT-based systems {Win2K/XP} since it uses an NT-driver, but it is nice to have. Agree with everything you said.

 

I also agree with this. If could be an option...

 

Agreed

 

Hello sir_carew !

Try to change value in registry.
HKEY_LOCAL_MACHINE\SOFTWARE\Eset\Nod\CurrentVersion\Modules\AMON\Settings\Config000\Scanner
Try to change 'target_sfx_enable' and 'target_arch_enable' to 1. Then you must restart windows.


Izi

 

Hello,
I've put advanced heuristic to 1. will amon use ah?
I can't found the entries that you said.
Thanks.

 

Sorry,
I've found those. I'll test your tips, thanks and I hope that this will work!!!

 

Hi!

AH in AMON doesn't work.

Izi

 

Izi,
Sorry, I've modified that, restart windows and I've a backdoor packed with UPX and AMON doesn't detect them, only IMON and Scanner.
ESET, please add such feature to AMON
Thanks

 

All modules use the same registry template, therefore an entry reading advanced heuristics appears in all modules. Since not all the modules support it, this setting is ignored in the case of AMON and EMON.
Obviously is the same with SFX and arhives.

Izi

 

I agree with dvk01.
All viruses I get via internet. HTTP, FTP are planned to be added in IMON. So POP3, HTTP and FTP will be scaned with AH. I hope that ESET will add HTTP in FTP to IMON in near future. Maybe in 2.000.10.

Izi

 

I add my agreement. If this not added by the time my license is up, I will most likely move to KAV. I don't use IMON (for several reasons hyper threading bug is one of them). AMON has been somewhat neutered by Eset since version 2 as IMON does more than AMON. That is absurd and I will not stay with an av company that doesn't realize this fact and fix it. The resident monitor should detect everything. There should be no need for an email scanner as that is simply another layer of protection for those who want it. Those who do not want this additional capability in AMON should be able to turn it off IMO.

Anders agrees with me. He says:

"Everything should of course be detected by the resident protection, and IMON is just a layer of extra protection. For now, more things are detected by IMON due to the advanced heuristics, but hopefully that will be an option in AMON in the future."
http://www.wilderssecurity.com/showthread.php?t=25524

Eset is going to loose a LOT of their users if they continue to eviscerate AMON. In fact, I may not even stay with NOD32 until my license is up because this is so important. To say that giving these powers to AMON will make the computer unusable makes no sense. A computer with KAV or NAV 2004 is not unusable.

Giving IMON HTTP and FTP powers is absurd. Those powers belong to the resident monitor not to a very buggy email monitor that a lot of people don't want or use.

I would like Eset to give a definitive answer on this issue as soon as possible. Can we expect AMON to be given the proper powers or not? If yes, then how soon?

(edited because I was using Firefox and it will not preview and I forgot that and I didn't check the spelling).

 

Why is the ability to scan compressed files and the use of AH been combined in this thread?
they are really 2 different things,the on demand scanner doesn't HAVE to use AH to scan compressed files,so the point that the use of AH in amon making the PC almost unusable is spurious to the initial point of it not being able to scan them(although scanning them would slow amon down it should not have so much an impact)

 

Hello,
NOT, it isn't true, NOD has a unpacker engine independent of the advanced heuristic engine. However AH doesn't use the unpacker engine, it use its own unpacker engine that it's a generic unpacker engine that can scan any packed file including new one.
If you start NOD Scanner without /ah command line it will scan packed files, so ESET can implement scan packed file in AMON without implement advanced heuristic in AMON.
Why you said that AH use 100 % of resource?, I don't believe that, maybe it can slowdown but not the 100 %. Moreover I'm speaking about packed files in AMON not AH. Implement AH is a good idea but isn't urgent, implement packed file scanner on AMON is URGENT, every day appear new packed malware and AMON stay in silence.

 

I don't have any troubles with imon (i don't have HT CPU ). IMON HTTP feature is impressive, it catch eicarcom2.zip (twice zipped file) on http downloading time...

 

Hello Digi, how do you know such information?, do you have a beta version of NOD that have such feature?
I know that ESET will implement that feature in IMON, I think that IMON is impressive and excelent!, if ESET implement such feature soon I'll be VERY happy

 

My friend (from eset) told me... IMON HTTP scanner will use same scaner as IMON POP (adv. heuristic support, archive support etc...) for HTTP dowloaded files.

 

If I understand you correct, there will be two IMON scanners. One for POP3 and one for HTTP.

Izi