AMON in Action!

Discussion in 'NOD32 version 2 Forum' started by mecute, Oct 13, 2006.

Thread Status:
Not open for further replies.
  1. jackm

    jackm Registered Member

    Joined:
    Nov 8, 2006
    Posts:
    22
    While not the same thing as the problem AMON has with read-only files, I found another related quirk in AMON's treatment of infected files.

    With "move to quarantine" disabled and "prohibit access & show alert" enabled.

    When AMON detects eicar.com and while the "Threat detected" dialog is visible and prompting for action (and prohibiting access) it is possible to both rename the file and change the file attributes (tested from right-click properties and command prompt.)

    Of course it would also be possible to accomplish this even with "move to quarantine" enabled if the file is read-only, as AMON does not actually move the file, only copying it.

    I can't think of a way that this could be used to circumvent AMON's protection just now; however, I didn't expect this kind of access to be possible.

    Again, this is not the same as AMON's issue with read-only files.

    Cheers.
     
  2. extratime

    extratime Registered Member

    Joined:
    Oct 14, 2005
    Posts:
    100
    This sounds seriously alarming! Am I missing something or is this a huge vulnerability in NOD32?

    I really wish some of the NOD32 representatives would chime in here.

     
  3. ASpace

    ASpace Guest

    I couldn't do what you describe. I tested yesterday. No matter how many times I tried, AMON pop-up immediately after clicking in the infected file or right clicking. After the pop-up I couldn't do anything with this file, Windows was irresponsible. Anyway, that is why it is always better to have "Move newly created file to quarantine" enabled ;)
     
  4. mecute

    mecute Registered Member

    Joined:
    Oct 9, 2006
    Posts:
    51
    Send you PM.
     
  5. mecute

    mecute Registered Member

    Joined:
    Oct 9, 2006
    Posts:
    51
    That's another thing! See! With "hidden or read-only" attribute, AMON is unable to completely move the infected file to quarantine. Yes, it made copies to quarantine but "NOT move to Quarantine".
     
  6. mecute

    mecute Registered Member

    Joined:
    Oct 9, 2006
    Posts:
    51
    The problem is solved in version 2.7 :thumb: Nice job ESET...

    This thread is closed.
     