Command Line Switches, IMON, Archives, DownLoad Utilities (Long)

Discussion in 'NOD32 version 2 Forum' started by NewNOD, Jun 14, 2003.

Thread Status:
Not open for further replies.
  1. NewNOD

    NewNOD Guest

    I've got several questions and some comments / tips (all came up during my testing of NOD32 v2, but some probably pertain to v1, also).

    First the questions:

    Command Line Switches

    1. When running NOD32 from within a download utility (in this case GetRight 5 or Mass Downloader) to scan a file after download completion, is there a switch to specify a certain profile rather than having to individually set each switch parameter? It would be a lot easier to add "/My Profile" rather than twenty odd individual switches.

    2. Is the set of command line parameters in the help file complete? I didn't see the switch for the new advanced heuristics, so I thought something else might be missing, too.

    Eicar Files

    1. NOD32's IMON function is described on the first page of the main help file as follows (note that the help file for v2 still references EMON?) :
    The NOD32 Control Center is the central management program of the NOD32 Antivirus System. The system consists of the following resident modules and filters:

    AMON – the resident (running in operating memory at all times) or "on-access" antivirus monitor. This program is the most crucial antivirus defense tool.
    NOD32 – (also referred to as the "on-demand" scanner) this is the scanner executed manually by the user, or automatically by the scheduler.
    IMON – this scanner provides the first line of defense by monitoring Internet traffic (smtp, ftp, http and other Winsock protocols).
    EMON – the NOD32 Mail Scanner provides protection from email-borne viruses.

    Since IMON is supposed to monitor ftp, http, and other protocols, and since the SETUP dialogue for IMON lists options to detect runtime packers and archives, shouldn't IMON catch *.zip files containing viruses as they are being downloaded and before AMON or the on-demand scanner kick in (if set to run by a download utility)? If not, what do the runtime packer and archive options for IMON actually do? Do they only function for the SMTP protocol, despite the description of IMON in the help file? The real life example is that neither of the EICAR zip files are caught by any component of NOD32 until the files are already saved to disk and subsequently scanned or extracted (AMON catches the latter).

    2. Related to the question immediately above: since IMON is supposed to be able to monitor http, why is it that the eicar_com.txt file, when opened directly from the website rather than being saved to disk, renders in the browser and then AMON (not IMON) catches it as the page is being written to the browser cache? Seems like IMON, per the description of its abilities, would catch it before AMON detects the write-to-disk.

    3. IMON aside, all modules of NOD32 seem unable to delete archive files (at least not the EICAR zips). The virus inside is detected for both the single-level and multiple-level zip files, but no action (clean, quarantine, rename, delete) can be taken by NOD32. The viruses are simply identified and must be deleted manually by the user. Is this normal behavior, and if so, why are the options to perform these actions on archives even made available in the SETUP dialogues?

    To be sure, the plain file is detected by AMON before it can be saved to the directory of your choice using the browser or a download utility, but this is because AMON detects the web page being written to cache. If cache is turned off, I imagine the file would be completely downloaded and written to the directory of your choice before AMON kicked in; either way is acceptable. Same thing is true of the eicar_.txt file if you choose to save the file to disk rather than having it open directly in the browser (see Item #2 above). I was just questioning why IMON doesn't activate for these downloads based on its functional description.

    Now the Comments/Tips:

    When doing all of this testing, I noticed some things about NOD32's interaction with download utilities' use of file extensions to identify downloads in-progress or unfinished downloads (for instance GetRight has the option of adding .Getright to these files; Mass Downloader adds .Mass and cannot be disabled). Here are some observations that may be helpful to others using GetRight 5 and Mass Downloader (tests were done with and eicar_com.txt):

    1. If you have GetRight set to add its own file extension to unfinished or in-progress files, AMON will pop-up with a warning showing applicable action options (rename, delete, quarantine) upon detecting the virus. If any of these available options are chosen, AMON will say that the action could not be performed. Clicking on "close" to close the AMON warning seems the only alternative at this point. After having closed the AMON warning screen, since AMON warned that it could not take any action against the file, you would expect to find that the file had been written to disk. However, the file never does get written. To test whether just closing AMON would yield the same results, I immediately clicked on "close" (requires two clicks in every instance before the window actually closes...two clicks not just one) and sure enough, the file is not there. Because all of this appears to happen before the file is written to disk, the NOD32 scanner (if set from within GetRight to do so), is never invoked.

    2. If you do not set GetRight to add its own extension, the file actually gets written to disk where you specify, and all the available options appearing on the AMON warning function. If you have the on-demand scanner module set to run from within GetRight, you can choose to either handle the file through AMON or through the on-demand scanner (unlike in Item #1 above, where the on-demand scanner never gets invoked).

    3. When downloading using Mass Downloader, some really strange things happen (remember there is no option to turn off the feature which adds the .Mass extension). Upon detection of the or eicar_com.txt file, both AMON and the NOD32 on-demand scanner are invoked (the latter only if you have it set to run from within Mass Downloader upon download completion). The on-demand scanner will show that the scan path is file has been written yet as AMON has stopped it. Unlike with GetRight, "rename" works and "quarantine" works, but "delete" still does not. However, "rename" functions somewhat oddly in that "rename" can be invoked any number of times until you click on the "close" button to close the AMON warning (also requires multiple clicks to actually close the warning screen). The first file renamed looks like this: drive:\path\ Subsequent clicks of "rename" create files named drive:\path\EICAR.COM.00VMASS,... EICAR.COM.01MASS, EICAR.COM.02VMASS,....etc., etc. (the file name is now in all caps rather than lower case). When scanning these files with the on-demand scanner after successfully closing AMON, only the first file renamed (lower case) is detected as having a virus; all other renamed files (UPPER CASE) do not show up as being infected.

    Using your browser as the downloader results in the same functionality as Item #2, above, because no extra extension is added.

    Either way you handle downloaded files using GetRight (either Item #1 or #2 methodology) seems acceptable. Item #2 is cleaner as it yields more typically expected results if a virus is detected, but if you find that adding the extra extension to unfinished downloads provides a valuable function (I personally like it), just remember all that is required is to click "close" twice and the file never gets written to disk. No need to mess with rename or delete or clean or quarantine, as they won't work anyway. I did a search of my drives after playing with this using the parameter "*.getright" and no files turned up; I just wanted to make sure nothing was being written to a temporary file directory somewhere.

    Using Mass Downloader is another story, but if you understand that goofiness can ensue when clicking around on the AMON warning screen, I guess it can be dealt with appropriately.

    These results were highly repeatable (100%). Also, this only applies to the non-zip EICAR files because AMON nor IMON catch the zips, only the NOD32 on-demand scanner does (see questions under the EICAR questions section above).

    One final note: I have TDS3 on my machine, and even though it's not running in the background, clicking on one of the renamed files (EICAR.COM.00MASS, for instance) automatically loaded TDS3, which then scanned the file. Does TDS3 associate itself with unknown multiple extension file types during installation and then scan them if multiple extension files are executed? I don't remember that being an option settable from within TDS3.

    Whew!!!!!! Thanks for reading.
Thread Status:
Not open for further replies.