Does NOD32 actually prevent infection or just try to clean up the aftermath?

One of the reasons I moved to NOD32 from Symantec is an infection my father got on one of his systems from an e-mail attachment. What was frustrating is that if you scan the file with Symantec's on demand scanner it finds the trojan. But if you run the file, the resident scanner does nothing to stop you.

Anyway, I thought NOD32 would do a better job but I'm starting to wonder. During an on-demand scan of my system it found a number of potential threats. Most of these are not real Malware but are identified as threats since I enabled the potentially unwanted and potentially unsafe options.

For instance it identifies an old copy of Rhinosoft's Serv-U FTP server I had in my download directory. The file is "susetup.exe" and it identified the embedded file "ServUDaemon.exe" as "Win32/ServU-Daemon application". I left the file where it was for now.

Then, as a test I tried to run "susetup.exe" which NOD32 knows contains a potential threat. I was surprised to see that NOD32 raised no objection to this and I was able to run the installer largely unhindered. During the install, it DID raise a warning to "C:\Program Files\Serv-U\~GLH0008.TMP" as "Win32/ServU-Daemon application" and gave me the option to delete it, which I did. However, the installation continued and at least superficially, the server seemed to work. I was able to start the Serv-U GUI and set up a server. I didn't actually test whether the server actually worked, so it's possible that deleting ~GLH0008.TMP may actually interfere with the service and prevent it from taking connections, but I don't know that that's the case.

Interestingly, later on, while doing nothing related, I got another warning. This one for "C:\Program Files\Serv-U\ServUDaemon.exe" as "Win32/ServU-Daemon application" as a result of "Event occurred during an attempt to access the file by the application: C:\WINDOWS\system32\rundll32.exe".

Anyway, this seems strange to me as ServUDaemon.exe would have had to be created at install time and the realtime scanner should therefore have prevented this file from ever getting written to the hard drive or being accessible to the system. Yet there it was...

Which all leads me to wonder if NOD32 (or any antivirus software) is actually effective at preventing malware infections (at least those it claims to know about) or does it let malware get installed and then go about trying to detect and remove it after the fact. If the latter, and this had been real malware (say some nasty rootkit) I'm not at all satisfied NOD32 could be guaranteed to remove the threat. Whenever I've been infected, I always reload an older backup of my system drive to be sure...

Anyone have insight on this?

Thanks!

 

The file would have been detected and quarantined upon create by the real-time scanner as well. If you want, you can enable advanced heuristics on access in ESS/EAV at the cost of higher cpu usage. Having advanced heuristics enabled for newly created/modified files is enough, especially if you perform an on-demand full scan from time to time.

 

Pm sent

 

But it didn't stop "C:\Program Files\Serv-U\ServUDaemon.exe" from being created...

I have advanced heuristics enabled, but I don't know if it's enabled for access or just created/modified. I wasn't aware it could be set up independantly like that. I had enabled pretty much everything. Is that why NOD32 3.0 was running so slowly? It basically made my system unusable. Those results I described were with 3.0. I just downgraded to 2.7 and the performance difference is extreme! What was messed up with 3.0 is it would take WAY longer for the realtime scanner to scan files while being saved, copied or moved than it would take the on-demand scanner to scan the same files. Also, whereas with 2.7, while performing a scan the computer still runs at an acceptable pace, that wasn't true with 3.0.

 

When running an on-demand scan with v.2, advanced heuristics is disabled by default unless you run an in-depth scan. With v3, AH is enabled by default, but you can disable it if you want. Actually the scanning engine has been improved to work with files faster than in v2.

 

I enabled all features for both realtime and on-demand scanning in both 2.7 and 3.0 so this shouldn't make a difference. Also, as I said, with version 3 it was realtime scanning that was even slower than on-demand scanning. So I don't think I buy the idea that it should work faster than 2.7, unless there's some bug that only affects some systems. On my system 3.0 made my PC virtually unusable. I e-mailed tech support but they still haven't gotten back to me...

Also, I still don't understand why NOD32 3.0 would let a file it considers a threat to be written to c:\program files and only warn me about it after the fact when it was accessed by another program...

Thanks!

 

The best would be if you could compress it, protect the archive with the password "infected" and send it to support[at]eset.com with this thread's url in the subject.

 

Which file should I compress? The install file "susetup.exe" or the one installed in program files "C:\Program Files\Serv-U\ServUDaemon.exe">

Thanks.

 

susetup.exe