NOD32 Real-time file system protection & File extensions

Hi there,

I am looking for some advice on how to limit or minimize any impact NOD32 Real-time file system protection may have on overall system performance.

By default the ThreatSense engine parameters for Real-time file system protection are set to scan all files. Maybe it is just me but it seems a little over-zealous having NOD32 Real-time file system protection scan every file.

Wouldn't it be more efficient and use less system resources to limit the types of files scanned (i.e. by file extension)?

My rationale is that if NOD32 is only scanning certain types of files then one would expect NOD32 to use fewer system resources and thereby have less impact on system performance than scanning each and every file.

It is possible to define a list of file extensions that NOD32 Real-time system protection scans.

If one unticks the "Scan all files" option in the ThreatSense engine parameter setup dialog for Real-time file system protection then NOD32 populates the extension list with what I assume are the common virus and malware file extensions.

My question is how complete and efficient is this default list?

For example BIN and BAS files are not in this default list; shouldn't they be?

Also INI and {* files are in the list; do they really need to be?

Is there a definitive list of virus and malware file extensions that any NOD32 gurus use to define the types of files that NOD32 Real-time system protection scans?

Thanks in advance.

Laurence.

 

Three parameters that have a big impact on system performance and should be 'unchecked' for real-time protection are :
1. Runtime packers
2. Advanced heuristics
3. Log all objects

Are these parameters unchecked?

Also, please state program version and OS you are using.
Thanks.

 

Hi Thankful,

Yes all 3 of those items you listed are indeed unchecked on the ThreatSense engine parameters dialog box for Real-time file system protection (screenshots attached).

I am running Windows Vista Home Premium SP2 and ESET Smart Security V4.0.474.0.

Regards,

Laurence

 

O.K. Someone with more knowledge than me will have to answer your extension question. You can try running the Beta version of NOD32 (Version 4.2.22.0). It is discussed here:
https://www.wilderssecurity.com/showthread.php?t=261217.

By the way, you posted in the AV forum. There is a separate forum for the suite here:
https://www.wilderssecurity.com/forumdisplay.php?f=89

 

Hi there,

Thanks for the reply.

I posted my question in the ESET NOD32 Antivirus forum because my question was related to ESET's Real-time file system protection.

I was under the impression that the ESET Real-time file system protection elements of ESET Smart Security and ESET Antivirus were identical. If they are not the same then apologies, my mistake.

I don't believe that loading the beta version of ESET Smart Security would actually provide an answer to my question.

In essence my question was:

Regards,

Laurence.

 

I suggest on the extensions box ticking the default button, I agree there is no need to scan every single file.

 

Hi,

I will try to answer your questions.

First, real-time scanning is called like that because it checks every file that you are making changes to in real-time, or the system makes changes to it. Most of AV products do this because it is the most efficient way how to stop malware when it tries to spread in the system.

Second, there is no default extensions list for malware files, because creators can create every extension possible, there would be no meaning to such a list.

Third, if there is some file type with certain extension that you are sure will cause no harm to you system and you think may cause to speed up the system a little, you can add them to the exclusion list.

Also make sure that Advanced heuristics is disabled.

You can also make "gamers" adjustments according to this KB: http://kb.eset.com/esetkb/index?page=content&id=SOLN2229&actp=search&viewlocale=en_US&searchid=1268211852906 to make the system run smoother.

 

Hello timid,

Thanks for the reply.

I am quite up to speed on what Real-time protection actually is but thanks for the heads up.

I have advanced heuristics unticked as shown in the screen shot in the third post of this thread.

You mention that...

I am aware of that however my question related specifically to the list of extensions that NOD32 can be configured to scan when one unticks the "Scan all files" option in the ThreatSense parameter dialog box.

I shall try to rephrase my question.

Q1. Are there any additional file extensions that NOD32 gurus recommend adding to the list of scanned extensions for Real-time file system protection?

Q2. Are there any file extensions that can safely be omitted. For example is it really necessary to scan INI and {* files?

Regards,

Laurence.

 

I tic all and notice no hits in performance on one desktop or 2 good laptops or 1 crappy laptop.

 

Sorry for the misenderstanding.

Afaik there are no other recommendations, other than those which are already included in the list, actually the most important recommendation is to keep Scan all files enabled

Also extension included in the default list from the developers should include most common extensions that have included iinfiltrations in the past.

as trjam mentioned, i guess the problem is not in the fact that all files are scanned, maybe some file is scanned repeatably and is causing the system to slow down. mostly this can happen if you have software that keeps a log file that is updated real time and continously is being rewritten - and so ekrn scanns the file every time.

If you look at the Task manager, how much CPU resources does ekrn.exe take? Also does the system slow down in some particular case? with some application, or is it just your feeling in general?

 

Hello timid,

My system runs without any problem if I have "advanced heuristics" and "runtime packers" disabled. On my system ekrn.exe is at 0 CPU usage the majority of the time.

If I enable "advanced heuristics" and "runtime packers" options then there is a noticeable decrease in system responsiveness and performance. Unsurprisingly CPU usage for ekrn.exe jumps as well.

I asked the question regarding extensions that the Real-time file system protection scans because I wanted to make ESET as minimally intrusive as possible.

For example there is no point scanning LOG files (or most file extensions for that matter) because they are not normally a vector of virus infection.

Of course a virus author could distribute their virus with a .LOG extension but it could not ordinarily be "run" as such on the system. If the .LOG file was renamed somehow with a .EXE extension then at that point ESET's Real-time system protection would kick in and it would be detected.

As I said before having ESET's Real-time file system protection scan each and every file on the system seems overkill.

Regards,

Laurence.

 

who is reccomended to keep scan all files enabled? that is silly and I agree with the OP.

I reccomend perhaps something like this.

scan all files over http protocol
scan all files over email protocol
scan default files over realtime with disabled advanced heuristics.

manual scan any files you deem of extra risk such as files recieved over msn etc.