NOD32 V2 Beta-2 Bugs

Discussion in 'NOD32 Early v2 Beta' started by spm, Feb 12, 2003.

Thread Status:
Not open for further replies.
  1. spm

    OK, here's some bugs for v2, Beta-2:

    1. During installation (from scratch), I elected not to install NMS. NMS was still installed.

    2. Disabling NMS via Control Centre is still not persistent. Next time machine is rebooted, NMS is enabled.

    3. (Serious) NOD32 command-line scanner fails to detect eicar test virus when launched by my mail server. The server launches nod32.exe in a hidden window with the following command-line params:

    /all /clean /delete /log+ /quit+ <file>

    where <file> is the filename (which always has a .tmp extension). I have verified the file *does* contain the eicar test virus, and that nod32.exe is actually called. The on-demand scanner log shows that the scan has taken place, the correct command-line was executed, and that *no* infections were found.

    Beta-1 worked correctly, but Beta-2 definitely does not.

    FYI, if I run a manual scan on the .tmp file (by selecting NOD32 from the Explorer context menu), nod32 correctly detects the eicar virus.
     
  2. spm

    Further investigation on the missed eicar problem reveals that:

    The NOD32 v2 Beta-2 scanner simply fails to find infiltrations in *any* file with a .tmp extension! This is also the case when running the scanner via the Explorer context menu (I was mistaken in my first posting about this, where I claimed this did work). If I change the file extension to something else (say, .eml), the scanner finds the infiltrations.
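
An added example, not part of the thread and not NOD32's own code: a canary check for the mail-server integration described in the two posts above, run over several file extensions. It infers detection from the effect of the `/delete` switch rather than from exit codes, which the thread does not give; `nod32.exe` being on PATH, the function names and the extension list are assumptions.

```python
import os
import subprocess
import sys
import tempfile

# Standard EICAR test string, split so this file is not itself flagged.
EICAR = r"X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-" + r"ANTIVIRUS-TEST-FILE!$H+H*"

# Switches quoted in the first post.
SCAN_SWITCHES = ["/all", "/clean", "/delete", "/log+", "/quit+"]


def nod32_scan(path, exe="nod32.exe"):
    """Launch the scanner as the mail server does (exe on PATH is assumed)."""
    subprocess.run([exe, *SCAN_SWITCHES, path], check=False)


def canary_check(scan, extensions=(".tmp", ".eml", ".txt", ".com")):
    """Return the extensions whose canary file survived the scan intact.

    Detection is inferred from the effect of /delete, not from exit codes:
    a file that still exists and still holds the test string was missed.
    A scanner that cannot be launched counts as a miss (fail closed).
    """
    missed = []
    with tempfile.TemporaryDirectory() as workdir:
        for ext in extensions:
            path = os.path.join(workdir, "canary" + ext)
            with open(path, "w", newline="") as fh:
                fh.write(EICAR)
            try:
                scan(path)
            except OSError:
                missed.append(ext)
                continue
            if os.path.exists(path):
                with open(path, "rb") as fh:
                    if EICAR.encode("ascii") in fh.read():
                        missed.append(ext)
    return missed


if __name__ == "__main__":
    missed = canary_check(nod32_scan)
    for ext in missed:
        print(f"MISSED: test file with {ext} extension was not removed")
    sys.exit(1 if missed else 0)
```

If a resident scanner removes the canary before the command-line scan runs, the check passes without exercising `nod32.exe`, so read the result alongside the on-demand scanner log mentioned in the first post.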
     
  3. Phil

    Steve,

    Go to setup and either check the option to scan all files or add the ".tmp" extension to the types scanned and give it another go. It works as it should on my system. I think temp file extensions are excluded by default because they are not executable. Please try that and let us know your findings.

    Thanks,
    Phil
     
  4. spm

    Sorry, Phil, but I did forget to mention in my post that I had in fact tried that. By default, I opt to scan all files. I also tried scanning a list of extensions, with .TMP added, with the same result.

    OK, it's an unearthly hour of the night here, so I'll revisit this again after some shut-eye. I'll let you know if there's any change.
     
  5. Phil

    Please do because that *is* a little strange. I tried it every way I could think of and NOD still flagged it. I even emailed it to myself and I had to disable IMON to even get the email. :rolleyes:

    Next, I let IMON handle the mail and told IMON to delete the "infection" and this was at the bottom of the note:

    <quote>
    A T T A C H E D F I L E S I N L I N E D I S P L A Y

    Attached text follows, filename: att0.txt
    __________ NOD32 1.360 (20030212) Notification __________
    Warning, NOD32 Antivirus System has found the following infiltrations in the message:
    Eicar.tmp - Eicar test file - deleted
    http://www.nod32.com
    </quote>

    Notice I had changed the extension before sending the email. There is NO way you can miss the warning when it pops up. :D :D

    Phil
     
  6. Fedorov999

    Agree with (1) and (2) at top of thread, I don't want NMS installed or active but it still does it.

    Fedorov.
     
  7. spm

    OK, it seems to be working fine this morning (except that no alerts are generated when eicar is detected) - eicar is removed, and NOD's warning is added to the incoming message.

    I am still concerned somewhat, though, that NOD32 is somewhat flakey in this respect. In my tests last night - of which there were 19 in all, with a number of reboots - NOD32 consistently failed to detect eicar. I will keep a close eye on things, to see if the problem reappears.

    I would like to compare its behaviour with version 1.0, but unfortunately the /delete command-line switch in version 1.0 does not work at all.
     