NOD32v4 Novice Questions

Discussion in 'ESET NOD32 Antivirus' started by rnfolsom, Nov 19, 2009.

Thread Status:
Not open for further replies.
  1. rnfolsom

    rnfolsom Registered Member

    Joined:
    Nov 9, 2005
    Posts:
    247
    Location:
    Monterey, California
    Although I have been using NOD32 since 2005 (initially with version 2.x), and version 4 (now 4.0.467) since July 2009 (I skipped version 3.x), I have some "beginning amateur novice" setup questions, which arose when I finally updated my wife's computer from version 2.7 to 4.0.467 earlier this week, and in the process reviewed my own computer's settings.

    All of these questions concern settings found in Setup > Enter Entire Advanced Setup Tree.

    1) The Advanced Setup tree window has a Default button in the lower right corner. If this button is selected, does this return ONLY the item selected in the tree (e.g. Email clients > Actions) to its default settings, or does it return EVERYTHING in the tree (from Antivirus and antispyware down to Miscellaneous > Email Client Integration) to its default settings?
    I think the answer should be "only the item selected," but I can't find that confirmed in the online Help (although it may be there somewhere).

    2) Email client protection > POP3,POP3S > Email Clients includes the following:
    Adobe Reader
    SpySweeper User Interface (SpySweeperUI.exe)
    Java's Javaw.exe
    Java's jusched.exe
    IEXPLORE.EXE
    SeaMonkey.exe
    Windows' msiexec.exe
    Windows' svchost.exe
    and even the installation file for the latest JavaRuntimeEnvironment v6u17 update (which I saved after using it).

    On my wife's and my computers, the POP3 email client is Mozilla SeaMonkey (roughly a combination of Firefox and Thunderbird, but unfortunately although NOD32 can integrate Thunderbird it can't, at least not yet, integrate SeaMonkey). In the list above, only SeaMonkey is checked.

    Each of the other items listed may have something to do with the internet, but our only actual email program is SeaMonkey. (Outlook Express is on my wife's and my Win2k Sp4 computers, but we've never used it.)
    Nevertheless, should any of these unchecked items be checked?
    If there is no need to check them, can any of them be deleted from the list? If so, how?

    3) In Web Access protection > HTTP,HTTPS > Web browsers, the list is the same as in question 2) above, except that everything is checked except for Java's three entries which are not checked.
    In Web Access protection > HTTP,HTTPS > Web browsers > Active mode, only SeaMonkey is checked. (We use MSIE only for Windows Updates.)
    Should any additional item in either of these locations be checked or "ticked" (to use Help's language), or Unticked, or marked with cross (X)?

    4) I think I recall seeing somewhere, in the Advanced Setup tree, some USB Drive Exclusion settings, but now I can't find them (my notes are incomplete). Does anyone know where they are?
    My wife and I do use USB-connected or Firewire-connected external disks, but they are connected and turned on only if we are making or restoring an image backup.

    5) On my wife's and my computers, On-Demand Computer Scans are set to use the In-depth profile, for which we have not modified the targets (which now include RAM, all folders and files on partitions C: and D:, and on my computer an additional modular bay disk M:; no external disks are currently connected). Am I correct in thinking that the In-depth profile's defaults will automatically scan not only everything now listed, but also all external disks that are connected via USB 2.0 or Firewire, if the external disk is turned on?

    6) Our On-Demand Scan In-Depth profiles are set to NOT enable Smart Optimization, because we do Demand scans at night when the computer isn't doing anything else, and our goal is maximum security with no regard to speed. So for Demand Scans we don't want to enable Smart Optimization's tradeoffs between security (aka efficiency) and speed. Is our understanding of Smart Optimization correct, and our decision not to enable it sensible?

    7) User Interface > Alerts and Notifications > Advanced setup, includes the following option:
    "On multi-user systems, display notifications on the screen of this user."

    7a) The default entry is Administrator. But if (in Win2k Sp4) the Administrator account has been renamed (for security reasons), should this default entry still read Administrator, or should it read the new name of the Administrator account?

    7b) What does "multi-user" mean? My wife's and my computers each are single user, meaning that only one physical human uses each computer. But of course on each computer there are the usual minimum of two accounts: Administrator, and Restricted (Limited) User, and most of our computing time is spent in the User account. So if NOD32 needs to notify us of some problem when we are in the User account, and the notification tries (and presumably fails) to display on the Administrator account which isn't in use, what happens?
    We would much appreciate a clarification of what this setting should be. Although our computers are linked by a workgroup (peer-to-peer) network (with only one "transfer stuff" folder shared on each computer), there's no domain network or server, and hence no domain administrator, anywhere in sight.

    8) After installing NOD32 v4.0.467 on my wife's computer, we downloaded the latest signatures, and did an On-Demand scan, which found in SeaMonkey email two separate Fake Alert trojans, each in a different "folder." [SeaMonkey email, like Thunderbird, uses the MBOX file system in which many messages located in the same email "folder" (e.g. the Inbox, or Junk mail) are actually in a single file.]
    NOD32 v4.0.467 not only cleaned each trojan out of its message but also deleted instead of quarantining the message. No harm done because the log showed that the message was worthless and not worth saving.

    However, this message deletion raised a question: Where are the setting(s) that determine what NOD32 does with an infected email message, and also an infected non-email file, after cleaning it?

    Tools > Quarantine gives no clues about how infected items get into quarantine. The Help says only that "The real-time protection module quarantines all newly created suspicious files by default, in order to avoid infection." Does that mean that Document, Email, Web Access and Demand-Scan protections --- which (in the Advanced Setup tree) are listed at the same level as Real Time File System Protection rather than under it --- always delete and never quarantine an infected email or file?

    I realize that this is a long list of detailed questions, and I will very much appreciate any answers, or comments or suggestions about where to find answers. (I've already looked through the User Manual, but it's likely I have missed at least some answers to these questions.)

    Thank you.

    Roger Folsom
     
  2. BFG

    BFG Registered Member

    Joined:
    Oct 27, 2004
    Posts:
    482
    Location:
    San Diego
    Hello rnfolsom,

    When you click "Default" you'll be prompted as to whether you want all settings to revert or only the section you were in at that time.


    No need to check them as they won't be generating traffic. They can't be deleted.


    The default settings throughout the program are the optimal settings. These parameters should only be changed to resolve performance or compatibility problems. Web browsers and email clients should never be excluded, however.


    "Real-time file system protection" > "Advanced Setup" > "Exceptions" button


    Yes


    The default settings throughout the program are the optimal settings.


    Administrator


    Specifies a user who will receive system and other notifications on systems allowing more users to connect at the same time. The default setting should be used by both of you. You'll receive only your own notifications.


    "Email client protection" > "Email clients" > "Actions"


    "Real-time file system protection" > "Setup" > "Cleaning". Where you place the slider determines the actions.


    No


    Please let me know if I've overlooked something.

    BFG
     
    Last edited: Nov 19, 2009
  3. rnfolsom

    rnfolsom Registered Member

    Joined:
    Nov 9, 2005
    Posts:
    247
    Location:
    Monterey, California
    BFG:

    First and foremost, thank you very much for your careful responses to my questions. But they have generated some requests for clarifications, and some additional questions.

    To facilitate responses, I have included my original post's issue numbers [e.g. 3)] and then numbered my new requests and questions with decimals [e.g. 3.1)].

    3) Re Web Access protection > HTTP,HTTPS > Web browsers, you wrote:
    RNF RESPONSE: When I wrote my post, I was looking simultaneously at both my wife's and my computer's NOD32 settings, and didn't then notice that IEXPLORE.EXE was listed (and checked) on her computer but not listed on mine.
    [The reason may be that for my Win2kSp4 computer I have adopted (and adapted) some Windows Secrets Newsletter security settings "Protect IE without [XP] SP2 — part two," Issue 42 — 2004.11.18 (18 November 2004), http://windowssecrets.com/comp/041118/
    that I never had the courage to put on her computer.]

    3.1) In any case, I gather from your final sentence that I ought to add IExplore.exe to my list of browsers (and check it), even though I use it only for Windows updates. Correct?

    4) Re Real-time file system protection > Advanced Setup > Exceptions button
    RNF RESPONSE: This location reads "USB drive exclusions. This option allows you to exclude objects from being scanned by advanced heuristics on file execution. Advanced heuristics settings for hard drives will be applied to selected devices."

    4.1) Does checking something in this location EXclude it, or INclude it? The first sentence could be interpreted either way. Given the second sentence, I think (but am not sure) that the answer is that checking a device's port WILL cause it to be scanned using advanced heuristics on file execution, but I fear that I may have that backwards.

    6) Re On-Demand Scan In-Depth Profile Smart Optimization NOT enabled
    RNF RESPONSE: I know that's a standard statement, but I found several places (which unfortunately I did not log) where security was weaker than I wanted, so I strengthened it, even though doing so may have slowed On-Demand scans down.
    But regardless whether those tightened settings are or are not appropriate for my situation, I still want to know whether my brief description of Smart Optimization --- that it involves tradeoffs between security (aka efficiency) and speed --- is anywhere near correct. It's an attempted summary of Help's first sentence. Help says
    "With Smart Optimization enabled the most optimal settings are used to ensure the most efficient scanning level, while simultaneously maintaining the highest scanning speeds.
    "The various protection modules scan intelligently, making use of different scanning methods each, applying them to specific file types.
    "The Smart Optimization is not rigidly defined within the product.
    "Quite on the contrary, the ESET Development Team keeps it flexible implementing new changes continuously which get then integrated into the ESET security solution via the regular updates.
    "If the Smart Optimization [is] disabled, only the user-defined settings in the ThreatSense core of the particular modules are applied when performing a scan."

    So I now have two questions here, about Help's First and Last sentences.
    (To me, the first sentence is implausible if it isn't about tradeoffs but I'm open to another interpretation; sentence two ought to apply to all of NOD32 rather than only to Smart Optimization; sentences three and four remind me of incomprehensibly vague technology advertising claims to which I don't think I could ever attach any meaning; and I'm hoping that with your assistance the last sentence may be understandable.)

    6.1) First, does Smart Optimization involve any tradeoffs between security (aka efficiency) and speed, or any tradeoffs between anything and security (aka efficiency)?

    6.2) Second, if Smart Optimization is enabled, are the "user-defined settings in the ThreatSense core of the particular modules" [whatever that means; I've yet to find a clear definition of 'module'] still applied? In other words, do I lose anything if On-Demand scan is enabled?

    6.3) Finally, if the user doesn't lose anything by enabling Smart Optimization, why is the option even there? (Other than that for some mysteriously unknown and therefore not fixable reasons, some users' On-Demand scans don't work if Smart Optimization is enabled.)

    7b) Re User Interface > Alerts and Notifications > Advanced setup, which includes the following option: "On multi-user systems, display notifications on the screen of this user," where the default user is the Administrator
    RNF RESPONSE: I'm still not clear about what "multi-user" means, although I now think that it means two or more people using the computer simultaneously, rather than two or more accounts.

    7b.1) Does "multi-user" include a workgroup (peer-to-peer) network, in which (for example) my wife accesses a shared folder on my computer, while I am also using my computer (and may or may not be viewing the same shared folder)?

    7b.2) If so, then assuming each of us is in our User (non-Administrator) account, does that mean that the notification dies? Or is the notification saved, and seen the next time I or my wife (depending on which computer the shared folder is located) log on as Administrator (which could be several days later)?

    8a) Re Where are the setting(s) that determine what NOD32 does with an infected email message after cleaning it?
    RNF RESPONSE: My understanding (which may be wrong) is that that location applies only to email clients that have been "integrated" into NOD32 (or else it's NOD32 that has been "integrated" into the email client), including Thunderbird but not SeaMonkey email which is what my wife and I use.
    Help says that "The Email protection module supports the following email clients: Microsoft Outlook, Outlook Express, Windows Mail, Windows Live Mail and Mozilla Thunderbird. Email protection works as a plug-in for these programs."

    8a.1) If my understanding of that statement is correct, then for an email client (such as SeaMonkey email) listed only in
    "Email client protection > POP3,POP3S > Email Clients," I don't see any way to specify what happens to an infected email. Correct?

    8a.2) If so, under POP3,POP3S, what is supposed to happen to an infected email after it is cleaned?

    8a.3) If I'm wrong and "Email client protection > Email clients > Actions" DOES apply to SeaMonkey mail, a question remains:
    That location doesn't include Quarantine as an option, although there is a "Move email to folder" field which currently says "Infected Items," although I can't find that folder anywhere.
    Would it be appropriate (if this location does apply to SeaMonkey, or if we were using Thunderbird) to delete "Infected Items" and type "Quarantine" in that field?

    8b) Re Where are the setting(s) that determine what NOD32 does with an infected non-email file after cleaning it?
    RNF RESPONSE: The help for Cleaning (Slider left for Do Not Clean, Slider middle for Default level, Slider right for Strict cleaning) includes the following warning:
    "If an archive contains a file or files which are infected, there are two options for dealing with the archive. In standard mode, the whole archive would be deleted where all the files it contains are infected files. In strict cleaning mode, the archive would be deleted if it contains at least one infected file, regardless of the status of the other files in the archive."

    8b.1) Does "standard mode" mean Do Not Clean, Default Level, or both?

    8b.2) Second question: My understanding is that NOD32 does not consider a Thunderbird or SeaMonkey MBox file of multiple emails to be an archive. Correct?


    Thank you again for all of your very useful help. I'm hoping it will be useful also to others.

    R.N. (Roger) Folsom
     
    Last edited: Nov 24, 2009