Question about heuristics

Discussion in 'NOD32 version 2 Forum' started by StAnger, Sep 16, 2003.

Thread Status:
Not open for further replies.
  1. StAnger

    StAnger Registered Member

    Joined:
    Jun 8, 2003
    Posts:
    84
    Is there a difference in heuristics between mail being scanned and the rightclick-scan of a file?

    The reason I'm asking is that a mail got:
    Time   Module   Object   Name   Virus   Action   User   Info
    16-9-2003 19:42:13   IMON   email message   from: "sender" <sender@his.ISP> to: <me@my.provider> with subject mapisvc32 dated Mon, 15 Sep 2003 15:16:50 -0500    probably unknown NewHeur_PE virus      ComputerName

    A rightclick scan of the folder the file is in doesn't produce any results.
     
  2. Technodrome

    Technodrome Security Expert

    Joined:
    Feb 13, 2002
    Posts:
    2,140
    Location:
    New York
    Are you talking about Shell Power for NOD32 2.0 from Paolo Monti? If yes then check your "setup" parameters.


    tECHNODROME
     
  3. StAnger

    StAnger Registered Member

    Joined:
    Jun 8, 2003
    Posts:
    84
    I am not using that, Technodrome.
    This is what happened:
    IMON scans the mail and gives me a warning. I decided to collect the mail anyway. Saved the attachment in a special folder and scanned that with a rightclick-scan and nothing came up.

    The program in the attachment was a history cleaner if that is any help.

    I don't mind getting an unnecessary warning now and then. I'm just puzzled about the difference in heuristics between the two.

    Probably something in my settings, but I don't know where.
     
  4. sig

    sig Registered Member

    Joined:
    Feb 9, 2002
    Posts:
    716
    Check your settings in IMON setup. IMON utilizes Advanced Heuristics unlike AMON or NOD's on demand scanner which provides the default right click scan. So there can be a difference in heuristics between IMON and the other scanners if AH is enabled in IMON's set up (which I think it is by default). The on demand scanner can use AH but only if run from the command line with the proper "tag."

    In contrast, the shell extension Technodrome refers to is an add-on provided by Paolo Monti which provides a right click menu for scanning a file with AH. There's a sticky thread at the top of this forum which links to the download on his site (ESET Italy). Perhaps you already know that, but just thought I'd add that. ;)
     
  5. Technodrome

    Technodrome Security Expert

    Joined:
    Feb 13, 2002
    Posts:
    2,140
    Location:
    New York
    IMON uses powerful "advanced heuristics" but the right-click scan or On Demand don't (unless invoked from the command prompt with the –AH switch).
    Anyway, this could be some new unknown virus or Trojan detected by NOD32s "advanced heuristics".

    You should send this file to samples@nod32.com.


    tECHNODROME
     
  6. DiGi

    DiGi Registered Member

    Joined:
    Jul 24, 2003
    Posts:
    114
    Location:
    in the middle of nowhere
    "...but right scan or On Demand don’t (unless awake from command prompt with –AH switch)"

    This is not true - Nod has profiles - and one of them is "Profile for testing from Explorer's Context Menu"... Just start Nod from the context menu, change the profile (after the scan) and save the changes... (like: adv. heuristics enabled, scan all files incl. archives)... The next start will scan everything as you wish...
     
  7. Technodrome

    Technodrome Security Expert

    Joined:
    Feb 13, 2002
    Posts:
    2,140
    Location:
    New York
    Hmmm... Unless you install the shell add-on provided by Paolo Monti or run nod32.exe via the command prompt, I don't think you are able to do so.


    tECHNODROME
     
  8. DiGi

    DiGi Registered Member

    Joined:
    Jul 24, 2003
    Posts:
    114
    Location:
    in the middle of nowhere
    I have Nod32 Czech, default installation - NO add-ons... And I HAVE shell icons... "Scan with Nod"... After starting Nod from this menu it runs in the "Started from Explorer" profile. I can change it and save... And all works fine.

    Whether this is only in the Czech language version, I don't know...
     
  9. Technodrome

    Technodrome Security Expert

    Joined:
    Feb 13, 2002
    Posts:
    2,140
    Location:
    New York
    Well maybe the Czech version has adv. heuristics incorporated in the GUI? The English version doesn't... ;)

    Can you post a screen shot from it?


    tECHNODROME
     
  10. sig

    sig Registered Member

    Joined:
    Feb 9, 2002
    Posts:
    716
    Yes, scanning with NOD 32 from the Explorer context menu is available in the default install.

    But that's not the same as scanning from the Explorer menu with advanced heuristics. That's not a default feature. Paolo's download adds that option to the context menu. Or one could set it up to do so without Paolo's add-on, I suppose, if one knows how. But the native install scan from the context menu triggers NOD 32 in the regular scan mode, not in the advanced heuristics mode. Otherwise there would be no reason for Paolo to provide his shell extension.

    Copied from his post in his thread:

    "An excerpt from the documentation

    "The new NOD32 scanner which comes with NOD32 v. 2.0 offers a new, powerful heuristic option to identify unknown Win32 malware (this option is included in the new IMON – Internet MONitor also). This new feature is very powerful, but on account of its nature it will notably slow down the speed of the scanning process.
    For this reason this option cannot be enabled directly in the environment of the NOD32 scanner, but it can be used only if the scanner is explicitly launched with the /AH (Advanced Heuristic) option on the command line.

    The purpose of this shell extension is to supply a shortcut for users that want to run a scan with Advanced Heuristic enabled directly from the context menu of Explorer."
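As an added illustration of the IMON-versus-on-demand distinction that sig's post and the documentation excerpt describe (example code written for this page, not ESET's, Paolo Monti's or any forum member's): a small Python triage script that parses a NOD32 v2 log export, flags heuristic (NewHeur_) hits and notes when a plain right-click scan would not reproduce them because it lacks Advanced Heuristics. The tab-delimited layout, the "NOD32" module name for the on-demand scanner, and the sample rows are assumptions constructed here.

```python
from dataclasses import dataclass

# Constructed sample log, modelled on the IMON entry quoted in the thread.
# Assumption: the export is tab-separated with the header shown in the thread.
SAMPLE_LOG = "\n".join([
    "Time\tModule\tObject\tName\tVirus\tAction\tUser\tInfo",
    '16-9-2003 19:42:13\tIMON\temail message\tfrom: "sender" <sender@his.ISP> '
    "to: <me@my.provider> with subject mapisvc32\tprobably unknown NewHeur_PE virus"
    "\t\t\tComputerName",
    "16-9-2003 20:05:01\tAMON\tfile\tC:\\Saved\\cleaner.exe\t\t\t\tComputerName",
    "16-9-2003 20:07:44\tNOD32\tfile\tC:\\Saved\\other.exe\tWin32/TestSample.A"
    "\tcleaned\tadmin\tComputerName",  # constructed signature name
])

HEURISTIC_PREFIX = "NewHeur_"   # assumption: heuristic verdicts carry this prefix
AH_BY_DEFAULT = {"IMON"}        # per the thread: only IMON enables AH by default

@dataclass
class LogEntry:
    time: str
    module: str
    obj: str
    name: str
    virus: str
    action: str
    user: str
    info: str

def parse_log(text):
    """Parse a tab-separated export; rows with a wrong column count are skipped."""
    lines = [ln for ln in text.splitlines() if ln.strip()]
    width = len(lines[0].split("\t"))
    entries = []
    for line in lines[1:]:
        fields = line.split("\t")
        if len(fields) == width:       # never misalign columns on a malformed row
            entries.append(LogEntry(*fields))
    return entries

def triage(entry):
    """Explain why an on-demand re-scan may or may not confirm this entry."""
    if not entry.virus:
        return "clean"
    if HEURISTIC_PREFIX not in entry.virus:
        return "signature detection"
    if entry.module in AH_BY_DEFAULT:
        return "heuristic detection; on-demand re-scan needs /AH to reproduce"
    return "heuristic detection"

def triage_log(text):
    return [(e.module, e.obj, triage(e)) for e in parse_log(text)]
```

Running `triage_log(SAMPLE_LOG)` reports the IMON row as a heuristic hit that a default right-click scan will not reproduce, which is exactly the discrepancy the thread opener saw.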
     