IMON disabled with X-Cleaner

Hi guys,
I faced to a little problem and I think this is the best place to get an explanation. When I go to online scan of X-cleaner at http://www.spywareinfoforum.com/xscan.php the applet shows this message :

Errors were detected during verification of your ''Layered service provider'' setting ! You might experience trouble using Internet Application because of this. Attempt repair now ?? If I choose Yes, IMON gets disabled at the next PC reboot. If I choose NO, nothing seems to happen. It gets disabled even if I protect NOD32 configuration with a password.

I know I should choose NO everytime but I thought ESET guys might have a clue on that one because I don't know why I get this message. I've never get it before installing NOD32. Is it something with my configuration ?? Is it a NOD32 bug ?? Please help me.

Regards
Ben

 

The "Layered Service Provider", or "LSP", is something in Windows TCP/IP networking that programs can latch into, allowing them to process TCP/IP data. Think of it as a way for programs to "filter" data. Many antivirus programs and antispyware programs use this. Unfortunately, so do other programs, like some adware/spyware, hijackers, etc.

What is happening is that X-cleaner is finding IMON inserted into LSP chain, but does not know what to make of it. Thinking it may be an "undesirable", it asks you if you want to "repair" it. In the process, it ends up breaking IMON.

 

Can NOD be excluded from an X-Cleaner scan?

 

X-Cleaner (if it's the one I'm thinking about) is a fully automated quick-scan app with no options.

 

And what exactly would keep malware from doing the same thing that x-cleaner has done?

 

Hmm.. I was thinking the same thing. If something can disable IMON it can also disable AMON I think. I know you can't disable NOD32kui/krn (unless the driver is disabled?) but the on-demand scanner can. Hmmm indeed..

 

I would sure like to know about this as well.

 

Maybe Marcos can comment?

 

Still waiting on an answer from someone at ESET

 

You can protect the registry keys that control the LSP stack using RegDefend, and the polling registry/spyware monitors can tell you when things are changing (or have recently changed). Both RegDefend and RegRun watch the key in their default configuration, MJ Registry Watcher does as well and I think that Microsoft AntiSpyware does (see here, the LSP stack is stored under the key HKLM\System\CurrentControlSet\Services\WinSock2)

For NOD to partially protect itself it would need to poll the LSP registry entries periodically to ensure that its LSP modules are still installed and show a warning if they were gone. There are practical limits to what NOD can do to protect itself without implementing enough functionality to become a full blown security suite.

It probably would make sense to at least have a simple startup and periodic check because that would consume relatively few resources and at least warn if the module has fallen out of the stack while the configuration thinks it should be there

 

i would just like to point out that Trend Micro's Anti-spyware also has a similar function which scans the LSP chain, however unlike x-cleaner, u can disable the check.

 

Well this is most typical of things here.......in most threads here the ESET folks will reply to mundane things, make comments, etc., however, when specifically asked about something, will not give an answer. Either that or lock it prematurely.

 

Thank's gottadoit and WSFuser for pinch hitting and answering our questions.

 

Well, either that, or they are off somewhere enjoying the weekend.

 

There are not many threads locked at all in the Nod32 forum.

Cheers

 

Thank's for posing the question. It was a good one.

 

with that question in mind, i have a few more:

which software should protect the lsp chain? nod32, or a third-party tool maybe?
and should all security software have some sort of self-protection (like norton does)?

 

ESET? Me thinks this thread is going to be ignored!

 

Perhaps version3 will incorporate this?

 

Why has this thread been ignored after repeatedly asking for an answer from an ESET representative on this "official" ESET support forum?

 

bump...

 

GuruGuy, enough with the bumping.

I have asked for someone at Eset to reply to this thread.

Blackspear.

 

Blackspear, thank you very much. The purpose of my thread was not to try to catch ESET but just to make sure my configuration was good. So far NOD32 is an excellent product, far superior to any av I have used before. This forum is great but next time I will go directly to ESET customer support to avoid public flaming, my mistake this time.

Again thank you.
Regards
Ben

 

The purpose of your original post is well known to all and you are not responsible for any other poster. We as individuals are solely responsible for our own posts. GuruGuy is bothered by the fact that he has not had a response from Eset yet regarding a question he posed sometime earlier in your thread that was indirectly related. Any upset has nothing whatsoever to do with you.

 

No problem at all.

This is the official Nod32 support forum, and the question you asked is good, and answers ought to be given. Also this way we have a knowledgebase that can be delved into by others with the same questions.

Don’t worry about those trying to aggravate a thread, that is what Moderators are for.

My pleasure.

Cheers