AMON in Action!

Im trying to play around AMON's ability to follow human instructions (using the given setup and action). This is not because I dont like it. The truth is Im looking forward to using it in my old win98 PC. Only NOD32 is capable of running unto my P150 machine. Very old huh!

Anyway, AMON is

CASE 1

1. setup to scan all file that is "opened, executed, created and renamed". Upon infiltration, the Action is "Phohibit access & show alert window with action options" and "Move newly created files to Quarantine".



next..

 

2. Now, I have a packed file infected with a trojan/virus. Please take a look.



next...

 

3. Extracted this file using Total Commander's utility. AMON moves into action, detecting it. Ta da!



next...

 

The file was quarantined. No further actions taken, but to close the warning window. What happened next?

 

Lo! The file is still there, UNTOUCHED.

Many times have I repeated this move but still has the same result. You can try it by yourself.

MY CONCLUSION

Isn't it AMON in CASE 1 giving us false sense of security by telling us that it quarantined the file (take note that the file is hidden in it's natural occurence)? Could this happen to any other form of infection? maybe YES!

 

Interesting.
Never payed attention to that.

Can you mail me your file so i can test it on my computer?

 

And has the NEWLY created file been moved into quarentine?

As the zip file you have used to test has NOT been newly created then obviously it will still be there.....

Try going through Blackspears settings and then test it.

 

Did you really have AMON enabled the whole time? And you haven't unchecked options in the AMON setup?

I couldn't reproduce this on my PC, and I even tried using Total Commander (just like in your example) to unpack the trojan. The file is detected by AMON (as in your example) and it says it's been quarantined (as in your example), except here it really has been. Only the archive (.zip) is left in the folder, the infected file (.exe) that I tried unpacking from the archive is gone.

The weird thing I noticed when unpacking with Total Commander, the AMON warning window showed this (under "Comment"):

"Event occurred on a new file created by the application: C:\Program Files\Totalcmd\TOTALCMD.EXE. The file was moved to quarantine. You may close this window."

That is different to what it says in your screenshot?

I am guessing something has happened to your AMON setup?

 

Was the file added to the Quarantine? In other words, could it be that the file was copied to quarantine instead of being "moved"?

Are you able to access the folder.htt file? In other words, can you manipulate the file at all (copy, move, open with Notepad, delete)? In other words, is NOD32 prohibiting access to it?

I am not sure why the big NOD32 warning did not give you any choices. Maybe the file was still under control of Total Commander, so this prevented NOD32 from being able to clean/rename/delete the file?

 

That's because he has AMON set to move newly created files to quarantine automatically, in such case there's no need for having any of the buttons available.

In such case, AMON would most likely report an error.

 

NOD32 should be able to control every move/action of a certain program. So most likely that's not the case.

I think NOD32 has difficulty in controlling hidden file (as in "folder.htt"). I have tested this same procedure using "infected EXE" file and AMON got it right.

 

will send you the file ASAP...

 

There was an addition (folder.htt) to my Quarantined files. But still the unpacked file does exist.

Ofcourse NO. But if you don't know that the file still existed, it could create havoc. Assuming a similar situation with a much destructive intention, that will likely be a ...

 

Yes sir!

 

With the new Beta came out, let's see if this issue is resolved... Goodluck v2.7!

 

Oh oh! AMON (v2.7) also failed to move the file "folder.htt" to quarantine. The same issue in its latest beta.

Any words from the ESET team! Would really like to hear from you guys...

To Blackspear:

I suggest you make some adjustments to your setting. Better not checked the "move newly created file to quarantine" in Action setting for the time being. Cause this will only give us users false security. It is better to manually take actions than relying on the setting itself.

 

Winzip against Total Commander Packer...

Hi! In my previous thread Amon in Action, I have a question regarding AMON's failure to quarantine the infected file completely when Total Commander Un/packer is used to extract files. No answer is given yet to this moment.

Regarding this issue, I have found out that when Winzip is used to extract the files (infected file in it, "folder.htt"), AMON encounters no problem at all. My question is this: "Who is in fault here, Total Commander or AMON?"

 

Re: Winzip against Total Commander Packer...

About your previous post , I want to tell you that I have Windows/Total Commander installed on most of my computers . After your first posted , I tested it both with Eicar test file and a trojan hacktool . Both were zipped . I unzipped them with Total Commander and AMON immediately jumped up . After that files were gone (moved to quarantine) . I did this on two computers and I encouraged no issues like the one you report .

When you now tested with WinZip , it seems NOD32 is working so it must be TC issue

 

Re: Winzip against Total Commander Packer...

Hi there! If you are following the issue correctly, you will notice that Im refering to an infected file that is "hidden". In this way, AMON cannot completely quarantine it when extracted using Total Commander unpacker. This is not an issue to Winzip itself. So maybe the way Total Commander handles it is entirely different than Winzip.

But again, AMON should be able to capture it correctly.

 

Re: Winzip against Total Commander Packer...

Just wait . I am jumping to the other computer which have TC . I will test again with Eicar and the hack tool . Will first disable AMON , then I will hide the file(s) , will ZIP them with TC and will extract them . They will be hidden upon extraction . Will report , I promise , just wait some minutes

 

Re: Winzip against Total Commander Packer...

Yes, AMON will be able to handle it properly. But try extracting an infected "folder.htt", and you will know the issue. "Folder.htt" naturally is a hidden file.

 

Re: Winzip against Total Commander Packer...

Well , I did it , it worked with no problem no matter files were hidden .

I don't have anything with name folder.htt . I will have to rename the eicar file with that name . OK , will do it (but I doubt it will be different ) . Anyway , will try it

 

I was able to replicate this behaviour with eicar.com simply by setting its read-only attribute to true before placing it in a zip archive.

While using both winrar and XP's built in unzip AMON failed to delete the file created. Instead of moving eicar.com to quarantine AMON simply made a copy in quarantine, leaving eicar.com where it had been extracted.

Without the read-only attribute AMON moves eicar.com the quarantine when it is extracted.

 

Not good!