4.0.437 WinXP/Win2K3 Crashing Over Network Access

Hi,

I updated to the latest version and it seems to now crash my WinXP machine when trying to access .exe files (or I suppose other executable programs) over lan on my Win2k3 Server.

The desktop just freezes as if it is trying look for the file on the network and eventually it give an error of some such "cannot find blah blah..". I CRTL+ALT+DEL to end task to force it stop sometimes.

It seems to be fine if I copy the file over to a local drive then run.

I unticked the option for scan on "file open" under realtime protection (Both WinXP and Win2k3) and that seemed to semi fixed it.

I've tried unintalling and reintalling with the same affect.

Opinions?

TIA
- Nick

 

maybe you have Network drive option selected in Realtime file protection (Advanced Setup)?

 

By default it is on, surely if it creates problems like this it shouldn't be?

Also the option was always there for previous v4's, so why would it be doing this now if I've only had problems as of late?

 

it might be on by default as in the majority of cases it does not cause problems. If there are issues then it can be turned off. I can see no reason to scan a network drive when that should be a job for an AV sitting on the server.

 

But what if your WinXP client also connects to network drives that are not protected with realtime AV protection? Turning off scanning of network drives is dangerous in that case.

E.g. you can have a network share on a Linux server with Samba, or on a server in the remote LAN that you connect via a VPN connection. IT professionals often connect to various heterogeneous networks and access the shared folders that are not under their control. Turning off scanning of network drives can be dangerous in such cases.

I also encounter annoying problems with accessing network drives in NOD32 AV 4.0. I'd say that it's a major issue. It shows that Eset has done a very poor testing of NOD32 AV 4.0.

-- rpr.

 

isn't the client running a current AV?

 

If you are connecting to a friendly network, then it should be protected - the local protection should prevent a malicious program from being installed on the local drive.

This is effectively what web surfing is - yet you don't attempt to scan the drive of the remote web server you are accessing.

Well I've had zero problems with 4.0 on our network and our our clients' networks. I understand that doesn't solve your problem, nor am I suggesting your problem doesn't exist, but I think the statement that Eset has done a poor job of testing is inaccurate - there is no way they can test every situation - have to contacted their support directly to see if they can help you find a solution?

T

 

NOD32 AV has the web access protection which scans data streams while a HTTP client (a web browser) access data over HTTP from a web server.

NOD32 AV also has the real-time file system protection which is activated on various file operations (see below). If you open the advanced setup tree in NOD32 AV you can see the following options for the real-time file system protection:

Media to scan:
- Local drives - Enables control of all local hard drives
- Removable media - Enables checking of removable media
- Network drives - Scans all mapped drives

Scan on:
- File open - Enables / disables scanning of opened files
- File creation - Enables / disables scanning of newly created or modified files
- File execution - Enables / disables scanning of executed files
- Diskette access - Enables / disables scanning triggered by accessing the floppy drive
- Computer shutdown - Enables / disables checking during the computer shutdown

(I have copied the explanations from the NOD32 AV 4.0.437 help.)

So, if the scanning of network drives is disabled, the files opened, created or EXECUTED from mapped network drives won't be scanned. I'd say that it is dangerous to disable that option if you are not sure that the file server has a good real-time AV file system protection.

On the other hand if scanning of network drives is enabled on a client and the file server also has real-time AV file system protection, then problems occur as explained in this and some other threads. You can also read about such problem I explained two months ago in a previous thread.

In my case even disabling the scanning of network drives on the client side hasn't solved the problem. To solve it I would need to disable the real-time file system protection in NOD32 AV v4 on the server, which is totally unacceptable.

-- rpr.

 

If you are not sure that some network drive might contain malware why would even want to execute .exe from it let alone connect to it?

If AV is on the server then there is no need, whatsoever, for client to scan it as well.

As for the other issue you mentioned did you try excluding VIM from scanning?

 

Cudni, what about corporate users that take their laptops home and connect to file shares in their home network? What if their home PCs have a weak or no AV protection? There are users that double-click a file carelessly if its name sounds interesting even though the file is on a shared folder. Have you ever seen an old trick where a virulent file is named like "very_funny.ppt.exe"? Do you know that the Windows Explorer doesn't show the file extension by default?

Regarding excluding VIM from scanning, I've excluded "C:\Program Files\Vim\vim72\gvim.exe" from scanning on the client side but it doesn't help.

(BTW, I think that excluding an executable file from scanning can be dangerous as you actually leave that exe unprotected from infection by a virus.)

-- rpr.

 

what if there is malware on the share that an AV does not detect. Scanning would not help. For the ones that AV knows about the moment it shows in memory or elsewhere on the comp it will be taken out no matter where it started from. Having an AV is just an aid in the fight against malware and by itself it does not stand a chance. Your machines will not be infected because you made an educated decision and excluded an .exe or because the network share is not scanned by several clients.