A question regarding NOD32

Discussion in 'NOD32 version 2 Forum' started by owziee, Mar 23, 2004.

Thread Status:
Not open for further replies.
  1. owziee

    owziee Registered Member

    Joined:
    Oct 3, 2003
    Posts:
    74
    Sometimes NOD32 catches viruses before they're added to the signatures. I know it's thanks to the heuristics engine. BUT... does that mean all nod32 users are protected or only those that knows how to scan with AH using the command line?

    If the latter is correct I think nod32 developers should inform their customers that those worms or whatever it is are detected only by using the command line / shell extension & not by default.

    I hope anybody can answer this question. Here's an example http://www.nod32.com/msgs/baglea.htm

    "Win32/Bagle.A is one of a long series of worms that NOD32 detects using a unique “Advanced Heuristics”, which means that all NOD32 users are protected against this worm from the time it was released in the wild. The detection of Win32/Bagle.A using sample is added since version 1.601."
     
  2. Paul Wilders

    Paul Wilders Administrator

    Joined:
    Jul 1, 2001
    Posts:
    12,472
    Location:
    The Netherlands
    owziee,

    You are referring to email-born viruses/worms. This are captured by the IMON. The IMON uses Advanced Heuristics as a standard; no need for command lines in this context.

    regards.

    paul
     
  3. owziee

    owziee Registered Member

    Joined:
    Oct 3, 2003
    Posts:
    74
    Thanks for the quick reply.

    Well I guess I should enable IMON then? I disabled it a while ago after I read somewhere in this forum that AMON was enough. Well maybe it is but since AMON doesn't use AH for several reasons (performance I'd guess) IMON should give better protection against unknown viruses.
     
  4. Paul Wilders

    Paul Wilders Administrator

    Joined:
    Jul 1, 2001
    Posts:
    12,472
    Location:
    The Netherlands
    I would for sure - email for certain still is the main form of infection.

    A matter of choice really. the IMON is part of NOD32 for good reasons.

    regards.

    paul

     
  5. Mele20

    Mele20 Former Poster

    Joined:
    Apr 29, 2002
    Posts:
    2,495
    Location:
    Hilo, Hawaii
    I don't use IMON and I simply use command line adv. heuristics to scan any attachments in email after saving the attachment to disk. This is practicing safe hex. It's easier, of course, to let IMON do the scanning with adv. heuristics, because that is automatic. I have an ISP which scans all incoming mail using Symantec corporate. So, the only mail I need worry about would be internal mail from other Hawaii Road Runner users which is not scanned as it doesn't go through the main gateways. My other email address is from broadbandreports and they use Kaspersky to scan all mail. So, if you have other protection such as I do and you are willing to do command line scanning on any attachment that comes through intact just in case it does contain a nasty that was not caught earlier then you don't need IMON for email attachments. Otherwise, though you probably should use IMON.

    I understood Anders to say yesterday, I believe, that IMON now does more than scan email so there may be other reasons now to use IMON which were not present earlier. He said he recommends that most everyone should turn on IMON and, if so desired, disable the email scanning but use the other parts of IMON. This comment has put me in a sort of quandary as I have found IMON to cause too many problems to want to use it. I need more detailed information about exactly what IMON would be protecting me against, aside from email viruses, before I will consider enabling it. I need to understand better also why IMON is being given responsibilities that appear to be ones that should be given to the resident scanner. I believe one should only need the resident scanner. If Eset is moving away from that concept, then as I have said before, I will be looking at other AV's and evaluating them when my license comes due....but that is some time away so a lot can happen between now and then to influence my decision.


    edited once to correct spelling errors (preview button posts instead of previews)
    edited a second time because it was Anders not Marcos I meant to refer to.
     
  6. anders

    anders Eset Staff Account

    Joined:
    Oct 25, 2002
    Posts:
    410
    Sorry for causing worries. :)

    An advanced user that practices safe hex might manage without resident protection whatsoever, but it's definately not recommended.

    Everything should of course be detected by the resident protection, and IMON is just a layer of extra protection. For now, more things are detected by IMON due to the advanced heuristics, but hopefully that will be an option in AMON in the future. Safe hexing includes scanning with /ah.

    At the moment, IMON filters POP3, and detects some packet exploits used by worms. If your system is up-to-date, and you don't want to scan incoming email, then you don't "need" IMON for now. For "normal" users, I suggest they get as safe as they can be, and hence they should also use IMON. There has been some problems with IMON before, most of which should be solved by now.

    There are at least a few more features planned for IMON, but, none of them are critical for a true safe hex user, but still recommended for everyone else.

    Best regards,
    Anders
     
  7. Mele20

    Mele20 Former Poster

    Joined:
    Apr 29, 2002
    Posts:
    2,495
    Location:
    Hilo, Hawaii
    >Everything should of course be detected by the resident protection, and IMON is just a layer of extra protection. For now, more things are detected by IMON due to the advanced heuristics, but hopefully that will be an option in AMON in the future. Safe hexing includes scanning with /ah.

    Of course. AMON should have the greatest power (or at least equal to that of IMON). Things have been skewed currently because, as you say, of advanced heuristics in IMON. And yes, I use Paolo's adv. heuristics command line scanning of email attachments downloaded to disk, etc. and the on demand scanner can also use /ah.

    Ahh....that will make me happy if we get this option for advanced heuristics in AMON. I do think though that it should be an option as I would not want it on my old W98SE box as that would be hard on that slow cpu. My new XP box is very powerful and I'm toying with the idea of Kaspersky possibly (in the future) for this box unless Eset gives us this option.

    Of course my box is scrupulously up to date! :) Safe hex is like safe sex...no exceptions...ever. I know that IMON is "state of the art" but that is precisely what bothers me ....problems at the Winsock level can be really nasty. I've read here references to a problem with Hyperthreading CPU's and I assume that would include me as I have the Intel 875P chipset. I gather Eset has a fix now, but I would prefer to simply avoid this potential problem by not using IMON.

    Seems to me that if I "needed" anything presently, it might be a trojan scanner to protect against anything injected directly into memory. But the likelihood of my running across something like this on the internet is rather slim as I spend most of my time at a handful of sites and avoid risky sites. I also seldom use Internet Explorer, rather Firefox is my main browser (but it has terrible problems here) and I also use Mozilla a great deal.
     
  8. ronjor

    ronjor Global Moderator

    Joined:
    Jul 21, 2003
    Posts:
    57,751
    Location:
    Texas
    I have Imon disabled on my up to date XP box. It still takes forever to shut down. And sometimes on boot up, my video card gets lost with Imon running.
    I also use Firefox and Calypso for email. Calypso is a very good mail program to use as it can be configured for great security.
    All issues with Imon have not been fixed for all machines.
    I'm hanging in there though! :)
     
Thread Status:
Not open for further replies.