advanced heuristics and AMON

Discussion in 'NOD32 version 2 Forum' started by rug, May 16, 2004.

Thread Status:
Not open for further replies.
  1. rug

    rug Guest

    Hello,
    The way I understand it, AMON does not offer ah. May I ask why that is? Is there any plan to add it?
    Also, how much slower is AH compared to the regular heuristic method?

    Thanks in advance
     
  2. rug

    rug Guest

    does no one know the answer to this?
     
  3. Storm

    Storm Registered Member

    Joined:
    Nov 8, 2003
    Posts:
    46
    Hi rug!

    If I understood correctly, activating AH in AMON is possible but might impact performance, especially on older machines

    Greets
    Storm
     
  4. Sandish

    Sandish Registered Member

    Joined:
    Apr 29, 2004
    Posts:
    51
    I'm not sure, but there is a registry key called adv_heur_enable (HKEY_LOCAL_MACHINE\SOFTWARE\Eset\Nod\CurrentVersion\Modules\AMON\Settings\Config000\Scanner)

    If you set it to 1 it could do the trick - I didn't test it and have no idea if it works. Please keep in mind that working on the registry can end in a damaged system, so do it at your own risk and be very careful!!
     
  5. sir_carew

    sir_carew Registered Member

    Joined:
    Sep 2, 2003
    Posts:
    884
    Location:
    Santiago, Chile
    I tried this here, and it doesn't work.
    ESET is soon to release a new version in which IMON will scan HTTP using its advantages: compressed files, AH, packed files, etc. Thus, if you try to download an infected file detected by AH, IMON will detect it even if the file is in a .rar or .zip package, compressed with UPX... Moreover, it doesn't have an impact on your system.
     
  6. embower

    embower Registered Member

    Joined:
    Dec 19, 2003
    Posts:
    46
    That is great news! :eek:
     
  7. Mele20

    Mele20 Former Poster

    Joined:
    Apr 29, 2002
    Posts:
    2,495
    Location:
    Hilo, Hawaii
    Are you sure about this? That means AMON is being done away with...correct? There will be no need for AMON if IMON is now to take over the duties of AMON. Or are you saying AMON will continue to detect via signature and "regular" heuristics while IMON will detect via "advanced heuristics"? I already am able to do that with command line scanning via adv. heuristics. So, what is so great about this new IMON?
     
  8. rug

    rug Guest

    I think he means that now IMON will automatically do the adv h. scanning on all downloaded files.
    I still see no evidence that AMON will get AH which makes me wonder why that is? What is a good reason to keep your resident monitor from having capabilities that are available in your scanning engine?

    BTW, thanks to all for the answers you have given so far.
     
  9. sir_carew

    sir_carew Registered Member

    Joined:
    Sep 2, 2003
    Posts:
    884
    Location:
    Santiago, Chile
    I'm saying that IMON will scan the HTTP protocol, so downloaded files will be scanned, and because IMON uses AH and other things, downloaded files will be scanned directly by IMON if you're using the HTTP protocol.

     
  10. Mele20

    Mele20 Former Poster

    Joined:
    Apr 29, 2002
    Posts:
    2,495
    Location:
    Hilo, Hawaii
    So you are saying that if I download an application via HTTP that IMON will scan it automatically as it is being downloaded and stop it if it contains a virus? But if I download via FTP then AMON is in charge?

    Or is it that IMON will now scan every single fetch of a web page? Then what does AMON do?

    As you can see, I'm confused about this. :doubt:

    This doesn't make any sense to me. :) Why would I want IMON to do what AMON should be doing? I don't use IMON presently and it doesn't sound like I will want to start using it. It still sounds like you are saying that there will be no need anymore for AMON for the most part. Plus, how is IMON going to scan every single file with no slow down at all? How can IMON do this but if these powers were given to AMON supposedly that would cripple our computer's speed and thus adv. heuristics are being withheld from AMON?
     
  11. sir_carew

    sir_carew Registered Member

    Joined:
    Sep 2, 2003
    Posts:
    884
    Location:
    Santiago, Chile
    Hello Mele20,
    No problem, I'll try to explain it better.

    Well, IMON is the internet protection component of NOD. Currently IMON only scans the POP3 protocol, so if you receive a new worm compressed in a zip, with UPX, and only AH detects it, IMON will stop it, because IMON scans every file that is transmitted by the POP3 protocol, using its advantages like AH, compressed files, packed files, etc. But ESET is making a new version that will support HTTP too; in other words, IMON will scan any files that you try to get using the HTTP protocol, and because IMON has some advantages like AH, all files downloaded via HTTP will be scanned using AH.
    ESET will add other protocols like FTP and IMAP in the future, but it's close to releasing a version that supports HTTP. If you want, you can use the HTTP scan and not the POP3 scan (e-mail).
    Hope you understand.


     
  12. Mele20

    Mele20 Former Poster

    Joined:
    Apr 29, 2002
    Posts:
    2,495
    Location:
    Hilo, Hawaii
    But why are these powers being given to IMON rather than AMON? I still don't understand. AMON should be using adv. heuristics not IMON which should be just for email scanning. I suppose I will just have to see what it is like when it comes out...this is the beta we are talking about right?

    If FTP, etc. will be added in the future then this sounds to me like an abandonment of AMON. Or will AMON scan based on signature and IMON based on adv. heuristics? If this is the case that is stupid. Why not just give AMON the proper powers? Why all the futzing around with IMON? Just give AMON adv. heuristics powers and be done with it!

    If I understand this correctly, I'm going to be very unhappy. Let's hope I am just still confused. :)
     
  13. sir_carew

    sir_carew Registered Member

    Joined:
    Sep 2, 2003
    Posts:
    884
    Location:
    Santiago, Chile
    I don't know what plans ESET has for AMON.
    IMON is the protection for the Internet and not only mail; mail is a part of the Internet, not the whole. IMON uses signatures, heuristics and AH.
    AMON uses signatures and heuristics.

    AMON doesn't need AH, because AMON protects the files that are executed. Most trojans and worms come from the Internet and AH is designed to detect those, so if IMON scans all the "doors" where the trojans/worms come in (for example: HTTP, FTP, IMAP...), there's no need to have AH in AMON. If a new worm detected by AH tries to enter your computer via HTTP, or a backdoor via FTP, then IMON will detect it. If IMON covers all the doors that the Internet has, it will be enough, at least for me. AMON's role is to detect viruses on CDs and diskettes that you may have, and the main propagation method is the Internet and not media, so if IMON covers all of the Internet, infection is reduced by more than 80%. If you know that your friend has downloaded a program via P2P, copied it to a CD, and then delivered it to you, you can do a full scan using AH.
     
  14. Mele20

    Mele20 Former Poster

    Joined:
    Apr 29, 2002
    Posts:
    2,495
    Location:
    Hilo, Hawaii
    If this is true, then I will be getting any other more NORMAL av! I don't want IMON. I don't use IMON. I want my resident scanner to protect me.
     
    Last edited by a moderator: May 19, 2004
  15. embower

    embower Registered Member

    Joined:
    Dec 19, 2003
    Posts:
    46
    I agree with your viewpoint very much :rolleyes:

    Mail is a part of the Internet, not the whole. IMON as it is now is very incomplete; only mail can be scanned. But that shouldn't be its original meaning.

    AMON is chiefly used to protect the files that are executed, and the other virus spread paths outside of the Internet ;)
     
  16. rug

    rug Guest

    Mele20:
    I think you are confused because all AV have separate components though you may not see them. For example, Norton has a component to scan email that is separate from the rest. Since it is constantly running, it is by definition "resident". Adv Heuristics are currently unsupported by the on access file scanner (for some reason that I have yet to find). Yet IMON does. As a result, what sir_carew is saying, is that if IMON is used to scan incoming files from HTTP (such as webmail like hotmail etc...) you get the added protection of adv heuristics even though AMON does not support it.

    My question has always been why doesn't AMON support AH? I have yet to think of a good reason for this! It's like ESET is discriminating against poor AMON by not including AH in only this one component!
     
  17. Mele20

    Mele20 Former Poster

    Joined:
    Apr 29, 2002
    Posts:
    2,495
    Location:
    Hilo, Hawaii
    I don't think I am confused, but I'm not positive. :) sir_carew's last explanation was very good and clear.

    As for the example you gave of NAV's email scanner running all the time and therefore being resident, I came here from NAV and I did NOT use NAV's email scanner so it wasn't running resident for me! I have not used any email scanner on a regular basis since my first AV which was McAfee 4.2 5 years ago. I did use NOD32's email scanner with version one in the beginning and had a lot of problems and stopped using it. During the beta, I used IMON but then I had NOD32 beta delete the entire sent items folder (because it was unable to tell the difference between a file and folder) which had about 5,000 messages in it. After that awful experience where I lost all that email that I was saving, I have not touched IMON.

    It appears that Eset's intention is to strip AMON of any value and to give all to IMON. That's fine. Eset can do as it pleases but it probably won't have me for customer much longer. If Eset is not going to give AH power to AMON then I don't think I want NOD32.

    Why would I want IMON to protect FTP or HTTP? I don't understand. AMON already protects those, it just doesn't do it as well as it could because it has been intentionally crippled by not giving it AH powers. I have to use Paolo's shell extension in order to give proper power to AMON. I don't see why this is necessary. AMON should be given proper powers. I don't want anything standing "guard" over so called gateways. I want AMON to have proper power. It appears to me that Eset is developing NOD32 exclusively for the lazy and those who can't be bothered to practice safe computing. That is fine, but then this is probably not the AV for me.
     
  18. rug

    rug Guest

    I don't think there is any evidence that AMON is being intentionally crippled. I am not certain why AH is not in AMON but I have seen several comments by ESET people that there is a reason for this. What I mean by IMON being resident is that residency is what we label antiviral components that stay in the background. You may choose to run any of the components you wish.

    I don't think there is anything that points to ESET's intentions (in terms of stripping AMON of its value). I am not educated enough to know what if any viruses can be intercepted better while they are being transferred through IMON as opposed to when accessed (by AMON).

    Also, as far as I know, the shell extensions you mention have nothing to do with AMON, they deal with the on-demand scanner.

    One thing that I think would make IMON necessary (which I am waiting for) is scanning of IMAP folders. Since the files may not reside on your own computer, AMON will not be able to help. In other words, as far as I know, AMON's and IMON's functionality are both needed.

    Finally, I would also love AH in AMON.
     
  19. mrtwolman

    mrtwolman Eset Staff Account

    Joined:
    Dec 5, 2002
    Posts:
    613
    You have no clue :D AMON is a resident guard dedicated to intercepting viruses on your local system. You can freely have "AH power" in your AMON but you will have to pay a price for this.
    The price you will have to pay: system resources and speed. AMON does not need AH at all. Just try to scan your system with NOD32 with and without AH and you will see the price.
    All of today's threats are email or internet borne. Therefore IMON has AH. Having AH in AMON would be overkill.
     
  20. Mele20

    Mele20 Former Poster

    Joined:
    Apr 29, 2002
    Posts:
    2,495
    Location:
    Hilo, Hawaii
    Ok. Explain to me how I am going to get this trojan or worm or whatever from the internet and either AMON or NOD32 on demand scanner won't protect me. I have never gotten any kind of infection from the internet yet and I am not using IMON. You seem to be saying that both AMON and NOD32 on demand scanner are irrelevant. All infections come from the internet or email so only IMON is needed.

    Give me some specific examples of how IMON will protect me and AMON will not in that situation. What you are saying is that currently because we don't have this new IMON yet, I and none of us are being protected from internet threats. Further, you seem to be saying that other AV which do not have IMON cannot protect their users from internet threats. How did IMON suddenly become this protect all perfectly something that we don't have, but need desperately, because our current NOD32 protection doesn't work?
     
  21. ncs_malaysia

    ncs_malaysia Guest

    As you know.... by default AMON does not detect viruses in compressed format while IMON does...!!!

    so... when does IMON check files for viruses..o_O when Internet Protocols such as SMTP/POP are used..!!! so no performance issue...

    and when does AMON scan for viruses..?? REAL-TIME monitoring ..!!! every file that you accessed..!!! so, it has a performance issue...

    that's the reason I believe that ESET does not implement AH in AMON..!!!
     
  22. Mele20

    Mele20 Former Poster

    Joined:
    Apr 29, 2002
    Posts:
    2,495
    Location:
    Hilo, Hawaii
    Who cares if IMON can detect a virus in compressed format? I use NOD32 on demand scanner with Adv. heuristics for that. AMON should be able to detect without unzipping but since it can't, I scan it with NOD32 on demand.

    I still want someone to give me an example of how I am going to get a worm or trojan from the internet and my current set up of NOD32 cannot protect me so I desperately need this new IMON to protect me. I haven't had the slightest need for IMON yet....

    (edited to say that for the sake of this discussion, I am ignoring the fact that NOD32 with or without IMON ..new or old version.. cannot protect that well against trojans).
     
  23. ncs_malaysia

    ncs_malaysia Guest

    well.... well...
    IMON should act like a FRONT-END defence for you..!!! detect and stop viruses before they enter your PC from the Internet....

    example... let's say you visit a Warez website which might auto download and install trojans/spyware onto your PC, then IMON will be able to detect and stop it before it enters your system...

    however.., without IMON, AMON is only able to detect the threat when the trojan/spyware is already in your system.. right..o_O!!!
     
  24. Mele20

    Mele20 Former Poster

    Joined:
    Apr 29, 2002
    Posts:
    2,495
    Location:
    Hilo, Hawaii
    OK you proved my point. I don't visit Warez sites. I don't do P2P. I don't go to porn sites either. :) I have NEVER gotten spyware on my box...either box without my consent. The only spyware I ever had was when my friend told me about Bonzai Buddy and wanted me to try it. I was a newbie then and so I tried it and immediately hated it and got rid of it. Oh, and I tried Gator way back when I was a newbie and got rid of it right away too. But I voluntarily got those two out of being new and ignorant but I knew enough even then to know I wanted them off my box right away. I got Ad-Aware when it was brand new and all the time I have had Ad-Aware and Spy Bot, I have never had anything found (except some false positives). I don't use IE except for Windows Updates and speed testing (because I use MSJVM and not Sun Java). I use Firefox and Mozilla and filter everything through Proxomitron.

    So, looks to me like this new IMON is for those who don't practice safe computing. I didn't think NOD32 was very good at detecting trojans or spyware anyhow. I am constantly being told that I need a dedicated trojan protection application. So, what exactly is IMON going to do if it can't catch trojans and spyware and it can't...not many that is.
    It is just going to cause many users a lot of headaches. It runs at the Winsock level which just invites problems. Now, problems might be ok if it provided some priceless service, but it doesn't.

    I agree that I am not eager to have a trojan get on my system but if I thought I was at much risk I would either get a dedicated trojan application, as has been recommended here countless times and even recommended to me today in another thread (nothing said about IMON protecting me from trojans on the internet), or I would get another instead of NOD32 since it catches a lot more trojans.
     
    Last edited by a moderator: May 19, 2004
  25. ncs_malaysia

    ncs_malaysia Guest

    well.. then perhaps you are looking for an "All-In-One" defence suite...!!!
    As far as I know.. NOD does pretty well at catching ITW Trojans... but I have to admit that KAV does catch a lot more "Malware"...
    but in terms of catching viruses... NOD is better than other antiviruses, IMO ..!!!
    btw, Mele20.. you practice safe computing.. however.. there are still lots of Viruses/Worms spread through Internet Protocols (especially e-mail) and here is where IMON comes into play..!!! surely you would not like the viruses/worms to enter your system to allow AMON or even KAV to detect them.., right..o_O for me, I prefer NOD to stop the viruses/worms before they are downloaded to my system...
     
    Last edited by a moderator: May 19, 2004