/all Switch Doesn't Function as Expected

Discussion in 'NOD32 version 2 Forum' started by spm, Sep 14, 2003.

Thread Status:
Not open for further replies.
  1. spm

    spm Registered Member

    It seems to me that the /all NOD32 scanner command-line switch doesn't work as expected (by me, anyway).

    I would expect it to cause NOD32 to scan all of the files asked of it on the command-line, but it doesn't: archives and packed files are still ignored. An easy test is to download the eicar_com.zip file from www.eicar.com and then scan it with the NOD32 command-line scanner. Re-scan the same file after adding the /arch+ switch and see the difference.

    Now, I can live with the issue to a point: by using Paolo Monti's useful Shell Power for NOD32, and changing the command-line switches it passes to NOD32, I can have NOD32's Explorer context menu entry scan zip files.

    However, we also run a network firewall (Kerio WinRoute) which interfaces directly to NOD32 by calling the exported NOD32_ScanFile() function of nod32.dll - this also fails to scan zip archives, for - I am guessing - the same underlying reason.
     
  2. anders

    anders Eset Staff Account

    The /all switch will only make it look for renamed executables and such. It only affects which file extensions are scanned, not "internal scanning". You should still add /pack+ and /arch+ to scan packed files and archives.

    Best regards,
    Anders
     
  3. spm

    spm Registered Member

    Sorry, what are renamed executables? So, what extensions are scanned when /all is specified?

    Whatever the meaning of /all, if I specify a file on the command line, say C:\path\file.zip, then I expect that file to be scanned. It is not. Not only that, NOD32 reports in the scan results window that the file *has* been scanned when in fact it has not. This is an easy way for a virus to get through.

    If NOD32 doesn't scan one or more of the files passed on the command line, I would expect it to tell me, rather than falsely claim that it has.

    So, the /all switch doesn't mean "all" - perhaps it should be renamed '/some'?? I'm not trying to be facetious here, but NOD32 definitely misleads in this case.
     
  4. anders

    anders Eset Staff Account

    With "/all" it "checks" files of all extensions, instead of the standard extensions. It still "checks" if "file.zip" is an infectable format, and scans it for viruses. Though, you still need "/arch+" in order for it to decompress archives it detects. "/all" just means scan all extensions. If you have an infected file named "file.exe", and renamed it to "file.zip" or "file.blah", it would be detected with "/all", but if it's an archive, the files inside it won't be scanned unless "/arch+" is specified.

    I don't think it's THAT weird.

    Best regards,
    Anders
     
  5. spm

    spm Registered Member

    Anders:

    I appreciate your response, but whether you consider the switch weird or not is missing the point: unless the /arch+ switch is specified NOD32 does *not* (unpack and) scan zip files, but it does falsely claim that it has done so. This is plain wrong, and simply dangerous.
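
A simplified Python model of the behaviour discussed in this thread, added here as an example; it is not NOD32's code and not part of any post. `all_exts` stands in for /all and `arch` for /arch+; the marker string, the default extension list and the `depth` report field are assumptions made for the illustration.

```python
import io
import os
import zipfile

# Constructed, harmless marker standing in for a detectable pattern.
MARKER = b"CONSTRUCTED-TEST-MARKER-0001"
# Hypothetical "standard extensions" list; the thread does not give the real one.
DEFAULT_EXTS = {".exe", ".com", ".dll", ".zip"}


def build_sample_zip() -> bytes:
    """Constructed sample: a deflate-compressed zip holding one marked member."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("inner.com", b"X" * 500 + MARKER + b"X" * 500)
    return buf.getvalue()


def scan(name: str, data: bytes, all_exts: bool = False, arch: bool = False) -> dict:
    """Return a report that states how deeply the file was inspected."""
    report = {"file": name, "depth": "skipped", "hits": []}
    ext = os.path.splitext(name)[1].lower()
    if not all_exts and ext not in DEFAULT_EXTS:
        return report                      # extension filter: file never opened
    report["depth"] = "container-only"
    if MARKER in data:                     # raw bytes of the file itself
        report["hits"].append(name)
    if arch and zipfile.is_zipfile(io.BytesIO(data)):
        report["depth"] = "members-unpacked"
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():     # compressed members need unpacking
                if MARKER in zf.read(info):
                    report["hits"].append(f"{name}/{info.filename}")
    return report


if __name__ == "__main__":
    sample = build_sample_zip()
    print(scan("file.zip", sample))                  # container only, no hit
    print(scan("file.zip", sample, arch=True))       # member unpacked, hit
    # Renamed-executable case: raw content under an unlisted extension.
    print(scan("file.blah", b"MZ" + MARKER))                  # skipped
    print(scan("file.blah", b"MZ" + MARKER, all_exts=True))   # hit on raw bytes
```

Reporting `depth` separately from `hits` lets a caller tell "checked, nothing found" apart from "archive not unpacked", which is the distinction the scan results window discussed above does not show.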
     