AMON and packed files

Discussion in 'NOD32 version 2 Forum' started by sir_carew, Mar 27, 2004.

Thread Status:
Not open for further replies.
  1. sir_carew

    sir_carew Registered Member

    Joined:
    Sep 2, 2003
    Posts:
    884
    Location:
    Santiago, Chile
    Hello,
    Sorry if this thread already exists, but I couldn't find it.
    I think NOD is the best AV and I like ESET's stuff, but I don't agree with some things about NOD and ESET:
    We know that AMON doesn't scan packed files. I also know that if, for example, a Bagle variant appears and later the same variant appears compressed with UPX, AMON will detect it, because it's spreading and ESET made a special detection, for example Win32/X.A:UPX. But that isn't the matter.
    The problem: AMON detects only specific packed samples (ITW). I have many backdoors, trojans and viruses that first appeared uncompressed, so NOD detects them, but later the same malware appeared packed with ASPACK, UPX, etc., and only the NOD32 Scanner and IMON detect it. Not AMON, because AMON doesn't scan packed files.
    I know that checking compressed files like .zip isn't necessary, because they will only damage you if you decompress them, but packed files are self-extracting, so you only need to execute them and you will get infected.
    I have a spammer that NOD detects, so I packed it with UPX and executed it, and nothing: the spammer was executed with no alert or access denied from AMON. Only IMON and the Scanner detect it as a UPX-packed infected file...
    I also know that ESET said this can slow down the PC and use resources, but why doesn't ESET add the ability to scan packed files as a non-default option in AMON, so the user can decide whether to enable it or not, as KAV and NAV do? I was a user of KAV 4.5 and I had enabled scanning of packed files, and I didn't feel any slowdown from it, and my PC is standard.
    Thanks for your understanding! :)
     
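The first post above describes the gap: a packer such as UPX or ASPack wraps a known sample so that the on-access scanner, which does not unpack, no longer sees the signature, while the on-demand scanner does. As an added example (not code from the thread, from ESET or from any NOD32 component), the Python below flags PE executables that look packed, by the section names UPX and ASPack leave behind and by section entropy, so a defender can route such files to an on-demand scan. The PE images are constructed in the script; the section-name list and the 7.0 bits-per-byte threshold are my assumptions.

```python
import math
import struct
from collections import Counter

# Section names commonly written by UPX and ASPack, the packers named in the thread (assumed list)
PACKER_SECTION_NAMES = {b"UPX0", b"UPX1", b"UPX2", b".aspack", b".adata"}

def shannon_entropy(data: bytes) -> float:
    # Bits per byte: compressed/packed code sits near 8.0, plain code well below
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values()) if n else 0.0

def pe_sections(image: bytes):
    # Yield (name, raw_bytes) for each section header of a PE image
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4                         # IMAGE_FILE_HEADER, 20 bytes
    num_sections = struct.unpack_from("<H", image, coff + 2)[0]
    opt_size = struct.unpack_from("<H", image, coff + 16)[0]
    table = coff + 20 + opt_size                # section table follows the optional header
    for i in range(num_sections):
        hdr = table + 40 * i
        name = image[hdr:hdr + 8].rstrip(b"\0")
        raw_size, raw_ptr = struct.unpack_from("<II", image, hdr + 16)
        yield name, image[raw_ptr:raw_ptr + raw_size]

def looks_packed(image: bytes, threshold: float = 7.0) -> list:
    # Reasons the file looks packed; an empty list means no packer signs were found
    reasons = []
    for name, data in pe_sections(image):
        label = name.decode(errors="replace")
        if name in PACKER_SECTION_NAMES:
            reasons.append(f"packer section name {label}")
        if len(data) >= 256 and shannon_entropy(data) > threshold:
            reasons.append(f"high-entropy section {label}")
    return reasons

def build_sample_pe(sections) -> bytes:
    # Constructed, non-runnable PE image holding the given (name, data) sections
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)          # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 0, 0x102)
    headers, blobs, ptr = b"", b"", 0x40 + 4 + 20 + 40 * len(sections)
    for name, data in sections:
        headers += name.ljust(8, b"\0") + struct.pack("<IIII", len(data), 0x1000, len(data), ptr)
        headers += b"\0" * 16                                   # relocs, line numbers, flags
        blobs, ptr = blobs + data, ptr + len(data)
    return dos + b"PE\0\0" + coff + headers + blobs

# Constructed samples: a uniform byte distribution gives entropy exactly 8.0
PACKED_SAMPLE = build_sample_pe([(b"UPX0", b""), (b"UPX1", bytes(range(256)) * 4)])
PLAIN_SAMPLE = build_sample_pe([(b".text", b"This program cannot be run in DOS mode." * 10)])
```

A real deployment would run `looks_packed` over downloaded or newly written executables and hand any flagged file to the on-demand scanner, which is the component the thread says unpacks before matching.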
  2. Randy_Bell

    Randy_Bell Registered Member

    Joined:
    May 24, 2002
    Posts:
    3,004
    Location:
    Santa Clara, CA
    I agree, it is wise to at least include the option to scan compressed or packed files in realtime. NAV just added that in the 2004 edition, and it only works for NT-based systems {Win2K/XP} since it uses an NT driver, but it is nice to have. Agree with everything you said. *puppy*
     
  3. rdsu

    rdsu Registered Member

    Joined:
    Jun 28, 2003
    Posts:
    4,456
    I also agree with this. If it could be an option... ;)
     
  4. Eliot

    Eliot Registered Member

    Joined:
    Aug 8, 2003
    Posts:
    854
    Location:
    Arkansas, USA
    Agreed *puppy*
     
  5. izi

    izi Registered Member

    Joined:
    Jan 19, 2004
    Posts:
    354
    Location:
    Slovenia
    Hello sir_carew !

    Try changing a value in the registry:
    HKEY_LOCAL_MACHINE\SOFTWARE\Eset\Nod\CurrentVersion\Modules\AMON\Settings\Config000\Scanner
    Try changing 'target_sfx_enable' and 'target_arch_enable' to 1. Then you must restart Windows.


    Izi
     
  6. sir_carew

    sir_carew Registered Member

    Joined:
    Sep 2, 2003
    Posts:
    884
    Location:
    Santiago, Chile
    Hello,
    I've set advanced heuristics to 1. Will AMON use AH?
    I can't find the entries you mentioned.
    Thanks.
     
  7. sir_carew

    sir_carew Registered Member

    Joined:
    Sep 2, 2003
    Posts:
    884
    Location:
    Santiago, Chile
    Sorry,
    I've found them. I'll test your tips, thanks, and I hope this will work!!! :D
     
  8. izi

    izi Registered Member

    Joined:
    Jan 19, 2004
    Posts:
    354
    Location:
    Slovenia
    Hi!

    AH in AMON doesn't work. :(

    Izi
     
  9. sir_carew

    sir_carew Registered Member

    Joined:
    Sep 2, 2003
    Posts:
    884
    Location:
    Santiago, Chile
    Izi,
    Sorry, I've modified that, restarted Windows, and I have a backdoor packed with UPX and AMON doesn't detect it, only IMON and the Scanner.
    ESET, please add such feature to AMON :)
    Thanks
     
  10. izi

    izi Registered Member

    Joined:
    Jan 19, 2004
    Posts:
    354
    Location:
    Slovenia
    All modules use the same registry template, therefore an entry reading advanced heuristics appears in all modules. Since not all the modules support it, this setting is ignored in the case of AMON and EMON.
    Obviously it is the same with SFX and archives.

    Izi
     
  11. dvk01

    dvk01 Global Moderator

    Joined:
    Oct 9, 2003
    Posts:
    3,131
    Location:
    Loughton, Essex. UK
    We have had this discussion a lot of times, but if AMON uses advanced heuristics then you get an almost unusable computer.

    AH takes 100% of the processing power and as AMON is always running in the background, if it used all your processing power you would soon complain.

    The only sensible way, without disabling the computer and just making it into a dedicated antivirus scanner, is to use the right-click extension scanner https://www.wilderssecurity.com/showthread.php?t=9776 to check any suspect files that are on the computer that haven't been through IMON and its email scanner.
     
  12. izi

    izi Registered Member

    Joined:
    Jan 19, 2004
    Posts:
    354
    Location:
    Slovenia
    I agree with dvk01.
    All the viruses I get come via the internet. HTTP and FTP are planned to be added to IMON, so POP3, HTTP and FTP will be scanned with AH. I hope that ESET will add HTTP and FTP to IMON in the near future. Maybe in 2.000.10.

    Izi
     
  13. Mele20

    Mele20 Former Poster

    Joined:
    Apr 29, 2002
    Posts:
    2,495
    Location:
    Hilo, Hawaii
    I add my agreement. If this is not added by the time my license is up, I will most likely move to KAV. I don't use IMON (for several reasons; the hyper-threading bug is one of them). AMON has been somewhat neutered by Eset since version 2, as IMON does more than AMON. That is absurd and I will not stay with an av company that doesn't realize this fact and fix it. The resident monitor should detect everything. There should be no need for an email scanner, as that is simply another layer of protection for those who want it. Those who do not want this additional capability in AMON should be able to turn it off IMO.

    Anders agrees with me. He says:

    "Everything should of course be detected by the resident protection, and IMON is just a layer of extra protection. For now, more things are detected by IMON due to the advanced heuristics, but hopefully that will be an option in AMON in the future."
    http://www.wilderssecurity.com/showthread.php?t=25524

    Eset is going to lose a LOT of their users if they continue to eviscerate AMON. In fact, I may not even stay with NOD32 until my license is up because this is so important. To say that giving these powers to AMON will make the computer unusable makes no sense. A computer with KAV or NAV 2004 is not unusable.

    Giving IMON HTTP and FTP powers is absurd. Those powers belong to the resident monitor not to a very buggy email monitor that a lot of people don't want or use.

    I would like Eset to give a definitive answer on this issue as soon as possible. Can we expect AMON to be given the proper powers or not? If yes, then how soon?

    (edited because I was using Firefox and it will not preview and I forgot that and I didn't check the spelling).
     
  14. steve1955

    steve1955 Registered Member

    Joined:
    Feb 7, 2004
    Posts:
    1,384
    Location:
    Sunny(in my dreams)Manchester,England
    Why have the ability to scan compressed files and the use of AH been combined in this thread?
    They are really 2 different things. The on-demand scanner doesn't HAVE to use AH to scan compressed files, so the point that the use of AH in AMON makes the PC almost unusable is spurious to the initial point of it not being able to scan them (although scanning them would slow AMON down, it should not have so much of an impact).
     
  15. dvk01

    dvk01 Global Moderator

    Joined:
    Oct 9, 2003
    Posts:
    3,131
    Location:
    Loughton, Essex. UK

    Because, as we understand it (and please correct us if we (I AM) are wrong), the ability to scan deeply inside packed files only comes with AH.

    I understood AMON to only activate when a file is accessed, though, and check it then, so it will check compressed/packed files when they are uncompressed and find any baddies in them at that point.
     
  16. sir_carew

    sir_carew Registered Member

    Joined:
    Sep 2, 2003
    Posts:
    884
    Location:
    Santiago, Chile
    Hello,
    NO, it isn't true: NOD has an unpacker engine independent of the advanced heuristics engine. However, AH doesn't use that unpacker engine; it uses its own unpacker engine, which is a generic unpacker engine that can scan any packed file, including new ones.
    If you start the NOD Scanner without the /ah command-line switch it will still scan packed files, so ESET can implement packed-file scanning in AMON without implementing advanced heuristics in AMON.
    Why do you say that AH uses 100% of resources? I don't believe that; maybe it can slow things down, but not by 100%. Moreover, I'm speaking about packed files in AMON, not AH. Implementing AH is a good idea but isn't urgent; implementing a packed-file scanner in AMON is URGENT. Every day new packed malware appears and AMON stays silent.
     
  17. DiGi

    DiGi Registered Member

    Joined:
    Jul 24, 2003
    Posts:
    114
    Location:
    in the middle of nowhere
    I don't have any trouble with IMON (I don't have an HT CPU ;)). The IMON HTTP feature is impressive; it caught eicarcom2.zip (a twice-zipped file) at HTTP download time... :D
     
  18. sir_carew

    sir_carew Registered Member

    Joined:
    Sep 2, 2003
    Posts:
    884
    Location:
    Santiago, Chile
    Hello DiGi, how do you know such information? Do you have a beta version of NOD that has such a feature?
    I know that ESET will implement that feature in IMON. I think IMON is impressive and excellent! If ESET implements such a feature soon I'll be VERY happy :D
     
  19. DiGi

    DiGi Registered Member

    Joined:
    Jul 24, 2003
    Posts:
    114
    Location:
    in the middle of nowhere
    My friend (from ESET) told me... :) The IMON HTTP scanner will use the same scanner as IMON POP (adv. heuristic support, archive support etc...) for HTTP-downloaded files.
     
  20. izi

    izi Registered Member

    Joined:
    Jan 19, 2004
    Posts:
    354
    Location:
    Slovenia
    If I understand you correctly, there will be two IMON scanners: one for POP3 and one for HTTP.

    Izi
     