AMON doesn't scan EICAR infected archive while copying

Discussion in 'NOD32 version 2 Forum' started by Emil, Apr 6, 2004.

Thread Status:
Not open for further replies.
  1. Emil

    Emil Registered Member

    Joined:
    Apr 5, 2004
    Posts:
    41
    Location:
    Romania
    From the forum I have understood that there is no necessary need for AMON to have an unpacker. B U T I've recorded a CD with Nero Express. The objects were EICAR test files, in different forms, with un/known extensions, plus packed files. NOD sprang up and warned me about the unpacked files while burning. Packed files were recorded without any warning... :(
    So, think again about what could happen to a user without any AV installed (and, of course, you know there are many without elementary PC hygiene who could be potential infection sources), who copies these files to his (above described) computer... :(
    I don't suggest anything. I tell you what I need: AMON to remain the same light fighter and automatically activate an option for scanning packed files only at the moment of operations such as: right click on the mouse, copy, cut, transfer during recording (on any kind of external or fixed support), attaching to e-mails.

    So, let me know how I could be covered in this area?
     
  2. mrtwolman

    mrtwolman Eset Staff Account

    Joined:
    Dec 5, 2002
    Posts:
    613
    To state it one more time: you are protected by AMON. A packed infected file is pretty harmless until extracted, and at that moment AMON will intercept it. There is, for a good reason, no need to scan packed files with AMON.

    And the EICAR file is no virus; it is just for safe testing of your antivirus.
     
  3. Emil

    Emil Registered Member

    Joined:
    Apr 5, 2004
    Posts:
    41
    Location:
    Romania
    I know what EICAR is. Because it is the most well-known "virus", I decided to do these tests with it.

    But your answer is no longer complete. Please let me know what will happen with really infected archives:
    1. opened from the recorded CD by a "newbie", like me o_O (BUT without AV protection). Could that PC be infected? Yes/No...
    2. received as an attachment (on a PC with an AV without POP3 scanning or simply without AV). Could that PC be infected? Yes/No...
    3. ...and keep in mind that the station these infected archives come from is M Y NOD32 PROTECTED PC!!

    4. So, is it not a sad thing that NOD, which has this wonderful AH engine, doesn't use it? And I said, automatic activation of this engine (which I've understood is separate from the main engine), in certain situations...
     
  4. Paul Wilders

    Paul Wilders Administrator

    Joined:
    Jul 1, 2001
    Posts:
    12,472
    Location:
    The Netherlands
    As soon as the archives are activated without AV protection: yes.

    Same answer as mentioned above ;)

    You can enable archive-scanning in the On Demand Scanner* and perform a full system scan. Infected archives will be recognized and, if instructed, deleted. Bear in mind you'll lose the complete archive when doing so. Going for a 'scan' instead of a 'clean' full system scan will point you to possible infected archives.

    You can apply Paolo Monti's Advanced Heuristics (see the sticky post above ;)

    edit - *: typo; AMON replaced by On Demand Scanner

    regards.

    paul
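
Added example, not part of any post in this thread: a Python sketch of the point made in replies 2 and 4, that a byte-level signature match over a compressed archive sees nothing until the members are unpacked, which is the work an archive-aware scan of a compilation folder does before burning. The marker, file names and limits are constructed for illustration; this is not how NOD32 or AMON is implemented.

```python
import io
import zipfile

# Constructed stand-in for a test signature such as EICAR (not a real signature).
MARKER = b"CONSTRUCTED-TEST-MARKER-0001"
MAX_MEMBER = 10 * 1024 * 1024   # assumed cap on unpacked member size
MAX_DEPTH = 3                   # assumed cap on nested-archive depth

def scan_bytes(data: bytes) -> bool:
    """Flat signature match: what a scanner without an unpacker sees."""
    return MARKER in data

def scan_archive(data: bytes, prefix: str = "", depth: int = 0):
    """Unpack a zip in memory and scan every member, recursing into nested zips.
    Returns (hits, skipped): members that matched, members that were not scanned."""
    hits, skipped = [], []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            name = prefix + info.filename
            if info.is_dir():
                continue
            if info.file_size > MAX_MEMBER or info.flag_bits & 0x1:
                skipped.append(name)      # oversized or encrypted: report as unscanned
                continue
            body = zf.read(info)
            if scan_bytes(body):
                hits.append(name)
            if zipfile.is_zipfile(io.BytesIO(body)):
                if depth + 1 >= MAX_DEPTH:
                    skipped.append(name)  # too deeply nested: report as unscanned
                else:
                    h, s = scan_archive(body, name + "!", depth + 1)
                    hits += h
                    skipped += s
    return hits, skipped

def build_sample(method: int = zipfile.ZIP_DEFLATED) -> bytes:
    """Constructed sample: a clean file plus a nested zip holding the marker."""
    inner, outer = io.BytesIO(), io.BytesIO()
    with zipfile.ZipFile(inner, "w", method) as zf:
        zf.writestr("test.com", MARKER + b" padding" * 20)
    with zipfile.ZipFile(outer, "w", method) as zf:
        zf.writestr("readme.txt", b"clean file\n")
        zf.writestr("nested/inner.zip", inner.getvalue())
    return outer.getvalue()

if __name__ == "__main__":
    sample = build_sample()
    print("flat scan hit:", scan_bytes(sample))
    print("unpacked scan:", scan_archive(sample))
```

Built with `zipfile.ZIP_STORED`, the same sample matches on the flat scan because stored members are written uncompressed; compressed, encrypted or deeply nested members are the cases that need an unpacker or must be reported as unscanned.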
     
  5. Emil

    Emil Registered Member

    Joined:
    Apr 5, 2004
    Posts:
    41
    Location:
    Romania
    OK
    Thanks, Paul!

    I know that I could replace AMON with NOD in certain situations, but let me know: is it normal? It seems like a lame good fighter...
    After I burn the CD I have to do a "little" scan. OR, before burning something, I have to create a special folder for my compilation, so I can scan it first. Waste of time.
    Paul, here it is not as in developed countries, where everybody can transfer entire Mo's through the network (so, IMON is wonderful - but outgoing email is not scanned by AMON). We'll make, for a long time, CD copies of our work (and whoever has a CD burner is happy...).

    I think that my particular need is not so... particular, especially in Eastern countries.

    EVERYTHING I WOULD LIKE TO KNOW IS: IS THERE, i.e. AT ESET, ANY INTENTION TO MAKE SOME ESSENTIAL CHANGES IN AMON, I MEAN AN AUTOMATIC SWITCH TO AH OR AN INTEGRATED UNPACKER ON RIGHT CLICK, COPY, CUT, MOVE, ATTACH/OUTGOING, BURN CD OF ARCHIVES?? YES/NO/OTHERS - LET ME KNOW

    Thanks a lot!

    Emil
     
  6. anders

    anders Eset Staff Account

    Joined:
    Oct 25, 2002
    Posts:
    410
    As far as I know, yes. I have no clue as to when that will be implemented though.. Probably not within the next couple of months.

    Best regards,
    Anders
     
  7. Emil

    Emil Registered Member

    Joined:
    Apr 5, 2004
    Posts:
    41
    Location:
    Romania
    Ok Anders.

    Your answer puts me in waiting. I've taken the "pulse" of some server administrators. They have no experience with NOD on the company servers, because the owners bought AVs on x or y amateur advice, before they (the admins) were employed there. BUT particularly they like NOD32 and they agree with the professional problem described above. By fixing this problem, you would have real success in Romania. Even I myself, the moment I am convinced, will become a passionate advertiser ;)

    Thanks a lot for any second lost with me (hopefully it will bear fruit).

    As soon as possible I'll open another thread about NOD32's scheduling tasks that could not be manually stopped.

    Emil
     