AMON in Action!

Discussion in 'NOD32 version 2 Forum' started by mecute, Oct 13, 2006.

Thread Status:
Not open for further replies.
  1. mecute

    mecute Registered Member

    Joined:
    Oct 9, 2006
    Posts:
    51
    Im trying to play around AMON's ability to follow human instructions (using the given setup and action). This is not because I dont like it. The truth is Im looking forward to using it in my old win98 PC. Only NOD32 is capable of running unto my P150 machine. Very old huh!

    Anyway, AMON is

    CASE 1

    1. setup to scan all file that is "opened, executed, created and renamed". Upon infiltration, the Action is "Phohibit access & show alert window with action options" and "Move newly created files to Quarantine".

    AMON_setup1.png

    next..
     
  2. mecute

    mecute Registered Member

    Joined:
    Oct 9, 2006
    Posts:
    51
    2. Now, I have a packed file infected with a trojan/virus. Please take a look.

    totalcmd.png

    next...
     
  3. mecute

    mecute Registered Member

    Joined:
    Oct 9, 2006
    Posts:
    51
    3. Extracted this file using Total Commander's utility. AMON moves into action, detecting it. Ta da!

    AMON_in_action1.png

    next...
     
  4. mecute

    mecute Registered Member

    Joined:
    Oct 9, 2006
    Posts:
    51
    The file was quarantined. No further actions taken, but to close the warning window. What happened next?
     
  5. mecute

    mecute Registered Member

    Joined:
    Oct 9, 2006
    Posts:
    51
    totalcmd_2.png

    Lo! The file is still there, UNTOUCHED.

    Many times have I repeated this move but still has the same result. You can try it by yourself.

    MY CONCLUSION

    Isn't it AMON in CASE 1 giving us false sense of security by telling us that it quarantined the file (take note that the file is hidden in it's natural occurence)? Could this happen to any other form of infection? maybe YES!
     
  6. eisefr

    eisefr Registered Member

    Joined:
    Nov 23, 2004
    Posts:
    153
    Location:
    Germany
    Interesting.
    Never payed attention to that.

    Can you mail me your file so i can test it on my computer?
     
  7. pc-support

    pc-support Registered Member

    Joined:
    Mar 10, 2005
    Posts:
    285
    Location:
    Edinburgh, UK
    And has the NEWLY created file been moved into quarentine?

    As the zip file you have used to test has NOT been newly created then obviously it will still be there.....

    Try going through Blackspears settings and then test it.
     
  8. kjempen

    kjempen Registered Member

    Joined:
    May 6, 2004
    Posts:
    379
    Did you really have AMON enabled the whole time? And you haven't unchecked options in the AMON setup?

    I couldn't reproduce this on my PC, and I even tried using Total Commander (just like in your example) to unpack the trojan. The file is detected by AMON (as in your example) and it says it's been quarantined (as in your example), except here it really has been. Only the archive (.zip) is left in the folder, the infected file (.exe) that I tried unpacking from the archive is gone.

    The weird thing I noticed when unpacking with Total Commander, the AMON warning window showed this (under "Comment"):

    "Event occurred on a new file created by the application: C:\Program Files\Totalcmd\TOTALCMD.EXE. The file was moved to quarantine. You may close this window."

    That is different to what it says in your screenshot?

    I am guessing something has happened to your AMON setup?
     
  9. alglove

    alglove Registered Member

    Joined:
    Jan 17, 2005
    Posts:
    904
    Location:
    Houston, Texas, USA
    Was the file added to the Quarantine? In other words, could it be that the file was copied to quarantine instead of being "moved"?

    Are you able to access the folder.htt file? In other words, can you manipulate the file at all (copy, move, open with Notepad, delete)? In other words, is NOD32 prohibiting access to it?

    I am not sure why the big NOD32 warning did not give you any choices. Maybe the file was still under control of Total Commander, so this prevented NOD32 from being able to clean/rename/delete the file?

    o_O
     
  10. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,376
    That's because he has AMON set to move newly created files to quarantine automatically, in such case there's no need for having any of the buttons available.

    In such case, AMON would most likely report an error.
     
  11. mecute

    mecute Registered Member

    Joined:
    Oct 9, 2006
    Posts:
    51
    NOD32 should be able to control every move/action of a certain program. So most likely that's not the case.

    I think NOD32 has difficulty in controlling hidden file (as in "folder.htt"). I have tested this same procedure using "infected EXE" file and AMON got it right.
     
  12. mecute

    mecute Registered Member

    Joined:
    Oct 9, 2006
    Posts:
    51
    will send you the file ASAP...
     
  13. ronjor

    ronjor Global Moderator

    Joined:
    Jul 21, 2003
    Posts:
    57,802
    Location:
    Texas
    Wilders does not encourage nor want malware files being exchanged on this forum. Please use private emails for such activity.
    Thanks for your help.
     
  14. mecute

    mecute Registered Member

    Joined:
    Oct 9, 2006
    Posts:
    51
    There was an addition (folder.htt) to my Quarantined files. But still the unpacked file does exist.

    Ofcourse NO. But if you don't know that the file still existed, it could create havoc. Assuming a similar situation with a much destructive intention, that will likely be a ... :ouch:
     
  15. mecute

    mecute Registered Member

    Joined:
    Oct 9, 2006
    Posts:
    51
    Yes sir!
     
  16. mecute

    mecute Registered Member

    Joined:
    Oct 9, 2006
    Posts:
    51
    With the new Beta came out, let's see if this issue is resolved... Goodluck v2.7! ;)
     
  17. mecute

    mecute Registered Member

    Joined:
    Oct 9, 2006
    Posts:
    51
    Oh oh! AMON (v2.7) also failed to move the file "folder.htt" to quarantine. The same issue in its latest beta. :thumbd:

    Any words from the ESET team! Would really like to hear from you guys...

    To Blackspear:

    I suggest you make some adjustments to your setting. Better not checked the "move newly created file to quarantine" in Action setting for the time being. Cause this will only give us users false security. It is better to manually take actions than relying on the setting itself.
     
  18. mecute

    mecute Registered Member

    Joined:
    Oct 9, 2006
    Posts:
    51
    Winzip against Total Commander Packer...

    Hi! In my previous thread Amon in Action, I have a question regarding AMON's failure to quarantine the infected file completely when Total Commander Un/packer is used to extract files. No answer is given yet to this moment.

    Regarding this issue, I have found out that when Winzip is used to extract the files (infected file in it, "folder.htt"), AMON encounters no problem at all. My question is this: "Who is in fault here, Total Commander or AMON?"
     
  19. ASpace

    ASpace Guest

    Re: Winzip against Total Commander Packer...

    About your previous post , I want to tell you that I have Windows/Total Commander installed on most of my computers . After your first posted , I tested it both with Eicar test file and a trojan hacktool . Both were zipped . I unzipped them with Total Commander and AMON immediately jumped up . After that files were gone (moved to quarantine) . I did this on two computers and I encouraged no issues like the one you report .

    When you now tested with WinZip , it seems NOD32 is working so it must be TC issue

    :thumb:
     
  20. mecute

    mecute Registered Member

    Joined:
    Oct 9, 2006
    Posts:
    51
    Re: Winzip against Total Commander Packer...

    Hi there! If you are following the issue correctly, you will notice that Im refering to an infected file that is "hidden". In this way, AMON cannot completely quarantine it when extracted using Total Commander unpacker. This is not an issue to Winzip itself. So maybe the way Total Commander handles it is entirely different than Winzip.

    But again, AMON should be able to capture it correctly.
     
  21. ASpace

    ASpace Guest

    Re: Winzip against Total Commander Packer...

    Just wait . I am jumping to the other computer which have TC . I will test again with Eicar and the hack tool . Will first disable AMON , then I will hide the file(s) , will ZIP them with TC and will extract them . They will be hidden upon extraction . Will report , I promise , just wait some minutes ;)
     
  22. mecute

    mecute Registered Member

    Joined:
    Oct 9, 2006
    Posts:
    51
    Re: Winzip against Total Commander Packer...

    Yes, AMON will be able to handle it properly. But try extracting an infected "folder.htt", and you will know the issue. "Folder.htt" naturally is a hidden file.
     
  23. ASpace

    ASpace Guest

    Re: Winzip against Total Commander Packer...

    Well , I did it , it worked with no problem no matter files were hidden .

    I don't have anything with name folder.htt . I will have to rename the eicar file with that name . OK , will do it (but I doubt it will be different ) . Anyway , will try it ;)
     
  24. jackm

    jackm Registered Member

    Joined:
    Nov 8, 2006
    Posts:
    22
    I was able to replicate this behaviour with eicar.com simply by setting its read-only attribute to true before placing it in a zip archive.

    While using both winrar and XP's built in unzip AMON failed to delete the file created. Instead of moving eicar.com to quarantine AMON simply made a copy in quarantine, leaving eicar.com where it had been extracted.

    Without the read-only attribute AMON moves eicar.com the quarantine when it is extracted.
     
  25. CtlAltDelete

    CtlAltDelete Registered Member

    Joined:
    Dec 18, 2005
    Posts:
    64
    Not good!
     
Thread Status:
Not open for further replies.