AMON is driving me crazy

Discussion in 'NOD32 version 2 Forum' started by Mele20, Aug 14, 2004.

Thread Status:
Not open for further replies.
  1. Mele20

    Mele20 Former Poster

    Joined:
    Apr 29, 2002
    Posts:
    2,495
    Location:
    Hilo, Hawaii
    How do I stop AMON from finding eicar and other harmless renamed viruses that I use for testing in System Restore? What is AMON doing in System Restore anyhow? I had to disable AMON just now as it keeps popping up with a "virus" it has found in System Restore. I could understand if this was the NOD32 scanner finding these during an on demand scan of my C drive but why has AMON decided to go looking around in System Restore? It shouldn't be doing that. AMON never used to do this so what is triggering it and how do I stop this?

    This is irritating enough when I am on the computer, but when I am away or asleep and AMON goes looking around in System Restore and finds eicar and pops up a virus alert that action wakes my monitor and because I am not there to do anything my monitor will stay on for hours until I finally awaken or come home. I can't have AMON doing this as I don't want my new, really great monitor damaged.

    I know I could zip eicar and the others and then password protect them or I could exclude them but the first one takes time to do and the second isn't helpful either as I want eicar detected if I either right click scan it or do a full on demand scan. I just don't want AMON detecting it in system restore. It should be that NOD32 scanner would detect it there not AMON.

    I am using NOD32 version 2 on XP Pro Sp1a.
     

  2. flyrfan111

    flyrfan111 Registered Member

    Joined:
    Jun 1, 2004
    Posts:
    1,224
    It is being detected when your computer goes to add a restore point which is once every 24 hours or once every 10 hours of being on. Just exclude the restore folder. Why are you so upset that NOD is doing its job?
     
  3. Detox

    Detox Retired Moderator

    Joined:
    Feb 9, 2002
    Posts:
    8,507
    Location:
    Texas, USA
    o_O Thought you said a while back you quit using NOD32 o_O
     
  4. Mele20

    Mele20 Former Poster

    Joined:
    Apr 29, 2002
    Posts:
    2,495
    Location:
    Hilo, Hawaii
    I now recall that AMON did this once before. When it was doing it before I was using the beta. I posted about it here. https://www.wilderssecurity.com/showthread.php?t=36653&highlight=AMON system restore
    AMON was going into System Restore for no reason (no restore point being made at the time) and was finding a false positive.

    Now AMON in the release version of NOD32 is going into System Restore for no reason (it was in there three times finding stuff before I disabled it today). Today's restore point was made at 11:13AM and AMON first alerted on a System Restore file at 3:26PM and no restore point was being made at that time. When I posted about this before when it happened with the beta version, I never got any response here from Eset personnel. I didn't email tech support at the time but I will now. Yes, I can exclude System Restore from AMON scanning but I don't think I should have to do that. I don't think this is normal behavior of AMON since this is not happening when a restore point is being made.

    Detox, I said I probably would move to another av after my license is up (because I don't care for having TWO resident monitors with the emphasis being on the one I don't use). That is not until the end of October. I have not made up my mind yet for sure. I am watching developments with NOD32 and the other av I am interested in and will probably not decide until the last minute. (The other av has some major revisions due in late September/early October and I want to see them before I decide. Plus, I want to see what NOD32 does between now and the end of October).
     
  5. flyrfan111

    flyrfan111 Registered Member

    Joined:
    Jun 1, 2004
    Posts:
    1,224
    If it wasn't making a restore point then possibly a disk defragmenter or Windows' own optimization may have been accessing the restore folder. AMON does not arbitrarily check files that are not being accessed, so something was accessing it. If you are that upset about it, change the AMON setup properties to not check files as they are opened, only executed or created should be checked, uncheck open, that should solve your problem. And no this setting will not compromise your security, files will still be scanned as they are executed or created just not when they are opened by other programs doing scans and such, such as Ad-Aware, disk defraggers and the like.
     
  6. Mele20

    Mele20 Former Poster

    Joined:
    Apr 29, 2002
    Posts:
    2,495
    Location:
    Hilo, Hawaii
    You are not getting the point. There is something wrong here. I was not running Windows defrag nor was I running any application that would have possibly been scanning system restore or accessing it. If AMON alerts on eicar every time a restore point is made then why didn't it alert this morning? Or yesterday? Or the day before that? Why didn't AMON alert when I have Spybot scan my computer? AMON is acting in an erratic manner. I want to know why. It should act consistently. AMON did not act this way until recently.

    The Help file says:

    In its default configuration, AMON scans files when they are created, executed, or opened. Changing the default options is not recommended.

    So, I am not eager to change this because there is a problem with AMON. The problem needs to be figured out and then a solution applied. Your suggestion is to avoid the problem by doing something that Eset does not recommend.
     
  7. anders

    anders Eset Staff Account

    Joined:
    Oct 25, 2002
    Posts:
    410
    Something is accessing the system restore folder. AMON doesn't do any scheduled scanning of its own, or anything like that. If you don't want AMON to scan the folder, exclude it using the AMON Exclude-setting. If you want to find out what is accessing the folder, you could for example try running Filemon from www.sysinternals.com and tell it to filter for access to the system restore folder, and leave it running for a while. Though, you probably won't get more info than it being a Windows service or something.

    Best regards,
    Anders
     
  8. Mele20

    Mele20 Former Poster

    Joined:
    Apr 29, 2002
    Posts:
    2,495
    Location:
    Hilo, Hawaii
    OK. So something (and I may not ever be able to know specifically what even running the program you suggested) is accessing the System Restore folder and that is causing AMON to scan and alert on the eicar files there. If this is the case, then how come AMON doesn't alert when I do a defrag or when a restore point is being made? Both of those actions access System Restore folder.

    I still think something is wrong here. AMON should be consistent and it is not. It used to be but something changed a couple of months ago so I conclude that some upgrade Eset did is causing this inconsistent behavior.

    I will exclude the folder but that is a band-aid approach.
     
  9. Stan999

    Stan999 Registered Member

    Joined:
    Sep 27, 2002
    Posts:
    566
    Location:
    Fort Worth, TX USA
    AMON doesn't just go around and arbitrarily scan files on its own.
    Also, I don't see where others are reporting this behavior.

    It would seem to me that in the last "couple of months ago" something
    has changed on your machine that is accessing the file and that is
    causing AMON to scan it.
     
  10. flyrfan111

    flyrfan111 Registered Member

    Joined:
    Jun 1, 2004
    Posts:
    1,224
    If possible could we get an Eset Mod's opinion on disabling AMON checking files as they are opened and leaving executed and created checked? When I have opened, executed and created checked on the laptop I lose about 35-45 mins of battery time. I don't think scanning files as they are opened is totally necessary, they are still being scanned as they are executed or created but Mele20 does have a point that the help file does say the settings should be left as they are. At least on my system unchecking this also decreases defrag times as well as scan times for Ad-Aware and Spybot and such as they are not executing anything they merely open the file to examine it. I feel this is more like a safety check to pick up viruses before they are executed to find and disable them that much sooner. Am I compromising security? Should I return to the default setting?
     
  11. anders

    anders Eset Staff Account

    Joined:
    Oct 25, 2002
    Posts:
    410
    It's not when the folder is accessed, but when that particular infected file is. Defrag is most likely not touching the same functions, and when you create a new restore point, it's not touching the individual files of the other restore points.

    I still suggest you try Filemon though, it might give more info regarding this issue.
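
    Added example, not part of any post in this thread and not Eset or Sysinternals code: one way to work through a saved Filemon capture to see which process opened a specific file in the System Restore store, the event that the replies above say makes an on-access scanner inspect it. The tab-separated column layout, the process names, PIDs, restore-point paths and the GUID are assumptions constructed for illustration.

```python
import csv
import io
from collections import Counter

# Constructed sample, not real capture output. Assumed layout of a saved
# Filemon log: tab-separated sequence, time, process:pid, request, path,
# result, other. Process names, PIDs and the GUID are placeholders.
RESTORE = r"C:\System Volume Information\_restore{EXAMPLE-GUID}"
SAMPLE_LOG = "\n".join("\t".join(f) for f in [
    ("#", "Time", "Process", "Request", "Path", "Result", "Other"),
    ("1", "11:13:04 AM", "svchost.exe:880", "CREATE", RESTORE + r"\RP42\change.log", "SUCCESS", ""),
    ("2", "3:25:58 PM", "explorer.exe:1432", "OPEN", r"C:\Documents and Settings\user\Desktop", "SUCCESS", ""),
    ("3", "3:26:01 PM", "searchtool.exe:2210", "OPEN", RESTORE + r"\RP41\A0009001.com", "SUCCESS", ""),
    ("4", "3:26:01 PM", "searchtool.exe:2210", "READ", RESTORE + r"\RP41\A0009001.com", "SUCCESS", "Offset: 0 Length: 68"),
    ("5", "3:26:02 PM", "searchtool.exe:2210", "CLOSE", RESTORE + r"\RP41\A0009001.com", "SUCCESS", ""),
])

def parse_log(text):
    """Return one dict per event row, skipping headers and malformed lines."""
    rows = []
    reader = csv.reader(io.StringIO(text), delimiter="\t", quoting=csv.QUOTE_NONE)
    for rec in reader:
        if len(rec) < 6 or not rec[0].strip().isdigit():
            continue
        name, sep, pid = rec[2].rpartition(":")
        rows.append({"time": rec[1], "process": name if sep else rec[2],
                     "pid": pid if sep else "", "request": rec[3],
                     "path": rec[4], "result": rec[5]})
    return rows

def restore_accesses(rows):
    """Events whose path lies under a System Restore store on any drive."""
    marker = "\\system volume information\\_restore"
    return [r for r in rows if marker in r["path"].lower()]

def summarize(rows):
    """Count restore-store events per (process, request) pair."""
    return Counter((r["process"], r["request"]) for r in restore_accesses(rows))

def openers(rows, filename):
    """Who opened one specific file in the store: the event that makes an
    on-access scanner inspect it, per the explanation in the thread."""
    return [(r["time"], r["process"], r["pid"]) for r in restore_accesses(rows)
            if r["request"] == "OPEN" and r["path"].lower().endswith("\\" + filename.lower())]

if __name__ == "__main__":
    events = parse_log(SAMPLE_LOG)
    for (proc, req), n in sorted(summarize(events).items()):
        print(f"{proc:16} {req:8} {n}")
    print(openers(events, "A0009001.com"))
```

    Comparing the time of the matching OPEN event with the time of the AMON alert shows which process triggered the scan; a restore-point creation that only writes new files does not appear among the openers of the older file.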
     
  12. Mele20

    Mele20 Former Poster

    Joined:
    Apr 29, 2002
    Posts:
    2,495
    Location:
    Hilo, Hawaii
    Thank you for that explanation. I downloaded File Monitor and have it running.
     