AMON not working?

Discussion in 'NOD32 version 2 Forum' started by spacekris, Mar 6, 2006.

Thread Status:
Not open for further replies.
  1. spacekris

    spacekris Registered Member

    Joined:
    Mar 6, 2006
    Posts:
    8
    Hello,
    I am currently trying your NOD32 because it's less resource hungry than other scanners.

    My system: XP, SP2
    NOD32: trial 2.50.25, database: 1.1432, updated today
    Settings:
    AMON running,
    detection: open, create, execute / files
    local disks & media / media
    That's all ticked on this page.

    Scanning by extension: EXE

    On the options page all ticked.

    No exclusions / security all ticked.

    The problem:
    I have downloaded a file "datei.exe".
    When I scan this file with the on-demand scanner it says "a variant of win32/agentTV trojan".
    When I double-click the exe, 2 files in the system folder are created: one exe, one dll.
    So the question: why doesn't NOD32 interfere??
    The setting is "alert me when something is found", but it only finds this when I manually scan it?
     
  2. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,374
    Because you executed a file not detected by a signature. Upon saving to the disk, AMON would have detected it and moved to quarantine to prevent its execution.
     
  3. spacekris

    spacekris Registered Member

    Joined:
    Mar 6, 2006
    Posts:
    8
    Thanks for the fast reply,
    but I don't really get it.
    In the options it says "files scan on open/execute/create"?
    So you are saying it's only detected when saved/created?
    What exactly do you mean by "not detected by a signature"?
    Why not?
    Or I don't get the settings... or the way NOD32 works, but shouldn't it autoscan an exe file when it's double-clicked?
     
  4. alglove

    alglove Registered Member

    Joined:
    Jan 17, 2005
    Posts:
    904
    Location:
    Houston, Texas, USA
    So you mean you have datei.exe, which the on-demand scanner says is "a variant of win32/agentTV trojan". Inside datei.exe are two files: datei-1.exe and datei-2.dll.

    Your questions are:
    Why is datei.exe not caught by AMON when I execute it?
    Why is datei-1.exe not caught by AMON when it is created?

    datei-2.dll will not be caught because you have the extensions set to EXE only.
     
  5. spacekris

    spacekris Registered Member

    Joined:
    Mar 6, 2006
    Posts:
    8
    Yes, exactly, this is the situation.

    For the dll it's obvious and logical, indeed. For the exes it's not.
     
  6. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,374
    If the exe file was actually detected using AH, it would have been moved to quarantine upon creation. Maybe there was no generic signature for this threat at the time it was saved to the disk.
     
  7. spacekris

    spacekris Registered Member

    Joined:
    Mar 6, 2006
    Posts:
    8
    The "detect on create" option was not ticked at the time datei.exe was saved to disk, but it is ticked when the 89axmoduleap.exe (or similar) is created when you double-click datei.exe, and it is NOT detected!

    So again please, can someone say why this behaviour happens, or does NOD32 not work..?
     
  8. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,374
    You disabled default AMON settings that ensure protection against new threats and now you complain that you got infected. Come on... AMON uses AH to scan files on create and, if it's evaluated as malicious, it's moved to quarantine. Even if you disable AMON and happen to run a malicious file, the startup file check feature will tell you that an infected file is starting up with Windows.
     
  9. spacekris

    spacekris Registered Member

    Joined:
    Mar 6, 2006
    Posts:
    8
    Can someone more competent please answer the questions?
     
  10. Lollan

    Lollan Registered Member

    Joined:
    Feb 2, 2006
    Posts:
    288
    They don't get much more competent than Marcos ;)
     
  11. alglove

    alglove Registered Member

    Joined:
    Jan 17, 2005
    Posts:
    904
    Location:
    Houston, Texas, USA
    I believe spacekris is running tests like this in order to see how "bulletproof" the software really is. If a malicious file somehow manages to sneak in before my antivirus program can detect it, I would like to know that the file will still be stopped once it can be detected.

    Why was datei.exe not detected upon execute?

    Marcos said, "Because you executed a file not detected by a signature. Upon saving to the disk, AMON would have detected it and moved to quarantine to prevent its execution." Does this mean that files detected by heuristics are caught when they are created, but not when they are executed? o_O

    Why was datei-1.exe not detected upon creation?

    Perhaps datei-1.exe is harmless by itself, but datei-2.dll file is the truly harmful part. Or to put it another way, the "virus code" that gets detected by the heuristics resides in datei-2.dll. Try adding DLL to your AMON extensions and see if that makes any difference.
     
  12. spacekris

    spacekris Registered Member

    Joined:
    Mar 6, 2006
    Posts:
    8
    Yes, what role does the "detect upon open & execute" option play?
    It was ticked all the time.
    When I execute an exe, that means double-clicking it, no?
    Marcos specified only the "create" part.

    NO.
    When I scan the created exe, it is also detected as "trojan something"!
    And THAT is a creation, but it is NOT detected!?
     
  13. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,374
    It seems most of you still don't understand how AMON works. Read carefully what AMON says:
     

    Attached file: amon.jpg
  14. spacekris

    spacekris Registered Member

    Joined:
    Mar 6, 2006
    Posts:
    8
    http://i2.tinypic.com/qzes1z.jpg

    Either we are too stupid or you are just not able to explain it so that we get it.
    How about not giving us riddles and just answering the question?
    What kind of support is this? :thumbd:
    I don't have much time to waste, and it seems I am wasting it.
    I am not convinced about the product, sorry.
     
  15. fosius

    fosius Registered Member

    Joined:
    Oct 14, 2004
    Posts:
    479
    Location:
    Partizanske, Slovakia
    Marcos is right. Spacekris, yes AMON scans files on execute, too. But on execute AMON doesn't use Advanced Heuristics, doesn't scan RUNTIME ARCHIVES, SELF-EXTRACTING ARCHIVES. That's the key. If you had left "Move to quarantine" upon creation you wouldn't have had any chance to get infected. Your AMON detected it upon creation to disk, but didn't move it to quarantine. Then when you tried to execute that file, AMON scanned it (but without AH, runtime packers, self-extracting archives options) and that's the reason why it slipped through AMON!
     
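    A constructed model of the per-operation behaviour fosius describes above (an added example, not ESET's code): AH, runtime packers and self-extracting archives are applied on create but not on execute, the extension list limits what gets scanned at all, and "Move to quarantine" on create is what actually breaks the infection chain. The events, the spacekris settings and the DLL file name are constructed from the thread; the hardened configuration is an assumption about the settings the thread recommends.

```python
from dataclasses import dataclass

# Constructed model of the NOD32 v2 AMON behaviour described in this thread (not
# ESET code): Advanced Heuristics (AH), runtime packers and self-extracting
# archives are applied on create, but not on open/execute.
OP_USES_AH = {"create": True, "execute": False}

@dataclass
class AmonConfig:
    extensions: frozenset       # e.g. {"EXE"}; empty means scan all files
    on_create: bool
    on_execute: bool
    quarantine_on_create: bool  # "Move to quarantine" for files caught on create

@dataclass
class FileEvent:
    op: str          # "create" or "execute"
    name: str
    needs_ah: bool   # True: only AH (no plain signature) detects this file

def run_scenario(cfg, events):
    quarantined, log = set(), []
    for ev in events:
        ext = ev.name.rsplit(".", 1)[-1].upper()
        enabled = cfg.on_create if ev.op == "create" else cfg.on_execute
        if ev.name in quarantined:
            outcome = "already quarantined"            # chain broken earlier
        elif not enabled or (cfg.extensions and ext not in cfg.extensions):
            outcome = "not scanned"
        elif ev.needs_ah and not OP_USES_AH[ev.op]:
            outcome = "missed"                         # scanned, but without AH
        elif ev.op == "create" and cfg.quarantine_on_create:
            quarantined.add(ev.name)
            outcome = "quarantined"
        else:
            outcome = "alert only"                     # detected, execution continues
        log.append((ev.name, ev.op, outcome))
    return log

# Constructed replay of the thread's test: datei.exe was saved while "detect on
# create" was unticked, so it first appears here as an execute event.
EVENTS = [
    FileEvent("execute", "datei.exe", True),
    FileEvent("create", "89axmoduleap.exe", True),   # dropped EXE named in the thread
    FileEvent("create", "dropped.dll", True),        # placeholder name for the dropped DLL
    FileEvent("execute", "89axmoduleap.exe", True),
]
WEAK = AmonConfig(frozenset({"EXE"}), True, True, False)   # spacekris's settings
HARDENED = AmonConfig(frozenset(), True, True, True)       # all files, quarantine on create
```

    Replaying EVENTS through WEAK gives missed / alert only / not scanned / missed, while HARDENED still misses the execute of the already-present datei.exe but quarantines both dropped files before they can run.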
  16. WSFuser

    WSFuser Registered Member

    Joined:
    Oct 7, 2004
    Posts:
    10,632
    Is there anything we can do about that? Or will NOD32 v3 do anything to improve on that?
     
  17. fosius

    fosius Registered Member

    Joined:
    Oct 14, 2004
    Posts:
    479
    Location:
    Partizanske, Slovakia
    Advanced Heuristics is very sophisticated and more time-consuming code emulation. If AMON used AH on execution, your computer would probably be a lot slower. The same goes for runtime packers and self-extracting files. I am not an expert, but maybe the guys from ESET will make a surprise in the new 3.0 version.
     
    Last edited: Mar 8, 2006
  18. spacekris

    spacekris Registered Member

    Joined:
    Mar 6, 2006
    Posts:
    8
    @fosius: thank you for the explanation. You brightened it up.
     
  19. WSFuser

    WSFuser Registered Member

    Joined:
    Oct 7, 2004
    Posts:
    10,632
    Same here, I guess we wouldn't want NOD32 to slow down our comps too much.
     
  20. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,374
    Yep, in certain cases operating with files might take even 10 sec. and more with AH enabled for all operations. Also bear in mind that NOD32 uses a startup file check feature which automatically scans all files run at startup with all settings maxed out.
     