AMON restrictions and missing feature?

Discussion in 'NOD32 version 2 Forum' started by Gott, Aug 25, 2003.

Thread Status:
Not open for further replies.
  1. Gott

    Gott Registered Member

    Joined:
    Feb 15, 2003
    Posts:
    15
    I tested NOD32 v2.0 a while ago while it was still in beta but then decided to go for another antivirus solution.

    Now I had the time to give NOD32 v2.0 Final another chance :)

    I'm really happy to see that most reported beta bugs were fixed and that NOD32 v2.0 seems to be a very good and reliable scanner.

    But since my first tests of the final version weren't overall satisfying I have a few questions:


    From the product description:


    On my machine AMON was absolutely unable to identify any kind of virus in any kind of archive!
    E.g. AMON does not find eicar in this Testfile:

    http://www.eicar.org/download/eicar_com.zip

    neither on create nor on access. It only identifies it after extraction.
    The on-demand scanning engine has no problems finding the virus in the archive, though.

    Obviously AMON does not use all features of the scanning engine (or I'm doing something very wrong). Could you please tell me which features are missing in AMON?

    I could live with the missing archive support, but NOT with missing support for exe-compression, like Pklite, Lzexe, Diet, Exepack, CPAV, UPX, AsPack in AMON.
    It doesn't matter if I select "scan all file extensions", by the way ... already checked that, since the archive extensions aren't scanned by default by AMON! AMON still doesn't seem to scan the content of archives.


    Even weirder: IMON seems to be only able to scan archives when receiving e-mails, but for some weird reason not in e-mails I send!?!
    Is this a bug or is there a reason for this not very logical behaviour?


    To make a long story short:

    Are these missing features due to design or due to wrong configuration on my side?
    Which of the features listed for the NOD32 scanning engine in the product description are actually present in and used by AMON?
    Any reason for these missing features?
    Most important: Is AMON able to scan files with exe compression or encryption, especially if those files aren't very common in the compressed form?


    Thank you very much in advance :)
     
  2. igi

    igi Registered Member

    Joined:
    Dec 31, 2002
    Posts:
    1
    AMON isn't able to scan archived files, and it's the right choice.

    Some antiviruses are able to detect viruses in archived files with the on-access scanner, but try it. The whole system will be very slow, because every archive (for example a 1 GB ZIP with hundreds of EXE files) must be unpacked and tested every time you copy such large files or enter a directory (and Windows reads icons from files, etc.). That's the main reason why this feature is disabled :D
     
  3. anders

    anders Eset Staff Account

    Joined:
    Oct 25, 2002
    Posts:
    410
    That's by design.

    The resident scanner doesn't scan archives. It would of course produce a bigger performance impact when dealing with archives, and personally I wouldn't have that feature enabled, or recommend anyone to have it enabled if it existed.

    It doesn't scan outbound mail at all, which is quite logical. If you have the antivirus system installed and enabled, no known virus could send any mail, since the virus would be detected by the resident scanner while being executed. Scanning of outbound mail isn't necessary.

    There is support for some compression tools; however, there is of course no product that can deal with all compression/encryption tools.

    If Eset receives undetected samples, or samples that are only detected via heuristics, that are compressed/encrypted, then of course signatures will be added in order to detect it.

    IMON however has the "advanced heuristics" enabled as default. That will do more emulation/inspection of files than normal, and will often successfully decompress/decrypt files that are "protected" by some obscure tool.

    Best regards,
    Anders
     
  4. Gott

    Gott Registered Member

    Joined:
    Feb 15, 2003
    Posts:
    15
    Thank you very much for your answers, they helped me a lot.
    I don't mind the missing archive scanning in AMON that much. I would have liked this as an option (as most other products offer for their resident scanners) but I can live without it.

    I would still love some more detailed information about AMON's ability to scan exe-compressed files.
    Before I "returned" to NOD32 (as I told you, I tried it some time ago while 2.0 was still in beta) I evaluated Panda AV Platinum 7.04 (and 7.05). And I admit I was very satisfied with it.
    My decision to evaluate other scanners before making a purchase decision had one simple reason: Panda was unable to find an old and well-known Trojan simply because it was freshly packed using "ASPack" and the ASPacked version of it was very uncommon. Panda's on-demand and on-access scanners were only able to unpack UPX-compressed files.

    My reason to download the Trial of NOD32 v2.0 was the impressive list of supported exe-packers:

    And I know that IMON as well as the ondemand scanner do support examining the content of those files (which is very good).

    I also know that AMON, while still in beta, did too. I know because running a UPX-compressed program in the background while AMON was active caused a massive performance impact and made my whole system freeze every few seconds. I even reported this bug in the beta forum, it was confirmed and, as I can see in the current final, it was obviously fixed.

    My only concern now is the way it was fixed:

    Was it fixed because the ability to scan the content of exe-compressed files was simply removed from AMON?
    Will a virus, trojan etc. be detected by AMON if it was compressed by any of the supported formats although this compression is not common for this trojan?

    I know for example that SubSeven aka Backdoor-G usually is packed and encrypted by ASPack. AMON will find it, it more or less has to because the ASPacked version is very common "in the wild". Will it still be recognized if packed with another of the supported formats?
     
  5. jan

    jan Former Eset Moderator

    Joined:
    Oct 25, 2002
    Posts:
    804
    Hi Gott,

    >Will a virus, trojan etc. be detected by AMON if it was compressed by any of the supported formats although this compression is not common for this trojan?
    I know for example that SubSeven aka Backdoor-G usually is packed and encrypted by ASPack. AMON will find it, it more or less has to because the ASPacked version is very common "in the wild". Will it still be recognized if packed with another of the supported formats?

    Yes, it will.

    All the best,

    jan
     
  6. Gott

    Gott Registered Member

    Joined:
    Feb 15, 2003
    Posts:
    15


    I really wanted to believe you, but I still did a test on my own.
    And the result sadly was as I expected and it proves you wrong, sorry!


    I'll explain my test step by step:

    - I downloaded a very very old trojan: "BackOrifice 1_20"
    - Every Virus Scanner knows it and as soon as I unzip the Archive AMON finds all components and warns me ... as expected.
    - I deleted the extracted files and deactivated AMON
    - I extracted the ZIP-File again and compressed all .exe files using UPX a very common freeware, open source exe-compression tool available here:
    http://upx.sourceforge.net
    - I reactivated AMON and sadly it will NOT find the packed trojan! I can rename and even EXECUTE all components without any problems. That means that I could easily infect every computer protected by AMON with a FIVE year old trojan by simply using exe-compression ... in my eyes this is a serious security risk.
    - Even worse: The trojan is not found using the default settings of the on demand scanner but it will be recognized if I activate exe-compression scan. Why is this very important feature disabled by default? And why isn't it available for AMON at all?


    I'm sorry to say that, but this makes NOD32 not suitable for my needs. Panda AV sadly only supports UPX compression, but it at least supports it throughout all components including the resident scanner.

    If there is any possibility to activate exe-compression support for AMON, please let me know ... if not, I'll have to search for another solution for my little network. :(
     
  7. testg

    testg Guest

    Indeed, if what Gott says can be verified then it is a serious problem with AMON, since hell, I don't want to get infected by a trojan that has just been repacked.
     
  8. new guest

    new guest Guest

    Much harm, if then is NOD tunes unfortunately no more alternative for me. :'(
     
  9. testg

    testg Guest

    Hmm, I see that Babel Fish has again hired Yoda to perform translation.
     
  10. webwude

    webwude Guest

    @jan: Is there any possibility that this, in my point of view, huge gap will be closed in future updates? I think this is a major disadvantage, and I think a lot of users will appreciate it if this option (scan in archives with AMON) becomes available, even if the performance will decrease a little bit.

    Please respond ;)

    ww
     
  11. Gott

    Gott Registered Member

    Joined:
    Feb 15, 2003
    Posts:
    15
    @jan and ESET

    Just wanted to let you know that I ended my short evaluation of NOD32 v2.0 and decided that it doesn't fit my needs.
    I'll now have to make a decision between Panda AV 7.05 (which runs very fast and stable for me but sadly only supports UPX compression) and Bitdefender 7.1 (which is cheaper and finds virii in most exe-compressed files on-access and on-demand. But due to this it is slightly slower and I noticed some weird stability problems).


    I always appreciated ESET's effort to offer a fast, reliable and affordable anti-virus solution and especially your great support even for beta-testers and users of the trial version.

    But right now I'm a little bit disappointed and I think it's just fair to let you know why:

    It's not only this security gap that AMON shares with a lot of other well known onaccess scanners.
    It mainly is because I feel cheated!
    I tried to ask as clearly as possible if AMON is able to scan exe-compressed files or not and you answered with

    Yes, it will.

    and not "Depends on ..." or "Yes, but ..." or "Only if this form is common". I looked at my question and maybe it's not as clear as it could have been since English is not my native language. I still lost some trust in you.

    Another problem is that I think (I'm not sure though) that AMON actually was able to scan those file while still in beta.
    I even reported my performance problems (frequent freezes when running compressed applications) in this forum and I think those were due to the feature that is now missing.
    This means that ESET is aware of the security risk but dropped this feature anyway. Maybe because you weren't able to fix the performance problems?
    But looking at Panda, Bitdefender, GDATA AVK or Kaspersky AV it actually IS possible to offer this (optional!) feature for the resident scanner and still have decent performance (at least with Panda and Bitdefender). And if you need more performance the user can deactivate it to gain some speed.

    The last thing is your product description. I already quoted it:

    For me this looked like AMON offers all the feature the ondemand scanner offers. Clearly it doesn't!
    There is no option to activate Archive scan (I can live without that) and no option to scan compressed or protected executable files. And AMON doesn't offer any of this by default either!


    I still think that NOD32 is a really good scanner and (if you don't stick to the weird default settings: exe-compression scan simply has to be activated by default!) the on-demand scanner offers a very high level of security. I would even continue using it but I simply cannot afford to purchase more than one antivirus solution - one for on-access scanning and one for on-demand scanning. :(
     
  12. jan

    jan Former Eset Moderator

    Joined:
    Oct 25, 2002
    Posts:
    804
    Hi,

    Sorry, it seems like you created a new malware ;)

    When such new malware occurs we work on its detection and it will be detected. That refers to my answer:

    Yes, it will. (above)

    The reason for AMON not detecting the archives is that we don't see any really important reason for that. We want to offer the default settings as an effective coincidence between detection, performance of the system and the scanners, and other factors. The new packed malware is detected (as I wrote above). If anybody wants to scan archives, it can be done with the on-demand scanner.

    As I wrote:

    When such new malware occurs we work on its detection and it will be detected.

    Rgds.,

    jan
     
  13. testg

    testg Guest

    But if new malware was created by just repacking an old trojan with UPX, then what prevents others from creating new malware by packing non-UPX-packed trojans with UPX? :eek: Hence if the UPX scanner is not included in real time then basically many new variants can pop up by just repacking.
     
  14. Gott

    Gott Registered Member

    Joined:
    Feb 15, 2003
    Posts:
    15

    For me there still is a big difference between "scanning archives" and scanning exe-compressed files. A virus wrapped in a zip file is 100% harmless and useless. An exe-compressed virus is 100% functional. You can copy it, distribute it (on purpose or by accident) and you can EXECUTE it!

    It took me less than 3 minutes to "create a new malware" that is invisible to AMON. And that time includes a Google search for an old trojan.
    Everybody is able to do so by installing UPX (a lot of people already have that installed) and simply running "upx *.exe" on the Trojan. Or "upx -1 *.exe" for another "new malware" or "upx -9 *.exe" for another "new malware" etc.
    It is absolutely impossible to control exe-compressed virii with signature file updates. You need new signatures for every form of compression.

    I have no programming skills, I have never even seen a "virus construction kit" or any other kind of evil "script kiddie" tool.
    I used a popular and broadly available compression tool to create a "new malware" based on a five year old trojan that now is 100% invisible to AMON.


    Most other companies that offer anti-virus solutions are aware of this security problem and offer a more or less efficient compressed-exe scan for their resident scanners.
    Kaspersky AV, GDATA AVK and Bitdefender offer support for a very broad range of compression tools in their resident scanners, but even Norton AV (in my eyes not one of the best scanners) offers support for old Neolite and LZEXE compression.
    AMON is one of the few resident scanners that doesn't offer this feature at all!

    And I still think that ESET is also aware of this problem and tried to implement it in AMON in the v2.0 betas.
    For me it looks like you simply weren't able to fix the issues in this feature (the betas that I believe DID offer this feature had problems with short system freezes).
    Performance is a good reason to make this feature optional but not to remove it and make it completely unavailable for the resident scanner!


    I simply don't like the idea that everybody that knows about exe-compression and about google is able to create "new malware" that is totally invisible to AMON in less than a minute [unzip trojan -> "open command window here" -> "upx *.exe"].

    With that in mind and the fact that I actually gave NOD32 a chance because Panda's resident scanner failed to find an ASPack-compressed virus and your product description made me believe that AMON is able to detect this kind of malware, I strongly recommend thinking about offering this as an optional feature in future versions of NOD32!

    And I hope that you will change your product description to be more specific about what the ondemand scanner is able to do and what AMON is able to do.

    When you list a lot of features for the on-demand scanning engine and then say that AMON uses this "advanced engine", most people will believe that AMON offers all the features listed for exactly this engine!
    Now it's clear that it doesn't although the description (and your "Yes, it will") made me believe otherwise :(
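Gott's test above shows the resident scanner losing a known trojan once it is repacked with UPX; the defensive counterpart, added here as an example and not code from this thread or from ESET, is a packer-indicator check an admin could run over executables arriving on a share to flag the ones that deserve an on-demand scan with exe-compression scanning enabled. It parses the PE section table and reports UPX section names, the 'UPX!' marker string and high-entropy sections. The two sample images are constructed inline with a minimal header and are not real programs, and the 7.0-bit entropy threshold is an assumed cut-off.

```python
import math
import struct


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte (0.0 to 8.0); packed or encrypted sections sit near 8.0."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def pe_sections(image: bytes):
    """Yield (name, raw_bytes) for every section of a PE image; ValueError if it is not a PE."""
    if len(image) < 0x40 or image[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    pe_off = struct.unpack_from("<I", image, 0x3C)[0]
    if image[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    num_sections = struct.unpack_from("<H", image, pe_off + 6)[0]
    opt_size = struct.unpack_from("<H", image, pe_off + 20)[0]
    table = pe_off + 24 + opt_size  # section table follows the optional header
    for i in range(num_sections):
        hdr = image[table + 40 * i:table + 40 * (i + 1)]
        if len(hdr) < 40:
            raise ValueError("truncated section table")
        name = hdr[:8].rstrip(b"\0").decode("ascii", "replace")
        raw_size, raw_ptr = struct.unpack_from("<II", hdr, 16)  # SizeOfRawData, PointerToRawData
        yield name, image[raw_ptr:raw_ptr + raw_size]


def packer_indicators(image: bytes) -> list[str]:
    """Return human-readable reasons why this executable looks packed (empty list = none found)."""
    reasons = []
    for name, body in pe_sections(image):
        if name.startswith("UPX"):
            reasons.append(f"section name {name!r}")
        if len(body) >= 256 and shannon_entropy(body) > 7.0:  # assumed threshold
            reasons.append(f"high-entropy section {name!r}")
    if b"UPX!" in image:
        reasons.append("'UPX!' marker string")
    return reasons


def build_sample_pe(sections: list[tuple[str, bytes]]) -> bytes:
    """Constructed minimal PE-like image for offline testing (not a real program): MZ stub,
    PE signature, COFF header with no optional header, then the section table and raw data."""
    pe_off = 0x40
    data_start = pe_off + 24 + 40 * len(sections)
    image = bytearray(b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", pe_off))
    image += b"PE\0\0"
    # Machine=i386, NumberOfSections, TimeDateStamp, PointerToSymbolTable, NumberOfSymbols,
    # SizeOfOptionalHeader=0, Characteristics=EXECUTABLE_IMAGE|32BIT_MACHINE
    image += struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 0, 0x0102)
    raw_ptr = data_start
    for name, body in sections:
        image += name.encode("ascii").ljust(8, b"\0")
        # VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData
        image += struct.pack("<IIII", len(body), 0x1000, len(body), raw_ptr)
        image += b"\0" * 16  # relocation/line-number pointers and counts, Characteristics
        raw_ptr += len(body)
    for _, body in sections:
        image += body
    return bytes(image)


# Constructed samples: a UPX-style layout with an opaque high-entropy body, and a plain build.
PACKED_SAMPLE = build_sample_pe([("UPX0", b""), ("UPX1", b"UPX!" + bytes(range(256)) * 4)])
PLAIN_SAMPLE = build_sample_pe([(".text", b"\x90" * 1024), (".data", b"\0" * 512)])

if __name__ == "__main__":
    for label, sample in (("packed", PACKED_SAMPLE), ("plain", PLAIN_SAMPLE)):
        hits = packer_indicators(sample)
        verdict = "scan on demand with exe-compression enabled" if hits else "no packer indicator"
        print(f"{label}: {verdict} {hits}")
```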
     
  15. jan

    jan Former Eset Moderator

    Joined:
    Oct 25, 2002
    Posts:
    804
    Hi testg,

    >But if new malware was created by just repacking an old trojan with UPX then what prevents others from creating new malware by packing non-UPX-packed trojans with UPX? Hence if the UPX scanner is not included in real time then basically many new variants can pop up by just repacking.

    This will be detected too, and in addition the advanced heuristics works with the generic unpacker - more info here.

    All the best, :)

    jan
     
  16. Gott

    Gott Registered Member

    Joined:
    Feb 15, 2003
    Posts:
    15
    So please tell me why my "variants" of a five year old, extremely well-known trojan weren't detected by AMON at all (or by the on-demand scanner using default settings).
    I simply packed them using plain UPX, so what kind of genius trick did I use (obviously by accident) to make them invisible to NOD32?
     
  17. dRag0nMa

    dRag0nMa Registered Member

    Joined:
    Aug 28, 2003
    Posts:
    79
    Location:
    SH China
    It seems that NOD32 is good with viruses, not trojans :)
    I have tested a lot of AV, such as AVP 3.5 Swiss Edition, SAV Corp 8.x, Sophos, CA eTrust, NOD32 and so on, and only AVP 3.5 can find trojans compressed by UPX or ASPack, but its real-time protection makes the system so slow, especially when opening a folder with a lot of .exe files. I think, in order to prevent trojans, we need third-party software, not AV.
    Now I use the NOD32 trial and Sygate Personal Firewall free version for my desktop.
    Sorry for my ugly English skills :)
     
  18. Mele20

    Mele20 Former Poster

    Joined:
    Apr 29, 2002
    Posts:
    2,495
    Location:
    Hilo, Hawaii
    I'm sorry but I simply don't understand your concern. Why do you want Amon to detect this? No one in their right mind (IMO) would execute a file without first using command line scanning using advanced heuristics which will detect it. Further, no one in their right mind (IMO) uses default settings on any av! I have both Amon and Nod32 set to scan all files. I don't exclude anything and never have with any av I have used. I ALWAYS scan any file downloaded which I intend to execute with not the resident scanner, but the on demand scanner.

    So what is your problem? Am I missing something here? I'm not concerned that NOD32 won't protect me. I think advanced heuristics is great and Paolo's shell extension makes it very easy to use. So, could you please explain your concern better or point out to me what I am missing? Thanks.
     
  19. Gott

    Gott Registered Member

    Joined:
    Feb 15, 2003
    Posts:
    15
    @Mele20

    First of all I was just pointing out that I don't understand why these default settings were chosen by ESET. I did not say that I only use default settings but I simply think that ESET should change the default settings in future versions since exe-compression is a serious and present security risk.


    I also said that I'm searching for an antivirus solution to protect a small network. I'm currently evaluating different scanners on my home PC.

    If you have to install a product on more than one computer you will soon realise how important it is to have the default settings as close as possible to the settings you think are necessary.


    How great for you, but I have to disappoint you: A lot of people don't!

    If you want to protect a network you need resident scanners that are as secure as the on demand scanner because you cannot trust every single user on the network to scan every single file with the ondemand scanner! I need an onaccess scanner that I can set to the necessary security level and lock it down against deactivation.

    What do you need an ondemand scanner for anyways, if you scan every potentially dangerous file?

    This missing feature in AMON is not only a convenience but also a productivity issue!

    With a resident scanner that offers the same level of protection as the on-demand scanner there simply is no need to scan every potentially dangerous file separately. This saves a lot of time, and not only in a business environment time is money!

    And there are plenty of solutions out there that DO offer the same level of protection for both scanners: Kaspersky AV, Panda AV, GDATA AVK are only some of them and even Norton and McAfee offer their (extremely weak) archive and exe-compression support throughout all components!


    The NOD32 product description made me believe that AMON does too. Obviously it does not!
    And as I said before: This makes NOD32 not suitable for my needs and not suitable for most network environments.


    I still didn't make my decision (and I have some time left to finally decide which product to buy) but I'm a little bit disappointed that "jan" for example did not answer most of my questions.


    If exe-compression support for AMON is planned in future NOD32 releases I could wait a little bit longer with my decision since I still think of NOD32 as a fast, reliable and affordable scanner.


    But instead of getting useful answers I only get extremely short replies that assure me that AMON is as secure as it needs to be ... even though I have proven that this is not correct.
    That's pretty disappointing :-(


    P.S.:

    I'm sorry, but this is absolutely stupid. So you're willing to sacrifice a bigger amount of performance because you think it is "safer" to make AMON scan all file extensions instead of potentially dangerous files. I don't think there will be any kind of jpeg-, bmp- or txt-virus anytime soon.
    On the other hand you don't care that AMON is not able to find trojans in compressed exe files ... sorry, but I think this time I am missing something!
     
  20. Bdiamond

    Bdiamond Registered Member

    Joined:
    Apr 26, 2002
    Posts:
    74
    Location:
    N Carolina, USA
    Are you proposing to use NOD32 as your primary defense against Trojan attacks?

    NOD32 will probably provide very satisfactory protection against a virus but the concept of using it as a serious defense against Trojans is somewhat surprising. What data are you using to support this approach?

    I would be interested in hearing from other members of the forum about the wisdom of such an approach.

    Regards

    Bdiamond
     
  21. Gott

    Gott Registered Member

    Joined:
    Feb 15, 2003
    Posts:
    15
    @Bdiamond

    In fact trojans are the easiest target for packing and re-packing since they mostly are simple server programs and usually don't reproduce by themselves.
    Using any virus scanner as the only solution against this threat would in fact not be very secure. A firewall to filter inbound and outbound traffic is a very important addition.

    I'm not a fan of additional anti-trojan software since firewall + antivirus scanner + anti-trojan scanner (all as resident background processes) is not only expensive but also resource intensive.

    A good anti-virus scanner should reduce the threat of trojans to a minimum. And NOD32 most likely would, if AMON was able to find trojans in exe-compressed files.


    But trojans aren't the only ones that "benefit" from this security hole; any kind of malicious software that can be repacked or hidden in compressed executable files is a possible threat as long as it won't be detected by the resident scanner. The anti-virus solution should be the most efficient tool against this problem!
     
  22. Mele20

    Mele20 Former Poster

    Joined:
    Apr 29, 2002
    Posts:
    2,495
    Location:
    Hilo, Hawaii
    >If you want to protect a network you need resident scanners that are as secure as the on demand scanner because you cannot trust every single user on the network to scan every single file with the ondemand scanner! I need an onaccess scanner that I can set to the necessary security level and lock it down against deactivation.

    You did say you had a small network. That didn't sink in well. I can see where this could be a problem when using NOD on a network. I have just the one computer so it's a little different. Plus, I now see the time is money aspect where you don't want the users to have to take the time to use the on demand scanner to scan a suspicious file. But I do think that users should be taught and should practice safe computing just as they are taught and should practice safe sex.

    Quote:
    I have both Amon and Nod32 set to scan all files.

    I'm sorry, but this is absolutely stupid. So you're willing to sacrifice a bigger amount of performance because you think it is "safer" to make AMON scan all file-extension instead of potentially dangerous file.

    You know, I see absolutely no difference in performance. Never have with any av except KAV, which I cannot run on my W98 SE box without a huge performance drain. But I don't see a drain with other av. I've used McAfee 4.2, 7.0, NAV 2001, 2002, 2003, Panda Platinum, F-Secure, PC-Cillin 2003 as well as NOD32. I have tried default settings and then scan all files settings ... switched back and forth and I see no drain except, as I said, with KAV, which as everyone knows cannot be run on W98SE unless it is the older version 3.5, and even then it has problems. NOD32 is so fast compared to all the others there would be no way I could notice a slowdown in it because it scans all files. This is not to say that the others don't cause slowdowns, but they cause it because of all the junk they have, not because I changed the default scanning in the resident scanner. NOD, so far, has no junk and that is precisely why I use it. Plus, with NOD I don't have to install IMON, much less use it.

    I don't mind if exe-compression support for Amon is available in future versions as long as I can turn it off.

    What is the point in having an on demand scanner if the resident scanner provides the same level of protection? It seems you want to turn NOD32 into Kaspersky!

    I do agree Jan should be a bit more forthcoming. I would be frustrated also at those brief answers.
     