Amon - scan on 'open'/'execute' ?

Discussion in 'NOD32 version 2 Forum' started by impossibletopost, Nov 21, 2003.

Thread Status:
Not open for further replies.
  1. Greetings comrades.

    I have a question about Amon settings - I spent countless hours searching on the web for an answer, but to no avail.

    It's about the 'scan on' setting in the 'detection' tab - it has 3 options - 'open', 'execute' and "create", all ticked by default. The instructions also recommend leaving all 3 ticked.

    But what's the real difference between 'open' and 'execute'? Leaving "open" ticked has the alert window pop up even when I simply right-click on the infected file or analyze it with TrojanHunter - and TrojanHunter is then unable to open it as it is "locked" by nod32.

    But unticking 'open' whilst leaving 'execute' ticked still alerts me when I try to run an infected executable (but not when I just right-click it or open it with another prog such as TrojanHunter, Notepad, ...). Thus the 'open' option seems rather useless, as there is no harm in right-clicking an infected .exe in text mode, or even opening it in text-mode or scanning it with a trojan detector...

    So the question is, IS THERE ANY REAL USE FOR THE 'OPEN' OPTION ? o_O o_O o_O
    Isn't the 'execute' option enough, and will this option also alert me when I try to execute an infected script (unfortunately, there are no test-scripts, .vbs or .js, available on the net) ?

    Any help of substance will be greatly appreciated
     
  2. jan

    jan Former Eset Moderator

    Joined:
    Oct 25, 2002
    Posts:
    804
    Hey impossibletopost,


    'execute' works just on the executable files under Windows.

    'open' works on opening the files and works also on execution.

    The classic user may not need the 'execute' function as 'open' covers it. Anyway, if e.g. a virus expert wants to move the infected files to another directory and doesn't want to execute them - it can be useful.

    Cheers, :)

    jan
     
  3. My intention is to leave out the 'open' option and only keep the 'execute' one.

    But will 'EXECUTE' (not 'open') also work on scripts ?

    When is opening a file considered an 'execution' by Windows? Is it only for .exe & .com files, or are scripts also considered "executable"? Because only files that can be run (exes, scripts) are potentially dangerous, hence the fact that the 'open' option could be useless. Or is it?

    The problem is, there is NO test script (.vbs or .js) on the Net with which to test...
     
  4. In other words,

    will my system be just as safe if I disable the 'open' option and only leave the 'execute' box ticked?
     
  5. DiGi

    DiGi Registered Member

    Joined:
    Jul 24, 2003
    Posts:
    114
    Location:
    in the middle of nowhere
    But there is a further checkbox, "create" - so, if you are browsing, your browser must save the js/vbs to disk and then exec it... AMON should catch that js/vbs on creating the file...

    Works the same with email worms or unpacking - files with valid extensions are scanned when they are created... (saved to temp or extracted)
     

  6. Yes perhaps, but then again a file can be created by other means, whilst not in Windows: through Linux (which can write on FAT32 partitions), DOS, etc...

    So leaving the 'create' option aside, my questions were:

    1) Does the EXECUTE option trigger a warning upon an infected script file?

    ->
    2) Can the 'execute' option completely replace the 'open' option, and so will my system be just as safe without the 'open' setting, as long as 'execute' is enabled?


    I fear these questions will call on the knowledge & wisdom of a Jedi Master Nod32 Expert... :'(
     
  7. jan

    jan Former Eset Moderator

    Joined:
    Oct 25, 2002
    Posts:
    804
    Hi impossibletopost,

    is there any reason you can't have all three checkboxes - create, open, execute checked?

    Thanks,

    jan
     
  8. Isn't it obvious? If I leave the 'open' option:

    When I do as much as right-click on a file (an infected test-file for example) AMON analyses it and pops up its alert window.

    And if I extract this file from an archive and, say, place it on my desktop, then I get THREE successive alert windows:
    1) AMON cannot clean this infiltration. Event occurred at an attempt to access the file.
    2) AMON cannot clean this infiltration. Event occurred on a newly created file.
    3) AMON cannot clean this infiltration. Event occurred at an attempt to access the file. (same as 1))

    ...You see, 3 alerts simply for placing the file on a desktop, without even right-clicking on it!

    Much ado about nothing I say, plus a waste of CPU resources (scanning every time I just right-click on a file, or every time another app tries to open it - Hexeditor, Notepad, even TrojanHunter) and VERY annoying :mad:

    Furthermore, leaving this 'open' option on makes it impossible to open the file without even running it. Whenever I try to analyze it with a disassembler or simply open it in text mode or scan it with TrojanHunter (MUCH better suited for Trojans, and can also detect unknown trojans, which no Antivirus tool can) then Nod32 prevents the app from opening the file, even though I'm not trying to RUN it.

    So you see, the 'open' option seems pretty much useless, but I need confirmation.

    Anyone could answer my 2 simple questions (cf. MY PREVIOUS POST)?
     
  9. Action replay:

    1) Does the EXECUTE option trigger a warning upon an infected script file?

    ->
    2) Can the 'execute' option completely replace the 'open' option, and so
    will my system be just as safe without the 'open' setting, as long as 'execute' is enabled?

    C'mon folks, are these 2 simple questions so difficult to answer that they're even beyond the scope of those who developed the software? :mad:
     
  10. jan

    jan Former Eset Moderator

    Joined:
    Oct 25, 2002
    Posts:
    804
    Hey impossibletopost,


    OK, the thing is:

    >1) Does the EXECUTE option trigger a warning upon an infected script file?

    An infected script is usually executed via a non-infected script interpreter - that's why the 'execute' option does not trigger a warning upon execution of an infected script file (if you have 'open' checked, a warning is displayed) - so we recommend having all three options (open, create, execute) checked to stay safe.

    ->
    >2) Can the 'execute' option completely replace the 'open' option, and so will my system be just as safe without the 'open' setting, as long as 'execute' is enabled?

    See 1.

    All the best, :)

    jan
     
  11. OK, thanks for the info, comrade. :cool:


    So apparently, with the 'open' option there's nothing that can be done about the alert window popping up every time I simply right-click on a suspicious file, or try to open it with a harmless app such as Notepad, or every time TrojanHunter tries to analyze the same file (and is blocked by nod32), or whenever I simply open a folder containing the file or just select this same file without clicking/right-clicking on it...

    One last question but of the utmost importance: are there any .vbs or .js TEST-SCRIPTS out there to test my AV o_O I haven't been able to find any on the web despite countless hours of searching/googling...
     
  12. jan

    jan Former Eset Moderator

    Joined:
    Oct 25, 2002
    Posts:
    804
    Hi,

    >One last question but of the utmost importance: are there any .vbs or .js TEST-SCRIPTS

    we recommend you to contact EICAR (European Institute for Computer Antivirus Research) at:

    http://www.eicar.org/

    Best wishes, :cool:

    jan
     
  13. NEGATIVE: this site only has test executables
    Since these can be easily found on the Web (in fact, the entire Net abounds with various executable test viruses/worms), this site is useless.

    Perhaps you know of a site or link that could provide test scripts?
     
  14. A site with antivirus test-scripts (Eicar doesn't provide that)? Anyone have a useful link?

    Please, anyone? :D
     
  15. spm

    spm Registered Member

    Joined:
    Dec 9, 2002
    Posts:
    437
    Location:
    U.K.
    Actually, it seems to me you were advised by Jan to contact EICAR, not just to look at their site. That said, their virus test is essential, rather than useless. It is the official way to test the proper installation of anti-virus programs (but says nothing about their effectiveness against ITW viruses).

    All other so-called 'test' viruses on the net are either live viruses or invalid tests, and in both cases shouldn't be touched.

    I am not aware of any official test script virus - maybe someone else will point you in the right direction (if there is one), but don't expect anyone to refer you to a live script virus (if they do, the moderators will surely step in to cancel their posts promptly).
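
    Added example (not from any poster in this thread, nor from ESET or EICAR): the standard way to test an on-access scanner's 'create' and 'open' hooks separately is the EICAR test file, which this small Python script builds from the published specification (68-byte string, optionally followed only by whitespace, 128 bytes at most), validates, and then writes and reads back. Writing the file is what a 'create'-only configuration sees; opening it read-only, as Notepad or TrojanHunter would, is what the 'open' hook sees; nothing here executes the file, so a scanner set to 'execute' only will stay silent, which is exactly the gap discussed above. The output path, the dictionary keys in the report, and the fragment-assembly of the test string are this example's own choices, not anything from the thread.

```python
"""Build, validate and exercise the EICAR anti-virus test file.

Constructed example for this thread; not code from ESET, EICAR or any
poster. Assumes only the published EICAR file specification.
"""
import os
import tempfile

# The 68-byte test string is assembled from fragments so that this source
# file does not itself contain it contiguously (scanners match the whole
# string; the fragments are harmless on their own).
_EICAR_PARTS = (
    "X5O!P%@AP[4\\PZX54(P^)7CC)7}",
    "$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!",
    "$H+H*",
)

# Per eicar.org: after the 68 characters only whitespace may follow
# (space, tab, LF, CR, Ctrl-Z) and the whole file must not exceed 128 bytes.
_ALLOWED_TAIL = set(b" \t\r\n\x1a")
_MAX_LEN = 128


def eicar_bytes() -> bytes:
    """Return the canonical 68-byte EICAR test string."""
    return "".join(_EICAR_PARTS).encode("ascii")


def is_valid_eicar(data: bytes) -> bool:
    """True if `data` is a file a compliant scanner is required to detect."""
    head = eicar_bytes()
    if len(data) > _MAX_LEN or not data.startswith(head):
        return False
    return all(b in _ALLOWED_TAIL for b in data[len(head):])


def exercise_on_access(path: str) -> dict:
    """Create the test file, then open it read-only, and report each step.

    With an on-access scanner running, the write triggers its 'create'
    hook and the read triggers its 'open' hook; the file is never run, so
    an 'execute'-only configuration observes nothing. Report keys are
    this example's own (hypothetical) names.
    """
    report = {}
    payload = eicar_bytes()
    try:
        with open(path, "wb") as fh:          # 'create' event
            fh.write(payload)
        report["created"] = True
    except OSError as exc:                    # scanner blocked the write
        report["created"] = False
        report["create_error"] = str(exc)
        return report
    try:
        with open(path, "rb") as fh:          # 'open' event, read only
            report["read_back_intact"] = fh.read() == payload
    except OSError as exc:                    # scanner locked/removed it
        report["read_back_intact"] = False
        report["open_error"] = str(exc)
    report["still_on_disk"] = os.path.exists(path)
    return report


if __name__ == "__main__":
    target = os.path.join(tempfile.gettempdir(), "eicar_test.com")
    print(exercise_on_access(target))
    try:                                      # tidy up if the scanner didn't
        os.remove(target)
    except OSError:
        pass
```

    On a machine with no on-access scanner the report shows the file created, read back intact and still on disk; with a scanner configured as jan recommends, expect the write or the read-back to fail, or the file to be gone afterwards. Check any file you build yourself with is_valid_eicar() before trusting a silent result: a stray character after the string, or a file over 128 bytes, is not a detection failure, it is an invalid test.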
     