"Beep, beep!"

Discussion in 'ESET NOD32 Antivirus' started by apacallyps, Dec 6, 2007.

Thread Status:
Not open for further replies.
  1. apacallyps

    apacallyps Registered Member

    Joined:
    Dec 6, 2007
    Posts:
    2
    How's it going. I hope you are doing well.

    First ever post for me.

    My reason is because I'm frustrated with the new .msi installer Eset is using for ESET NOD32 3.0 Antivirus for Win XP/2000/Vista (32-bit). I've used Nod for last few years it's really great. I've had no probs with version 2.7. Then comes along version 3 and I can't download it properly, it won't install, it's phoning home. Rarely ever have I had a problem like this with my other software, except I have it with this new version. I searched the Wilders forum and this person had the exact same problem:

    Windows Installation Failed (need help)
    https://www.wilderssecurity.com/showthread.php?t=191034&highlight=.msi

    In trying to solve the problem this is what I've come up with so far. NOTE: I use Proxomitron and surf the net in a restricted user account. So I want to try out the new version. I visit Eset and download version 3.

    PROBLEM: Started the download and this happens: ÊW=ÛË<t^Ò”ó6ä¤Pk3ÒW"“R¸P*Œ%3AÇIehGœJŒnÑÛSoæy.¸®ÜvšÃ4º¶

    I'm redirected to a garbled page. My download gets corrupt. I switch Proxomitron in bypass mode and the download works. Okay great whatever... I don't understand it, but I've got the (eav_nt32_enu.msi) on my computer.

    Next step. Switch over to Admin account go to install version 3. I get the following message after download:

    WINDOWS INSTALLER- This installation package could not be opened.
    Verify that the package exists and that you can access it, or contact the
    application vendor to verify that this is a valid windows installer package.

    And my firewall alerts me that explorer.exe is making two TCP connections out to IP address 199.7.51.190:80. One attempt is thru port 80 and the other through Proxomitron (different port). Thankfully both attempts were blocked. But they were going to:

    199.7.48.0 - 199.7.63.255
    VeriSign Global Registry Services
    21345 Ridgetop Circle
    Dulles, VA
    US

    I'm thinking why should they know what antivirus program I'm using? What is this all about? Anyone else get this? Anyways, the installation attempt fails. I close everything. I figure maybe it's a corrupt installer.

    Next thing I try is go back to Eset but this time in Administrator account (I hated doing that by the way!!) go to same Eset download page try the download again. I go through the same process with Proxomitron end up switching to bypass mode, the download works. I download a new (eav_nt32_enu.msi) to my computer.

    Start the new .msi to install and my firewall alerts me explorer.exe wants out again, but instead of the Nod installation giving me a warning and failing (i.e., this installation package could not be opened) it's fighting to work this time. After a couple of minutes the EULA agreement pops up and it looks like I can go ahead and install. But, I don't do it. All of this is just too strange and I want to know what this is all about before I go ahead and install this nightmare of an upgrade.

    I should say all my installation attempts were in Admin mode. And something else worth noting is that in my restricted account after downloading the .msi the icon was funny looking like it was not recognized, it had one of those funny icons next to it. But, I flip over to my Admin account and that same .msi icon looks normal (sorry best way I can describe it). I turned on Windows installer service checked all that. Re-registered it. Have latest version 3.1 too. I'm not saying my computer is not part of the problem here, maybe it is, but I keep it running pretty good and generally don't have problems like this. In fact, I can't recall having an installation problem like this before. This problem with Nod version 3 is a first.

    P.S. Lastly, really don't like that firewall alert.

    Thanks for reading, and any comments.

    Best regards,
    apacallyps
     
  2. LowWaterMark

    LowWaterMark Administrator

    Joined:
    Aug 10, 2002
    Posts:
    17,875
    Location:
    New England
    If you read through the forums here, you will see that there are indeed some problems with the new version of NOD32, however, none of the things you described are related to any of those. They are problems on your PC, probably with file associations and content-type handling related to .MSI file type, and also with your Proxomitron settings.

    Whether or not you can download the .MSI file without corruption from your restricted user account is not an issue with NOD32. It's a standard file download operation like any other download available on the Internet. It is, however, an .MSI file type using plain text content-type. It's not surprising that Proxomitron is interfering with the download and that bypassing is needed. It appears your Proxomitron does not know how to handle the MSI file type.

    The first failed download attempt, where the garbage characters start appearing, is because instead of saving the file to disk, your PC was trying to display its content as if it was a webpage or text file - dumping it all on to your screen instead of saving to a file.

    When you got past that with bypass, the file that ended up downloading was corrupt, but, I can't be sure why. My best guess is that it had parts of it in cache and the subsequent download missed or corrupted some bytes.

    Switching to an admin account and downloading from there with Proxomitron bypassed appears to have downloaded a non-corrupt file since you were ultimately able to run it.

    The connections you saw in your firewall were not a "phone home" or even caused by NOD32 itself. The server at 199.7.51.190 is a VeriSign Certificate Authority. The NOD32 installer is a "signed" installer. It was signed with a VeriSign Certificate and Windows by default will attempt to contact the certificate authority in order to determine if the certificate that signed the executable is still valid. 199.7.51.190 is actually "crl.verisign.com" which is a Certificate Revocation List server. Checking certificate status is actually a very good thing and signing install files is something that a lot of companies do now - and those that don't should, because it ensures that the file is as the signing company meant it to be, i.e. unaltered and unhacked.

    The "funny looking icon" from the download on the restricted account is also because that download was corrupted. Most executable files carry a copy of their icon with them, which is why sometimes some installers you get have icons that are similar to the logo of the company that made them or some other interesting graphic. A corrupt download can easily mean the icon part is corrupted, too.

    So, in summary it appears you can't download this type of file, or at least from this type of server via your restricted account, whether bypassing Proxomitron or not. You can download an uncorrupted installer bypassing Proxomitron from an admin account, so that's good.

    And when you finally run the good copy of the installer, the attempted connection is Windows itself attempting to validate the certificate the installer was signed with, also a good thing.
     
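LowWaterMark's and GAN's explanation above, that the connection to crl.verisign.com comes from Windows checking the revocation status of the certificate that signed the installer, can be verified on the downloaded file itself. The PowerShell below is an added example, not from the thread; the path C:\Downloads\eav_nt32_enu.msi is assumed and should be replaced with the file you actually downloaded.

```powershell
# Added example (not from the thread). Path below is assumed; point it at
# the installer you actually downloaded.
$MsiPath = 'C:\Downloads\eav_nt32_enu.msi'

# Step 1: check the Authenticode signature the same way Windows does before
# msiexec runs the package. A corrupted download shows up here as
# HashMismatch or NotSigned instead of Valid.
$sig = Get-AuthenticodeSignature -FilePath $MsiPath
"Signature status : $($sig.Status)"
if ($sig.Status -eq 'NotSigned' -or -not $sig.SignerCertificate) {
    "No signer certificate to inspect; stopping."
    return
}
"Signer           : $($sig.SignerCertificate.Subject)"
"Issuer           : $($sig.SignerCertificate.Issuer)"

# Step 2: list the CRL Distribution Points extension (OID 2.5.29.31).
# This is the URL Windows fetches to see whether the signing certificate
# has been revoked; for a VeriSign-issued certificate it is the
# crl.verisign.com host the firewall alert pointed at.
$crlExt = $sig.SignerCertificate.Extensions |
    Where-Object { $_.Oid.Value -eq '2.5.29.31' }
if ($crlExt) {
    "CRL distribution points:"
    $crlExt.Format($true)
} else {
    "Signing certificate carries no CRL Distribution Points extension."
}

# Step 3: rebuild the chain with online revocation checking so the lookup
# happens explicitly. With the outbound connection blocked at the firewall
# the chain reports RevocationStatusUnknown / OfflineRevocation rather
# than a bad signature, which is the difference between "unverified" and
# "tampered with".
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = 'Online'
$chain.ChainPolicy.RevocationFlag = 'EntireChain'
$built = $chain.Build($sig.SignerCertificate)
"Chain builds with online revocation check: $built"
foreach ($s in $chain.ChainStatus) {
    "  $($s.Status): $($s.StatusInformation)"
}
```

Running this with the firewall rule in place and then with it lifted shows the revocation-related chain status flip, which is the only thing the blocked connection affects.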
  3. GAN

    GAN Registered Member

    Joined:
    Mar 3, 2007
    Posts:
    355
    Maybe you should try to uninstall Proxomitron and download again or download using another computer. I'm pretty sure this is a problem with Proxomitron and cannot really blame it on eset for this one. It could be that the downloaded file is corrupted for some reason. Especially since changing to bypass makes a difference, there is reason to believe that Proxomitron could be the problem. If not Proxomitron I'm pretty sure this is an issue on your computer.

    This is nothing to worry about and is NOT that the application is trying to call home. If you right click the file, select properties and digital certificate you can see that the file is signed with a certificate. This certificate is issued by Verisign. Certificates have something called a CRL to check if the certificate is valid and not revoked. If you use a sniffer (or maybe you could see this in your firewall log as well) you should see that the destination address is "crl.verisign.net" and DNS resolves this to an IP address which is used for the purpose explained above. You should see similar behavior with other signed installation packages as well if the certificate has the CRL attribute. This is actually how the certificates work and nothing to do with calling home or something unique for eset. No personal info or logging is done during this process. If you still worry about this then read about digital certificates and CRL.

    I cannot see any reason to block this and if you have a valid license I cannot see why calling home should be a problem either, but nod32/ess does not call home in case you still worry about this for some reason. If you think eset would call home to collect personal info from your computer I think you are a bit too paranoid:)

    I cannot remember that I read other people have such an issue and to me it sounds like some sort of problem on your computer. Do you have other security applications that you could try to disable just to see if the installation runs OK or not? Also try to completely disable Proxomitron or uninstall.
     
  4. apacallyps

    apacallyps Registered Member

    Joined:
    Dec 6, 2007
    Posts:
    2
    Thanks, Gan and LowWaterMark.

    LowWaterMark, I give you special thanks for an excellent response to my post! Your comments are what actually got me on the right track and solved things for me. Thanks again.

    Basically, I couldn't download Nod 3 from Eset without getting a corrupt copy. You were right LowWaterMark. It was Proxomitron interfering with the download. I had my Proxomitron set in "advanced mode", the highest security setting available in Sidki's configuration set (www.geocities.com/sidki3003/prox-news.html). As a result Proxo was interfering with the MSI file type. BUT, after setting Proxo in "minimal mode" (lowest security setting) the download worked. Problem 1 solved.

    Problem 2. I switch over to my Administrator account to install Nod 3. I get the following message after download:

    WINDOWS INSTALLER - This installation package could not be opened. Verify that the package exists and that you can access it, or contact the application vendor to verify that this is a valid windows installer package.

    Solution: A fresh copy of Nod 3 (non-corrupted) allowed the installation to go forward. Problem 2 solved.

    Problem 3. In my restricted account the Nod 3 .msi installation icon looked funny like it was not recognized by my computer, it had one of those funny icons next to it. But, when I flipped over to my Administrator account that same .msi icon looked normal. It had the proper .msi icon (sorry best way I can describe it). What caused the non-recognition of the .msi file was that, for security reasons, I had previously blocked access to my msiexec.exe file by adding the user "everyone" to the file's permissions and setting it to "deny". Once I removed the user everyone the Nod 3 .msi file was recognized and looked normal again. Problem 3 solved.

    All three problems solved. Thanks again to LowWaterMark and Gan.

    Now here is a list of some of my concerns with the new Nod 3. This actually qualifies as bad news. I'm sorry to say I am very disappointed with version 3. I installed it this morning. Went through all the options. Used it for a while...but, did not feel comfortable with the changes. The interface actually gave me a headache! This just in: I uninstalled it and eagerly UPGRADED back to version 2.7.

    More, if you can stomach it:

    1.) I know I said this before, but the first thing that bothered me was right when I clicked to install Nod 3 my firewall alerted me that MSIEXEC.EXE and EXPLORER.EXE wanted out to IP address 199.7.51.190:80. One attempt was through port 80 and the other through Proxomitron (different port). Thankfully both attempts were blocked. They want to go here:

    199.7.48.0 - 199.7.63.255
    VeriSign Global Registry Services
    21345 Ridgetop Circle
    Dulles, VA
    US

    Okay, so Gan and LowWaterMark said that the server at 199.7.51.190 is a VeriSign Certificate Authority. They say the NOD 3 installer is a "signed" installer. It was signed with a VeriSign Certificate and Windows by default wanted to contact the certificate authority in order to determine if the certificate that signed the executable is still valid. This seems correct, but still why are MSIEXEC.EXE and EXPLORER.EXE going to VeriSign? MSIEXEC.EXE...(Windows Installer) is used to install applications and programs and EXPLORER.EXE is the Windows Program Manager or Windows Explorer. This program is important for the stable and secure running of your computer and most times it's recommended your firewall block its access out. Anyone know the reason why these two files are required by Verisign? And besides, we need our password to download Nod 3 from Eset already as a security precaution. Naw... I don't buy it. This is a form of data collection. Verisign is in the business of data collection. All these big companies are and Nod has joined them.

    2.) ThreatSense.Net
    We have an option to send information to Eset about your computer to help them improve virus protection. A lot of people turn this off because they are concerned about privacy. One thing different in Nod 3 is everywhere you go now there is some settings called ThreatSense! You can hardly make a distinction anymore between ThreatSense.NET (the option to send info to Eset) and other settings with the name ThreatSense on it. It's all blended together now and convoluted. Very easy for beginners to check the wrong button and make a mistake. One could easily end up sending info to Eset thinking they had disabled the option. My suspicion is Eset is just fine with this.

    3.) Web Browsers
    ESET NOD32 Antivirus contains the Web browsers feature, which allows the user to define whether the given application is a browser or not. If an application is marked as a browser by the user, all communication from this application is monitored regardless of the port numbers involved in the communication.

    Don't understand this. If we leave this unchecked does that mean browsers are not scanned only the port?

    4.) Email Clients
    POP3 protocol scanning is an important part of email communication security. ESET NOD32 Antivirus allows the user to define what applications are used as email programs, in order to ensure that the communication stream with the email server is checked for the presence of malicious code.

    Same as above.

    5.) The setting - Protocol Filtering - No help for it.

    6.) If you uncheck all update options in Scheduler because you prefer updating manually, you get a popup warning and a red icon from Nod 3 saying "your system is exposed to risk" and "installation out of date." The only way to get rid of this red icon and warning is to turn back on the automatic "dial up connection" update. You're forced to leave automatic update on. Grrrr..

    7.) It's always bothered me that the Nod windows don't stay the same when you resize them.

    8.) Cannot view files being scanned in Amon anymore.

    9.) Nod 3 interface gives me a headache because the real settings are behind the useless interface. More unnecessary clicks.

    SUMMARY
    Nod32 is my favorite antivirus program. I've used it for several years. I mean, version 2.7 is just awesome! However, my conclusion is we are witnessing the beginning of the end for our beloved program, fellas. Just like when Kerio 2.5 decided to change everything they ruined an awesome firewall and turned it into junk. I see the same thing happening to Nod with this new version 3. Why oh, why, did they go and ruin things? All they really had to do was tweak version 2.7... everyone was happy with that version. I don't care what anyone says they are getting very comfortable with data collection. You wait.. it will get worse... just give it time. These corporations have this need now to "fix" things every six months or so even when something ain't broken. It's tragic. What ever happened to just leaving a good thing alone! The customers pay our money but always lose out. Like I said... it only gets worse from here. There. Is. No. Escape.

    I've upgraded from Nod 3 to Nod version 2.7.

    Thanks.

    Best regards,
    apacallyps
     
  5. GAN

    GAN Registered Member

    Joined:
    Mar 3, 2007
    Posts:
    355
    You can see a lot of examples where this happens. One example is if you create a small program and use the windows API then even if your program is the one that actually has the code to start the connection attempt it could be explorer that your firewall reports as the program that tries to make the connection attempt. There are some tools that are able to monitor more than just outgoing traffic that could show what is actually going on. If this really worries you I'm sure such a tool would give you a lot more questions to ask because then you might see a lot of things you find strange. An msi file is just an installation package and msiexec.exe is the executable required to run this installation package. As said before this is totally normal and nothing to worry about. If you still prefer to block this communication that is really up to you, but the way it works the only way to find out if the certificate is still valid is to contact verisign since the cert. is signed by their root ca. In theory you could say that it's safer to allow such communication to make sure the certificates are valid and not revoked.

    For eset who cares if they want to know when you download the software they created? If you have a valid license then you have nothing to worry about and it's really up to eset if they want to know when you download the software. Why is this a problem? So far I never heard any story where eset shares this information with other companies or any kind of abuse.

    Verisign is not collecting data... you really don't know what verisign is about and how the certificates/CRL work. If you still don't believe me then install a sniffer and analyze the traffic to make sure this is because of CRL and nothing more.

    No offence, but you sound very paranoid. If you really knew about all the logging on the internet and logging that most ISPs do you would probably choose to not be on the internet at all. There is a lot of other stuff that you should worry about before eset/verisign. Any site you visit, anything you download, services you use etc. Not only on the internet, but using your cell phone or whatever kind of electronic equipment you got. They all collect some information and are able to track you.

    You are probably right it should be possible to disable this once in the GUI instead of finding the setting in several places, but I think you worry about nothing if this is once again about privacy.

    Considering how many new threats there are each day I believe this warning is very accurate, but if you have a dialup connection then I understand if you want to do it manually without any such warning.

    I forgot to tell you in my previous post, but I find 2.7 to be much better than 3.0 in every way so I would never recommend 3.0. Since there are a lot of posts about that I guess you have already seen such comments from others. If you like 2.7 then don't upgrade to 3.0 since 2.7 does the same job and is much better I think.
     
    Last edited: Dec 7, 2007