Boot Scan

Discussion in 'NOD32 Early v2 Beta' started by Loki, Jan 9, 2003.

Thread Status:
Not open for further replies.
  1. Loki

    Loki Registered Member

    Joined:
    May 26, 2002
    Posts:
    193
    Location:
    Lake Worth, Florida, USA
    Hello,

    Would it be possible to have NOD32 v2 do a boot time scan on WinXP? Or is this not important? Some AV programs do boot scans on Win98 but none that I know of do on a Win NT OS. Since my defragment program can do a boot time defragment on WinXP Pro, why not a boot time scan by NOD32 v2?

    Loki :cool:
     
  2. rodzilla

    rodzilla Registered Member

    Joined:
    Jun 15, 2002
    Posts:
    653
    Location:
    australia
    NOD32 monitors memory and hard drive activity constantly

    If you're clean when you shut down then logically you will be clean when you boot up ... so an on-boot scan is overkill.

    If enough users wishlist this then it might be added as an opt-in ... but I'd hate to see such a waste of time and resources added as default.
     
  3. Feivel

    Feivel Registered Member

    Joined:
    Nov 7, 2002
    Posts:
    100
    Location:
    Baytown, TX
    Rodzilla,

    What you say is sensible but on my Win 2000 Pro, NOD32 scans EACH profile on boot. Is there any way to disable that?
     
  4. Loki

    Loki Registered Member

    Joined:
    May 26, 2002
    Posts:
    193
    Location:
    Lake Worth, Florida, USA
    Hi Rodzilla,

    Thanks for the response, my main concern was system files locked by the OS. It's these messages ( error opening (file is locked)[4] ) I was hoping that NOD32 v2 would scan these.

    Loki :cool:
     
  5. rodzilla

    rodzilla Registered Member

    Joined:
    Jun 15, 2002
    Posts:
    653
    Location:
    australia
    > Thanks for the response, my main concern was system files locked by the OS. It's these messages ( error opening (file is locked)[4] ) I was hoping that NOD32 v2 would scan these.

    Those files are in use by and locked (protected) by your operating system, Loki. Perhaps they could be scanned by brute force ... but not with 100% safety ... so we don't even try.
     
  6. rodzilla

    rodzilla Registered Member

    Joined:
    Jun 15, 2002
    Posts:
    653
    Location:
    australia
    > What you say is sensible but on my Win 2000 Pro, NOD32 scans EACH profile on boot. Is there any way to disable that?

    Hmmmm ... I guess you mean AMON is scanning each user profile.

    I don't know if this can be disabled or not ... but even if it could, I would not personally advise it. Switching to an "unscanned" user profile midstream could trigger the very hazards against which AMON's bootup scan is designed to protect you.
     
  7. Hi, Rodzilla, glad to see you back..

    Speaking of those "unscannable" files.. I have no problem with them..

    Is there a way to make those "locked" or unscannable files not show up when doing a manual scan..

    I don't know if I explained this well.. I want to see what NOD32 scanned, but the files that can't be, I don't want them on the list..

    Thanks
     
  8. rodzilla

    rodzilla Registered Member

    Joined:
    Jun 15, 2002
    Posts:
    653
    Location:
    australia
    > Hi, Rodzilla, glad to see you back..

    Thanks SS. I'm glad to be able to see. :)

    > Speaking of those "unscannable" files.. I have no problem with them..

    > Is there a way to make those "locked" or unscannable files not show up when doing a manual scan..

    > I don't know if I explained this well.. I want to see what NOD32 scanned, but the files that can't be, I don't want them on the list..

    Personally I don't like excluding files from a scan. It opens the door for a file-specific virus to run wild.

    Suppose it becomes widely publicized on security forums and in Usenet newsgroups that the latest PoopScan update false alarms on a commonly-used program ... say, WinZip .........

    Within minutes, dozens of well-meaning self-appointed "virus experts" advise "Temporarily exclude winzip32.exe from your scan until the bugfix is released."

    A few hours later winzip32.exe spams the world as an email attachment from the spoofed techsupport@winzip.c0m address. The email claims it's a bugfix for the PoopScan false alarm, but it's actually a modified CIH virus which auto-forwards the email and its attachment to everyone in the recipients' addressbooks. It spreads like wildfire.

    Most other antivirus programs detect CIH on arrival, but PoopScan ignores the virus ... it's excluded by filename ... and within a few hours, hundreds of thousands of PoopScan/WinZip users have run the attachment.

    Next day the security forums and Usenet are filled with warnings that the phony WinZip "bugfix" triggers (a) four hours after installation or (b) at the next reboot and will trash your hard drive and any susceptible FlashBIOS.

    Most PoopScan users never get to read the warning ... they have nothing on which to read it.

    (I'm not giving virus coders ideas here, btw ... this hypothetical "human engineering" sneak attack was discussed on IRC years ago.)
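
The weakness described in the post above, as an added example that is not part of the original thread or of any product's code: an exclusion keyed on file name alone skips every file carrying that name, while an exclusion pinned to a content digest skips only the one known file. The class names, paths and file contents are constructed for illustration.

```python
import hashlib
import ntpath

# Constructed stand-ins for file contents; not real binaries.
TRUSTED_BYTES = b"constructed stand-in for the installed winzip32.exe"
LOOKALIKE_BYTES = b"constructed stand-in for a different file with the same name"


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


class NameExclusion:
    """Weak policy: skip any file whose base name is on the list."""

    def __init__(self, names):
        self.names = {n.lower() for n in names}

    def is_excluded(self, path, data):
        return ntpath.basename(path).lower() in self.names


class PinnedExclusion:
    """Stricter policy: skip only when the name AND the SHA-256 of the content match."""

    def __init__(self, pins):
        self.pins = {name.lower(): digest for name, digest in pins.items()}

    def is_excluded(self, path, data):
        pinned = self.pins.get(ntpath.basename(path).lower())
        return pinned is not None and pinned == sha256_hex(data)


def files_to_scan(policy, files):
    """Return the paths the scanner would still inspect under the given policy."""
    return [path for path, data in files if not policy.is_excluded(path, data)]


SAMPLE_FILES = [  # constructed paths and contents
    (r"C:\Program Files\WinZip\winzip32.exe", TRUSTED_BYTES),
    (r"C:\Temp\attachments\winzip32.exe", LOOKALIKE_BYTES),
    (r"C:\Temp\attachments\readme.txt", b"constructed text file"),
]


def demo():
    by_name = NameExclusion(["winzip32.exe"])
    by_pin = PinnedExclusion({"winzip32.exe": sha256_hex(TRUSTED_BYTES)})
    return files_to_scan(by_name, SAMPLE_FILES), files_to_scan(by_pin, SAMPLE_FILES)


if __name__ == "__main__":
    for label, paths in zip(("name-only", "digest-pinned"), demo()):
        print(label, "->", paths)
```

A digest pin has to be refreshed whenever the excluded program is legitimately updated; until then the updated file is simply scanned again, which is the safe direction to fail.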
     
  9. Well, I TOTALLY agree with you.. Let's leave NOD as it is then, your explanation was completely understandable...

    Other AVs I've seen just run all the files through, not informing you or not that the file is locked.. Now that I think of it, I'd rather know which files are unscannable, and are are...

    Thanks..
    .........PS.. I assume your surgery went well?
    Forgive me for asking.. I understand if you'd rather be private about it..but it's good to know you're okay..

    Straight Shooter...
     
  10. Feivel

    Feivel Registered Member

    Joined:
    Nov 7, 2002
    Posts:
    100
    Location:
    Baytown, TX
    Rodzilla,

    It is a full blown scan as if I clicked NOD32 and selected to scan each profile. If it were a AMON scan I wouldn't mind as much. It is just that upon boot my computer is virtually unusable until both NOD scans are done.
     
  11. Loki

    Loki Registered Member

    Joined:
    May 26, 2002
    Posts:
    193
    Location:
    Lake Worth, Florida, USA
    Thanks again, so long as AMON is running and will catch anything then I'll not worry too much about those locked files.

    Loki :cool:
     
  12. tosbsas

    tosbsas Registered Member

    Joined:
    Feb 9, 2002
    Posts:
    789
    Location:
    Lima, Peru
    That's strange - I am on win2k too - no such scan

    Ruben
     
  13. rodzilla

    rodzilla Registered Member

    Joined:
    Jun 15, 2002
    Posts:
    653
    Location:
    australia
    > I assume your surgery went well? Forgive me for asking.. I understand if you'd rather be private about it..but it's good to know you're okay..

    Actually the whole thing has been a bit of a disaster. The initial operation was to be on both eyes and scheduled to take 50-80 minutes, but five minutes into the surgery my blood pressure suddenly dropped below the death threshold and stayed there. The anaesthetist aborted the operation and brought me back to life, with very little surgery done, and on my right eye only.

    Just when everything seemed to be settling down, I contracted an infection which temporarily blinded me. It was like trying to look through a glass of milk. I could detect light and shade, but not much else.

    Now I can see almost as well as I could before the operation, except that my right eye has lost focus. I will need new glasses when it has completely settled down. I have an appointment with the surgeon tomorrow for another checkup. At this stage there is no chance of further surgery ... I'm on the anaesthetic "black list", and the surgery is too complex (and too frightening) for local anaesthesia.

    But ... I can see ... and that's the main thing.
     
  14. Phil

    Phil Registered Member

    Joined:
    Oct 24, 2002
    Posts:
    248
    Just a thought here. Have you checked your "profiles" in the control center? Here's why I ask. When I first installed the beta, I went through the GUI like a crazy man clicking this, changing that, scanning here and there -- all without reading the help files. Hey! -- it's a beta and we are to TEST it, right! :cool: Every so often, NOD would ask, "so and so has changed, do you want to save?" Sometimes I would say yes, sometimes no. The result was the next time I did a full system scan, it tried to scan everything in sight, up to and including my dog in the next room. :D

    The long and short is it was saving those things I was goofing around with in "profiles" ( a VERY handy feature as it turns out) and it ran the last profile I had loaded, without me knowing it was loaded, when I did the system scan. If you were clicking around like me, you may have *told* NOD to scan those on boot without knowing it. Just a thought, but may be worth checking.

    Phil
     
  15. Feivel

    Feivel Registered Member

    Joined:
    Nov 7, 2002
    Posts:
    100
    Location:
    Baytown, TX
    Phil,

    Your post made me look closer at NOD32 but unfortunately nothing obvious was there. I reset NOD32 to show system tasks and these are the 4 scheduled tasks.

    Log Maintainance every day at 0300,none
    update repeatedly, every hour,none
    Scan all 1800, Thursday,user profile
    Scan C every day at 1900,C only

    In HKLM\Run there is

    nod32kui.exe /WAITSERVICE

    Hopefully this information will be useful so we can figure out my scan annoyance. On a happier note, I just saw IMON work flawlessly. I use mailshield desktop and had a message with the subject RE: movies from an obviously bogus email address. To make it even more obvious the message had an attachment. I had just read about Win32/Sobig.A worm so I downloaded it secure in the fact that I had NOD32 (and my email client is Eudora). Sure enough IMON caught the email and wouldn't allow it to be saved in Eudora until I deleted or quarantined the worm/virus.
     
  16. Phil

    Phil Registered Member

    Joined:
    Oct 24, 2002
    Posts:
    248
    That's good news about IMON. I just wish it would work with Pocomail. :rolleyes:

    The "systems tasks" is not what I was talking about. Fire up the control center and click the NOD32 module. Click "Run NOD32" and it will pop up the on-demand scanner. Look at the "Profiles" tab. That's where all my mad clicks had been stored. You may want to try setting to default to see if that will change anything. Again, this is just a WILD guess based on what I saw and may not make any difference at all. Have you tried an un-boot-re install?

    Hopefully one of the NOD guys will come in with an idea.

    Phil
     
  17. vlk

    vlk AV Expert

    Joined:
    Dec 26, 2002
    Posts:
    618
    Loki,
    if you'd like a real boot-time scan for WinNT/2K/XP/.NET, I'd suggest trying out the new avast! ( http://www.avast.com ).
    It has the feature you're describing (it runs at the same stage as the boot-time chkdsk).

    Vlk
     
  18. Loki

    Loki Registered Member

    Joined:
    May 26, 2002
    Posts:
    193
    Location:
    Lake Worth, Florida, USA
  19. Feivel

    Feivel Registered Member

    Joined:
    Nov 7, 2002
    Posts:
    100
    Location:
    Baytown, TX
    I sort of narrowed my annoyance somewhat. I have three NOD32 services on my computer. They are:

    NOD32 Control Center Service - Disabled - nod32cc.exe" -service (apparently a remnant from a bad uninstall of the pre-beta version but it is disabled anyway)

    NOD32 Kernel Service - automatic - C:\Program Files\Eset\nod32krn.exe

    NOD32 Service - disabled - nod32m2.exe (apparently a remnant; since it's disabled, no problem there.)

    I have TPF installed (as a sandbox only) and I finally decided to watch the activity upon boot. When the NOD32 Kernel Service (nod32krn.exe) starts, it starts nod32.exe to scan the default profile THEN it starts a second copy of nod32.exe to scan another profile. Between this information and what I posted previously, this annoyance will be solved soon. BTW, I tried disabling NOD32 Kernel Service but all that does is "stall" NOD32 at the splash screen.
     
  20. Feivel

    Feivel Registered Member

    Joined:
    Nov 7, 2002
    Posts:
    100
    Location:
    Baytown, TX
    Been 1 week since anybody said anything about this. Is this problem too difficult to answer? Any answer from ESET is better than no answer. If I wanted no answer, I could have easily stuck with a different vendor (and a shoddier product).
     
  21. Paul Wilders

    Paul Wilders Administrator

    Joined:
    Jul 1, 2001
    Posts:
    12,472
    Location:
    The Netherlands
    Feivel,

    Your remarks do not go unnoticed. Issues concerning the Beta are handled as stated by Eset in this thread in principle. ;)

    regards.

    paul
     
  22. Feivel

    Feivel Registered Member

    Joined:
    Nov 7, 2002
    Posts:
    100
    Location:
    Baytown, TX
    I understand that Paul. I would just appreciate an answer, either a solution or a sorry - we are looking into it or your settings are wrong, from ESET. Aside from that, the Beta seems fine so far.
     
  23. Paul Wilders

    Paul Wilders Administrator

    Joined:
    Jul 1, 2001
    Posts:
    12,472
    Location:
    The Netherlands
    Feivel,

    I agree it would be very nice if Eset Labs would be able to answer to each and every post on this Beta support forum. In practice they have chosen to verify - and possibly reproduce - all remarks concerning the Beta, and if necessary, iron out bugs as reported. Personally, I'd rather prefer Labs to concentrate on technics on their lab, as time and development is precious. Answering to all specific posts over here would no doubt slow down the main goal: a bug free v2.0. Please don't hold a grudge against Eset for setting priorities ;).

    regards.

    paul
     
  24. Feivel

    Feivel Registered Member

    Joined:
    Nov 7, 2002
    Posts:
    100
    Location:
    Baytown, TX
    No grudge at all. Even with their lack of an answer I do believe they are doing something otherwise I would not have registered NOD32 in the first place.
     
  25. Paul Wilders

    Paul Wilders Administrator

    Joined:
    Jul 1, 2001
    Posts:
    12,472
    Location:
    The Netherlands
    Feivel,

    sounds perfectly to the point to me ;)

    regards.

    paul
     