Boot Scan

Hello,

Would it be possible to have NOD32 v2 do a boot time scan on WinXP ? Or is this not important ? Some AV programs do boot scans on Win98 but none that I know of do on an Win NT OS. Since my defragment program can do a boot time defragment on WinXP Pro, why not a boot time scan by NOD32 v2 ?

Loki

 

NOD32 monitors memory and hard drive activity constantly

If you're clean when you shut down then logically you will be clean when you boot up ... so an on-boot scan is overkill.

If enough users wishlist this then it might be added as an opt-in ... but I'd hate to see such a waste of time and resources added as default.

 

Rodzilla,

What you say is sensible but on my Win 2000 Pro, NOD32 scans EACH profile on boot. Is there any way to disable that?

 

Hi Rodzilla,

Thanks for the response, my main concern was system files locked by the OS. It's these messages ( error opening (file is locked)[4] ) I was hoping that NOD32 v2 would scan these.

Loki

 

> Thanks for the response, my main concern was system files locked by the OS. It's these messages ( error opening (file is locked)[4] ) I was hoping that NOD32 v2 would scan these.

Those files are in use by and locked (protected) by your operating system, Loki. Perhaps they could be scanned by brute force ... but not with 100% safety ... so we don't even try.

 

> What you say is sensible but on my Win 2000 Pro, NOD32 scans EACH profile on boot. Is there any way to disable that?

Hmmmm ... I guess you mean AMON is scanning each user profile.

I don't know if this can be disabled or not ... but even if it could, I would not personally advise it. Switching to an "unscanned" user profile midstream could trigger the very hazards against which AMON's bootup scan is designed to protect you.

 

Hi, Rodzilla, glad to see you back..

Speaking of those "unscanable" files.. I have no problem with them..

Is there a way to make those "locked" or unscanable files not show up when doing a manual scan..

I don't know if I explained this well.. I want to see what NOD32 scanned, but the files that can't be, I don'tt want them on the list..

Thanks

 

> Hi, Rodzilla, glad to see you back..

Thanks SS. I'm glad to be able to see.

> Speaking of those "unscanable" files.. I have no problem with them..

> Is there a way to make those "locked" or unscanable files not show up when doing a manual scan..

> I don't know if I explained this well.. I want to see what NOD32 scanned, but the files that can't be, I don'tt want them on the list..

Personally I don't like excluding files from a scan. It opens the door for a file-specific virus to run wild.

Suppose it becomes widely publicized on security forums and in Usenet newsgroups that the latest PoopScan update false alarms on a commonly-used program ... say, WinZip .........

Within minutes, dozens of well-meaning self-appoined "virus experts" advise "Temporarily exclude winzip32.exe from your scan until the bugfix is released."

A few hours later winzip32.exe spams the world as an email attachment from the spoofed techsupport@winzip.c0m address. The email claims it's a bugfix for the PoopScan false alarm, but it's actually a modified CIH virus which auto-forwards the email and its attachment to everyone in the recipients' addressbooks. It spreads like wildfire.

Most other antivirus programs detect CIH on arrival, but PoopScan ignores the virus ... it's excluded by filename ... and within a few hours, hundreds of thousands of PoopScan/WinZip users have run the attachment.

Next day the security forums and Usenet are filled with warnings that the phony WinZip "bugfix" triggers (a) four hours after installation or (b) at the next reboot and will trash your hard drive and any susceptible FlashBIOS.

Most PoopScan users never get to read the warning ... they have nothing on which to read it.

(I'm not giving virus coders ideas here, btw ... this hypothetical "human engineering" sneak attack was discussed on IRC years ago.)

 

Well, I TOTALLY agree with you.. Let's leave NOD as it is then, your explanation was completetly understandable...

Other AV's I've eeen just run all the files through. not informing you or not that the file is locked.. Now that I think of it, I'd rather know which files are unscanable, and are are...

Thanks..
.........PS.. I assume your surgery went well?
Forgive me for asking.. I understand if you'd rather be private about it..but it's good to know you're okay..

Straight Shooter...

 

Rodzilla,

It is a full blown scan as if I clicked NOD32 and selected to scan each profile. If it were a AMON scan I wouldn't mind as much. It is just that upon boot my computer is virtually unusable until both NOD scans are done.

 

Thanks again, so long as AMON is running and will catch anything then I'll not worry too much about those locked files.

Loki

 

Thats strange - I am on win2k too - no such scan

Ruben

 

> I assume your surgery went well? Forgive me for asking.. I understand if you'd rather be private about it..but it's good to know you're okay..

Actually the whole thing has been a bit of a disaster. The initial operation was to be on both eyes and scheduled to take 50-80 minutes, but five minutes into the surgery my blood pressure suddenly dropped below the death threshold and stayed there. The anaesthetist aborted the operation and brought me back to life, with very little surgery done, and on my right eye only.

Just when everything seemed to be settling down, I contracted an infection which temporarily blinded me. It was like trying to look through a glass of milk. I could detect light and shade, but not much else.

Now I can see almost as well as I could before the operation, except that my right eye has lost focus. I will need new glasses when it has completely settled down. I have an appointment with the surgeon tomorrow for another checkup. At this stage there is no chance of further surgery ... I'm on the anaesthetic "black list", and the surgery is too complex (and too frightening) for local anaesthesia.

But ... I can see ... and that's the the main thing.

 

Just a thought here. Have you checked your "profiles" in the control center? Here's why I ask. When I first installed the beta, I went through the GUI like a crazy man clicking this, changing that, scanning here and there -- all without reading the help files. Hey! -- it's a beta and we are to TEST it, right! Every so often, NOD would ask, "so and so has changed, do you want to save?" Sometimes I would say yes, sometimes no. The result was the next time I did a full system scan, it tried to scan everything in sight, up to and including my dog in the next room.

The long and short is it was saving those things I was goofing around with in "profiles" ( a VERY handy feature as it turns out) and it ran the last profile I had loaded, without me knowing it was loaded, when I did the system scan. If you were clicking around like me, you may have *told* NOD to scan those on boot without knowing it. Just a thought, but may be worth checking.

Phil

 

Phil,

Your post made me look closer at NOD32 but unfortunately nothing obvious was there. I reset NOD32 to show system tasks and these are the 4 scheduled tasks.

Log Maintainance every day at 0300,none
update repeatedly, every hour,none
Scan all 1800, Thursday,user profile
Scan C every day at 1900,C only

In HKLM\Run there is

nod32kui.exe /WAITSERVICE

Hopefully this information will be useful so we can figure out my scan annoyance. On a happier note, I just saw IMON work flawlessly. I use mailshield desktop and had a message with the subject RE: movies from an obviously bogus email address. To make it even more obvious the message had an attachment. i had just read about Win32/Sobig.A worm so I downloaded it secure in the fact that I had NOD32 (and my email client is Eudora). Sure enough IMON caught the email and wouldn't allow it to be saved in Eudora until I deleted or quarenteened the worm/virus.

 

That's good news about IMON. I just wish it would work with Pocomail.

The "systems tasks" is not what I was talking about. Fire up the control center and click the NOD32 module. Click "Run NOD32" and it will pop up the on-demand scanner. Look at the "Profiles" tab. That's where all my mad clicks had been stored. You may want to try setting to default to see if that will change anything. Again, this is just a WILD guess based on what I saw and may not make any difference at all. Have you tried an un-boot-re install?

Hopefully one the NOD guys will come in with an idea.

Phil

 

Loki,
if you'd like a real boot-time scan for WinNT/2K/XP/.NET, I'd suggest trying out the new avast! ( http://www.avast.com ).
It has the feature you're describing (it runs at the same stage as the boot-time chkdsk).

Vlk

 

I sort of narrowed my annoyance somewhat. I have three NOD32 services on my computer. They are:

NOD32 Control Center Service - Disabled - nod32cc.exe" -service (apparently a remenent from a bad uninstall of the pre-beta version but it is disabled anyway)

NOD32 Kernel Service - automatic - C:\Program Files\Eset\nod32krn.exe

NOD32 Service - disabled - nod32m2.exe (apparently a remenant since it's disabled no problem there.)

I have TPF installed (as a sandbox only) and I finally decided to watch the activity upon boot. When the NOD32 Kernel Service (nod32krn.exe) starts, it starts nod32.exe to scan the default profile THEN it starts a second copy of nod32.exe to scan another profile. Between this information and what I posted previously, this annoyance will be solved soon. BTW, i tried disabling NOD32 Kernel Service but all that does is "stall" NOD32 at the splash screen.

 

Been 1 week since anybody said anything about this. Is this problem too difficult to answer? Any answer from ESET is better than no answer. If i wanted no answer, I could have easily stuck with a different vendor (and a shoddier product).

 

I understand that Paul. I would just appreciate an answer, either a solution or a sorry - we are looking into it or your settings are wrong, from ESET. Aside from that, the Beta seems fine so far.

 

No grudge at all. Even with thier lack of an answer i do believe they are doing something otherwise I would not have registered NOD32 in the first place.