Bug with Quarantine

Discussion in 'ESET NOD32 Antivirus' started by kevin009, May 5, 2008.

Thread Status:
Not open for further replies.
  1. kevin009

    kevin009 Registered Member

    Joined:
    Sep 11, 2007
    Posts:
    32
    Bug with Quarantine.

    I think there is a bug in NOD32 version 3.0.650.0.

    I found that NOD32 did not quarantine “All” the infected files when the Cleaning is set to Standard Cleaning in “advanced setup tree > Real time file system protection > Setup > Cleaning”.
    Some of the copies were deleted without quarantining.

    I did a test with Eicar as follows:

    Created 15 copies of the eicar test file as “eicar1.exe, eicar2.exe, eicar3.exe…” and put the 15 copies in a folder. Then set NOD32’s real time protection to Standard Cleaning and opened the folder.
    NOD32 removed all the eicar copies as usual immediately. (Stating that each of the files was quarantined – deleted)

    After all the 15 eicar copies were removed, I opened NOD32’s quarantine, but found that fewer than 15 copies of eicar were left in the quarantine (as opposed to the 15 files detected). When I repeated the same test with the same number of eicar files, the number of files quarantined was always a “random number” but “always less than 15”.

    NOD32 had deleted some files without quarantining them.

    When I repeated the same test with “Strict Cleaning” the same problem was experienced.

    But when I set NOD32 to “No Cleaning” and did the test (clicking the “Clean” or “Delete” button 15 times in the Real-time protection threat alert window), all 15 copies were quarantined properly.

    Kindly replicate my test using the “Standard Cleaning and Strict Cleaning” in the real-time protection, and verify whether there is a bug that NOD32 failed to quarantine all the copies.

    If found to be a bug, please reply and confirm it.
    If this is not a bug, then kindly explain the reason why this happened.
     
  2. ASpace

    ASpace Guest

    Re: Bug with Quarantine.

    Why quarantine the same file 15 times? It is the same file :thumb: :D
     
  3. ASpace

    ASpace Guest

    Re: No Antispyware protection o_O

    By the way, it works here - my cleaning level for all modules is Standard (2)
     

  4. kevin009

    kevin009 Registered Member

    Joined:
    Sep 11, 2007
    Posts:
    32
    Re: No Antispyware protection o_O

    Yes, that is ok, but I doubt if it will quarantine all the files if more than 15 copies were each different malware "not just eicar".

    Someone has to do the same test with 15 different malware in one folder, then see if it works right or wrong.

    BTW: you have used just 6 eicar copies. It works fine that way, but could fail with more than 10 or 15...

    Additionally, you need to create 15 eicar copies (with Real time protection disabled), then put the eicar copies in a folder and then enable Realtime protection and open the folder. If realtime protection was enabled while creating all these eicar files, then all 15 copies will be quarantined properly in standard cleaning... Did you get my point?
     
  5. ASpace

    ASpace Guest

    Re: No Antispyware protection o_O


    Yes. All the protections (incl. Real-time file system) were disabled. I created 6 copies because I believe it will be the same with 15. The files were created then and moved to the Desktop folder. Then all protections were reactivated and after a while, NOD32 automatically picked them up.
     
  6. kevin009

    kevin009 Registered Member

    Joined:
    Sep 11, 2007
    Posts:
    32
    Re: No Antispyware protection o_O

    Sorry for the long delay in replying.... let's begin again...

    6 copies .... that much can be quarantined without any problem..
    I was talking about 15 copies... do it again with 15 or more copies... the problem is that if we've got a real virus in our computer which has infected 15 or more files, with NOD32 set to standard cleaning... but if it was not able to clean it, it would attempt to Q all the files, but not all the files would be Q and we would lose the data permanently. That is the main problem...
    Hope you understood me.

     
  7. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,374
    Weird, I can't reproduce the problem here:
     

  8. kevin009

    kevin009 Registered Member

    Joined:
    Sep 11, 2007
    Posts:
    32
    For the problem to be reproduced correctly, make sure that realtime protection is disabled first, then create 15 or more eicar copies and place them in a new folder. Close it, enable realtime protection (with Standard Cleaning) and open the folder. Then, after all copies have been removed, check the Quarantine and confirm it.

    Please confirm that you did it exactly this way?
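
The reproduction steps in the post above, as an added sketch that is not part of the original thread or any ESET tooling: it stages the numbered test copies, then classifies each one afterwards so files that were deleted without a quarantine entry are listed by name. The function names `stage` and `reconcile` are hypothetical, and the quarantine entries are assumed to be copied by hand from the quarantine window.

```python
import tempfile
from pathlib import Path, PureWindowsPath

# Standard 68-byte EICAR test string, split in two so this script is not flagged.
EICAR = r"X5O!P%@AP[4\PZX54(P^)7CC)7}$" + "EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"


def stage(folder, count=15, payload=EICAR.encode("ascii")):
    """Run with real-time protection disabled: write eicar1.exe .. eicarN.exe."""
    folder = Path(folder)
    folder.mkdir(parents=True, exist_ok=True)
    names = [f"eicar{i}.exe" for i in range(1, count + 1)]
    for name in names:
        (folder / name).write_bytes(payload)
    return names


def reconcile(names, folder, quarantine_entries):
    """Run after the scanner has acted: classify every staged file.

    quarantine_entries: names or full paths copied by hand from the
    quarantine window (assumed input; no product API is used here).
    """
    in_quarantine = {PureWindowsPath(e).name.lower() for e in quarantine_entries}
    report = {"quarantined": [], "still_on_disk": [], "deleted_without_quarantine": []}
    for name in names:
        if name.lower() in in_quarantine:
            report["quarantined"].append(name)
        elif (Path(folder) / name).exists():
            report["still_on_disk"].append(name)
        else:
            report["deleted_without_quarantine"].append(name)  # the reported symptom
    return report


if __name__ == "__main__":
    # Constructed dry run: benign payload, and the "scanner" is simulated by
    # deleting 14 files while only 12 names are listed as quarantined.
    with tempfile.TemporaryDirectory() as tmp:
        staged = stage(tmp, payload=b"placeholder")
        for name in staged[:14]:
            (Path(tmp) / name).unlink()
        listed = ["C:\\test\\" + n for n in staged[:12]]
        for state, files in reconcile(staged, tmp, listed).items():
            print(f"{state}: {len(files)} {files}")
```

Keeping the list returned by `stage` turns "a random number, always less than 15" into a list of exactly which copies went missing, which is easier to compare across machines.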
     
  9. ASpace

    ASpace Guest

    Hello again!

    This test can really drive some people crazy. You should understand that with 3, 6, 10, 15, 50 or 500 samples the program will act the same way. Anyway, I did it for you.

    15 eicar copies + another test with a different sample so that you see the same thing happens

    I use Standard cleaning level. Disabled NOD32 v3 protection. Created 15 Eicar test file copies on my Desktop. Re-enabled the protection and after a while all got picked up + were placed in the Quarantine.

    I did the same thing - with 3 copies of Adware Virtumonde application.

    Here is the proof:

    15 copies on the Desktop

    +
     

  10. ASpace

    ASpace Guest

    If you feel there is a problem in your protection, you can temporarily revert back to NOD32 v 2.70.39, which will also keep you safe :thumb:
     
  11. kevin009

    kevin009 Registered Member

    Joined:
    Sep 11, 2007
    Posts:
    32
    Sorry for the delay in replying, was offline for a bit too long... anyway here...

    Probably this Quarantine problem occurs due to a slower machine (processor).
    I am not sure, let's close this Quarantine error anyway. ok

    Now there is a fresh problem with Nod32 3.0.657 (I think it persisted in previous builds)
    Description >
    In Advanced Setup tree, when we go to Antivirus and antispyware tab, then we are offered three options >

    1. Local drives
    2. Removable Drives
    3. Network drives

    I found that if the "Local drives" check box is unchecked, NOD32 won't monitor anything in realtime protection, not even the Removable drives (CD/DVD/USB flash drives) are monitored.

    Additionally, it is surprising to note that even if Removable drives is unchecked here, NOD32 still scans removable drives.

    Any bug here? (check on your system and post the results here)
     