Did NOD32 Install Correctly?

Discussion in 'ESET NOD32 Antivirus' started by Hangetsu, Mar 26, 2008.

Thread Status:
Not open for further replies.
  1. Hangetsu

    Hangetsu Registered Member

    Joined:
    Jan 9, 2006
    Posts:
    259
    My machine runs 64 bit Vista Ultimate, and I downloaded and installed the NOD32 v3 64 bit edition. When I look at my processes, I see the Eset Service (ekrn) is operating as 32 bit.

    Shouldn't that component operate at 64 bit? Am I missing something here (which is very possible / likely)?
     
  2. ASpace

    ASpace Guest

    Again :D

    So, if it runs OK (as fast as usual) and detects threats, I don't see a single reason to worry about it.
     
  3. Hangetsu

    Hangetsu Registered Member

    Joined:
    Jan 9, 2006
    Posts:
    259
    Hey, sorry to dig this back up again, but I'm still confused as to how this is working on a 64 bit machine - For example, how is it scanning 64 bit addressed memory?

    It's running great as usual, but I also want to make sure it's protecting me!
     
  4. proactivelover

    proactivelover Registered Member

    Joined:
    Apr 7, 2006
    Posts:
    840
    Location:
    Near Wilders Forums
  5. Hangetsu

    Hangetsu Registered Member

    Joined:
    Jan 9, 2006
    Posts:
    259
    Well, I would hope it detects the EICAR file - My issue isn't with its ability to detect viruses, I just want to better understand how a 32 bit executable / service is managing a 64 bit system.

    With my example above, memory above 3GB (pretty sure anyway) can't be addressed in 32 bits. I just want to make sure there isn't a gap in coverage due to the ekrn.exe service being a 32 bit application. I'm sure it's not, and hardware isn't my forte, but I'm curious as to how this works assuming it's not proprietary knowledge.

    FYI, the product is ICSA Labs certified for 64 bit Vista, so this is more curiosity at this point than concern.
     
  6. lucas1985

    lucas1985 Retired Moderator

    Joined:
    Nov 9, 2006
    Posts:
    4,047
    Location:
    France, May 1968
    The driver must be 64-bit, the other components can be 32-bit.
    The ekrn.exe service is the core of the scanning engine, you should look for eadrv.sys (IIRC, that's the name of the filesystem filter) and the likes.
     
  7. Hangetsu

    Hangetsu Registered Member

    Joined:
    Jan 9, 2006
    Posts:
    259
    Ugh, duh -- That makes perfect sense. Since ekrn.exe sits in the services list, I took that at face value as being the component that requires the ability to read 64 bit addressing. That's pretty much what was being said before, but I was thinking of it as a driver (vs. the individual sys files). Thanks Lucas!
     
  8. lucas1985

    lucas1985 Retired Moderator

    Joined:
    Nov 9, 2006
    Posts:
    4,047
    Location:
    France, May 1968
    So, eadrv.sys (or whatever the filesystem filter is called) is a 64-bit app? :)
     
  9. Hangetsu

    Hangetsu Registered Member

    Joined:
    Jan 9, 2006
    Posts:
    259
    Not sure how to tell to be honest, but if the ekrn.exe takes advantage of 64 bit drivers that explains how it does work.
     
  10. lucas1985

    lucas1985 Retired Moderator

    Joined:
    Nov 9, 2006
    Posts:
    4,047
    Location:
    France, May 1968
    Try to find it in the drivers directory.
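
One way to answer the "how to tell" question from the two posts above, as an added example that is not part of the original thread and not ESET code: a Windows `.exe` or `.sys` file records its target architecture in the PE header (the COFF `Machine` field and the optional-header magic). The function names are hypothetical and the sample headers are constructed in the script; on a real system, pass `file_bitness` the path of the `.sys` file found in the drivers directory.

```python
import struct

MACHINES = {0x014C: "x86 (32-bit)", 0x8664: "x64 (64-bit)", 0x0200: "IA-64 (64-bit)"}
OPT_MAGIC = {0x10B: "PE32", 0x20B: "PE32+"}

def pe_bitness(data: bytes) -> tuple[str, str]:
    """Return (machine, optional-header format) for the leading bytes of a PE image."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    # e_lfanew at offset 0x3C points to the "PE\0\0" signature.
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    # Need signature (4) + COFF file header (20) + optional-header magic (2).
    if e_lfanew + 26 > len(data):
        raise ValueError("truncated or corrupt PE header")
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    (machine,) = struct.unpack_from("<H", data, e_lfanew + 4)
    (magic,) = struct.unpack_from("<H", data, e_lfanew + 24)
    return (MACHINES.get(machine, f"unknown (0x{machine:04x})"),
            OPT_MAGIC.get(magic, f"unknown (0x{magic:04x})"))

def file_bitness(path: str) -> tuple[str, str]:
    """Same check for a file on disk, e.g. a driver or service binary."""
    with open(path, "rb") as f:
        return pe_bitness(f.read())

def _constructed_header(machine: int, magic: int) -> bytes:
    """Constructed sample: minimal DOS header + PE header, not a real binary."""
    dos = (b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x80)).ljust(0x80, b"\0")
    # Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    coff = struct.pack("<HHIIIHH", machine, 0, 0, 0, 0, 0xF0, 0x2022)
    return dos + b"PE\0\0" + coff + struct.pack("<H", magic) + b"\0" * 64

SAMPLE_32 = _constructed_header(0x014C, 0x10B)  # shaped like a 32-bit service binary
SAMPLE_64 = _constructed_header(0x8664, 0x20B)  # shaped like a 64-bit kernel driver

if __name__ == "__main__":
    print("32-bit sample:", pe_bitness(SAMPLE_32))
    print("64-bit sample:", pe_bitness(SAMPLE_64))
```
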
     
  11. agoretsky

    agoretsky Eset Staff Account

    Joined:
    Apr 4, 2006
    Posts:
    4,032
    Location:
    California
    Hello,

    The program registers 64-bit filter drivers on a system to monitor the activities which occur at those points where threats can be introduced. Those drivers then pass the data back to an engine which contains 32-bit hand-optimized x86 code for actual analysis.

    It is analogous to how the old thunking layer used to operate for getting old 16-bit Windows 3.1 programs to work under 32-bit Windows 95 and Windows NT, although the actual manner in which it operates is not the same.

    Regards,

    Aryeh Goretsky
     
  12. Hangetsu

    Hangetsu Registered Member

    Joined:
    Jan 9, 2006
    Posts:
    259
    Excellent, thank you for the replies all. On a side note, the latest version is running blazing fast on my machine - Well done on optimizing v.3!!
     