Disable email scanning

Discussion in 'NOD32 version 2 Forum' started by Someguy, Mar 23, 2004.

Thread Status:
Not open for further replies.
  1. Someguy

    Someguy Registered Member

    Joined:
    Mar 23, 2004
    Posts:
    26
    Hi,

    Is it possible to disable email scanning in IMON while still keeping the other functionality of the module?

    Additionally, what exactly does the module do besides mail scanning? Does it monitor certain ports for attacks?

    Thanks all,
    Al.
     
  2. Mele20

    Mele20 Former Poster

    Joined:
    Apr 29, 2002
    Posts:
    2,495
    Location:
    Hilo, Hawaii
    Evidently IMON now does more than monitor email attachments:

    Quote:
    But does IMON only protect a computer from evil e-mails? What about worm attacks? Say someone with a laptop will connect to my network an infected machine. Will AMON be enough?

    At the moment, IMON does two things. Scans POP3 traffic, and detects some exploits used by worms. If a computer is vulnerable to some "packet exploit", AMON will probably not be enough, since the worm code would most likely be injected directly into memory.

    I do not know which, or how many exploits are detected, however, if you have the latest security updates from Microsoft, you are not vulnerable to the attacks that IMON detects, so.. with the latest updates, disabling IMON should not make you more vulnerable. However, in the future, there might for example be a protection added for an exploit there is no patch for yet...

    Before, however, IMON only scanned POP3-traffic. Back then, there was no risk in disabling it.

    Personally, I suggest that (nowadays) IMON is always enabled for most users. If you don't want it to scan emails, just disable the mail scanning, but leave the rest of it running.

    Best regards,
    Anders

    http://www.wilderssecurity.com/showthread.php?t=24910

    In that same thread a fix from Eset is posted today for the Hyperthreading bug (another reason I don't use IMON). So, perhaps I will decide to try IMON (with the fix) with the email scanning disabled.
     
  3. Someguy

    Someguy Registered Member

    Joined:
    Mar 23, 2004
    Posts:
    26
    Thanks for the response.

    This is part of my question. How exactly do you disable the email scanning without disabling the whole IMON?
     
  4. ragamix

    ragamix Registered Member

    Joined:
    Jun 23, 2003
    Posts:
    17
    Location:
    Bratislava, Slovak republic
    >How exactly do you disable the email scanning without disabling the whole IMON?

    I don't think this is possible. You can only enable/disable IMON as a whole not just parts of it - e.g. the email scanning.. although maybe one suggestion would be to use IMON's exclusion list.. putting your email client on that list might do the trick.. but you'll have to try yourself ;)
     
  5. Mele20

    Mele20 Former Poster

    Joined:
    Apr 29, 2002
    Posts:
    2,495
    Location:
    Hilo, Hawaii
    I have no idea how you disable email scanning but leave the other parts of IMON running. I can't see anywhere in the setup to disable email scanning but leave whatever else there is of IMON running. I don't understand what IMON does outside of scanning attachments in email and causing problems (like any av email scanner). IMON in beta had a ton of problems because of its implementation on the Winsock level. I know that it has been greatly improved from those days, but I still don't see why anyone would use it. If it does things other than scan email attachments, AMON should be doing that seems to me.
     
  6. Paul Wilders

    Paul Wilders Administrator

    Joined:
    Jul 1, 2001
    Posts:
    12,472
    Location:
    The Netherlands
    Using Advanced Heuristics. Below a screen shot from a small part from the virus log; says it all.

    regards.

    paul
     

  7. Stan999

    Stan999 Registered Member

    Joined:
    Sep 27, 2002
    Posts:
    566
    Location:
    Fort Worth, TX USA
    Hi Mele20,

    I run IMON on a dual boot Win98SE and WinXP Pro machine without any problems.

    If your ISP doesn't scan for viruses, like a lot of folks worldwide, then IMON is very useful and saves time compared to your method of saving the mail attachments and then scanning it again.

    Just because you don't feel IMON is useful for you, because your ISP scans for viruses, just doesn't apply to everybody. Also, I see no reason to have to go through the process of scanning the attachments again with AH like you do. That seems to be a waste of time.

    I, for one, hope they do add additional features to IMON.
     
  8. Mele20

    Mele20 Former Poster

    Joined:
    Apr 29, 2002
    Posts:
    2,495
    Location:
    Hilo, Hawaii
    I realize that many ISPs still don't scan for viruses and thus IMON email scanning is useful in those circumstances if you get a lot of email attachments that you are expecting. I don't. The few I get are from unknown senders and I delete the entire email without opening it because the source is unknown and I wasn't expecting any email with an attachment. I also never open any email that comes from an unfamiliar source whether or not it has an attachment. Instead, I look at the message source in OE and usually the email is not even addressed to me. I get email addressed to anyone whose email address starts with the same first letter as mine and is addressed to my ISP.

    I'm still not clear though on exactly what IMON does that AMON doesn't when you disable email scanning but leave the rest of the module functioning.
     
  9. Mele20

    Mele20 Former Poster

    Joined:
    Apr 29, 2002
    Posts:
    2,495
    Location:
    Hilo, Hawaii
    Quote:
    ...but I still don't see why anyone would use it. If it does things other than scan email attachments

    Using Advanced Heuristics. Below a screen shot from a small part from the virus log; says it all.

    regards.

    Paul, that log you posted shows email scanning. I understand (I think) how IMON scans email. You didn't answer my question. Exactly what does it do, if you disable email scanning but allow it to run otherwise? (I don't see how you can disable email scanning only but Anders says you can so I guess you can). How exactly is it protecting me outside of email scanning and why does Anders say that AMON will NOT protect me fully?! That is news to me and I don't understand and am seeking clarity about this not about IMON scanning email.
    Thanks.
     
  10. Spoonfed

    Spoonfed Guest

    Personally I would leave it enabled.

    A customer's 2000 server runs a mail collection service for all their externally hosted mail boxes. It has a "NOD32" plug in that checks the virus when POP3 collection is in process by the local mail server. With Version 1 of NOD it picked up the viruses, but it was the plugin FORCING NOD to scan that picked it up. With NOD32 IMON picks up the viruses WELL before the local Pop3 server even gets to use the plug in to scan (obviously the earlier the better). NOD32 then is set to DELETE ALL infected messages. So it certainly works well. This setup with NOD ver1 has not let ONE virus pass to the client machines for over 1 year, Version 2 I think will be even better at this.
    Their "infection" rate is about 15% of all emails/files scanned by IMON, so they often cop 50+ viruses a day.
     
  11. dvk01

    dvk01 Global Moderator

    Joined:
    Oct 9, 2003
    Posts:
    3,131
    Location:
    Loughton, Essex. UK
    As I understand it AMON only detects on activation of a suspect file so you actually have to do something with the file to detect an infiltration within the file.

    IMON as well as email checking also monitors all internet connections at the winsock level and if you have a vulnerability, whether plugged or not and one of the new breeds of worms/trojans/viruses that are memory resident without you actually using the file is discovered for example on a drive by download from a website or one of the blaster variants or similar that float around the net waiting for a vulnerable computer to appear, the IMON will block it without you actually having to prevent the download or whatever.

    An example would be the new I worm- twitty that only affects a computer with blackice installed, IMON should be able to detect that & block/destroy it while surfing normally.
     
  12. Fung Kuei

    Fung Kuei Guest

    My employer's network had >15 thousand files infected with PE_Bagle.Q before Trend released the update for this worm.

    An IT guy of my acquaintance told me IMON e-mail component of NOD32 detected and banished PE_Bagle.Q as an unknown Crypto-Virus on his employer's network WITHOUT an update. I am at this moment evaluating NOD32, on his recommendation.

    A warning: I have found a serious deception on the Internet! h**p://www.nod-32.com is a fraud web page, leading not to NOD32 but to BullGuard. I almost fell into this trap because I typed "NOD-32", not knowing at the time the true name of the program.

    edit to disable link to bullgard - snap
     
  13. snapdragin

    snapdragin Administrator

    Joined:
    Feb 16, 2002
    Posts:
    8,415
    Location:
    Southern Ont., Canada
    Thank you Fung Kuei, I am sure the Eset Team would be interested in that link.

    It is the dash in between Nod and the #32 ....not nice.

    You can find ESET's home page here: http://www.nod32.com/

    Regards,

    snap
     
  14. Fung Kuei

    Fung Kuei Guest

    Sorry for my BullGuard link mistake Snapdragin. I am only passing through, and I do not know all the rules of this Forum.

    Thank you for the NOD32 link. I downloaded a Trial Version yesterday. I am VERY impressed. (See my "amateur" Detection Report in another recent post.) :)
     
  15. snapdragin

    snapdragin Administrator

    Joined:
    Feb 16, 2002
    Posts:
    8,415
    Location:
    Southern Ont., Canada
    That's ok Fung Kuei, :) the link is still readable, just not clickable now.

    Good luck with NOD...I have it myself and love it!

    Welcome to Wilders,

    Regards,

    snap
     
  16. Mele20

    Mele20 Former Poster

    Joined:
    Apr 29, 2002
    Posts:
    2,495
    Location:
    Hilo, Hawaii
    Supposedly Goran Gluck is a registered reseller of NOD32 and Eset is OK with his "squatting". Even so, I can't see any way to download NOD32 from that page...it just flips you to Bullguard page. Supposedly though according to this http://www.dslreports.com/forum/remark,8904526~mode=flat#8904569
    Gluck's link contains a referral code so he gets paid by Eset for the downloads.

    More information at this http://www.dslreports.com/forum/remark,9765517~mode=flat

    Evidently these fraudsters are doing exactly the same thing to AVG anti-virus using the hyphen in the name and the earlier thread saying Gluck is an authorized reseller of NOD32 is incorrect.

    edited to make links clickable - snap
     