DMON

Discussion in 'NOD32 version 2 Forum' started by Howard Kaikow, Nov 15, 2006.

Thread Status:
Not open for further replies.
  1. Howard Kaikow

    Howard Kaikow Registered Member

    Joined:
    Apr 10, 2005
    Posts:
    2,802
    http://www.eset.com/joomla/index.php?option=com_content&task=view&id=1095&Itemid=9 states:

    But what does DMON do?

    I've seen what Kaspersky's Office Guard does.
    Where can I learn similar details about DMON?
     
  2. Blackspear

    Blackspear Global Moderator

    Joined:
    Dec 2, 2002
    Posts:
    15,115
    Location:
    Gold Coast, Queensland, Australia
    Exactly what you have quoted; it protects Microsoft Office Documents.

    Cheers :D
     
  3. Howard Kaikow

    Howard Kaikow Registered Member

    Joined:
    Apr 10, 2005
    Posts:
    2,802
    That's not an adequate description.

    Both NAV and KAV have Office protection options, but they are quite different.
    Try the demo below and you will see what I mean.

    http://www.standards.com/Index.html?OfficeStuffExamples
     
  4. Howard Kaikow

    Howard Kaikow Registered Member

    Joined:
    Apr 10, 2005
    Posts:
    2,802
    I received an email notification that somebody had posted here, but either the post did not make it into the forum, or the poster decided to delete the post.

    Without revealing the poster's identity:

    That still does not answer my question.

    What does DMON do in addition to AMON?
    My concerns are reflected in http://www.standards.com/Index.html?OfficeStuffExamples.
     
  5. BlueZannetti

    BlueZannetti Administrator

    Joined:
    Oct 19, 2003
    Posts:
    6,590
    Howard,

    Do you have a specific question here?

    With respect to the concerns raised in the link, all three approaches behaved identically (no alert) under the settings that I use, so is the concern raised specifically with respect to NOD32?

    Blue
     
  6. Howard Kaikow

    Howard Kaikow Registered Member

    Joined:
    Apr 10, 2005
    Posts:
    2,802
    The concern is as stated at the link I gave.

    Several AV programs, including NAV, KAV, and NOD32, have an option to enable, respectively, NAV's Office plug-in, KAV's Office Guard, and NOD32's DMON.

    When I got KAV last week, I noticed that enabling its Office Guard will yield many false positives to which the typical user will have no idea how to respond. So I wrote the demo using one technique that will cause Office Guard to raise a warning, AND I used IDENTICAL code in the DLL and EXE, which does not raise a warning.

    I was just trying to find out what NOD32 would do if DMON were enabled, and just what protection DMON is offering when it is enabled.

    The current documentation offers no info.

    Users really do need to know what each option does.
     
  7. NOD32 user

    NOD32 user Registered Member

    Joined:
    Jan 23, 2005
    Posts:
    1,766
    Location:
    Australia
    But the files you are testing with are (probably) not real malware - an alert on something that is no threat is a false positive.

    DMON operates via the API described earlier in this thread - a supporting application calls the AV software through this API and passes the document/macro/file to it for scanning during the process of opening, but must get back a clean report before the application parses the document. At least that's how it was explained to me. If I'm wrong, somebody please correct me.

    Cheers :)
     
  8. YeOldeStonecat

    YeOldeStonecat Registered Member

    Joined:
    Apr 25, 2005
    Posts:
    2,345
    Location:
    Along the Shorelines somewhere in New England
    So based on your link, your theory is that antivirus programs should not include additional layers of protection in other applications...such as POP/SMTP protection and HTTP protection. Since...after all...somehow it will confuse the user with more options or add FPs? :blink:

    I've never seen it cause issues, or confuse users...and that's across several dozen enterprise edition networks I've installed on. If having more than one option overwhelms some users...exercise the right to choose another product.
     
  9. Howard Kaikow

    Howard Kaikow Registered Member

    Joined:
    Apr 10, 2005
    Posts:
    2,802
    Yes, that's the point. I am demonstrating that the Office Guard in KAV will result in many false positives. Inexperienced users will have no idea on how to respond, and experienced users will just disable Office Guard as a PIA.

    The DLL demo demonstrates that IDENTICAL code used by a Word macro might not be flagged by Office Guard, so most any capable malware author will be able to bypass Office Guard's checks.

    And the EXE demonstrates that IDENTICAL code, run outside of Office, is not flagged. Heck, if particular non-Office dependent code is NOT flagged outside of Office, why in the world is it flagged by Office Guard? Makes no sense. Code is code, be it within Office or outside of Office.

    I expect that I could put more complex Office related code in the demos and achieve the same result, i.e., the DLL and EXE would not be flagged, but the template would be flagged by Office Guard.

    And, Office Guard could not flag DLLs or EXEs because that would cause false positives on 110% of add-ins written for Office.

    Oh well, this provides me with the interesting exercise of writing my own code to bypass the Office Guard checks.

    The MSFT AV API allows AV apps to access files under certain circumstances, but in no way dictates how scanning is accomplished, as one can see by the varying detection rates, false positives, etc., from various AV products.

    Contrast this with MSFT's Defrag API.

    ALL defrag programs use the defrag API. The programs differ only in:

    1. The GUI.
    2. The algorithms chosen for laying out the files, but the actual defragging is done by the API.
    3. The efficiency of the implementation.
    4. The impact on other software, e.g., using Perfect Disk, you can still use the Windows built-in defragger, but with, say, Diskeeper you cannot (at least it used to be that way).
     
  10. Bubba

    Bubba Updates Team

    Joined:
    Apr 15, 2002
    Posts:
    11,271
    As Blue asked earlier...."Do you have a specific question here?" as it relates to Nod32?

    While the demonstration concerning "Office Guard in KAV" can be a good topic for discussion....Please confine threads in this Forum to matters concerning Nod32. Feel free to start a thread concerning KAV or other products in a more appropriate forum but keep this thread on topic by discussing DMON Please.

    Thanks,
    Bubba
     
  11. Howard Kaikow

    Howard Kaikow Registered Member

    Joined:
    Apr 10, 2005
    Posts:
    2,802
    I was trying to find out what DMON did, and nobody seems to be able to answer that.

    One of my questions was whether DMON worked along the lines of Office plug-in in NAV or Office Guard in KAV.

    Those questions are appropriate for this forum.

    I'd guess that most users do not understand the impact of Office Guard, and my gut, rather large as it is, expects that NOD32 users are in the same boat, as there does not appear to be adequate documentation of just what DMON does.

    In the case of NAV, the Office plug-in was added merely because, at the time, there were a number of apps that could not run if AutoProtect was enabled. Unless something has changed, if NAV's AutoProtect is enabled, there's no reason to enable the Office plug-in.

    Office Guard in KAV is claiming to offer additional protection, but I described its effect in the demos I posted.

    So, all I am after is whether DMON does anything special?
    I've been surprised that nobody has come up with the answer.
     
  12. BlueZannetti

    BlueZannetti Administrator

    Joined:
    Oct 19, 2003
    Posts:
    6,590
    Howard,

    Actually you were asking a couple of questions and by dancing around the main question with vague inferences it was not clear whether you had an operational issue or not.
    That's debatable since to answer the question someone has to know how both products work in detail.

    As to how DMON works, I'm not a NOD32 guru, I'm a user. From the description, I'd assume that it is primarily directed towards malicious VBA macros embedded in Office documents and scans for known and/or likely malware scripts. I can see where DMON might be of use if AMON is set to scan on Execute only, not on access. Again, I'm just a typical user.

    The likelihood of receiving a direct answer is improved by asking a direct question.

    Blue
     
  13. NOD32 user

    NOD32 user Registered Member

    Joined:
    Jan 23, 2005
    Posts:
    1,766
    Location:
    Australia
    DMON is nothing like the others you mention since only DMON is a part of NOD32.
    Your experience with the others you mention is entirely foreign to me. NOD32 has a very low number of false positives and a very low impact on system performance due to its low footprint and highly optimised code, making it extremely light and fast.

    Most people using NOD32 are not aware of the issues you mention of others because NOD32 does not have the issues that you speak of.

    Cheers :)
     
  14. lodore

    lodore Registered Member

    Joined:
    Jun 22, 2006
    Posts:
    9,006
    The reason Office Guard in Kaspersky has FPs is because it's in the proactive defence module and doesn't rely on signatures. I think you should keep the discussion about NOD32 DMON here and post a thread about Office Guard in Kaspersky in the Kaspersky forum.
    lodore
     
  15. Howard Kaikow

    Howard Kaikow Registered Member

    Joined:
    Apr 10, 2005
    Posts:
    2,802
    The following statement is at the ESET web site.

    The question is what is done in the "additional layer of protection against threats"?
     
  16. Howard Kaikow

    Howard Kaikow Registered Member

    Joined:
    Apr 10, 2005
    Posts:
    2,802
    That is yet to be determined as I've not yet seen an explanation of what is done in the DMON that is not done in AMON.

    I described what NAV and KAV do to demonstrate their approaches.
     
  17. Howard Kaikow

    Howard Kaikow Registered Member

    Joined:
    Apr 10, 2005
    Posts:
    2,802
    I have been doing that.

    I described what NAV and KAV do to demonstrate their approaches.

    The question boils down to what is done in DMON that is not done in AMON.
    If I ASSuME that AMON is using signatures and some sort of heuristics, then what is left for DMON to do?
     
  18. NOD32 user

    NOD32 user Registered Member

    Joined:
    Jan 23, 2005
    Posts:
    1,766
    Location:
    Australia
    In theory only AMON is necessary however more complete protection is offered through the use of DMON in addition to AMON.

    Cheers :)
     
  19. Howard Kaikow

    Howard Kaikow Registered Member

    Joined:
    Apr 10, 2005
    Posts:
    2,802
    Yes, and my question all along has been just what is done for that "more complete protection"?

    ESET really has to have this documented somewhere.
     
  20. Howard Kaikow

    Howard Kaikow Registered Member

    Joined:
    Apr 10, 2005
    Posts:
    2,802
    I've called ESET.
    Let's see if I can get an answer that way.
     
  21. Howard Kaikow

    Howard Kaikow Registered Member

    Joined:
    Apr 10, 2005
    Posts:
    2,802
    I've gotten a response from ESET, but I sent a follow up to make sure as there were surprises (pleasing to me).
     
  22. BFG

    BFG Registered Member

    Joined:
    Oct 27, 2004
    Posts:
    482
    Location:
    San Diego
    Hello,

    At least for Office 2000, when DMON is enabled and a Microsoft Excel, PowerPoint, or Word document is accessed, it will be scanned before being opened. AMON will then scan it AS it is being opened, with the same definitions.

    However, if the parameters in the AMON module differ from those being used in DMON, that would meet the definition of "an extra layer of protection".

    BFG
     
  23. Howard Kaikow

    Howard Kaikow Registered Member

    Joined:
    Apr 10, 2005
    Posts:
    2,802
    If the above is correct, IF DMON really scans the file before the file is OPENed, then DMON is not detecting threats in the global templates and add-ins.
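The two mechanisms argued over in this thread (post 7: the application hands the file to the scanner and must get a clean verdict back before it parses the document; posts 22 and 23: a pre-open hook cannot see templates and add-ins that the application loaded at startup) are easier to reason about with a small model in front of you. The Python below is an added illustration written for this page; it is not ESET's DMON or AMON code and does not use Microsoft's real Office antivirus COM interface. The `Verdict` enum, the `open_document`/`startup_load` functions, the `fail_closed` flag and the byte-pattern "signatures" are all constructed for the example.

```python
"""Model of an on-document-open AV hook: the application asks a registered
scanner for a verdict and parses the file only when the verdict is clean.
Added illustration; not ESET or Microsoft code. All names are constructed."""
from dataclasses import dataclass, field
from enum import Enum
from typing import Callable, Optional


class Verdict(Enum):
    CLEAN = "clean"
    INFECTED = "infected"
    ERROR = "error"          # scanner crashed, timed out, or could not read the file


Scanner = Callable[[bytes], tuple[Verdict, Optional[str]]]

# Constructed stand-in for a signature set: byte pattern -> detection name.
# A real engine would match far more than a literal macro-procedure name.
SIGNATURES = {
    b"Sub AutoOpen": "Macro.Constructed.AutoOpen",   # hypothetical detection name
}


def signature_scan(data: bytes) -> tuple[Verdict, Optional[str]]:
    """Scanner side of the hook: return INFECTED plus a name on a match, else CLEAN."""
    for pattern, name in SIGNATURES.items():
        if pattern in data:
            return Verdict.INFECTED, name
    return Verdict.CLEAN, None


def broken_scanner(data: bytes) -> tuple[Verdict, Optional[str]]:
    """A scanner that fails, to show how the application treats a missing verdict."""
    raise RuntimeError("scanner timeout")


@dataclass
class OpenResult:
    opened: bool
    reason: str


def open_document(data: bytes, scanner: Optional[Scanner],
                  fail_closed: bool = True) -> OpenResult:
    """Application side of the hook (post 7): scan first, parse only on CLEAN.

    With no scanner registered the document opens unscanned, which is what
    leaving the hook disabled looks like. On scanner error, fail_closed keeps
    the document shut; fail_closed=False opens it anyway (the weaker choice).
    """
    if scanner is None:
        return OpenResult(True, "no scanner registered; opened unscanned")
    try:
        verdict, detail = scanner(data)
    except Exception as exc:              # any scanner failure becomes ERROR
        verdict, detail = Verdict.ERROR, str(exc)
    if verdict is Verdict.CLEAN:
        return OpenResult(True, "scanner reported clean; parsing document")
    if verdict is Verdict.INFECTED:
        return OpenResult(False, f"blocked before parsing: {detail}")
    if fail_closed:
        return OpenResult(False, f"blocked: no verdict ({detail})")
    return OpenResult(True, f"opened despite scanner error ({detail})")


@dataclass
class Session:
    """Models post 23's gap: global templates and add-ins are loaded at startup,
    before any document is opened, so the per-document hook never sees them."""
    startup_items: dict[str, bytes]
    loaded: list[str] = field(default_factory=list)
    hooked: list[str] = field(default_factory=list)

    def startup_load(self) -> list[str]:
        # Loaded unconditionally; open_document is never consulted here.
        self.loaded = list(self.startup_items)
        return self.loaded

    def open(self, name: str, data: bytes, scanner: Optional[Scanner]) -> OpenResult:
        result = open_document(data, scanner)
        if result.opened:
            self.hooked.append(name)
        return result


def unscanned_at_startup(session: Session) -> list[str]:
    """Names that were loaded without passing through the open hook."""
    return [n for n in session.loaded if n not in session.hooked]


if __name__ == "__main__":
    # Constructed sample bytes standing in for a template and a document.
    s = Session({"Normal.dot": b"Sub AutoOpen\n MsgBox 1\nEnd Sub"})
    s.startup_load()
    print(s.open("report.doc", b"plain text, no macros", signature_scan))
    print(s.open("evil.doc", b"Sub AutoOpen\nEnd Sub", signature_scan))
    print("never scanned by the hook:", unscanned_at_startup(s))
```

Running the block shows the point of post 23 directly: `Normal.dot` contains the same constructed pattern that blocks `evil.doc`, yet it is reported as never scanned by the hook, because nothing routed the startup load through `open_document`. Whatever catches that has to scan on access or at load time, not only on the open event.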
     
  24. BFG

    BFG Registered Member

    Joined:
    Oct 27, 2004
    Posts:
    482
    Location:
    San Diego
    Hello,

    According to Microsoft it is correct.

    http://office.microsoft.com/en-us/help/HA010552501033.aspx

    Now, taking your statement as fact, shows once again an "extra layer of protection" when scanning with both modules.

    BFG
     
  25. Howard Kaikow

    Howard Kaikow Registered Member

    Joined:
    Apr 10, 2005
    Posts:
    2,802
    Cannot get to the above link using either IE 6 or Firefox 2.
    Their script is likely improperly testing for cookies.
    I, and most sensible people, not that I am sensible, require prompting for cookies and disallow 3rd party cookies.

    In any case, it does not matter what the MSFT article says.

    It is alleged that DMON does something that AMON does not do.
    ESET has to know what that is.
    The MSFT API just facilitates access to the files, it's got nothing to do with what goes on during a scan.
     