error Opening (File Locked) [4]

Discussion in 'NOD32 version 2 Forum' started by OmegaNemesis, Aug 28, 2006.

Thread Status:
Not open for further replies.
  1. OmegaNemesis

    OmegaNemesis Registered Member

    Joined:
    Aug 28, 2006
    Posts:
    7
    I've had NOD32 for quite some time now, following the almighty Blackspear's setup for NOD32 a while back, but I have yet to ask about this question.

    All of NOD32 On-Demand Scanner's scan on C: drive comes up C:/whateverfolder/whateverfile:error opening (File Locked) [4]

    Is this normal for all of my files to come up with that file locked thing? o_O

    PS - C:/whateverfolder/whatever file does not come up, I'm just giving an example, lol :rolleyes:
     
  2. WSFuser

    WSFuser Registered Member

    Joined:
    Oct 7, 2004
    Posts:
    10,632
    That is normal for some (but not all) files. The message simply means that they could not be scanned. There could be several reasons, such as:

    • they're system files (like the page and hibernation file)
    • they're password protected
    • they're private files from other users
     
  3. OmegaNemesis

    OmegaNemesis Registered Member

    Joined:
    Aug 28, 2006
    Posts:
    7
    Hmmm, at least 95% of all my files turn up locked.... don't know how, I have no passwords on my computer and I always do a scan during Safe Mode....
     
  4. WSFuser

    WSFuser Registered Member

    Joined:
    Oct 7, 2004
    Posts:
    10,632
    95%, are you sure? What if you do the scan in normal Windows?
     
  5. Blackspear

    Blackspear Global Moderator

    Joined:
    Dec 2, 2002
    Posts:
    15,115
    Location:
    Gold Coast, Queensland, Australia
  6. OmegaNemesis

    OmegaNemesis Registered Member

    Joined:
    Aug 28, 2006
    Posts:
    7

    This is the same thread I used to set up my NOD32 so, I've already read all of it.

    EDIT:

    You know what......I think I understand it now. I was gonna post a log but... when running NOD32, in the Scanning Log tab, the files and locations that appear are only the ones that cannot be scanned or are infected? I think I was thinking that those were the files it scanned, my bad.
     
  7. trjam

    trjam Registered Member

    Joined:
    Aug 18, 2006
    Posts:
    9,057
    Location:
    North Carolina
    My problem is Nod32 is only scanning 90 percent of my files, at best, then what the heck are Kas and Bit scanning. I see file names they are scanning that Nod isn't. I am not complaining but really trying to figure out who does a better job. Scan time isn't as important as accuracy. Blackspear, you yourself said that infections could be in our locked files, so.....
     
  8. WSFuser

    WSFuser Registered Member

    Joined:
    Oct 7, 2004
    Posts:
    10,632
    It could be that you have packed executables that NOD32 doesn't support but KAV/BD do.
     
  9. trjam

    trjam Registered Member

    Joined:
    Aug 18, 2006
    Posts:
    9,057
    Location:
    North Carolina
    Fine, but shouldn't they be scanned?
     
  10. trjam

    trjam Registered Member

    Joined:
    Aug 18, 2006
    Posts:
    9,057
    Location:
    North Carolina
    This was sent to me tonight.


    This is actually a DESIGN BUG OF MOST (ALL?) Antivirus & trojan
    scanners. (ROOTKIT SCANNERS already DO THIS) This issue is a MORE
    THAN 1 YEAR OLD stuff but I see no fix till now!!!!

    lately I've ONLY tested it on the following AV & few other spyware
    scanner & saw it's still NOT fixed!

    Kaspersky Anti-Virus 6.x (latest)
    BitDefender 9 Professional Plus (latest)
    NOD32 (latest)

    OS tested: WINxp sp2

    to keep things simple, let me give you a situation;

    if there is a directory/file an EVIL_USER is willing to hide from
    antivirus scanner all he has to do is fire up a command prompt & run
    the command;

    cacls.exe TROJANED_FILE_OR_DIRECTORY_NAME /T /C /P EVIL_USER:R


    next time EVEN when the administrator starts the antivirus "system
    scan" the TROJANED_FILE_OR_DIRECTORY_NAME will be effectively
    bypassed as the ownership of the directory is just of the user account
    named; EVIL_USER and the antivirus "manual scan" is running just with
    the privilege of ADMINISTRATOR


    by this way a malicious executable can remain hidden in the system
    BYPASSING THE SCAN even when the AV scanner is run by administrator!!!

    BUT there isn't a compulsion that there should be a user with a
    malicious intention to get this condition & bypass the scan.

    there is another DUMB equivalent of the above cacls.exe command;
    Right click a folder, Properties > Sharing Tab >> Check on the tick
    mark of >> Make this Folder Private

    by doing so a user might be thinking he is making a folder
    not_accessible_to_any_other_system_user BUT by doing so... the
    directory gets effectively skipped by an AV scanner vulnerable to this
    trick.


    SOLUTION:
    AV already running with administrative privilege if the system
    administrator is starting manual scan, so what AV should do is
    escalate its (manual scan) OF THE ANTIVIRUS SCANNER ENGINE/DRIVER (not
    the GUI) privilege to SYSTEM before starting the scan which will
    effectively bypass file permission & be able to scan the locked file
    with any file permission in Windows!

    And one more thing, if during AV scan a file can't be opened due to
    some processes LOCKING the file.... Instead of going through the
    regular file open process AV should instead directly read the SECTORS
    of the hdd holding the locked file and examine if there is something
    malicious (which still some AV don't do & instead just report the
    file(s) as locked!)

    am i clear? o_O Discussions, welcome!
     
  11. NOD32 user

    NOD32 user Registered Member

    Joined:
    Jan 23, 2005
    Posts:
    1,766
    Location:
    Australia
    The NOD32 task scheduler when used like here runs the scan as NT AUTHORITY\SYSTEM
    Does that answer your question?

    NOTE: IMHO it's well worth using a password for your NOD32 settings.

    Cheers :)
     
    Last edited: Sep 1, 2006
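
A triage of the scan log for the situation discussed in posts 2, 6 and 10, as an added example that is not part of the thread or of NOD32: it drops the page and hibernation files that post 2 calls normal and groups the remaining "File Locked" entries by directory, so a folder whose contents were skipped wholesale stands out for an ACL check. The log-line shape is assumed from the first post's paraphrase; the sample lines and the `unscanned_clusters` name are constructed for illustration.

```python
import re
from collections import defaultdict
from pathlib import PureWindowsPath

# Line shape assumed from the thread's paraphrase:
#   "<path>:error opening (File Locked) [4]"
LOCKED = re.compile(
    r"^(?P<path>.+?)\s*:\s*error opening \(File Locked\) \[4\]\s*$", re.I)

# Files the thread names as normally locked (page and hibernation file).
EXPECTED = {"pagefile.sys", "hiberfil.sys"}

def unscanned_clusters(log_lines, min_files=3):
    """Return [(directory, [file names])] for directories holding at least
    min_files unexpected 'File Locked' entries, largest cluster first."""
    by_dir = defaultdict(list)
    for line in log_lines:
        m = LOCKED.match(line.strip())
        if not m:
            continue  # other log messages (e.g. detections) are not triaged here
        path = PureWindowsPath(m.group("path"))
        if path.name.lower() in EXPECTED:
            continue
        # PureWindowsPath accepts / or \ and compares case-insensitively,
        # so "stash" and "Stash" land in the same bucket.
        by_dir[path.parent].append(path.name)
    clusters = [(str(d), names) for d, names in by_dir.items()
                if len(names) >= min_files]
    return sorted(clusters, key=lambda c: (-len(c[1]), c[0].lower()))

# Constructed sample log (not real NOD32 output).
SAMPLE_LOG = r"""
C:/pagefile.sys:error opening (File Locked) [4]
C:/hiberfil.sys:error opening (File Locked) [4]
C:/Documents and Settings/guest/stash/a.exe:error opening (File Locked) [4]
C:/Documents and Settings/guest/Stash/b.dll:error opening (File Locked) [4]
C:\Documents and Settings\guest\stash\c.scr:error opening (File Locked) [4]
C:/WINDOWS/system32/config/SAM:error opening (File Locked) [4]
""".splitlines()

if __name__ == "__main__":
    for directory, names in unscanned_clusters(SAMPLE_LOG):
        print(f"{len(names)} unscanned files in {directory}: review its ACL")
```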