Exclusion Issues & Serious Concerns About Self Defense

Discussion in 'ESET NOD32 Antivirus' started by TPS Reports, Nov 16, 2007.

Thread Status:
Not open for further replies.
  1. TPS Reports

    TPS Reports Registered Member

    Joined:
    Nov 16, 2007
    Posts:
    4
    Location:
    Kingdom of George
    UPDATE #3 Consider me a less than satisfied customer. I purchased a 2-user license of NOD32, primarily for the ability to exclude certain directories (+subdirectories) whenever I wanted to do a manual scan of a given drive. I have 100s of thousands of files that are archived on different drives, that I do not want to repeatedly scan. I do, however, want to be able to manually scan other files on those same drives, whenever I wish. Whenever I list an exclusion (e.g., "D:\DATA\*.*") and then do a manual scan of drive D:\, NOD32 scans all the files in D:\DATA\*.* anyway. In my case, it is an issue of time and resources. I don't want NOD32 spending 3 hours scanning files that I specifically excluded. I uninstalled version 3 and installed version 2.7 = same exact result. ESET might as well acknowledge that the Exclusion feature does not work as advertised. I am disappointed that not one ESET staffer has responded to this thread (over 500 views). I think there is a message there.

    UPDATE #2 - When I originally posted this topic, I thought my problems with "Exclusions" would be quickly explained and resolved. This expectation was loosely based on the fact that I had read numerous (recent) threads with responses from posters who appear to be ESET employees (the term "we" was often used in their responses to various problems). If ESET staff are reading this, how about some help? The only response I have received from tech support was an email that said - "Your request for support has been received and will be reviewed shortly. Case #61701 - "exclusion is not working properly" has been created for you." Maybe I am expecting too much, or too soon? I will give this a couple more days and then, if there is no response, write it off as a bad choice/waste of money and move on to something that works as advertised. Thanks to Rupert for the initial responses to this thread.

    UPDATE #1
    I tried terminating the ekrn.exe process in Task Manager and it appears to have been terminated. No warning messages that program was locked by system, etc.

    Also, none of the exclusions are working for me now. This is a major pain, because I prefer to do periodic scans but NOT for the older archived files. If the exclusion option was working, it would be a tremendous time saver. I would like to try version 2.7 to see if it works as it is supposed to.

    * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *
    Hello - I am a new poster to this forum but have perused it many times over the years. It is one of my go-to sources for reliable information. I just purchased a 2-user license for NOD32 (3.0.563) and installed it on my clean system. I have encountered 3 immediate issues that I would like to share with the ESET community and hopefully someone can help in resolution. I also called ESET Tech Support and emailed detailed info to them. I will share their response as soon as I receive it. [I should note, ESET phone support is excellent. I was quickly in contact with a human - no endless loops of recorded menus - and she was extremely courteous.]

    ISSUES:
    1) The scan times were slow. 3.2 hours to scan 740,000 files on (2) 320GB SATA drives. Kaspersky (KAV 7.0) scanned the same drives in 1.23 hours (number of files differed slightly = 728,000). This is not a life or death issue with me, but one of the selling points for NOD32 was the speed advantage, particularly over KAV 7.0.

    2) Exclusions - I have 8 logical drives on the 2 physical SATA HDDs in my system. I have some archived files and some music files that don't need to be repeatedly scanned and that I want to exclude. If I opt to exclude " D:\DATA\*.* ", I expect the scanner to skip this directory and all of its subdirectories (24) when I do a manual (custom) scan. It does. This specific option works exactly as it is supposed to. Unfortunately, this is the only one that works. If I exclude " E:\Music\*.* ", then run a scan of drive E:\, the scanner scans every single file in " E:\Music " and every single file in all the subdirectories of " E:\Music\*.* ". This same anomaly occurs for every other exclusion that I choose - EXCEPT for " D:\DATA\*.* ". Tech support seems at a loss for this odd behavior, but is working on the problem. For clarification, my system is set up thusly:

    Windows XP Pro SP2
    SATA Drive 0 = C:\, D:\, E:\, F:\
    SATA Drive 1 = G:\, H:\, I:\, J:\
    AMD X2 3800+
    Comodo Firewall Pro 2.4.18.184
    WinPatrol 12
    Absolutely clean system (no malware)

    This exclusion feature is extremely important to me. KAV 7.0 worked fine on the same system, using various exclusions. (BTW, Norton Ghost image used between installations of KAV and NOD32 to ensure clean slate).

    3) No Self-Defense? - When NOD32 is set up to display in Advanced Mode, and I go to the menu item "Setup" (upper right hand corner) and click on "Advanced Setup" from the drop-down box, the entire NOD32 program freezes. Nothing can be accessed and the program cannot be minimized or closed. The only way to close the open menus is to use the Windows Task Manager and end the "egui.exe" process. This actually kills NOD32 and it has to be restarted from the Start>Programs menu. This is a huge concern. KAV 7 (and most other high end antivirus apps) have a self defense mechanism that prevents such easy termination of protection. This is obviously the biggest issue here. I would like the "freeze/lockup" bug addressed, but I am worried that using NOD32 will make me a sitting duck for any malware that focuses on terminating the AV process.

    If anyone else has experienced these problems with version 3 and has a solution, it would be appreciated. I have never used v. 2.7, so don't know if these are teething problems for a major update or not. Thanks for any help.
     
    Last edited: Nov 20, 2007
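The behaviour the poster expects from an exclusion such as "D:\DATA\*.*" (skip the directory and every subdirectory, regardless of letter case) is easy to state but easy to get subtly wrong, for example by letting "E:\Music" also swallow "E:\Music2", or by letting a single-directory wildcard such "C:\fw\logs\*.log" match files in deeper subfolders. The following is an added illustration of those semantics, not code from the thread or from ESET; the exclusion rules, the sample file list and the helper names are all constructed here, and the Windows-style path handling is done with ntpath so it runs on any platform.

```python
import fnmatch
import ntpath


def _norm(path: str) -> str:
    """Normalise a Windows path: collapse separators and lower-case it
    (NTFS lookups are case-insensitive, so exclusions must be too)."""
    return ntpath.normcase(ntpath.normpath(path.strip()))


def is_excluded(file_path: str, exclusions) -> bool:
    """Return True if file_path is covered by any exclusion rule.

    Rule forms handled (these are the semantics the post describes, not
    a claim about how any particular product parses its settings):
      * "D:\\DATA\\*.*" or "D:\\DATA\\"  -> the directory and its whole subtree
      * "C:\\fw\\logs\\*.log"             -> matching files in that one directory
      * "C:\\fw\\logs\\today.log"         -> exactly that file
    """
    f = _norm(file_path)
    for rule in exclusions:
        r = _norm(rule)
        if r.endswith("\\*.*") or rule.strip().endswith(("\\", "/")):
            # Subtree rule. Strip the "\*.*" (normpath already removed a
            # trailing separator) and require a separator after the root,
            # so "e:\music" does not also exclude "e:\music2\...".
            root = r[:-4] if r.endswith("\\*.*") else r
            if f == root or f.startswith(root + "\\"):
                return True
        elif any(ch in r for ch in "*?["):
            # Single-directory glob: directory must match exactly, and the
            # wildcard applies to the file name only (no descent).
            if ntpath.dirname(f) == ntpath.dirname(r) and fnmatch.fnmatchcase(
                ntpath.basename(f), ntpath.basename(r)
            ):
                return True
        elif f == r:
            return True
    return False


def scan_plan(files, exclusions):
    """Split a candidate file list into (to_scan, skipped) using the rules.
    A scanner that honoured its exclusions would only open the first list."""
    to_scan, skipped = [], []
    for path in files:
        (skipped if is_excluded(path, exclusions) else to_scan).append(path)
    return to_scan, skipped


# Constructed sample: a small stand-in for the poster's drive layout.
SAMPLE_RULES = [r"D:\DATA\*.*", r"E:\Music\*.*", r"C:\fw\logs\*.log"]
SAMPLE_FILES = [
    r"D:\DATA\archive\2006\backup.zip",   # under an excluded subtree
    r"D:\DATABASE\live.mdb",              # prefix trap: must still be scanned
    r"e:\music\artist\track.mp3",         # different case, still excluded
    r"E:\Other\setup.exe",
    r"C:\fw\logs\today.log",              # glob in that directory
    r"C:\fw\logs\archive\old.log",        # one level deeper: not excluded
    r"C:\fw\logs\config.txt",             # wrong extension: not excluded
]

if __name__ == "__main__":
    scan, skip = scan_plan(SAMPLE_FILES, SAMPLE_RULES)
    print("scan   :", *scan, sep="\n  ")
    print("skipped:", *skip, sep="\n  ")
```

The two traps worth remembering when writing or testing such rules are the missing trailing separator on a directory prefix and a wildcard that silently descends into subdirectories; the sample list above exercises both.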
  2. _Rupert_

    _Rupert_ Registered Member

    Joined:
    Jan 3, 2006
    Posts:
    61
    Location:
    United Kingdom
    Hi TPS_Reports, welcome to Wilders!

    I can't comment on points 1 & 2 because I've downgraded back to v2.7 for the time being.

    However, regarding point 3. The fact that egui.exe can be terminated is a non-issue really, as this is just the interface. When egui has been terminated, the system is still protected against malware. (You can test this by trying to download the EICAR file).

    However, there is an issue regarding the self-protection, or lack of it.
    The process that is important is "ekrn.exe"; if you're running Vista, you'll have to show processes from all users to see this. This can't actually be terminated because it's an NT service that automatically restarts; however, ekrn.exe can be renamed (which is the problem), and then terminated, and this time, due to the name change, it naturally doesn't restart.
    When ekrn.exe is killed, all protection is gone (yet the Internet connection remains active!).

    You can simulate this with the following commands:
    Code:
    ren %SYSTEMDRIVE%\PROGRA~1\ESET\ESETNO~1\ekrn.exe renamed.exe
    %systemroot%\system32\taskkill /IM ekrn.exe /f
    
    I am in complete agreement that this behaviour needs to be prevented so NOD can withstand malware that does the above.
    ESET have replied to this concern briefly here.
     
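The weakness Rupert describes is that the service's restart logic keys on the image name, so a renamed copy runs without protection and dies without being restarted. From the defender's side the useful question is how to notice that state on a host. The check below is an added example, not code from the thread or from ESET: it takes a snapshot of running processes (here a constructed list, with made-up SHA-256 values standing in for real image hashes) and reports when the known AV kernel image is absent, or is running under a different name than expected. The expected install path and the KNOWN_EKRN_SHA256 constant are assumptions to be replaced with values taken from a known-good installation.

```python
import hashlib
from dataclasses import dataclass

# Assumed defaults: the long-name form of the PROGRA~1\ESET\ESETNO~1 path
# quoted in the thread, and a placeholder hash of a known-good ekrn.exe.
EXPECTED_EKRN = r"C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe"
KNOWN_EKRN_SHA256 = "a" * 64  # placeholder: record the real value from a clean install


@dataclass(frozen=True)
class Proc:
    pid: int
    name: str    # image name as a process list shows it
    exe: str     # full path of the image being executed
    sha256: str  # hash of that image file on disk


def hash_file(path: str) -> str:
    """SHA-256 of a file; used when building a live snapshot (not called on
    the constructed sample below)."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def check_av_kernel(processes, expected_exe=EXPECTED_EKRN,
                    known_hash=KNOWN_EKRN_SHA256):
    """Return a list of findings (empty list == healthy).

    Two conditions are reported:
      * the AV kernel image is running under a name other than the expected
        one (identified by file hash, since a rename keeps the bytes intact)
      * no process is executing the expected image at all
    """
    expected_name = expected_exe.rsplit("\\", 1)[-1].lower()
    findings = []
    running_as_expected = False
    for p in processes:
        if p.sha256.lower() == known_hash.lower() and p.name.lower() != expected_name:
            findings.append(
                f"AV kernel image running under a different name: "
                f"pid {p.pid} {p.exe} (expected {expected_name})"
            )
        if p.exe.lower() == expected_exe.lower():
            running_as_expected = True
    if not running_as_expected:
        findings.append(f"{expected_name} is not running: real-time protection is down")
    return findings


# Constructed snapshots. The hashes are invented placeholders.
ESET_DIR = r"C:\Program Files\ESET\ESET NOD32 Antivirus"
HEALTHY = [
    Proc(4, "System", r"C:\Windows\System32\ntoskrnl.exe", "0" * 64),
    Proc(1234, "ekrn.exe", ESET_DIR + r"\ekrn.exe", KNOWN_EKRN_SHA256),
    Proc(2345, "egui.exe", ESET_DIR + r"\egui.exe", "b" * 64),
]
RENAMED = [
    Proc(4, "System", r"C:\Windows\System32\ntoskrnl.exe", "0" * 64),
    Proc(1234, "renamed.exe", ESET_DIR + r"\renamed.exe", KNOWN_EKRN_SHA256),
    Proc(2345, "egui.exe", ESET_DIR + r"\egui.exe", "b" * 64),
]
KILLED = [
    Proc(4, "System", r"C:\Windows\System32\ntoskrnl.exe", "0" * 64),
    Proc(2345, "egui.exe", ESET_DIR + r"\egui.exe", "b" * 64),
]

if __name__ == "__main__":
    for label, snap in (("healthy", HEALTHY), ("renamed", RENAMED), ("killed", KILLED)):
        print(label, "->", check_av_kernel(snap) or "OK")
```

On a real host the snapshot would be built from the platform's process listing (image path plus hash_file on that path); the point of hashing rather than trusting the name is that a rename changes only the name, so the file's hash still identifies it as the AV kernel. Note that egui.exe living in the same directory does not trigger the rename finding, because its hash differs.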
  3. TPS Reports

    TPS Reports Registered Member

    Joined:
    Nov 16, 2007
    Posts:
    4
    Location:
    Kingdom of George
    Rupert - Thanks for that reply. Does version 2.7 protect against the renaming/termination procedure you describe? If so, how do I get a copy of version 2.7 ? And does that change my licensing status in any way? Thanks again.
     
  4. _Rupert_

    _Rupert_ Registered Member

    Joined:
    Jan 3, 2006
    Posts:
    61
    Location:
    United Kingdom
    Hi TPS Reports,

    Unfortunately 2.7 is also vulnerable to the same flaw. It functions exactly the same in the self-protection context. Renaming "nod32krn.exe" then allows the process to be permanently terminated, and unfortunately the rename is not resisted.

    2.7 will not alter your license status. You're free to use either NOD32 v2.70.39, or EAV.
    2.7 can be downloaded with your user name and password here: http://www.eset.com/download/balance.php?dir=/download/win/v2st/ndntenst.exe

    It should be noted that 2.x isn't being developed now (I assume), so 2.70.39 will most likely be the final version in the 2.x family unless a severe bug is discovered and many people are using it (although one could quite rightly argue that a severe bug exists in both versions -- namely the one we're discussing!).

    Hth.
     
  5. TPS Reports

    TPS Reports Registered Member

    Joined:
    Nov 16, 2007
    Posts:
    4
    Location:
    Kingdom of George
    Rupert - Thanks for the link. I downloaded 2.7 and will try it tomorrow. Hopefully, the "Exclusions" option will work on that version. The lack of self-defense will apparently depend on a patch or update.
     
  6. msrourke

    msrourke Registered Member

    Joined:
    Dec 11, 2006
    Posts:
    17
    I have 2.75 on XP SP2. Exclusions does not work for me. I added my firewall's folder with subfolders enabled. I can sit and watch AMON scan the fw's log files as they are updated. I then added the log folder specifically, same deal. So I added each log file individually.... guess what? Yep, still scanned by AMON... :cautious:
     
  7. TPS Reports

    TPS Reports Registered Member

    Joined:
    Nov 16, 2007
    Posts:
    4
    Location:
    Kingdom of George
    msrourke - Thanks for that reply. Looks like a problem that has been around for a while. I wish someone from Eset would respond to this. I purchased my two licenses (direct from Eset). I am hoping they will quickly resolve this issue for all of us.

    EDIT I toned down my original post. Don't want to knock Eset without giving them a chance to fix these issues. I'm just a little frustrated.
     
    Last edited: Nov 19, 2007