Features

Discussion in 'NOD32 version 2 Forum' started by sir_carew, Jan 13, 2004.

Thread Status:
Not open for further replies.
  1. sir_carew

    sir_carew Registered Member

    Joined:
    Sep 2, 2003
    Posts:
    884
    Location:
    Santiago, Chile
    Hello folk,
    Sorry if I bother you, but I consider that the 2 polls that I've made are important for Eset's guys, because they can know what the clients think.
    I consider that the most important feature to add is AH in AMON. I know that AH can have side effects; for this reason, it can be added as a non-default option in AMON.
    Thanks :D
     
  2. Paul Wilders

    Paul Wilders Administrator

    Joined:
    Jul 1, 2001
    Posts:
    12,472
    Location:
    The Netherlands
    Sir Carew,

    No offense intended - but your first poll has been moved to the Polls Forum, since it's general by nature. This one is specifically aimed at NOD32 features, and therefore will stay up over here ;)

    regards.

    paul
     
  3. sir_carew

    sir_carew Registered Member

    I understand Paul, no problem ;)
    For the people, if you choose "Other", please specify what.
    Thanks.
     
  4. Ainur

    Ainur Guest

    Behaviour blocking? I took it for granted that Nod already had such a feature!!! :eek: :eek: Otherwise, how is it supposed to have stopped the "ILoveYou" worm & other script sh*t ?

    Anyways, Super-heuristics would be good for Nod, but care must be taken not to slow it down - that's the prob.

    And you left out an EXTREMELY important feature, which apparently no AV yet has: a memory scanner for AMON. Some ATs such as TH (Trojan Hunter) have that, but of course for trojans, not virii/worms.
    Normally, all memory-resident guards just reside in memory, but don't scan it: they're just on-(HDD)access scanners, only scanning accessed files.

    A memory scanner for AMON would give it a definite headstart over its competitors as that is the ONLY solution against a virus packed in any runtime packer (even custom-made)!
    And I'm sure such a feature wouldn't even slow down the AV noticeably - look at TH for example: it's lightning fast..
     
  5. bigc73542

    bigc73542 Retired Moderator

    Joined:
    Sep 21, 2003
    Posts:
    23,873
    Location:
    SW. Oklahoma
    There are several av's that scan the memory. Just one that comes to mind is quick heal.
     

  6. Ainur

    Ainur Guest

    No, no, no :rolleyes: ALL decent AVs, like Nod32, Dr Web, F-secure, etc.. have a memory scanning for their ON-DEMAND scanners.

    But I was talking about a memory scanner for the memory-resident module (ie. AMON in the case of Nod32) - so far, no AV to my knowledge has that, and only a few ATs such as TH, TDS and maybe BoClean..
     
  7. sir_carew

    sir_carew Registered Member

    Hello,
    NOD doesn't have a behaviour blocker; however, it can detect many VBS and JS scripts and macro viruses. NOD detects many of them via its heuristic engine or pattern engine like others, but a behaviour blocker uses another method than heuristics and patterns. For example, when you or Internet Explorer open a VBS script, the behaviour blocker will look in this script for malicious code or code typical of viruses/worms/trojans; if it finds in the code that a certain string is used to delete .doc documents, it will stop the script and show options to stop and delete the script or allow it.
    Note: KAV Script Checker isn't a behaviour blocker; it uses a heuristic engine separate from the heuristic engine that KAV Scanner or others use. However, KAV Office Guard is a behaviour blocker. A behaviour blocker can be implemented to stop scripts of all types, macro viruses and batch scripts (instructions) (including ABAP; however, few ABAP, Corel, etc. script viruses exist and it isn't necessary).
     
  8. bigc73542

    bigc73542 Retired Moderator

    Well, you might want to do a little more research on memory scanning. I don't particularly like Quick Heal, but it scans the memory with the on-access scanner and so does McAfee. These two I am sure about, and I am sure there are more. Panda Titanium and Panda Platinum also use the resident on-access scanner to scan the memory. I would have to do a little research but I am sure I can find that info again. :cool:
     

  9. sir_carew

    sir_carew Registered Member

    KAV scans the memory too.
    I'll investigate if NOD does this.
     
  10. sir_carew

    sir_carew Registered Member

    Hello everyone ;)
    I consider it very important that Eset add AH in AMON in the next release. AH is not only effective at detecting mass-mailing worms, it's also effective at detecting new P2P worms and Trojans, so it's very important that an on-access scanner like AMON include such a feature and not only IMON. I know that Eset's argument is that this will slow down the computer; it's a good argument :D, however Eset can make such an option non-default and, if you enable it, an alert will appear saying that this option can slow down the computer...
    I've scanned my HDD with AH and without AH, and the time it takes with AH in comparison to without AH is insignificant.
    I'm posting this because I personally think that, and it is the most voted feature :)
     
  11. Mele20

    Mele20 Former Poster

    Joined:
    Apr 29, 2002
    Posts:
    2,495
    Location:
    Hilo, Hawaii
    What the heck is "snooze" AMON o_O?

    I am in a minority. I voted to see improvements in quarantine. NOD handles that poorly and that needs fixing immediately because most of us assume that NOD MOVES the infected file to quarantine like every other av I have ever used does. Instead NOD COPIES the infected file to quarantine and leaves the infected file where it found it! That is awful and dangerous and should have been fixed a long time ago. I came to NOD from NAV and before that PCC and McAfee and Panda and they all properly quarantine the file. I thought that was what NOD was doing...stunned me to learn it wasn't! Also, the on demand scanner should not stop and sit on an infected file and wait for you to notice...I can't run a scheduled scan as NOD stops every time it gets to an infected file. It copies to quarantine but then just sits. It should automatically MOVE not COPY the file to quarantine and then go on scanning and at the end give me a report. Then I can go to quarantine and decide what I want to do. That is how every other av handles it. NOD should also.

    I do NOT want AMON to use AH. It is sufficient to have AH as command line scanning. If it is made optional then that is ok with me IF Eset fixes other things first such as the quarantine confusion. I would also like to see "Add behaviour blockers like script checker of NAV" although I use Script Sentry so it really isn't that important, but for those not using Script Sentry I can see where this would be a good thing. I don't use IMON so I could care less about scanning outgoing mail...talk about overkill!

       
     
  12. Ainur

    Ainur Guest

    All these AVs' on-demand scanners scan the memory, but it is not so for their memory-resident guards, which only scan the HDD.

    Again, KAV's on-demand scanner scans the memory, but its memory-resident module does NOT..
     
  13. sir_carew

    sir_carew Registered Member

    Ainur, KAV Monitor scans the memory. If you have KAV, please follow these steps: enter KAV CC, stop KAV Monitor, then turn on KAV Monitor and read the log that appears on the right of the screen. It says: Scanning Memory, scanning MBR, and starts to scan the files.
     
  14. anotherjack

    anotherjack Registered Member

    Joined:
    Jun 13, 2003
    Posts:
    224
    Location:
    Louisiana
    PCU (engine) updates without requiring a restart. Don't like having to reboot the servers to get the latest engine revs.
     
  15. Phil_S

    Phil_S Registered Member

    Joined:
    Nov 13, 2003
    Posts:
    152
    Location:
    UK
    Hmm. That's how NOD does it for me, because I have it configured to copy an infected file to quarantine, and then delete the original file. I don't get a prompt every time it finds an infected file because I've already told NOD exactly what to do with it, and I know if it finds an infected file because it sends me an email!

    I think NOD only stops if you configure it to by selecting "Notify/offer an action" in the settings. I think the variety of actions you can select with NOD is actually more powerful than some other AV software.

    I ran McAfee for several years and that would always halt with a prompt requiring user input before a scan would continue.
     
  16. sir_carew

    sir_carew Registered Member

    More options for quarantine are a good suggestion to implement in a next version. More quarantine options for me are: the possibility to delete the file from the original path, to submit it to Eset directly without needing to write an e-mail message, like NAV, and, when AMON finds a virus, the prompt window can have an option to quarantine the file too.
     
  17. bigc73542

    bigc73542 Retired Moderator

    Ainur, I called the support number for Panda and McAfee and they say that their resident on-access scanners definitely do scan the memory by default.
     
  18. Aggressor

    Aggressor Registered Member

    Joined:
    Nov 21, 2003
    Posts:
    28
    Location:
    here
    sir-carew & bigc>

    U are BOTH wrong! :D

    these AVs' monitors may scan the memory, but ONLY upon startup (like the on-demand scanners), not while running! Besides, IF they did continuously scan the memory (ie. while running), they would shout about it all over the world, for that would make them impervious to ANY runtime-packed virus/worm, therefore much, MUCH better than Nod32 :eek:
     
  19. Ainur

    Ainur Guest

    Yeah, that's what I meant, the mem-resident guards don't scan RAM "while running" (unlike what TH and TDS do). Thx for clearing things up ;)
     
  20. Ainur

    Ainur Guest

    Yeah, that's what I meant, the mem-resident guards don't scan RAM "while running" (unlike what TH and TDS do). Thx for clearing things up ;)
     
  21. gunnarj

    gunnarj Registered Member

    Joined:
    Jun 8, 2002
    Posts:
    80

    Ainur,

    I thought your description of what you meant was quite clear.

    I was beginning to think about knockin' my noggin against the wall by the responses you were getting! :D
     
  22. Ainur

    Ainur Guest

    OK thx gun - at least 2 other great minds here, U & Morgoth (jus kidding, no offense intended for the others :D)

    Am I 2 gather U also agree with me concerning this necessary feature for Nod32 (memory-scanning ability for the memory-resident guard) ?

    If so, do you happen 2 know of any AV that works this way against virii/worms just as TH works against trojans?
     
  23. sir_carew

    sir_carew Registered Member

    It isn't necessary for an AV to scan the memory while the Monitor is running; it's only necessary when the computer starts, because it scans the loaded files in the memory, and if it blocks and scans all opened files, it isn't necessary for the monitor to scan the memory all the time.
    Read the following scenario: the AV starts and scans the memory; if it's infected, the AV can fix this. If the memory is OK, no problem. If you open an infected file and the AV stops the infected file, no problem; however, if the AV doesn't deny the execution of the file, the memory will be infected. However, if a certain monitor SCANS THE MEMORY UPON STARTUP, and later SCANS ALL EXECUTED OR OPENED FILES, the "all the time scan of memory" isn't necessary.
     
  24. sir_carew

    sir_carew Registered Member

    Another useful feature to implement is the ability to save the settings in archives like KAV, ZAPRO, Kerio.
     