I'm evaluating NOD32, and am not sure about AMON...

Discussion in 'NOD32 version 2 Forum' started by HandsOff, Apr 9, 2006.

Thread Status:
Not open for further replies.
  1. HandsOff

    HandsOff Registered Member

    Joined:
    Sep 16, 2003
    Posts:
    1,946
    Location:
    Bay Area, California
    Hi,

    I have finally booted NAV out of my computer, and am currently running the 30 day evaluation of NOD32. For that matter NPF got the boot too, so maybe I should ask is there a particularly good firewall that works with NOD32, or is completely unrelated. Since I had Norton's firewall and antivirus accessed through the same controls I guess I think of AV's and FW's as working together...

    But my main question is about the settings. During setup the installer indicated that AMON was of critical importance to NOD32's ability to prevent infestations. Well, this is not good, because I don't know that I could ever get used to that short delay every time I access a file (which I do constantly). Do people actually use this feature? The delay is only a second or two, but it annoys me so I turned it off. Heck, I didn't have Trojan Hunter's realtime shield on, etc...I wonder how it would handle that? Is it going to check TH checking a suspicious program?

    I could add that Trojan Hunter does not cause any delay at all, but I'm sure it doesn't check as many files, or check them as extensively. Actually, I really don't know...since it causes no delay, I just set it and forget it.

    On the other hand, I think NAV rose from the dead to interfere with AMON. I can't resist telling this to the people here (that mostly hate NAV already). AFTER uninstalling the NAV, and NPF, I searched the registry and found over 3000 entries that were left behind. I deleted most of them. My computer is still running, what do you know?

    Since NOD32 makes a point of being a fast scanner, I have to point out that Norton was just as fast, perhaps faster. This is based on a scan that took NOD32 46 minutes to complete, so enough files to get a pretty complete idea. And this was without AMON running and without checking archives, or self-extracting files, or ADS and using normal heuristics, without adware checking or dangerous program checking (whatever that is).

    As a practical matter, an AV has to be fast and efficient, or I'm not going to use it, or its complete feature set that often. The scanning speed is probably OK, but is NOD32 complete without AMON? And what about all those other MONS? Is there some fat I can cut?

    The profiles for different scanning conditions are a great feature! Their controls are very usable, except, I have not delved into the MON's to see what they are all about. The trial has just begun (today!)


    -HandsOff
     
  2. Notok

    Notok Registered Member

    Joined:
    May 28, 2004
    Posts:
    2,969
    Location:
    Portland, OR (USA)
    You might still have NAV drivers left installed, that happened to me the last time I installed and uninstalled NAV. Enable "Show hidden device drivers" in device manager to see. After that you can also set exclusions for any other scanners you have installed to prevent it from checking everything TH checks. Lastly, enabling "Optimize scanning" in AMON will make it so it only checks each file once until it's modified.

    As for firewalls, I've not really heard of anyone having problems with any specific one. I personally went with Look'n'Stop.
     
  3. WSFuser

    WSFuser Registered Member

    Joined:
    Oct 7, 2004
    Posts:
    10,632
    AMON is NOD32's resident shield and i would not recommend u disable it. also u say it causes a delay and that the on demand scanner is slow? nod32 is one of the fastest and lightest AVs i can think of. i would suspect remnants of Norton causing such issues, or maybe its just ur hardware/config.

    as for the other shields, theres IMON, nod32's pop3 and http scanner. u can disable it but i find it a unique and effective feature.

    EMON - if u dont use outlook, then u can disable this.

    DMON - if u dont have MS office, u can disable this. even if u do have office, u can disable it if u wish, it just scans documents.

    keep in mind that disabling nod32's shield may not cause significant boosts in performance and it doesnt hurt to keep them enabled. also check ur settings against Blackspear's recommended settings (see the sticky)

    as for firewalls, like Notok, i too use looknstop but any firewall will do fine.
     
  4. Blackspear

    Blackspear Global Moderator

    Joined:
    Dec 2, 2002
    Posts:
    15,115
    Location:
    Gold Coast, Queensland, Australia
    I would recommend using the Norton Removal Tool as well as Repairing Winsock as described HERE and then repairing IMON as described in post number 40 HERE

    After this you shouldn't see any delay when using AMON, and it is something that I would recommend to be left turned on.

    Let us know how you go...

    Cheers :D
     
  5. Albinoni

    Albinoni Registered Member

    Joined:
    Feb 17, 2005
    Posts:
    709
    Location:
    Perth, Western Australia
    Just a Q to ask here: why drivers? I thought drivers are only used when you're running an installed piece of hardware like, say, an AGP card, sound card, etc. But NAV is software, not hardware, so how will there be drivers?
     
  6. HandsOff

    HandsOff Registered Member

    Joined:
    Sep 16, 2003
    Posts:
    1,946
    Location:
    Bay Area, California

    Hi Notok-

    Much information in few words from you, as usual. I have not re-evaluated the speed issue since having rooted the last (I believe) remains of Norton programs. But, seriously, 3000 entries left in my registry? I don't know whether to be impressed or upset. I've said only half jokingly in the past, 'If a user can't even stop it, what chance does malware have?'

    The questions that remain are, Is it normal for AMON to cause the slight delays that I noticed, and is NOD32's protection built around this feature?

    I will check on the driver issue now. I'd be a little surprised to see any after all the searching, but you never know.
    *********************************
    ACK! I just checked "Non-plug and Play Drivers" and there are 11 names that sound suspiciously like Norton or Symantec names. The problem is under properties they do not say what the drivers are for. I guess I can google the names if there is no better way. Also, I noticed a driver called "Netbios over TCP". Would that be something to remove, do you know? It's probably not important, but I understand Netbios is not a good thing to have enabled. I realize this is the NOD32 forum, so I don't expect a detailed answer, just a push in the right direction.

    *********************************

    - HandsOff
     
    Last edited: Apr 10, 2006
  7. Notok

    Notok Registered Member

    Joined:
    May 28, 2004
    Posts:
    2,969
    Location:
    Portland, OR (USA)
    Hehehe :) I would check out the Norton Removal Tool that BlackSpear linked, it generally does the trick. And no, leave NetBios, just disable it in the network properties if you don't need it. If it turns out something else on your system needs it, you might be hard pressed to get it back.

    Pretty much all antivirus programs install a file system filter driver. This basically sits on top of your file system driver and intercepts calls to the file system to scan the file before letting the call pass. Some other security software does the same thing, and your firewall does basically the same for your network traffic. It pretty much has to use a driver to work at that level.
     
  8. HandsOff

    HandsOff Registered Member

    Joined:
    Sep 16, 2003
    Posts:
    1,946
    Location:
    Bay Area, California
    WSFuser-

    Thanks for that and your other comments. I mentioned it because I, too, expected it to be a lot faster than Norton, but then, Norton gets a bad rap, I think, when it comes to protection. Norton does have side issues that mar an otherwise good (IMHO) product. For instance, I have tried a significant number of AV's and the only one I found noticeably faster was Kaspersky (with the settings I chose). Some of the ones that enjoy a good reputation are so slow it's ridiculous. Now that I am onto the exclusion for things like my pictures, I can appreciate the value of AMON a lot more.. but there is one thing. Is anyone but me confused by the wording in the object exclusion setup? (see attachment)

    Also, maybe I'm wrong too, but I always worried about Word a great deal when I had it installed. I never did quite get a handle on how to set it up so as not to be so Macro friendly.

    Anyways, Thanks for the advice, it is proving to be quite valuable!

    Note to Albinoni: I kind of wonder about that too sometimes. It seems to be a level for files deeper than we normally see - I never really heard about these until recently when "kernel level drivers" became something that I did know, but wanted, just the same :)

    - HandsOff
     

  9. HandsOff

    HandsOff Registered Member

    Joined:
    Sep 16, 2003
    Posts:
    1,946
    Location:
    Bay Area, California
    I just had to add this, for some comic relief:

    I went to the Symantec site and followed all of the links until I got to the point that said none of the removal tools would work for me, I had to remove everything manually. There is a five page long procedure they outline for doing this. You're going to love what they say to the poor soul who just did everything in the instructions, and still could not remove everything, and this is a direct quote (I couldn't make this up!)

    --------------
    If you cannot delete the file Navshext.dll, read the document Error: "Cannot delete navshext.dll . . ." when deleting the Norton AntiVirus 2002 program folder and then return to this document.
    4. Close Windows Explorer.
    5. If you could not delete one or more of the files or folders listed in these steps, then restart your computer and repeat steps 1 through 5. If you still cannot delete the folders, then you do not need to delete them.
    --------------

    Hahahaha! Isn't that the same as if my mechanic told me, 'I can fix your car, however if it turns out that I can't, then you don't need it fixed!'


    -HandsOff!
     
  10. Think-eDesign

    Think-eDesign Registered Member

    Joined:
    Mar 26, 2006
    Posts:
    29
    Location:
    Logan City
    I wouldn't advise that. EMON doesn't just scan Outlook files. I have always used Thunderbird myself & EMON certainly scans both incoming & outgoing Thunderbird emails.
     
  11. SSK

    SSK Registered Member

    Joined:
    Nov 28, 2004
    Posts:
    976
    Location:
    Amsterdam
    AFAIK IMON is doing that, not EMON :)
     
  12. WSFuser

    WSFuser Registered Member

    Joined:
    Oct 7, 2004
    Posts:
    10,632
    in that picture, how did you open the dialog box that says "Object to exclude from scanning"; did u click on Change or Add?
     
  13. Chris12923

    Chris12923 Registered Member

    Joined:
    May 31, 2004
    Posts:
    1,097
    He clicked "add".

    Thanks,

    Chris
     
  14. WSFuser

    WSFuser Registered Member

    Joined:
    Oct 7, 2004
    Posts:
    10,632
    thats what i suspected

    @handsoff - click "change" instead and then check subfolders.
     
  15. HandsOff

    HandsOff Registered Member

    Joined:
    Sep 16, 2003
    Posts:
    1,946
    Location:
    Bay Area, California
    Hi WSFuser et al.-

    I'm very sorry it's taken so long for me to get back to see your replies. been doing a bit of remodeling here...

    I gather that you get a different dialog if you choose change or add? Not to be hard headed here, but shouldn't the dialog make sense either way? Which is not to say that it doesn't make sense, exactly...ambiguous I guess is the word.

    I do understand your recommendation to use change and add subfolder...does the way that I did it have the same effect?

    -----

    Anyways, NOD 32 is performing very well now. I am still concerned that there are some drivers listed that look like they are from NAV, but there is no longer any sign that they are doing anything. No delays at all with AMON. It's as though it isn't even there...only I know it is because I've seen it spring into action with something I extracted (that NOD flagged as containing malware within an archive).

    Which leads to another question:

    NOD32 recommends it be set to wait for instructions on what to do if it detects something. At first I was thinking this might be unsafe because couldn't the threat be spreading, or causing some problems? I guess you'd say no because AMON would stop it....but would it? Especially, if it were not detected by signatures? But also, I'm not sure what the side effects of waiting might be. If, for example, I am running a back up of hundreds of GB's and something is detected early on, would the back up just stop...basically wasting a lot of time?

    I'm sure there must be reasons for that recommendation, but I was thinking why not fix or remove saving to quarantine, if appropriate? Does that have any disadvantages---is it just as safe?

    Anyway other than that NOD32 looks very strong so far!


    -HandsOff
     
  16. WSFuser

    WSFuser Registered Member

    Joined:
    Oct 7, 2004
    Posts:
    10,632
    add lets you add another folder to the list. change allows u to change the settings for a folder u already excluded.
     
  17. HandsOff

    HandsOff Registered Member

    Joined:
    Sep 16, 2003
    Posts:
    1,946
    Location:
    Bay Area, California
    That makes sense-

    Yes, I figure it makes sense to exempt the over 10,000 image files that I am constantly editing, and re-organizing. Probably I will do the same thing to my thousands of mp3 files. As far as I know these are not inherently dangerous file types, plus most of them have not been obtained via the internet.

    This is one area where the scanning profiles will be of use. As I see it, one should try to do complete scans every so often, but by narrowing the scope of the scan one can create scans that are appropriate for different situations that won't take so long as to be impractical. I know no one likes to leave some files unscanned, but not doing so will mean less scans will be performed. A trade off. Anyone else doing this?

    -HandsOff (Patiently waiting for time-saving scanning advice)
     
  18. alglove

    alglove Registered Member

    Joined:
    Jan 17, 2005
    Posts:
    904
    Location:
    Houston, Texas, USA
    To be honest, I do not know what the effect on your backup program would be. I believe that as long as that warning message is up, NOD32 keeps that file locked. If there is no reply to the warning message, I believe that the message will disappear, but the file will remain locked. How the backup program handles that probably depends on the backup program itself.

    Fixing/deleting and moving to quarantine is certainly a viable option. The main downside is that it removes the possibility of user intervention when the file is detected. In other words, you are not given the option to say, "Wait! Leave that file alone!" Even so, you still have the ability to restore the file from quarantine with a simple right-click, so it is usually not that big a deal.
     
  19. HandsOff

    HandsOff Registered Member

    Joined:
    Sep 16, 2003
    Posts:
    1,946
    Location:
    Bay Area, California
    Alglove-

    That makes perfect sense, I knew there had to be a downside to it. Maybe the default settings are better...hard to decide!

    It would probably be useful if NOD32 would wait, but only for a limited time, then remove. Then you have the best of both worlds. Maybe it could be implemented as "HandsOff Hand Off."

    Oh, by way of updating my NAV situation, I ploddingly looked up the names of the Norton non-plug and play stuff (to be sure I wouldn't be turning off something with just a similar name); there were 6, and most were set to active, on-demand.

    I disabled them all, and after reboot they remained disabled. I suppose at this point I could attempt to uninstall those 6 drivers completely? Oh, heck, I should just do it, and get it over with, huh?


    -HandsOff
     
  20. alglove

    alglove Registered Member

    Joined:
    Jan 17, 2005
    Posts:
    904
    Location:
    Houston, Texas, USA
    Yeah, if your system runs fine with those non-plug and play drivers disabled, you can probably go ahead and uninstall them. It's not like they are going to be used by anything.
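
Added example, not part of any post in this thread: the leftover-driver check discussed above (Device Manager's hidden "Non-Plug and Play Drivers" list) can also be done from PowerShell on current Windows versions, which additionally shows the vendor recorded in each driver file. The script is read-only; the vendor pattern and the helper name `Resolve-DriverPath` are assumptions made for this example.

```powershell
# Added example (not from the thread): list kernel/file-system drivers that
# still reference a removed product, with their state and start mode.
# Read-only: nothing is disabled or deleted.
param(
    # Assumption: vendor names to look for; adjust to the product you removed.
    [string]$VendorPattern = 'Symantec|Norton'
)

# Hypothetical helper: turn the path forms a driver entry can carry
# (\??\C:\..., \SystemRoot\..., system32\drivers\x.sys) into a normal path.
function Resolve-DriverPath {
    param([string]$PathName)
    if ([string]::IsNullOrWhiteSpace($PathName)) { return $null }
    $p = $PathName.Trim('"')
    if ($p.StartsWith('\??\')) { $p = $p.Substring(4) }
    if ($p.StartsWith('\SystemRoot\', [System.StringComparison]::OrdinalIgnoreCase)) {
        $p = Join-Path $env:SystemRoot $p.Substring(12)
    }
    elseif ($p -notmatch '^[A-Za-z]:\\') {
        $p = Join-Path $env:SystemRoot $p
    }
    return $p
}

Get-CimInstance -ClassName Win32_SystemDriver | ForEach-Object {
    $path    = Resolve-DriverPath $_.PathName
    $exists  = [bool]($path -and (Test-Path -LiteralPath $path))
    # The vendor comes from the driver file's version resource, when the file exists.
    $company = if ($exists) { (Get-Item -LiteralPath $path).VersionInfo.CompanyName }

    [pscustomobject]@{
        Name        = $_.Name
        DisplayName = $_.DisplayName
        State       = $_.State        # Running / Stopped
        StartMode   = $_.StartMode    # Boot / System / Auto / Manual / Disabled
        Company     = $company
        FileExists  = $exists         # False = entry left behind, file already gone
        Path        = $path
    }
} | Where-Object {
    # Match on vendor, display name or path so entries whose file was
    # removed (no version resource to read) are still reported.
    "$($_.Company) $($_.DisplayName) $($_.Path)" -match $VendorPattern
} | Sort-Object Name | Format-Table -AutoSize -Wrap
```

A row with `State` Running means the driver is still loaded; a row with `FileExists` False is a driver entry whose file the uninstaller already removed.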
     
  21. HandsOff

    HandsOff Registered Member

    Joined:
    Sep 16, 2003
    Posts:
    1,946
    Location:
    Bay Area, California
    Yes, Norton seems to be history now, however, since I had to manually delete 3000+ values in the registry that Norton left behind...why stop now when only six things remain. The uninstall left all kinds of files in documents and settings and Program files too. It's almost as though they were saying, 'since you are uninstalling us we're going to quit helping you in any way! Good luck finding all the pieces Bwwwwaaaaah.'

    Hey, this is great! I can start capping on Norton like everyone else!!!


    -HandsOff
     