IMON, Firefox and Higher Efficiency

Discussion in 'NOD32 version 2 Forum' started by Mover, Oct 16, 2005.

Thread Status:
Not open for further replies.
  1. Mover

    Mover Registered Member

    Joined:
    Oct 1, 2005
    Posts:
    165
    I was changing IMON's setting and using the eicar test site to get a feel of how IMON and Firefox function together. I was a little surprised by what was happening when changing the Higher Compatibility/Higher Efficiency settings. Below are two tests I ran.

    IMON - SETUP - HTTP - Client compatibility - Firefox - Higher compatibility
    The IMON popup warning shows up twice when I try to download eicar.
    I have to press 'Terminate' twice. When trying to open the eicar file in Firefox's download dialog box, I get the message 'eicar does not exist. It may have been deleted, removed, renamed....' which is great.

    IMON - SETUP - HTTP - Client compatibility - Firefox - Higher Efficiency
    The IMON popup warning shows up once and the file gets downloaded to disk!! (partially) even though I press 'Terminate' on the warning popup. I'm able to open the file... not good

    Isn't 'Higher Efficiency' supposed to scan the entire file before deciding to pass it over to Firefox? It appears like there is LESS protection when set to this mode with Firefox. Does anyone know why this is happening? (Should it be functioning like this in the first place?)
     
  2. billaku

    billaku Registered Member

    Joined:
    Oct 16, 2005
    Posts:
    67
    Location:
    Texas Central Coast, US
    I just installed Nod32 using ~ 'Advanced' install and one of the screens was about 'Compatibility'.

    As I recall, there was a slider bar with 'Higher Compatibility' on the left, 'Higher Efficiency' on the right, a mid-setting position with the right 'Higher Efficiency' being the default.

    Could have this totally backward as when now check IMON, all settings are 'Higher Compatibility'.

    Upon install, did move slider to mid-position, but got pop-up warning that moving from 'Higher Efficiency' - if, again, recall
    correctly, could result in Nod32 not being as effective, or similar wording.

    So, did not change the default install 'Higher Efficiency' slider position.

    Anyway, do know there was a slider with a mid-setting to which I moved the setting and did get the pop-up with the
    warning.

    And now I do not see how to set a mid-setting.
    In IMON 'Client compatibility' only seem to be able to switch between 'Higher compatibility' in Red or 'Higher efficiency' in Green.

    And do not know how settings would have gotten to 'H c'?


    But, based on your above results, for now will be leaving at the Red 'H c'.

    Thanks for the post - interesting.
     
  3. rumpstah

    rumpstah Registered Member

    Joined:
    Mar 19, 2003
    Posts:
    486
    Hi billaku:

    The slider bar is only for POP3 (E-mail) configuration and not for HTTP (web traffic) scanning. One would always want POP3 scanning @ Higher Efficiency unless there was a conflict with an e-mail program (i.e. insert_here) or e-mail filter (i.e. SpamBayes).

     
  4. billaku

    Hello back at you, rumpstah

    Much thanks for the explanation - now see my confusion.

    So now, did find the slider bar at
    IMON | POP3 | Compatibility setup | Setup...

    Since I use Outlook 2003, IMAP, SpamBayes - does not then affect that email.

    But, again, much thanks for pointing out the slider bar encountered during setup was for POP3 email.
     
  5. rumpstah

    Hi billaku:

    No problem. For some the configuration options are great (me included). It can create a myriad of no return for others. ;)

     
  6. Mover

    Actually, I looked into the file that was saved in Higher Efficiency mode. It seems like changes were made to the virus test file. Below is a screenshot of its contents. All this stuff got into the file.
     

    Attached Files:

    Last edited: Oct 22, 2005
  7. Brian N

    Brian N Registered Member

    Joined:
    Jul 7, 2005
    Posts:
    2,148
    Location:
    Denmark
    I've had no issues with my current settings so far (higher efficiency).

    Marked in red should always be used as it will check those smaller files (mostly trojans) before handing it over to the browser.

    Marked in blue should only be used if you have a slow connection or downloading large files. Best option is just to disable it and use the one marked in red.
     

    Attached Files:

  8. Mover

    Thanks Brian N

    I tried adjusting the settings when I was initially testing with eicar.
    Unfortunately, eicar.com (or part of it) still gets through as I posted
    in a screen shot above, however, it looks like the file has been
    changed substantially from its original state.

    When downloading files other than eicar, NOD32 functions exactly as I
    expect it to.
     
  9. Brian N

    Did you remember to clear the browser's cache before testing it again?
    Anyways it stops eicar the second I click one of the links, so no problems here.
     
  10. Chris12923

    Chris12923 Registered Member

    Joined:
    May 31, 2004
    Posts:
    1,097
    When I visit http://www.eicar.org/anti_virus_test_file.htm using NOD32 default settings, I get three alerts when I first visit or refresh the page, but if I click the link after I have visited the page I only get one alert. This is using Firefox 1.5 beta 2.

    Time Module Object Name Threat Action User Information
    10/31/2005 8:06:47 AM IMON file http://www.eicar.org/download/eicar.com Eicar test file Connection terminated (PC Name)\(Local User)
    10/31/2005 8:06:44 AM IMON file http://www.eicar.org/download/eicar.com Eicar test file Connection terminated (PC Name)\(Local User)
    10/31/2005 8:06:43 AM IMON file http://www.eicar.org/download/eicar.com Eicar test file Connection terminated (PC Name)\(Local User)

    If you download with the higher efficiency setting the file appears to download but it is harmless. Change the .com to .htm and open it. It is the NOD32 IMON connection terminated window.

    Thanks,

    Chris
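
The check described in the post above (looking at what was actually written to disk after the alert), as an added example that is not part of the original thread: a Python function that classifies the saved bytes as the intact test file, an HTML page substituted by the scanner, or something else. The EICAR SHA-256 and trailing-whitespace rule are the published ones; the function name and the sample data are constructed for illustration and were not captured from NOD32.

```python
import hashlib

# Published SHA-256 of the 68-byte EICAR test file (no trailing newline).
EICAR_SHA256 = "275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f"
EICAR_LEN = 68        # length of the test string itself
EICAR_MAX_LEN = 128   # EICAR permits trailing whitespace up to this total size
_WS = b" \t\r\n\x1a"  # the only trailing bytes EICAR permits (space, tab, CR, LF, Ctrl-Z)

# Constructed samples: a stand-in reference payload and an HTML page of the
# kind a scanner might substitute for a blocked download.
SAMPLE_REF = b"constructed-stand-in-for-the-test-file"
SAMPLE_HTML = b"<html><body>Connection terminated</body></html>"


def classify_download(data, ref_sha256=EICAR_SHA256, ref_len=EICAR_LEN):
    """Classify bytes the browser saved after an HTTP-scanner alert.

    ref_sha256/ref_len default to the EICAR file; they are parameters so the
    same check works for any known reference sample.
    """
    body = data.rstrip(_WS)
    if (len(data) <= EICAR_MAX_LEN and len(body) == ref_len
            and hashlib.sha256(body).hexdigest() == ref_sha256):
        return "intact-test-file"       # the scanner let the payload through
    head = data[:512].lstrip().lower()
    if head.startswith(b"<!doctype") or b"<html" in head:
        return "replaced-by-html"       # saved file is a block page, not the payload
    if not data:
        return "empty"
    return "modified-or-truncated"      # neither reference nor HTML: inspect by hand


def classify_file(path):
    """Read a saved download from disk and classify it."""
    with open(path, "rb") as fh:
        return classify_download(fh.read())


if __name__ == "__main__":
    ref_hash = hashlib.sha256(SAMPLE_REF).hexdigest()
    print(classify_download(SAMPLE_REF + b"\r\n", ref_hash, len(SAMPLE_REF)))
    print(classify_download(SAMPLE_HTML))
    print(classify_download(SAMPLE_REF[:10]))
```

Run `classify_file()` on the saved `eicar.com`: a `replaced-by-html` verdict matches the behaviour described above, while `intact-test-file` means the payload reached disk unchanged.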
     
  11. ZGeist

    ZGeist Guest

    When I go to IMON > HTTP > Client Compat -- it seems it is putting everything in red, "higher compatibility mode." Is this normal?
     
  12. Brian N

    Yes it is. It's written on top of that list ;)
     

    Attached Files:

  13. ZGeist

    ZGeist Guest

    Hello Brian. Yes I did read that, but I didn't realize it was supposed to drop everything in higher compatibility mode by default. I guess I was in the wrong.
     