Is it bad to have autodelete on NOD?

Discussion in 'NOD32 version 2 Forum' started by Mike415, Mar 19, 2005.

Thread Status:
Not open for further replies.
  1. Mike415

    Mike415 Registered Member

    Joined:
    Mar 13, 2005
    Posts:
    42
    I have my NOD set to delete viruses when it catches them without asking. Now if it were a trojan or something and it added something to the registry, would it be better to have it clean the virus instead of delete it? Should I have it set to clean first, then ask/delete?
     
  2. bigc73542

    bigc73542 Retired Moderator

    Joined:
    Sep 21, 2003
    Posts:
    23,873
    Location:
    SW. Oklahoma
    If the trojan is in an operating system file and it deletes it something might quit working ;)

    bigc
     
  3. Blackspear

    Blackspear Global Moderator

    Joined:
    Dec 2, 2002
    Posts:
    15,115
    Location:
    Gold Coast, Queensland, Australia
    I have it set to Clean, if unable to Clean, then Delete and Quarantine. Quarantine enables a file to be restored on the off-chance that it turns out to be a false positive.

    Hope this helps...

    Cheers :D
     
  4. Mike415

    Mike415 Registered Member

    Joined:
    Mar 13, 2005
    Posts:
    42
    I meant, does it still leave part of the virus in the registry if you have it set to just delete the file, or does it delete the registry entries also? And does the clean setting clean the registry also?
     
  5. flyrfan111

    flyrfan111 Registered Member

    Joined:
    Jun 1, 2004
    Posts:
    1,224
    It depends on whether it is a heuristic detection or a definition detection. A detection by heuristics will generally only delete the offending file. A definition is generally needed for successful removal of all registry entries made by a trojan or virus. System restore or a backup could also do the job based on a heuristic detection. Just restore back to a time before the infected file was downloaded or executed. That would require that you knew it was not a false positive, which is the downside of setting NOD to auto delete uncleanable virii. Any heuristic detection is considered uncleanable as NOD doesn't know what changes the file would make, so it is just deleted. As Blackspear suggested, checking quarantine would allow the file to be kept just in case it is needed later, as well as sending in a copy to both verify it isn't an FP and to allow a definition to be made if it is a real baddie.
     
    Last edited: Mar 20, 2005
  6. Happy Bytes

    Happy Bytes Guest

    flyrfan111, very good post!

    Yes, it's true that you need exact identification of malware before you can clean it in a proper way. Deleting the file is not the problem, but there will be remaining registry entries for autostart-registered malware. And to help improve this you should collect heuristically detected files and submit them to our sample (at ) eset (dot) com email. We can then add these files for signature-based detection including registry removal.

    Cheers :D
     
  7. fosius

    fosius Registered Member

    Joined:
    Oct 14, 2004
    Posts:
    479
    Location:
    Partizanske, Slovakia
    I am not sure that I understand: when I select to delete a trojan, will NOD32 delete the trojan and the registry entries connected to it? Or does this work only when I select Clean? Because I have never seen that NOD32 is able to clean a trojan, only delete it..
     
  8. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,374
    Basically, there's nothing to clean with Trojans. NOD32 will delete it and also remove it from the Run key in the registry, if possible.
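
The leftover discussed in the posts above, an autostart value that still points at a file the scanner has already deleted, can be checked for directly. The PowerShell below is an added example, not part of the thread and not ESET's code; it assumes the standard Run and RunOnce keys under HKLM and HKCU, the helper name Get-CommandTarget is hypothetical, and it only reports, changing nothing.

```powershell
# Added example (not from the thread): report Run/RunOnce values whose target file is gone.
# Read-only: nothing is deleted or modified.
$runKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)

# Hypothetical helper: pull the executable path out of an autostart command line.
function Get-CommandTarget {
    param([string]$CommandLine)
    $cmd = [Environment]::ExpandEnvironmentVariables($CommandLine).Trim()
    # Quoted path: "C:\Program Files\App\app.exe" /arg
    if ($cmd -match '^"([^"]+)"') { return $Matches[1] }
    # Unquoted path that may contain spaces, ending in a program extension
    if ($cmd -match '^(.+?\.(exe|com|bat|cmd|scr|pif))(\s|$)') { return $Matches[1] }
    # Fallback: first whitespace-delimited token
    return ($cmd -split '\s+')[0]
}

$results = foreach ($key in $runKeys) {
    if (-not (Test-Path -LiteralPath $key)) { continue }
    $regKey = Get-Item -LiteralPath $key
    foreach ($name in $regKey.GetValueNames()) {
        $command = [string]$regKey.GetValue($name)
        $target  = Get-CommandTarget -CommandLine $command
        if ([string]::IsNullOrWhiteSpace($target)) { continue }
        if ([IO.Path]::IsPathRooted($target)) {
            # Full path: the file either exists on disk or it does not
            $exists = Test-Path -LiteralPath $target -PathType Leaf
        } else {
            # Bare name such as rundll32.exe: resolve it through PATH
            $exists = [bool](Get-Command -Name $target -CommandType Application -ErrorAction SilentlyContinue)
        }
        [pscustomobject]@{ Key = $key; Name = $name; Command = $command; Target = $target; Exists = $exists }
    }
}

# Values whose target no longer exists are candidates for manual review.
$results | Where-Object { -not $_.Exists } | Format-Table -AutoSize -Wrap
```

A value listed here is only a candidate for review: a missing target can equally be left behind by a legitimate program that was uninstalled.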
     
  9. fosius

    fosius Registered Member

    Joined:
    Oct 14, 2004
    Posts:
    479
    Location:
    Partizanske, Slovakia
    Thanks, good to see that NOD cleans registry, too..
     
  10. Tintagele

    Tintagele Registered Member

    Joined:
    Mar 15, 2005
    Posts:
    4
    What sometimes happens with viruses that use iFrame launchers is that the virus is deleted but not the iFrame launchers - not necessary, they're useless without a virus to launch, but very few av programs spot them or get rid of them. (Panda does.) However, you can add some protection to this in Internet Explorer/Tools/Options/Security/Internet by disabling 'launch programs with iFrame' - and make sure if you're using Outlook Express that whatever Security level it's using also has 'launch programs with iFrame' disabled.
     