Mail file scan depends on extension?

Discussion in 'NOD32 version 2 Forum' started by obetz, Feb 1, 2007.

Thread Status:
Not open for further replies.
  1. obetz

    obetz Registered Member

    Joined: Jan 31, 2007; Posts: 9

    Can it be true that NOD32 scans mails only if they have a .eml extension, or did I miss the correct setting?

    NOD32 doesn't detect the worm in a *.cnm file but if I rename the file to *.eml, it works.

    Oliver
     
  2. ASpace

    ASpace Guest

    Hi.
    NOD32 scans all kinds of files, but it might not have the technology to open that particular cnm file. I don't know what mail client uses that extension, but you don't need to worry at all because:

    IMON is the internet monitoring of NOD32. It scans all kinds of HTTP and POP3 traffic, so if you use POP3, IMON will pick up the malware even before it is downloaded.

    AMON is the resident protection. It scans all kinds of files created, accessed and executed. If there is something, it will be detected immediately. But since the cnm extension doesn't pose any threat to your computer, you don't need to worry. For example, if you rename it to EML, it can be opened and pose a threat, then it is detected :thumb:
     
  3. obetz

    obetz Registered Member

    Joined: Jan 31, 2007; Posts: 9

    No, that's wrong. Read again: if I rename the file from foo.cnm to foo.eml, NOD32 detects the test virus.

    Do you think that this behaviour is ok?

    In my opinion, it's a flaw.

    BTW: F-Prot/Win and ClamAV detect the mail attachments in any file. But I want to switch since F-Prot missed two worms in the last weeks.

    1. That's no excuse for a bad on demand scanner.

    2. I consider stuff like IMON and AMON harmful. All these programs cause a system slowdown and compatibility problems. I prefer to check stuff where it enters my system. Mail as I open it, files as they are downloaded etc.

    I accept that for most users it's the only way, but I don't want to use it.

    Oliver
     
  4. realitybytez

    realitybytez Registered Member

    Joined: Sep 8, 2006; Posts: 30

    couldn't you just go to the setup tab of the on-demand scanner (nod32), and either add the .cnm extension to the list of file extensions scanned? or since you're reluctant to use realtime scanning, perhaps you should select the option to scan all files.

    or maybe i'm not understanding the problem correctly.

    i probably shouldn't comment since i've been using the program for less than a week.
     
  5. ASpace

    ASpace Guest

    :eek: The sentence in bold is precisely what IMON and AMON does. AMON and IMON are protection modules that belong to the whole NOD32 Anti-Threat system. Learn more here:
    http://www.eset.com/products/windows.php#control
     
  6. obetz

    obetz Registered Member

    Joined: Jan 31, 2007; Posts: 9

    The sentence before also says "precisely what IMON and AMON does" (SCNR). I will not allow more programs to jump in my Winsock traffic or file access. Many programs don't work well with "on access" scanners. I have just been reading about Subversion slowdown. I know about problems with Pegasus. There are many others.

    I know what they do. I don't want this for many reasons. If I can't get silent, reliable on demand scanning from NOD32, it's not the right product for me.

    Oliver
     
  7. obetz

    obetz Registered Member

    Joined: Jan 31, 2007; Posts: 9

    I spent some time finding the appropriate switches before I posted here.

    nod32.exe foo.cnm /selfcheck+ /list+ /scroll+ /pattern+ /heur+ /scanfile+ /scanboot- /scanmbr- /scanmem- /arch+ /sfx+ /pack+ /mailbox+ /ntfs+ /adware /unsafe /ah /all

    should be enough, shouldn't it?

    I expect an answer from eset (sent a support request yesterday) - they have to know the reason.

    Oliver
     
  8. obetz

    obetz Registered Member

    Joined: Jan 31, 2007; Posts: 9

    Sorry - my mistake!

    NOD32 doesn't depend on the extension but on the header lines in the mail file.

    I found that NOD32 didn't check for MIME enclosures when the first line was the "wrong" field. Examples:

    "Subject", "To", "Date" or "X-Foo" in the first line stopped detection of "Win32/TrojanDownloader.Nurech.NAD" in my case.

    Lines starting with "X-Pr", "Rece", "From", "Repl", "Mess", "Retu", "Cont" were o.k.

    Rather strange and no strong correlation with RFC2822 and RFC2821.

    I sent files and information to DATSEC.

    Again, sorry for the wrong report.

    Oliver
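
The behaviour reported in the last post (MIME enclosures skipped when the file opens with the "wrong" header field) is avoided when a scanner recognises a mail file by the shape of its whole header block instead of by a fixed set of opening fields. The following is an added example, not NOD32's code and not something posted in the thread; the function names, the `min_fields` threshold and the sample message are constructed for illustration.

```python
import base64
import re
from email import message_from_bytes, policy

# RFC 2822 field name: printable ASCII except ':', then optional blanks, then ':'
FIELD_RE = re.compile(rb'^[\x21-\x39\x3b-\x7e]+[ \t]*:')

def looks_like_mail(data: bytes, min_fields: int = 2) -> bool:
    """True if data opens with a block of header fields, in any order."""
    header = data.replace(b'\r\n', b'\n').partition(b'\n\n')[0]
    fields = 0
    for line in header.split(b'\n'):
        if line[:1] in (b' ', b'\t'):      # folded continuation line
            if fields == 0:
                return False
            continue
        if not FIELD_RE.match(line):
            return False
        fields += 1
    return fields >= min_fields

def mime_attachments(data: bytes):
    """Return [(filename, decoded bytes)] for every named MIME part."""
    if not looks_like_mail(data):
        return []
    msg = message_from_bytes(data, policy=policy.default)
    return [(part.get_filename(), part.get_payload(decode=True))
            for part in msg.walk()
            if not part.is_multipart() and part.get_filename()]

def sample(first_field: bytes) -> bytes:
    """Constructed test message whose first header line is `first_field`."""
    payload = base64.b64encode(b'constructed')
    return (first_field + b': x\r\n'
            b'MIME-Version: 1.0\r\n'
            b'Content-Type: multipart/mixed; boundary="b1"\r\n\r\n'
            b'--b1\r\nContent-Type: text/plain\r\n\r\nhello\r\n'
            b'--b1\r\nContent-Type: application/octet-stream\r\n'
            b'Content-Disposition: attachment; filename="sample.bin"\r\n'
            b'Content-Transfer-Encoding: base64\r\n\r\n'
            + payload + b'\r\n--b1--\r\n')

if __name__ == '__main__':
    for field in (b'Subject', b'To', b'Date', b'X-Foo', b'Received', b'From'):
        print(field.decode(), mime_attachments(sample(field)))
```

The decoded parts returned by `mime_attachments` are what an on-demand scanner would then hand to its signature engine, independent of file extension and of header order.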
     