no script checking??, false alarm?! and NO SELF PROTECTION! :(

Discussion in 'NOD32 version 2 Forum' started by iNsuRRecTioN, Sep 5, 2003.

Thread Status:
Not open for further replies.
  1. iNsuRRecTioN

    iNsuRRecTioN Registered Member

    Joined:
    Sep 5, 2003
    Posts:
    303
    Location:
    Germany
    Hi there,

    first I must say that NOD32 especially the v2 version is a good and fast antivirus scanner with a high ability (potential).
    Greetings to the coders and to eset, congratulation.
    But... ;)

    When I start the attached file "eicar.html" NOD32 doesn't warn me or stop the script(s).
    I think that is bad, because it seem to be NOD32 doesn't scan scripts...
    Thats only a test virus script, but when there is a dangerous script in it, you lose!
    (the js says that script checker doesn't check the second script..script checker is from Kaspersky AV and this file, modified by me, too. And the script(s) are blocked by KAV script checker!)
    I have the german v2 of NOD32.
    Please add an "script checker" or something simular with heuristik or advanced heuristik..
    The KAV script checker use heuristik to detect such viruses, etc.. put into html (he use not the signatur files..)

    Second, when I start the NOD32 on-demand scanner with advanced heuristik, always I get a message that a NewHeur_PE Virus probably found in RAM (work space/Arbeitsspeicher, I have the german version of NOD32v2).
    This virus message doesn't show up, when I scan without advanced heuristik,
    but I want scan with that sometime, also please code an update for the advanced heuristik component.
    Ooooh "cool" there are now another error.., I want copy the scanner log from NOD32 Control Center, but when I rightclick on the scanner log and click on copy selected (markiertes kopieren) or copy all (alles kopieren), then the NOD32 Control Center freeze and I can only close it with the task manager or in the taskbar rightclick and then close.
    Then comes the windows popup, that the application is freeze and I must click on terminate now!
    (nod32kui.exe doesn't response)
    Only export as file function correct...

    And there is another big problem:
    NO SELF PROTECTION!!! Very very bad! :doubt:
    NOD32 runs 2 apps in the background, the nod32kui.exe and the nod32krn.exe..
    But these tasks don't protect each other...
    I test it, because maleware and so on often terminate antivirus program tasks and sometimes even delete it...
    And the same here... :(
    I kill the task nod32krn.exe and then I delete it...and nothing happens..no warning..
    NOTHING! nod32kui.exe stills run at the taskbar and the symbol still indicates that all right and all function normal.
    ------> very BAD.

    Sorry, but a good AV have to protect itself from unloading and deleting...

    And then I'm surprised about the memory usage..
    Why both tasks use up to 25-26 MB of RAM(12-13 MB each) o_O
    I test to reduce the mem usage with the APM from DiamondCS and then only 5-6mb are used!
    nod32kui.exe 3 mb and nod32krn.exe 2-3 mb...
    Thats comical...lol
    Please bring an update of NOD32v2 that have better memory usage/memory control, because as soon as I reduce the mem use with APM (use less mem) it worked, too!!
    And after hours the mem usage of NOD32 isn't far more..


    Also some suggestions:
    Please implement a user custom option, that I can enter a time, the splash screen show up at startup, because I think thats a little too long :p
    And please implement an option, that I can decide, whether the AMON scans packed/encrypted files (not archives) or not...!!!
    Archives not soo important and reduce the performance and scan speed,
    but packed/encrypted files are very very important!

    AND I miss an option to create a boot disk, better an boot CD like AVK11/12 (AntiVirenKit 11/12 von Gdata) it does. (b.t.w. the DOS NOD32v2 version is not available..!)
    The bood CD from AVK have full access to all drives and NTFS, too!
    Such an utility are very useful and are missed bye the NOD32v2(and v1) AntiVirus version.
    Sites like www.wintotal.de makes tests and says the same..
    Test v2: http://www.wintotal.de/Tests/nod32v2/nod32v2.php

    thx so much

    bye

    iNsuRRecTioN

    PS: I ren the eicar.html in eicar.html.txt because of the board limitations..
     

    Attached Files:

  2. Vigy

    Vigy Registered Member

    Joined:
    Aug 13, 2003
    Posts:
    17
    Hi iNsuRRecTioN,

    The file you attached does not contain any virus-like code. Because it is interpreted by a web browser, all it does, is write a text on screen. Nothing else. (EICAR is a DOS program interpreted by cmd.exe or command.com)

    >NewHeur_PE Virus probably found in RAM

    Have you scanned all your HD drives?

    - I think the problem with the freezing has been fixed, but I'm not sure
    - try to download the latest version

    >But these tasks don't protect each other...

    If there will be an existing virus what will do so, it will be added to virus base, and from that day NOD will be able to detect the virus and will deny access to the file (before it can treminate anything).

    >Why both tasks use up to 25-26 MB of RAM(12-13 MB each)

    On my system it's NOD32KRN.EXE 2MB RAM/7MB SWAP (VM), NOD32KUI.EXE 6MB RAM/2MB SWAP (VM).
    If you want to reduce these numbers, just turn off what you don't need (graphics mode,emon,imon etc.)

    >Please implement a user custom option, that I can enter a time, the splash screen show up at startup, because I think thats a little too long

    - so turn it off ! Control Center->NOD32 System Tools->Setup->Do not disply splash screen at startup (checkbox)

    >(b.t.w. the DOS NOD32v2 version is not available..!)

    I'm not sure, but I think the DOS version is the last thing they are thinking of...

    >AND I miss an option to create a boot disk, better an boot CD like AVK11/12 (AntiVirenKit 11/12 von Gdata) it does.

    - and what OS is on that CD? NTFS R/W access could be with Linux, but
    what about those users, who never worked with it?

    If you have more questions, just ask. I think, Jan will give you more answers.

    regards,

    Vigy
     
  3. JimIT

    JimIT Registered Member

    Joined:
    Jan 22, 2003
    Posts:
    1,035
    Location:
    Denton, Texas
    That's right, it does boot w/Linux.


    INsUrrecTioN:

    NOD32 doesn't use that much memory on this box. Might want to tweak a bit. ;)
     
  4. iNsuRRecTioN

    iNsuRRecTioN Registered Member

    Joined:
    Sep 5, 2003
    Posts:
    303
    Location:
    Germany
    Yes, I know, but that is only a test string and when NOD32 don't detect this,
    he detect non other script viruses and so on...

    There is no freeze problem, while scanning and I have the latest version!

    There are many virus, trojans, and so on, that search for antivirus and will kill that in mem.
    Also there is a need for that and eset can implement protection functions.
    It is easy to implement such a routine, that control the other task or control itself and load again itself into memory or load the other task again into memory!
    But when I must wait until analyse this virus, added it to virus base and bring it public,
    it is not a so good AV app.

    no, have nothing to do with my question.
    1. I don't want to turn the graphic interface off
    and 2. emon is by default of (because no IMAP)
    and imon must be activatet (winsock scanner!)
    3. I wrote that it can handle it better with the mem usage and I can reduce the mem usage with no problems...also there should optimize there mem handling, controlling and usage.

    I know about the turn off option, but I want see the splash, but shorter time, do you understand??! :D

    But there are the only chance to scan and clean the system without windows,
    when an malware unable to stop, clean, delete or what ever under windows
    and when the mbr or so infected by an virus!

    Test it by yourself, load the testversion and then you can create such a boot disk with the newest virus base and engine updates..

    So and now please optimize, not discuss :D

    thx

    iNsuRRecTioN
     
  5. testg

    testg Guest

    I recall that in Version 1 there was an option that disabled the process from being unloaded unless you specify the password...but it's missing in Version 2...too bad.

    Yes a component protection is a good idea especially with the Anti-AntiVirus programs out there. Even BoClean protects their own components.
     
  6. anotherjack

    anotherjack Registered Member

    Joined:
    Jun 13, 2003
    Posts:
    224
    Location:
    Louisiana
    I just tried the scenario you suggest and here's what I found (Win2K, 2.000.6 engine, 20030911 defs):

    1. Logged in as local administrator
    2. Was able to kill the NOD32KUI process in Task Manager
    3. COULD NOT kill the NOD32KRN process, even as admin - Access denied
    4. I COULD copy / rename / move EICAR.COM at will without any problems
    5. Could NOT RUN EICAR.COM, got "Access Denied" message

    So, it looks like you can kill the GUI, but not the actual AMON process. It's still out there doing its job, albeit a a reduced level of efficiency. Once NOD32KUI was restarted, operation was back to normal.
     
  7. Vigy

    Vigy Registered Member

    Joined:
    Aug 13, 2003
    Posts:
    17
    Yeah, you can kill the nod32kui.exe because it runs as an application. But nod32krn.exe runs as a service, so when you want to shutdown it, you must go thru control panel-admin tool-services (or something like that). You cannot kill it from the Task Manager.

    You can do with the infected file what you want - what you checked/unchecked in amon settings (open,execute,...). When you terminated the NOD32kui.exe you couldn't control the kernel service (nod32krn.exe)

    Rgds

    Vigy
     
  8. iNsuRRecTioN

    iNsuRRecTioN Registered Member

    Joined:
    Sep 5, 2003
    Posts:
    303
    Location:
    Germany
    hi,

    thats my info:

    NOD32 Systeminformation
    Version:   1.510 (20030916)
    Datum:   Dienstag, 16. September 2003
    Antivirus-Datenbank Build:   3921

    Information über zusätzliche Komponenten
    Modul Advanced Heuristik, Version:   1.003 (20030805)
    Modul Advanced Heuristik, Build:   1032
    Modul Archivunterstützung, Version:   1.003 (20030903)
    Modul Archivunterstützung, Build:   1056

    Information über installierte Komponenten
    NOD32 für Windows NT/2000/XP - Basismodul
    Version:   2.000.6
    NOD32 für Windows NT/2000/XP - Internetsupport
    Version:   2.000.6
    NOD32 für Windows NT/2000/XP - Standardmodul
    Version:   2.000.6

    Betriebssystem Info
    Plattform:   Windows XP
    Version:   5.1.2600 Service Pack 1
    Version Common Control Komponenten:   5.82.2800
    RAM:   512 MB
    Prozessor:   AMD Athlon(tm) Processor (1477 MHz)


    And I can kill both processes, nod32kui.exe and nod32krn.exe.
    No access denied or anything!

    And when the nod32kui.exe is not running, the amon scanner and so on, don't work correctly!

    solong...bad and bye :mad:

    Please fix and optimize...

    thx

    bye

    iNsuRRecTioN
     
  9. DiGi

    DiGi Registered Member

    Joined:
    Jul 24, 2003
    Posts:
    114
    Location:
    in the middle of nowhere
    How did you kill nod32krn.exe (without going to Services -> Stop...)?
     
  10. iNsuRRecTioN

    iNsuRRecTioN Registered Member

    Joined:
    Sep 5, 2003
    Posts:
    303
    Location:
    Germany
    @DiGi, yes simple taskmanager and then kill task...

    no access denied or anything else!

    bye

    iNsuRRecTioN
     
  11. Vigy

    Vigy Registered Member

    Joined:
    Aug 13, 2003
    Posts:
    17
    I know that it is not possible to kill NOD32KRN.EXE by the standard windows task manager. You can kill only NOD32KUI.EXE this way.

    The only way to unload NOD32KRN.EXE file from the memory is via SERVICES and Win9X process handling tools (PrcView.exe)

    Vigy
     
  12. webwude

    webwude Guest

    Some good recommendations indeed.
    Maybe worth to have a look a t it.

    Btw., no answers to my wishlist ... is there any possibility to get an answer, if this will be available in futere release ?

    - option to enable Avanced Heuristic with the OnDemand Scanner and AMON
    - option to scan outgoing mails (IMON)
    - option to enable scanning in archives / UPX / otherwise packed files with AMON

    ww
     
  13. iNsuRRecTioN

    iNsuRRecTioN Registered Member

    Joined:
    Sep 5, 2003
    Posts:
    303
    Location:
    Germany
    @ Vigi and sorry! not DiGi: It is possible, simple strg+alt+del then taskmanager and you can kill both nod32krn.exe and nod32kui.exe without problems or message!

    AND YES, it is loaded as an service with windows!

    I use windows xp pro sp1 with all updates..

    so long and I'm right see at thread: http://www.wilderssecurity.com/showthread.php?t=14496

    also mods and coders and eset, please fix, enhanced and add new options to nod32v2 :rolleyes:

    thx

    bye

    iNsuRRecTioN
     
  14. SaracenBlade

    SaracenBlade Guest

    I recently read an item from a mathematician saying with all the combinations of firmware, XP patches, and XP updates, he could create more than 1.5 million XP environments. They would all be "Windows XP" computers, but no 2 would be the same.

    Like many of you guys, I can't kill the NOD32KRN.EXE service from the task manager (Administrator/XP Pro SP1 + all MS updates) but that is on MY computer. iNsuRRecTioN's computer might behave differently. If he can kill NOD32KRN.EXE on HIS computer, it should be investigated.
     
  15. iNsuRRecTioN

    iNsuRRecTioN Registered Member

    Joined:
    Sep 5, 2003
    Posts:
    303
    Location:
    Germany
    yes, it have to be investigated!

    I have german windows xp pro sp1 with all updates available, the same to IE 6.0 SP1.
    And NOD32 V2 Version German as show above..

    And I log on as Administrator with Administrator rights..

    bye

    iNsuRRecTioN
     
  16. puff-m-d

    puff-m-d Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    4,449
    Location:
    North Carolina, USA
    Hello all,

    I can kill both the krn and ui from the task manager... on win xp pro with all patches....

    Regards,
    Kent
     
  17. iNsuRRecTioN

    iNsuRRecTioN Registered Member

    Joined:
    Sep 5, 2003
    Posts:
    303
    Location:
    Germany
    Hello there,

    any changes yeto_O
     
  18. nameless

    nameless Registered Member

    Joined:
    Feb 23, 2003
    Posts:
    1,184
    Here's another variation for those running Win2K or WinXP: Click Start > Run, or open a command window, and submit this command line:

    net stop "NOD32 Kernel Service"

    The NOD32 kernel (nod32krn.exe) goes bye-bye.

    Try the same "net stop" thing with Kaspersky. You'll get a big middle finger when you do.

    To make matters even more pathetic, I find that I can't get NOD32's resident protection enabled again unless I reboot (that is, no amount of screwing around in the "NOD32 Control Center" can bring it up again, and starting nod32krn.exe doesn't help, either). This is because of an issue with the filter driver, amon.sys. It gets stuck in "stopping" mode, and can't be reset until after a reboot.

    I have also found that I can kill nod32krn.exe with this command-line utility.

    But hey, it does win lots of VB100 awards. :rolleyes:
     
  19. tax_troll

    tax_troll Guest

    IMO, if you don't use a sandbox or other utilities that can stop such commands, you deserve to have the process stopped. There are ways to screw permissions and terminate protected processes anyway.. :blink:

    Yes, please make NOD32 bloatware like KAV & NAV.. :rolleyes:

    Not.
     
  20. Phil_S

    Phil_S Registered Member

    Joined:
    Nov 13, 2003
    Posts:
    152
    Location:
    UK
    Agreed. I'd also have to question why anyone using XP pro is routinely running as an administrator account anyway. I always log on as a user with limited privileges unless I need admin rights for a specific task - even then, some can be completed by running as another user from within the limited account.

    Surely always running under admin privileges defeats the object of using an NT/XP system in the first place, and is just asking for trouble?
     
  21. whodunnit

    whodunnit Guest

    Think about the logic you've used here... Complaining that a small change to NOD32 will make it "bloatware" (which it wouldn't anyway), and in the same breath advocating the use of sandboxes or "other utilities". So it is not desirable to add a sensible protection feature to NOD32, because that would be "bloat", but it makes sense to turn around and install other crap on the system?

    And you know, "deserve" is a funny word, and I don't care for the way you've used it here. You sound like a Microsoftie... Everyone who didn't install the Blaster patch because they were a clueless newbie, and everyone who thought they installed it but got bitten by a Windows Update bug, and everyone who installed it and had problems with the patch and had to remove it, all "deserved" to get hit by the Blaster worm. Everyone who doesn't get a flu shot "deserves" to get sick. Everyone who doesn't buy a 4x4 "deserves" to drive into a tree when it snows. Perhaps you need a dictionary.

    Yes, it is possible to get around protection mechanisms. And there are also ways around sandboxes and "other utilities" also. No security is perfect. Congratulations for discovering and stating the obvious.

    Good points. :rolleyes:

    Not.
     
  22. sig

    sig Registered Member

    Joined:
    Feb 9, 2002
    Posts:
    716
    If I may say, MS Blaster is a poor example, since a basic security measure like a firewall (even the often criticized XP ICF) would have blocked the means of infection, regardless if the patch was present or didn't take. ;) But that's another subject.
     
  23. dos

    dos Registered Member

    Joined:
    Oct 17, 2003
    Posts:
    43
    Ooohhh look, the KAV fanboys from dslreport forums are here. Yipee! :rolleyes:
     
  24. Paul Wilders

    Paul Wilders Administrator

    Joined:
    Jul 1, 2001
    Posts:
    12,472
    Location:
    The Netherlands
    Don't know about that - but if they are, they are welcome. Provided they keep in mind this is the NOD32 forum, and issues should be focussed on NOD32 as a rule. Discussing KAV can be done over on the other antiviruses forum.

    regards.

    paul
     
  25. nameless

    nameless Registered Member

    Joined:
    Feb 23, 2003
    Posts:
    1,184
    Paul is right; speaking only for myself (and I assume I'm the one you were going after), I'm no KAV "fanboy". Saying "brand A has a problem, which brand B does not" does not make one a "fanboy" of brand B. Give me a break.

    Actually, NOD32, not KAV, is my primary, real-time AV utility. Just because I point out (what I perceive as) a deficiency in the product doesn't mean I'm trying to pull it down, much less prop up a competitor. (And believe me I have plenty of criticism for KAV, too. In fact, I don't even find it usable as a real-time scanner.)

    I think that rather than being sarcastic, dismissive, and indignant in response, reasonable negative comments regarding NOD32 should be welcomed. After all, if there's something wrong, wouldn't you want to know about it? And if there isn't, then the criticisms will be shot down.

    Regarding the termination of the various NOD32 applications... We all know that if a user with sufficient privileges is logged in (not necessarily an Administrator, either), then it is irretrievably possible to kill applications. What I'm saying is, don't make it as easy as doing a "net stop"! And if some other sort of self-protection feature can feasibly be added to that, all to the good.

    Yes, it's a different subject, but I think MS Blaster was a good example. The WinXP firewall isn't always enabled by default, and plenty of WinXP users have (or "had") no clue what a "firewall" is.
     
Thread Status:
Not open for further replies.