NOD no longer scanning everything

Discussion in 'ESET NOD32 Antivirus' started by Carbonyl, Aug 28, 2009.

Thread Status:
Not open for further replies.
  1. Carbonyl

    Carbonyl Registered Member

    Joined:
    May 19, 2009
    Posts:
    256
    As a starter, I'm running Win7 RTM and NOD 4.0.437.0 both updated to the latest. Recently I ran a manual scan, on-demand, in-depth, using the 'Scan as administrator' option. The scan took 7 minutes, as opposed to the usual 12 that I've seen in the past. The total number of files is actually greater than those in past scans, as well.

    Looking at the log files indicates that NOD is no longer scanning the C:\System Volume Information, C:\ProgramData, or C:\Users\AllUsers folders. Even when Scan as administrator has been selected. I have checked through my settings. All files are set to be scanned, no exclusions are set at all. Can anyone please advise me on how to ensure full protection? I've not modified my settings in the least, but NOD seems to be operating under limited permissions, and that makes me worried. Viruses love to hide in the system volume information folder, and this sudden change of scan behavior without reason is troubling.
     
  2. ASpace

    ASpace Guest

    No virus that is currently in System Volume Information can harm your computer until you manually initialize the System Restore option and restore to a state that was infected by that malware.

    Anyway, to prove to you that NOD32 actually scans the folders you mention, temporarily disable the AV&AS protection of NOD32. Note, you must disable both Web-access protection and Real-time file system protection.

    Then, visit www.eicar.org and download that file:
    http://www.eicar.org/download/eicar.com

    Save it to... let's say, the C:\ProgramData\ folder.

    Re-enable all protection modules of NOD32. Ensure there are no exclusions.
    Go to that folder and attempt to run/access the Eicar.com test file.

    What happens now? :)
     
  3. Carbonyl

    Carbonyl Registered Member

    Joined:
    May 19, 2009
    Posts:
    256
    It seems to find the test file just fine after doing what you recommended... though that just makes me more perplexed. o_O There are some very marked differences in my scan logs, though I haven't touched my settings at all!

    For reference, here's a scan log from earlier this week: ~142000 files @ ~13 min

    Scan Log
    Version of virus signature database: 4361 (20090823)
    Date: 8/24/2009 Time: 7:13:03 AM
    Scanned disks, folders and files: Operating memory;C:\Boot sector;C:\
    C:\hiberfil.sys - error opening [4]
    C:\pagefile.sys - error opening [4]
    C:\Home Base\Rebuild\foobar2000_0.9.6.8.exe » NSIS - archive damaged - the file could not be extracted.
    C:\Program Files (x86)\foobar2000\uninstall.exe » NSIS - archive damaged - the file could not be extracted.
    C:\ProgramData\Microsoft\Search\Data\Applications\Windows\MSS.log - error opening [4]
    C:\ProgramData\Microsoft\Search\Data\Applications\Windows\tmp.edb - error opening [4]
    C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Windows.edb - error opening [4]
    C:\ProgramData\Microsoft\Windows Defender\IMpService925A3ACA-C353-458A-AC8D-A7E5EB378092.lock - error opening [4]
    C:\ProgramData\Microsoft\Windows Defender\Scans\History\CacheManager\MpSfc.bin - error opening [4]
    C:\System Volume Information\Syscache.hve - error opening [4]
    C:\System Volume Information\Syscache.hve.LOG1 - error opening [4]
    C:\System Volume Information\Syscache.hve.LOG2 - error opening [4]
    C:\System Volume Information\{0a4f9191-90b8-11de-826e-001fbc01945b}{3808876b-c176-4e48-b7ae-04046e6cc752} - error opening [4]
    C:\System Volume Information\{16a7a948-8cca-11de-86c9-001fbc01945b}{3808876b-c176-4e48-b7ae-04046e6cc752} - error opening [4]
    C:\System Volume Information\{26d68bad-8d91-11de-b128-001fbc01945b}{3808876b-c176-4e48-b7ae-04046e6cc752} - error opening [4]
    C:\System Volume Information\{3808876b-c176-4e48-b7ae-04046e6cc752} - error opening [4]
    C:\System Volume Information\{4b13bce0-89c3-11de-aec4-001fbc01945b}{3808876b-c176-4e48-b7ae-04046e6cc752} - error opening [4]
    C:\System Volume Information\{4b13bce6-89c3-11de-aec4-001fbc01945b}{3808876b-c176-4e48-b7ae-04046e6cc752} - error opening [4]
    C:\System Volume Information\{4b13bceb-89c3-11de-aec4-001fbc01945b}{3808876b-c176-4e48-b7ae-04046e6cc752} - error opening [4]
    C:\System Volume Information\{4b13bcf0-89c3-11de-aec4-001fbc01945b}{3808876b-c176-4e48-b7ae-04046e6cc752} - error opening [4]
    C:\System Volume Information\{506dc5b8-8f26-11de-8953-001fbc01945b}{3808876b-c176-4e48-b7ae-04046e6cc752} - error opening [4]
    C:\System Volume Information\{506dc5bc-8f26-11de-8953-001fbc01945b}{3808876b-c176-4e48-b7ae-04046e6cc752} - error opening [4]
    C:\System Volume Information\{a80fab88-89cd-11de-aa7d-001fbc01945b}{3808876b-c176-4e48-b7ae-04046e6cc752} - error opening [4]
    C:\System Volume Information\{a80fac2c-89cd-11de-aa7d-001fbc01945b}{3808876b-c176-4e48-b7ae-04046e6cc752} - error opening [4]
    C:\System Volume Information\{a80fae38-89cd-11de-aa7d-001fbc01945b}{3808876b-c176-4e48-b7ae-04046e6cc752} - error opening [4]
    C:\System Volume Information\{a80fb9ed-89cd-11de-aa7d-001fbc01945b}{3808876b-c176-4e48-b7ae-04046e6cc752} - error opening [4]
    C:\System Volume Information\{cdc693b8-8dbb-11de-889e-001fbc01945b}{3808876b-c176-4e48-b7ae-04046e6cc752} - error opening [4]
    C:\System Volume Information\{d57f91d2-8b37-11de-bd3d-001fbc01945b}{3808876b-c176-4e48-b7ae-04046e6cc752} - error opening [4]
    C:\System Volume Information\{d57f921a-8b37-11de-bd3d-001fbc01945b}{3808876b-c176-4e48-b7ae-04046e6cc752} - error opening [4]
    C:\System Volume Information\{d57f925f-8b37-11de-bd3d-001fbc01945b}{3808876b-c176-4e48-b7ae-04046e6cc752} - error opening [4]
    C:\System Volume Information\{e6ba4f2f-8d91-11de-b9b7-001fbc01945b}{3808876b-c176-4e48-b7ae-04046e6cc752} - error opening [4]
    C:\Users\All Users\Microsoft\Search\Data\Applications\Windows\MSS.log - error opening [4]
    C:\Users\All Users\Microsoft\Search\Data\Applications\Windows\tmp.edb - error opening [4]
    C:\Users\All Users\Microsoft\Search\Data\Applications\Windows\Windows.edb - error opening [4]
    C:\Users\All Users\Microsoft\Windows Defender\IMpService925A3ACA-C353-458A-AC8D-A7E5EB378092.lock - error opening [4]
    C:\Users\All Users\Microsoft\Windows Defender\Scans\History\CacheManager\MpSfc.bin - error opening [4]
    C:\Users\{USER}\NTUSER.DAT - error opening [4]
    C:\Users\{USER}\ntuser.dat.LOG1 - error opening [4]
    C:\Users\{USER}\ntuser.dat.LOG2 - error opening [4]
    C:\Users\{USER}\AppData\Local\Microsoft\Windows\UsrClass.dat - error opening [4]
    C:\Users\{USER}\AppData\Local\Microsoft\Windows\UsrClass.dat.LOG1 - error opening [4]
    C:\Users\{USER}\AppData\Local\Microsoft\Windows\UsrClass.dat.LOG2 - error opening [4]
    C:\Windows\ServiceProfiles\LocalService\NTUSER.DAT - error opening [4]
    C:\Windows\ServiceProfiles\LocalService\NTUSER.DAT.LOG1 - error opening [4]
    C:\Windows\ServiceProfiles\LocalService\NTUSER.DAT.LOG2 - error opening [4]
    C:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat - error opening [4]
    C:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat - error opening [4]
    C:\Windows\ServiceProfiles\NetworkService\NTUSER.DAT - error opening [4]
    C:\Windows\ServiceProfiles\NetworkService\NTUSER.DAT.LOG1 - error opening [4]
    C:\Windows\ServiceProfiles\NetworkService\NTUSER.DAT.LOG2 - error opening [4]
    C:\Windows\System32\catroot2\edb.log - error opening [4]
    C:\Windows\System32\catroot2\{127D0A1D-4EF2-11D1-8608-00C04FC295EE}\catdb - error opening [4]
    C:\Windows\System32\catroot2\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\catdb - error opening [4]
    Number of scanned objects: 142104
    Number of threats found: 0
    Time of completion: 7:25:55 AM Total scanning time: 772 sec (00:12:52)


    Now here's a scan from this morning, same settings: ~142000 files @ ~7.5 min


    Scan Log
    Version of virus signature database: 4378 (20090828)
    Date: 8/28/2009 Time: 12:49:41 PM
    Scanned disks, folders and files: Operating memory;C:\Boot sector;C:\
    C:\hiberfil.sys - error opening [4]
    C:\pagefile.sys - error opening [4]
    C:\Home Base\Rebuild\foobar2000_0.9.6.8.exe » NSIS - archive damaged - the file could not be extracted.
    C:\Program Files (x86)\foobar2000\uninstall.exe » NSIS - archive damaged - the file could not be extracted.
    C:\Users\{USER}\NTUSER.DAT - error opening [4]
    C:\Users\{USER}\ntuser.dat.LOG1 - error opening [4]
    C:\Users\{USER}\ntuser.dat.LOG2 - error opening [4]
    C:\Users\{USER}\AppData\Local\Microsoft\Windows\UsrClass.dat - error opening [4]
    C:\Users\{USER}\AppData\Local\Microsoft\Windows\UsrClass.dat.LOG1 - error opening [4]
    C:\Users\{USER}\AppData\Local\Microsoft\Windows\UsrClass.dat.LOG2 - error opening [4]
    C:\Windows\Logs\CBS\CBS.log - error opening [4]
    C:\Windows\Logs\DPX\setupact.log - error opening [4]
    C:\Windows\Logs\DPX\setuperr.log - error opening [4]
    C:\Windows\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe.config - error opening [4]
    C:\Windows\Microsoft.NET\Framework64\v3.0\Windows Communication Foundation\SMSvcHost.exe.config - error opening [4]
    C:\Windows\Panther\UnattendGC\diagerr.xml - error opening [4]
    C:\Windows\Panther\UnattendGC\diagwrn.xml - error opening [4]
    C:\Windows\Panther\UnattendGC\setupact.log - error opening [4]
    C:\Windows\Panther\UnattendGC\setuperr.log - error opening [4]
    C:\Windows\PLA\System\System Diagnostics.xml - error opening [4]
    C:\Windows\PLA\System\System Performance.xml - error opening [4]
    C:\Windows\security\database\secedit.sdb - error opening [4]
    C:\Windows\System32\catroot2\edb.log - error opening [4]
    C:\Windows\System32\catroot2\{127D0A1D-4EF2-11D1-8608-00C04FC295EE}\catdb - error opening [4]
    C:\Windows\System32\catroot2\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\catdb - error opening [4]
    C:\Windows\winsxs\amd64_microsoft-windows-n..n_service_datastore_31bf3856ad364e35_6.1.7600.16385_none_2d2382534fb0bdfa\dnary.xsd - error opening [4]
    Number of scanned objects: 142498
    Number of threats found: 0
    Time of completion: 12:57:18 PM Total scanning time: 457 sec (00:07:37)


    The scan times alone seem to indicate that fewer files are being scanned!
     
  4. ASpace

    ASpace Guest

    Just what I thought - you are looking in the log files that show {error opening} errors. They no longer appear in the new log. But this doesn't mean that the file/folder is no longer being monitored. Simply there are no longer files in these folders that are locked or inaccessible for NOD32. The log files clearly demonstrate that the same amount of files are being scanned (142000). The Eicar test file proves the program is working.
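
A way to compare two scan logs like the ones posted above, folder by folder, as an added example that is not part of the original thread. The log excerpts are abridged from the two logs in the thread, and the function names `summarize` and `compare` are hypothetical.

```python
import re
from collections import Counter
from pathlib import PureWindowsPath
ERROR_RE = re.compile(r"^\s*([A-Za-z]:\\.*?) - error opening \[\d+\]\s*$")
COUNT_RE = re.compile(r"Number of scanned objects:\s*(\d+)")
TIME_RE = re.compile(r"Total scanning time:\s*(\d+)\s*sec")

# Constructed sample input: abridged from the two logs posted in the thread.
OLD_LOG = r"""
C:\hiberfil.sys - error opening [4]
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\tmp.edb - error opening [4]
C:\System Volume Information\Syscache.hve - error opening [4]
C:\Users\{USER}\NTUSER.DAT - error opening [4]
C:\Windows\System32\catroot2\edb.log - error opening [4]
Number of scanned objects: 142104
Time of completion: 7:25:55 AM Total scanning time: 772 sec (00:12:52)
"""
NEW_LOG = r"""
C:\hiberfil.sys - error opening [4]
C:\Users\{USER}\NTUSER.DAT - error opening [4]
C:\Windows\Logs\CBS\CBS.log - error opening [4]
C:\Windows\System32\catroot2\edb.log - error opening [4]
Number of scanned objects: 142498
Time of completion: 12:57:18 PM Total scanning time: 457 sec (00:07:37)
"""

def summarize(log_text):
    """Object count, scan seconds and 'error opening' counts per top-level folder
    (files sitting directly in the drive root are grouped under the root)."""
    errors = Counter()
    for line in log_text.splitlines():
        m = ERROR_RE.match(line)
        if m:
            parts = PureWindowsPath(m.group(1)).parts
            errors[parts[0] + parts[1] if len(parts) > 2 else parts[0]] += 1
    count, secs = COUNT_RE.search(log_text), TIME_RE.search(log_text)
    return {"objects": int(count.group(1)) if count else None,
            "seconds": int(secs.group(1)) if secs else None,
            "errors": errors}

def compare(old_text, new_text):
    """Folders whose error lines vanished or appeared, plus count/time deltas."""
    old, new = summarize(old_text), summarize(new_text)
    delta = lambda k: None if None in (old[k], new[k]) else new[k] - old[k]
    return {"no_longer_reported": sorted(set(old["errors"]) - set(new["errors"])),
            "newly_reported": sorted(set(new["errors"]) - set(old["errors"])),
            "object_delta": delta("objects"), "seconds_delta": delta("seconds")}

if __name__ == "__main__":
    print(compare(OLD_LOG, NEW_LOG))
```

These logs list only files that could not be opened or extracted, so a folder dropping out of the error list says nothing by itself about whether it was traversed; the object count and an EICAR test placed in the folder are the checks the thread relies on.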
     
  5. Carbonyl

    Carbonyl Registered Member

    Joined:
    May 19, 2009
    Posts:
    256
    I certainly appreciate what you're saying, but I'm slightly confused about a few things, and I hope you're not offended if I keep asking questions. I'm slow on the uptake, and paranoid to a large extent, so I apologize for being difficult!

    If what you say is true, then there should be no more locked files in the System Volume Information. I find this hard to believe, since I haven't disabled the System Restore feature in Windows, and I have ALWAYS seen at least one entry in the logs of that type since back when I was using NOD v2.7. I can't verify the presence of these files, or try the Eicar test in that directory, though, since even if I reveal hidden operating system files, I'm still denied access to the folder (as an administrative user).

    Additionally, if the same number of files are truly being scanned (~142000), why has the scan time decreased by almost five minutes?

    I am not saying you are wrong... I'm just perplexed! o_O I can't figure out why all of these previously locked files would suddenly disappear, or why NOD would suddenly scan so much faster even though slightly more files have been added to the system. My gut is that there's a 'silent exclusion' going on, which could be very much incorrect, but is why I'm asking the questions I am.

    Again, sorry to press the issue. Understanding is just about the only thing that ever quells my paranoia, and confusion only serves to increase it, so I ask a lot of stupid questions. :oops:
     
  6. ASpace

    ASpace Guest

    I am unable to answer your questions precisely because I don't use your computer. I am not offended, nor worried or disturbed, don't worry :)

    What is important is that the program works. You can test it numerous times with Eicar or any other threat you want.

    Remember, also, that there are different scanning profiles with different settings.
     
  7. ccomputertek

    ccomputertek Registered Member

    Joined:
    Jul 27, 2009
    Posts:
    371
    You might want to open NOD32 and press F1 for help and search the help files for the "optimized scanning" option, that might answer some questions.

    Optimized scanning

    Increases the speed of scanning. If checked, the scanned files will not be checked again until a next update, or until their content is modified.
     
  8. ASpace

    ASpace Guest

    @ccomputertek

    It isn't the optimized scanning feature - NOD32 has updated numerous times since the first scan.
     
  9. ccomputertek

    ccomputertek Registered Member

    Joined:
    Jul 27, 2009
    Posts:
    371
    He can try that anyway, you never know. I leave optimized scanning off to avoid any issues.
     
  10. ASpace

    ASpace Guest

    No issues are possible with this option because NOD32 updates often enough to have the files scanned again.
     
  11. ccomputertek

    ccomputertek Registered Member

    Joined:
    Jul 27, 2009
    Posts:
    371
    Easy enough to try it once with it off anyway, no program is perfect. You never, never know. :)
     
  12. jswas

    jswas Registered Member

    Joined:
    Jun 11, 2008
    Posts:
    18
    I have Vista installed and use nod32 V4.0.437.0. I am not familiar with Windows 7 but assume that user access etc. is similar to Vista. When I first installed Vista I found that the system volume inf. folder never showed up in the scan logs because nod was unable to scan due to security settings in the folder. I then right-clicked the folder, then properties and then the security tab. I added "Everyone" to the list with "full control" enabled. I then performed an In Depth Scan and Nod displayed the individual restore points within the system volume folder but returned error[4] and was thus unable to open the files to scan. Nod32 is definitely unable to scan these files as it could under XP. However, under XP if a virus were found in a restore point the only way to delete it would be to delete all restore points and then to re-enable system restore. However, I am not concerned that Nod is not able to scan the restore points in Vista as it is not possible for a virus to cause a problem providing you do not restore your computer from an infected restore point.
     