NOD32 5.2.9.1 Signature Update Mysteries

Discussion in 'ESET NOD32 Antivirus' started by rnfolsom, Nov 6, 2012.

Thread Status:
Not open for further replies.
  1. rnfolsom

    rnfolsom Registered Member

    Joined: Nov 9, 2005
    Posts: 247
    Location: Monterey, California
    1) Before installing NOD32 v5.2.9.1 last week (after uninstalling v4.2.71.1), I think I read somewhere that one of the v5.2.9.1 conveniences was that when I turned on my WinXPsp3 computer in the morning, NOD32 v5.2.9.1 would automatically download any signatures that Eset had released during the night.

    Is that convenience true? I ask because for me that automatic signatures update isn't happening.

    If that convenience is true, is there some advanced setting that disables that convenience? For example, in Advanced settings, at
    UPDATE > Update > Advanced update setup > Update mode tab . . . Update file size:
    I have checked "Ask before downloading update," and "Ask if an update file is greater than 1 kb"

    Could that last setting, instructing Eset to ask permission to download a signature if its size is greater than 1kb, be the cause of Eset not asking to download signatures when I first turn on my computer?

    2) Since NOD32 v5.2.9.1 isn't downloading when I first turn on my computer, in the system tray I click the Eset icon, then click on "Open ESET NOD32 Antivirus 5" which opens a window, where I click on Update. I read that "Update is not necessary. The virus signature database is up to date." But I click on it anyway --- and the usual result is that NOD32 downloads new signature updates.

    Is that normal, or have I messed something up by changing some setting in Advanced setup?

    Thanks for any comments, suggestions, or help.

    Roger Folsom
     
    Last edited: Nov 6, 2012
  2. Stimulator

    Stimulator Registered Member

    Joined: Nov 3, 2012
    Posts: 12
    IMO your eset doesn't update its database when turning on OS because internet doesn't connect directly after the booting. If you wait one hour eset will update automatically, or you can delay the scheduled automatic update 5 or 10 minutes as explained here:

    [Attached screenshot: 06-11-2012 11-17-47 AM.jpg]

    So, 5 or 10 minutes after booting eset will update its DB when internet is connected.
     
  3. Marcos

    Marcos Eset Staff Account

    Joined: Nov 22, 2002
    Posts: 14,374
    If you set a threshold for update size and egui is not running yet, such an update shouldn't be downloaded unless egui is started and you confirm it.
     
  4. rnfolsom

    rnfolsom Registered Member

    Stimulator:

    Thanks for the explanation, and solution (subject to Marcos's comment on your post, if he makes one) --- but as explained below, I can't use your solution.

    In any case, I am surprised that on my computer "internet doesn't connect directly after the booting" because immediately after booting up I often go directly to my ISP's TMDA (Tagged Message Delivery Agent) anti-spam filter, which is on the internet.

    And I've never had to wait as long as five minutes after turning on my computer and booting up to access the internet (unless my ISP was having problems).

    But I had totally overlooked your Tools > Scheduler setting. After looking at NOD32 v5.2.9.1 Advanced Settings > Tools, I discovered the reason I had overlooked it: Apparently it is available in ESET Smart Security, but not in my NOD32 v5.2.9.1. In Tools, my only settings categories are Log files, Proxy Server, Quarantine, ESET Live Grid, System Updates, and Diagnostics.

    Roger Folsom
     
    Last edited: Nov 7, 2012
  5. rnfolsom

    rnfolsom Registered Member

    Marcos:
    1) Does the EGUI (Eset Graphic User Interface) include the menu that appears from clicking on the NOD32 notification area icon, or only a window that appears after clicking on one of the menu items (other than "Temporarily disable protection")?

    Re your instruction that I confirm that EGUI was started: How could I (rather than Eset "randomly") download an update without confirming that EGUI has started, given that the only way I know to download an update is by clicking on the notification area icon, and clicking on "Open NOD32 Antivirus 5," and selecting Update, and then clicking on "Update virus signature database"?

    2) I think that your "set a threshold for update size" refers to my setting in Advanced Setup, at Update > Update > Update mode tab > Update file size:
    Checked "Ask before downloading update"
    and "Ask if an upgrade file is greater than 1 kb."

    Am I correct? (When I selected that setting, I thought that it allowed Eset to download an upgrade file of less than 1kb without asking. I never thought of it as an update size minimum or maximum.)

    3) If I were using Eset Smart Security instead of NOD32 v5.2.9.1, and had access to Stimulator's suggested "Tools > Scheduler > Task execution > Random Task execution delay" setting of 5 or 10 minutes, would that setting be advisable, or would it be likely to violate your requirement that an update should not be downloaded unless EGUI is started (and somehow confirmed)?

    My apologies for not fully understanding your post, with regard to my initial message and to Stimulator's suggestion. NOD32 v5.2.9.1 is my first use of any 5.x version.

    Roger Folsom
     
    Last edited: Nov 7, 2012
  6. Marcos

    Marcos Eset Staff Account

    Egui.exe is the process providing interaction with the user. Without it running, you will not get any prompts from ESET (e.g. in interactive firewall/HIPS mode or when the update size exceeds the limit/threshold for update without asking).

    Right. However, updates always exceed 1 kB so you'll always be prompted before an update is downloaded. If you want to be prompted only before downloading larger updates, set it to 1 MB at least. I, for one, would not recommend enabling this option unless you're connected via an expensive connection.

    I, too, am curious to know where the setting "Random task execution delay" is. I don't have it in my ESS.
     
  7. rnfolsom

    rnfolsom Registered Member

    Marcos:
    Thank you for your reply. I get the general concept.
    But if I click on the notification area's Eset icon, and get the menu but do not click on any menu item, am I already in "the process providing access with the user"?
    Or do I also need to click on a menu item to get a window, in order to be in "the process providing access with the user"?
    Or do I also need to click on a window link, in order to be in "the process providing access with the user"?

    I didn't know that updates always are larger than 1 kb. Thanks for that information.

    I am not connected to the internet via an expensive connection; the monthly cost for my (and my wife's) internet connection (www.redshift.com, a local ISP) is a flat fee, independent of how much internet time we consume.

    My reason for selecting "Ask if an update file is greater than 1 kb" is entirely different. I am a mathematical economist, and one of my programs (Derive 6.1) solves large (or small) systems of equations and functions by manipulating the symbols --- no numbers required (they can be estimated later by statistical analyses, aka econometrics). I think I made that selection beginning with my first use of NOD32, NOD32 v2.x. I did so in order to be able to block a NOD32 update so that it couldn't confuse Derive. I'm a follower of former Intel CEO Andrew Grove, who wrote a book "Only the Paranoid Survive."

    (Derive 6.1 is no longer available, but there are alternative symbolic mathematics programs that do the same thing. I happen to be comfortable with Derive.)

    That statement was a big surprise! I hope that Stimulator comes back to this thread and clarifies what added Tools > Scheduler > Show tasks > Task execution to his ESS.
    (Maybe it's a component of ESS, and perhaps even NOD32, if installed on multiple computers? That guess was inspired by Stimulator's Tools including a Licenses section, which is not one of my Tools.)

    If Stimulator doesn't return to this thread, I hope that his email address is on file somewhere at Wilders or at Eset, so that you could ask him about his Task Execution tool.

    Thanks in advance for any additional help in understanding when EGUI is active.

    Roger Folsom

    P.S. The small dialog box that prompts the user to permit an update download and install needs to be modified so that it always is on top of any other window, rather than somewhere behind the "on top" window. As it is, that dialog box often is hidden, so that the user never responds to it until long after Eset sent it. (As it happens, I've experienced that issue while writing this post.)
     
    Last edited: Nov 7, 2012
  8. agoretsky

    agoretsky Eset Staff Account

    Joined: Apr 4, 2006
    Posts: 4,032
    Location: California
    Hello,

    To ensure that user interaction is registered, I would suggest opening the user interface and performing an action in there (for example, manually starting an update). I myself often do this when starting up a computer (or virtual machine) for the first time, each day. Usually, nothing happens because an update was downloaded (or in the process of downloading) but sometimes an update is available and downloaded. Usually that happens when the computer in question was hibernating or sleeping and did not actually fully power down.

    It has been a while since I looked, but I believe the average ESET daily virus signature database hovers between 15 and 60KB, depending upon which product and version is installed, and what sort of updates the software has been configured to download (standard updates or pre-release ones).

    By default, ESET's software checks hourly to see if there is a new update and, if so, downloads one. That check requires about 5-7KB of data, if memory serves.

    As far as I know, Red Shift Internet provides DSL connections, so if you are using a router between your DSL modem and computers to connect to the Internet, it should be managing the Internet connection so that it is always online. That is probably something to check with Red Shift, though.

    Unless you have reason to do so (e.g., prohibitively expensive Internet costs) I would strongly recommend leaving the update option configured with its default values for security reasons. ESET updates are cumulative, so issuing an update once in a while just means that you will eventually download a slightly bigger update when the software does eventually check for updates, but doing so repeatedly increases the chance (however slightly) of missing protection for some new fast-spreading threat. While the chances of that occurring, realistically speaking, might be infinitesimally small, experience has shown me that every day someone has to get hit first by a new strain of malware. Making sure that the virus signature database stays current is a good way of making sure that someone else's computer is that statistic, and not yours.

    Regards,

    Aryeh Goretsky
     
  9. Marcos

    Marcos Eset Staff Account

    Apparently Stimulator has a cracked v5 installed. Home version does not support remote administration nor NAP which are visible in the screen shot above. That said, the user is responsible for any issues stemming from hacking ESET's products and assistance will not be provided unless a legit version is installed.
     
  10. rnfolsom

    rnfolsom Registered Member

    Mr. Goretsky: Please excuse my tardy reply. The reason is at the beginning of my reply to your other 03 December post, approximately at https://www.wilderssecurity.com/showthread.php?p=2158560

    My wife and I (two WinXPsp3 laptop computers) are doing that. Thanks for the information and recommendation. But before we understood how update timing works (thanks to you) it was surprising to read at "Open ESET NOD32 Antivirus 5 > Update" that "Update is not necessary - the virus signature database is up-to-date" and then click on the update link and get an update!

    Thanks for that information. If my guess (mentioned in my other post to you this evening) that my NOD32's installation folder's emNNN_32.dat files (this evening ranging from em000_32.dat to em023_32.dat) are signature updates, their daily size fits within your 15-60kb range.

    You are right that my redshift.com ISP uses DSL connections, and that my wife's and my laptops are connected to the internet via a router (wired Linksys). But our laptops and the router get their power from an APC Smart-UPS of 1500 Volt-Amps (surge and power reduction and failure protection), which we turn off at night when the laptops are not in use. So there's no way for NOD32 updates to come in at night (except if one of us stays up late). Consequently, updates are usually available to each of us when we turn our laptop on in the morning, after turning on what we call the APC "battery box."

    Understood. Our internet costs (to Redshift) are a flat monthly fee for our DSL connection, and the bill is not affected by the fact that our laptops are almost always connected to the internet (except at night when the "Battery Box" is turned off), or by the amount of time we actually spend using the internet. So finances are not why I have set up NOD32 to get permission before we download an update.

    In addition to checking for an update when we first turn on our laptops for the day, we almost always click Yes when Eset asks if we want to download an update. The only exceptions are if we are doing something extremely complicated, such as a complex spreadsheet or symbolic mathematics program.

    Long ago I suggested that Eset's "Do you want to download an update" messages should always position themselves in front of whatever windows are open, but that hasn't happened. Sometimes (but not always, which is a bit of a mystery) Eset's requests hide between two windows, instead of always moving to the front of all open windows.

    I do understand that Eset's updates install in the background and shouldn't affect even the most complex application software. But we can't be certain that our application software --- some of it rather elderly; we don't bother upgrading unless there is a functional improvement that affects how we use the software --- won't avoid noticing that Eset is downloading an update. Our laptops are far from new (mine is a Dell Latitude C840; my wife's is an IBM A31), so their RAMs are only 1GB each.

    I also have recently acquired a used Dell Latitude E6500 which I upgraded from Vista to Windows7, but it is not at all ready for actual use (no application software yet installed). I'm taking my time setting it up.

    Thanks very much for your response to this "NOD32 5.2.9.1 Signature Update Mysteries" thread. As usual with your posts, I have learned a lot. Ever since my wife and I adopted Eset's NOD32 v2.x you have been an extremely useful educator. Thank you.

    Cordially, and appreciatively, R.N. (Roger) Folsom
     
    Last edited: Dec 17, 2012