NOD32 AMON slow at scanning UPX protected files

Discussion in 'NOD32 version 2 Forum' started by sach, Aug 3, 2004.

Thread Status:
Not open for further replies.
  1. sach (Registered Member, joined Aug 3, 2004, 3 posts)

    I have had some annoying problems with Windows Explorer/Total Commander being extremely slow at listing some files. Recently I have been able to pinpoint the problem to NOD32. Today I did some tests and tried to measure the performance hit when NOD32 AMON was active/inactive, when files were excluded from AMON scanning etc. Below are the results.

    I used Alcohol 120% 1.9.2.1705 to create 35 cd&dvd image files in a directory. Each image consists of two files that are needed by Alcohol 120%, a .mdf and a .mds file (basically they work as bin/cue files but contain more information about the source disc), thus there are a total of 70 files in the directory. I measured the time it took for Windows Explorer to update all the icons in the directory after Windows had started (I rebooted the computer between each test to avoid any cache having an impact on the result).

    These are my AMON settings. (I have only listed the ones I thought were important).
    Detection tab:
    Scan on: Open and Execute
    Media: Local
    Extensions: MD? entry has been removed
    Methods tab:
    Methods: Signatures is checked while Heuristics is not checked (due to problems with false positives).
    Exclusions: None at this point. See the test setups below.

    This is the version of NOD32 I am using together with some system information:
    NOD32 Antivirus System information
    Virus signature database version: 1.830 (20040802)
    Virus signature database build: 4725

    Information on other scanner support parts
    Advanced heuristics module version: 1.007 (20040309)
    Advanced heuristics module build: 1053
    Internet filter version: 1.001 (20031104)
    Internet filter build: 1012
    Archive support module version: 1.008 (20031127)
    Archive support module build version: 1078

    Information on installed components
    NOD32 For Windows NT/2000/XP/2003 - Base
    Version: 2.000.9
    NOD32 For Windows NT/2000/XP/2003 - Internet support
    Version: 2.000.8
    NOD32 for Windows NT/2000/XP/2003 - Standard component
    Version: 2.000.9

    Operating system information
    Platform: Windows XP
    Version: 5.1.2600 Service Pack 1
    Version of common control components: 5.82.2800
    RAM: 1024 MB
    Processor: AMD Athlon(TM) XP 2200+ (1836 MHz)

    Test 1
    Test setup:
    Original Alcohol 120% installation used. AMON is started:
    Result: about 16 seconds

    Test 2
    Test setup:
    Original Alcohol 120% installation used. AMON is stopped:
    Result: about 2 seconds

    Test 3
    Test setup:
    Original Alcohol 120% installation used. AMON is started but the entire Alcohol 120% directory plus subdirectories are excluded from scanning:
    Result: about 16 seconds

    Test 4
    Test setup:
    All Alcohol 120% DLLs and EXEs are packed with UPX. I unpacked them using UPX -d. AMON is started but the entire Alcohol 120% directory plus subdirectories are excluded from scanning:
    Result: about 2-3 seconds

    Test 5
    Test setup:
    All Alcohol 120% DLLs and EXEs are packed with UPX. I unpacked them using UPX -d. AMON is started and no files are excluded from scanning:
    Result: about 2-3 seconds

    Test 6
    Test setup:
    I read some threads on this forum that NOD32 has a bug that causes file exclusion not to work if the short filename format is used. Knowing this I changed this registry key that is used to associate the mds/mdf filetype with AXShlEx.dll:
    [HKEY_CLASSES_ROOT\CLSID\{32020A01-506E-484D-A2A8-BE3CF17601C3}\InprocServer32]
    @="C:\\Progra~1\\ALCOHO~1\\ALCOHO~1\\AXShlEx.dll"
    to
    [HKEY_CLASSES_ROOT\CLSID\{32020A01-506E-484D-A2A8-BE3CF17601C3}\InprocServer32]
    @="C:\\Program Files\\Alcohol Soft\\Alcohol 120\\AXShlEx.dll".
    The original (UPX'ed) Alcohol 120% files are used. AMON is started and the Alcohol 120% directory is excluded from scanning.
    Result: about 2-3 seconds


    Conclusion:
    NOD32 does not handle short filenames/paths very well (bug!). The protected executable scanner AMON is using seems very slow when scanning UPX'ed files. I know there has been discussion about the file exclusion problem in the NOD32 beta forum recently and I really hope ESET will fix this bug soon, but what do you think about the UPX scanning performance? Going from 2-3 seconds to 16-17 is about an 8 times slowdown. Is it really supposed to take that long... has anyone else experienced this problem? It should also be noted that I have not compared NOD32 with other antivirus applications. Maybe NOD32 actually is faster than the competition... I don't know...
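    To reproduce Tests 4-5 it helps to know exactly which EXE/DLL files in the Alcohol 120% directory are UPX-packed before and after running UPX -d. The following is an added example, not code from the thread, from ESET or from Alcohol Soft: it reads the standard PE section table and flags files whose sections carry UPX's own names (UPX0/UPX1); the find_upx_packed helper and the bytes produced by build_sample_pe are constructed for this example.

```python
import os
import struct
from typing import Dict, List, Optional

# UPX names its sections UPX0 and UPX1 (UPX2 in some builds); other packers use other names.
UPX_SECTION_PREFIX = "UPX"

def pe_section_names(data: bytes) -> Optional[List[str]]:
    """Return the section names of a PE image, or None if the bytes are not a PE file."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)          # offset of the "PE\0\0" signature
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return None
    # COFF header: Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    _, num_sections, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, e_lfanew + 4)
    table = e_lfanew + 24 + opt_size                              # section table follows the optional header
    names = []
    for i in range(num_sections):
        off = table + 40 * i                                      # IMAGE_SECTION_HEADER is 40 bytes
        if off + 40 > len(data):
            break                                                 # truncated input: keep what we have
        names.append(data[off:off + 8].rstrip(b"\0").decode("latin-1"))
    return names

def is_upx_packed(data: bytes) -> bool:
    """True when at least one section name starts with 'UPX' (the packer's signature layout)."""
    names = pe_section_names(data)
    return bool(names) and any(n.startswith(UPX_SECTION_PREFIX) for n in names)

def find_upx_packed(directory: str) -> Dict[str, bool]:
    """Map every .exe/.dll under `directory` to whether its section table looks UPX-packed."""
    result = {}
    for root, _, files in os.walk(directory):
        for name in files:
            if name.lower().endswith((".exe", ".dll")):
                path = os.path.join(root, name)
                with open(path, "rb") as fh:
                    result[path] = is_upx_packed(fh.read(4096))   # headers sit in the first few KB
    return result

def build_sample_pe(section_names: List[bytes]) -> bytes:
    """Constructed minimal PE-shaped bytes for testing (no real code; SizeOfOptionalHeader = 0)."""
    dos_header = b"MZ" + b"\0" * 58 + struct.pack("<I", 64)      # e_lfanew = 64
    coff = struct.pack("<HHIIIHH", 0x14C, len(section_names), 0, 0, 0, 0, 0x2102)
    table = b"".join(n.ljust(8, b"\0") + b"\0" * 32 for n in section_names)
    return dos_header + b"PE\0\0" + coff + table

if __name__ == "__main__":
    print(is_upx_packed(build_sample_pe([b"UPX0", b"UPX1", b".rsrc"])))    # True
    print(is_upx_packed(build_sample_pe([b".text", b".rdata", b".data"])))  # False
```

    Run find_upx_packed against the Alcohol 120% installation directory before and after UPX -d to confirm which files each test setup actually scanned.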

  2. Arin (Registered Member, joined May 1, 2004, 997 posts, location: India)

    Dear sach, welcome to the forum. Right now I'm answering two mails so I haven't read your post totally, but can you tell me what version of UPX is used? I have the latest 1.25 so I'll go and check out a few things.

  3. sach (Registered Member, joined Aug 3, 2004, 3 posts)

    The UPX version used is 1.24, so it is a version that has been around for a while.
    I will try to unpack the Alcohol 120% files and apply another executable packer, such as ASPack, and check out if that has similar impact on scanning performance as UPX.

  4. sach (Registered Member, joined Aug 3, 2004, 3 posts)

    This is weird... I can't get the same result for Tests 4-5 anymore and I am beginning to think that I might have mixed up some settings when I made those tests... or that something else has changed since I made those tests.
    Right now, regardless of UPX being used or not, the file listing is always slow as soon as AMON is activated and the Alcohol 120% directory is not excluded from scanning.

    AMON stopped = fast file listing (2-3 seconds)
    AMON started and Alcohol directory excluded from scanning = fast file listing (2-3 seconds)
    AMON started, no exclusions = slow (16+ seconds). Total Commander sometimes shows "not responding" for a while as it takes such a long time.

    So maybe something other than UPX is the cause of this slowdown... Right now I am all confused about the results. It would be interesting if someone else would try the Alcohol 120% trial version and do similar tests.

  5. Arin (Registered Member, joined May 1, 2004, 997 posts, location: India)

    Dear sach, I packed some files with UPX 1.25 and saw that AMON causes a slowdown. This is not true for unpacked files. Only when I pack files with UPX 1.25 do those files take time to execute. If I turn off AMON then everything is normal. I don't drink so I don't have Alcohol, but every other file UPXed causes AMON to misbehave. BTW, another new packer, FSG, is not causing such a problem.

  6. RejZoR (Registered Member, joined May 31, 2004, 6,426 posts)

    Because it's new and not yet implemented in NOD32... (it's like scanning a binary file without knowing what's inside), that's why you don't see a decrease in performance...

  7. Arin (Registered Member, joined May 1, 2004, 997 posts, location: India)

    And you came up with this all by yourself? Other known packers don't cause this slowdown. lol, thanks anyway.