NOD32 beta vs OE dbx files-TheNeverEndingStory<<grin>>

Discussion in 'NOD32 Early v2 Beta' started by Phil, Jan 16, 2003.

Thread Status:
Not open for further replies.
  1. Phil

    Phil Registered Member

    Joined:
    Oct 24, 2002
    Posts:
    248
    <quote from Mele20 in the NOD32 forum>
    I don't think your test duplicated what happened to me. I did an on demand scan, from within the NOD Control Center ..not from the desktop shortcut, using the scan button. The scanner never stopped on the virus in the sent folder or on the one in the deleted items folder. I never got a popup about them. The scan took 23 minutes and then the summary showed 16 viruses. I knew I didn't have 16 viruses. I could not look at any logs using the beta version. I had only that summary. I ran the on demand scanner many times and everytime it behaved in this fashion. Note that I'm talking about running it from within the NOD control center. It never stopped on any virus and would only display a brief summary at the end saying how many viruses were found..no details and would not let me look at any logs. If I tried to look at the logs that froze NOD32 and and I had to use c/a/d which closed down NOD32. I could scroll back through every single file to find the red highlighted ones, but that was difficult and I would miss some. Plus, of course, once I closed that session then it was saved to the logs which I could not later access and just trying to access them caused NOD32 to freeze leading to c/a/d which closed NOD down completely.

    So, instead, when I decided to try and clean or delete the viruses, I ran the on demand scanner again (from within the control center) and I chose to do the scan from the "clean" button rather than from the "scan" button. When I did that, the scanner stopped first on the yaha.N virus and announced in a popup box that it had found this virus in the deleted items.dbx box and then, under that, gave the name of the email, the sender, recipient, name of the virus and the location which was the deleted items box in OE. I was stunned. I thought I had deleted it off my system when IMON first caught it and put in quarantine and then I deleted it. I immediately went to the deleted items box and sure enough it was there unopened. I went back to the scanner's alert box where I was given the option to leave it or delete it. I did not get any popup boxes under the first box!

    The path was very explict giving the exact name of the email "What Does NOD32 call this Sucker", the sender, recipient, and the name of the virus in the attachment and the location of the email in the deleted items box. Since the path given was explict for that ONE email ...not the the deleted items box, I chose to hit the button "delete".

    The scanner then continued until it stopped next on the email with the virus in the sent items box. Again, ONE popup box only. The box said there was an email found in the sent items box infected with the magistr virus. It went on to give the same explict path for the infected piece of mail as it had with the infected email earlier. It gave the title of the email "Nod32 Not Detecting One Virus", the sender's name, the recipient's name, and the two viruses (that NOD was detecting) in the attachment and the location of the email as being in the sent items folder. Again Amon said it could not be cleaned but could be deleted. So, I deleted it.

    I have no idea why I didn't see any popup boxes under the first one. It must have had something to do with the fact that I first ran the scan using the scan button and then was forced to run it again using the clean button.

    The on demand scanner behaved differently if I called it from the desktop short cut than if I called it from within the NOD control center. From the desktop short cut it would report that it found 10 viruses. Run from the NOD control center, it would report it found 16 viruses. This was running the scans back to back. Of course, I could not look at the logs, so I do not know what it flagged because I was running it in scan mode where it would not stop on anything it found.
    </quote>

    Mele20,

    As stated in the other forum, I have not been able to reproduce what you saw. As to why, I don't have a clue. There are possible reasons -- I think I remember you saying you are on Win98, I am using XP Pro SP1 -- you could have a corrupt install -- you may have different setting -- this *is* Windows. :D I did not have any problems reading the log files which tends to make me think you may have had a corrupt install.

    As to you having to look through all the files to find the "red" ones, do you have the "all files" option seleted? The only files that show on my sys when scanning are *only* the locked files and the found viruses.

    What I find entertaining about this situation is I see some people on other forums strutting and preening and offering their "expert" advice and they don't even USE NOD32 or have not tried the beta. There's nothing you can do about other peoples' kids, I guess. :D

    Again, I don't doubt you saw what you saw, but sometimes memory can be a tricky thing. Eye witnesses are the *worst* possible witnesses in court cases. Should you ever feel brave enough again, it would be most interesting to see your results from a new test now that you know what to look for. Should you decide to not even try, I would certainly understand.

    Now, my new tests. I performed MANY tests using all different scanning methods with similar results. For the test I will report here, I did *exactly* what you did above. For the test, I used a zipped Eicar file because if something went goofy, I didn't want to infect myself. For the test, I put the test email in my Drafts "folder" along with some clean emails because the "folder" is really just a single dbx file that contains all the emails. This would replicate your experience with your Sent.dbx and your Deleted.dbx, I am just using a different file to isolate the test. Instead of trying to explain what I saw, I will attach jpg's, that is if I can figure out how to attach them, never having done that before. They are named NOD1, NOD2,NOD3, and (surprise, surprise) NOD4. They are in the order of the popups I saw. There was only ONE test virus, but NOD reported 4 because of the different ways the scanner caught it. This would correspond to you seeing more viruses than actually existed. I hope the screen shots will make this issue a little more clear. The reason for the 4 is it drilled all the way down inside the zip and identified the actual virus for the first popup and then backed all the way out to the dbx file. Again, I hope the pictures will explain.

    I will attempt to attach the first popup jpg to this post. This is where it drilled down through the dbx to the email to the zip and then inside the zip. Personal info has been removed.
     
  2. Phil

    Phil Registered Member

    Joined:
    Oct 24, 2002
    Posts:
    248
    Well, it didn't work. I will try the first jpg again in this post.
     

    Attached Files:

    • NOD1.jpg
      NOD1.jpg
      File size:
      35.9 KB
      Views:
      431
  3. Phil

    Phil Registered Member

    Joined:
    Oct 24, 2002
    Posts:
    248
    It worked that time. Cool! :D

    I will try to attach two here. If you will notice, the ONLY option is to "Leave" in the first one and these two.

    Again, the first one is where it drilled all the way down to the test virus itself. As you will see (I hope), NOD2 is where it had backed out to the zip, and NOD3 is where it had backed out to the email itself, correctly identifying in ALL cases the fact the virus is there. First it said here is a virus. Next it says here is a zip with a virus, and third it says here is an email with a zip that has a virus. Pretty danged neat if you ask me. Again, in ALL three of these cases, it says it can't do anything with it.

    OK, I can't figure out how to attach 2 so #3 will be in the next post.
     

    Attached Files:

    • NOD2.jpg
      NOD2.jpg
      File size:
      32.7 KB
      Views:
      431
  4. Phil

    Phil Registered Member

    Joined:
    Oct 24, 2002
    Posts:
    248
    OK, here is where it had backed up to the email with the infected zip (NOD3).
     

    Attached Files:

    • NOD3.jpg
      NOD3.jpg
      File size:
      32.4 KB
      Views:
      431
  5. Phil

    Phil Registered Member

    Joined:
    Oct 24, 2002
    Posts:
    248
    Now, here is the critical one -- the one that opens up other options like "Delete". PLEASE note what is PRECISELY identified. It is NO LONGER showing the email. It has zeroed in on the "Drafts.dbx" file itself. This is the FIRST time it has given me an option to do ANYTHING other than leave. Now, it has backed out to where it is targeting only the dbx file, which contains *every* email in what is called the Drafts "folder". Well, I hit delete. Guess what happened to *every* email in my drafts folder. Yep! Poof -- outa town -- gone -- deleted because *I* told it to delete.

    Mele20, I think this si the way the NOD32 beta is designed to operate. I can not explain what happened to you and I am truly sorry you lost your email. The only thing I can imagine is you had a corrupt install *or* there is a bug in the way the beta handles a different OS. Could be conflicting software -- I simply don't know. One thing I do know for SURE is (assuming correct operation) the NOD32 beta will NOT delete all the email UNLESS the user tells it to do so.

    I hope this little disertation helps you (and other readers) understand a little better my perception of how the new NOD works. :)

    Phil
     

    Attached Files:

    • NOD4.jpg
      NOD4.jpg
      File size:
      26.7 KB
      Views:
      431
  6. LowWaterMark

    LowWaterMark Administrator

    Joined:
    Aug 10, 2002
    Posts:
    17,875
    Location:
    New England
    [​IMG] Very nicely done Phil. And, it makes sense. Perhaps, as you say, it's not the exact same thing as happened to Mele, but, your analysis looks good for the circumstances...
     
  7. Carren

    Carren Registered Member

    Joined:
    Feb 10, 2002
    Posts:
    4
    Location:
    New Zealand
    Thankyou Phil .... that confirms exactly what I expected would happen, and simply reaffirms my personal belief that when *any* AV program finds an infected file, it is far safer for the user to simply navigate to that file and manually delete it. By doing that there is no room for error or misunderstanding.

    I am curious about two things? Firstly, does the current release version behave in the same way? Secondly, is OE unique in the way it manages mail, or do most email clients manage mail the same way? :doubt:
     
  8. Phil

    Phil Registered Member

    Joined:
    Oct 24, 2002
    Posts:
    248
    Thank you for the compliment. I folded, spindled, and mutilated the scanner in every way I could think of trying to reproduce what Mele20 described and it simply would NOT do it. There seems to be a lot of misinformation floating around about this situation and I felt a need to post a few facts on *my* experience with the beta. Personally, I can't wait for the release version - it's going to be NICE! :cool:

    Phil
     
  9. Phil

    Phil Registered Member

    Joined:
    Oct 24, 2002
    Posts:
    248
    Carren,

    I don't know about the release version because when I was using it, there is *no* way I would have handled an identified email virus in this way. In all previous cases when the POP3Scanner would ID a virus, I would simply empty and compact the "Deleted Items" folder.

    Many other email clients *do* use a single file for each "folder" as shown in the client. I don't know the interaction because I have not received a virus while testing/trying them, except for Pocomail (a WAY cool client, BTW) Poco puts any attachment in a different folder as an individual item so this would not be an issue with Poco.

    HTH
    Phil
     
  10. puff-m-d

    puff-m-d Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    4,449
    Location:
    North Carolina, USA
    Phil,

    Here is a karma cookie for an excellent post :D !!!!!

    Regards,
    Kent
     
  11. Phil

    Phil Registered Member

    Joined:
    Oct 24, 2002
    Posts:
    248
    Thank you, Kent. Come to think of it, I *am* a little hungry. :D

    Phil
     
  12. jan

    jan Former Eset Moderator

    Joined:
    Oct 25, 2002
    Posts:
    804
    Hi all,

    sorry, I returned here with a "small" delay ;) caused by too much work with the Beta.

    Thank you, Phil for the nice explanation of the .dbx deletion problem. We are sorry that the problem occurred although the user has confirmed the deletion of the .dbx file full of e-mails by herself. Anyway, we admit that the message announcing it was not easily readable. That's why we decided we'll make it safer - the deletion of the e-mail storage files will be disabled in the next beta. This can avoid similar cases in the future.
    The current release version behaves in the different way you can try it, if you want.

    rgds, :)

    jan
     
Thread Status:
Not open for further replies.