NOD32 does not scan archives - when will this be fixed?

Discussion in 'NOD32 version 2 Forum' started by Richard Kaufmann, Dec 13, 2005.

Thread Status:
Not open for further replies.
  1. German IT magazine c't stated that NOD32 is not able to scan archives for viruses during download. I tested it and found that they are right (as always).

    This renders the product in a corporate environment completely useless. I administer more than 300 clients, and on each workstation and on each server an on-access scanner is working and cannot be switched off.

    I thought I could test NOD32 and maybe switch when the next renewal of my McAfee contract happens, but now I think I am wrong.

    Regards
    Richard Kaufmann
     
  2. webyourbusiness

    webyourbusiness Registered Member

    Joined:
    Nov 16, 2004
    Posts:
    2,640
    Location:
    Throughout the USA and Canada
    AMON scans them on access - how does this make NOD32 "completely useless" - I've been using NOD32 in a corporate environment for more than a year and it is FAR from useless.....

    (oh - about your being wrong - you're right... you ARE wrong!)
     
  3. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,374
    IMON scans all files including archives during the download process.

    If AMON was to scan archives internally, it wouldn't make any difference in terms of safety and, what's more, it would render your machine completely useless as it would take much time to unpack archives.
     
  4. pykko

    pykko Registered Member

    Joined:
    Apr 27, 2005
    Posts:
    2,236
    Location:
    Romania...and walking to heaven
    What NOD32 doesn't actually have is an option to clean or delete the archive or the file inside the archive, when it finds a virus inside it.

    Sometimes it has the option to delete the entire archive (I think when it finds more than one virus inside it), but not to delete specific files from within the archive.
     
  5. OK,
    go to http://www.eicar.com/anti_virus_test_file.htm

    and try to download all the eight files at the end of the page.

    I only get a warning message (and the download is not possible) when I download the eicar.com file via http and https. In ALL other cases NOD32 displays no warning and I am able to download the files to my hard disk. Due to this behaviour I say that AMON is not scanning archives and it is not working.

    Regards
    Richard
     
  6. webyourbusiness

    webyourbusiness Registered Member

    Joined:
    Nov 16, 2004
    Posts:
    2,640
    Location:
    Throughout the USA and Canada
    only the https zip files come down... and both of those are detected when trying to extract the threat using winrar... ergo, 100% threat protection... hardly useless!
     
  7. TimaN

    TimaN Registered Member

    Joined:
    Aug 22, 2005
    Posts:
    125
    Location:
    Tulsa, OK
    I'm with you all 100% pykko. I wish NOD32 was able to clean archives without deleting the whole archive.
     
  8. webyourbusiness

    webyourbusiness Registered Member

    Joined:
    Nov 16, 2004
    Posts:
    2,640
    Location:
    Throughout the USA and Canada
    I think the problem is that your settings will determine how the threat is handled and where in the process - ie, BEFORE it's downloaded, or AFTER.

    This means that you would need to setup NOD32 to handle archives as you would prefer (where possible) - but at the worst possible case, any threats found inside an archive will be detected when they are accessed or extracted using AMON.

    To me it indicates that a further knowledge of NOD32 is required before reviewing the product, because by no means is it "useless".
     
  9. tigre

    tigre Guest

  10. JimIT

    JimIT Registered Member

    Joined:
    Jan 22, 2003
    Posts:
    1,035
    Location:
    Denton, Texas
    No need for fix. It ain't broke.

    nm...
     
  11. Blackcat

    Blackcat Registered Member

    Joined:
    Nov 22, 2002
    Posts:
    4,010
    Location:
    Christchurch, UK
    Very few RTMs of AVs can scan archives. Command, Dr Web, McAfee Enterprise, and BitDefender are some of the ones that do offer the choice of archive scanning, but this is not a default setting.

    But a number of others do not e.g. AMON and KAV 5. The last two AV vendors are no slouch in detection rates but at the present time they do not offer this scanning choice.

    The main reason being that it may slow down performance considerably. Further, malware can be picked up in the archive when it is extracted, then the RTM (AMON) jumps in.

    So most AV companies leave archive scanning to the on-demand scanner.
     
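    To make concrete what "leaving archive scanning to the on-demand scanner" means in practice, here is an added example that is not from this thread, from ESET, or from any product discussed here: a minimal on-demand scanner in Python that opens ZIP archives, recurses into nested archives, and reports a member that carries the standard EICAR test string (the same harmless test file the eicar.com page offers). The depth limit and per-member size cap are the two guards a practitioner would want before pointing such a thing at untrusted archives, and they are the cost the posts above are talking about: every nested layer has to be inflated before anything can be matched. The sample archive is constructed inline; the function names and limits are my own.

```python
import io
import zipfile

# Standard EICAR anti-malware test string (harmless by design). It is assembled
# from two halves so that this source file itself does not trip an on-access
# scanner when saved to disk; the joined value is the well-known 68-byte string.
EICAR_SIGNATURE = (
    b"X5O!P%@AP[4\\PZX54(P^)7CC)7}$EICAR"
    + b"-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"
)

MAX_DEPTH = 3                          # nested archives deeper than this are reported, not unpacked
MAX_MEMBER_BYTES = 10 * 1024 * 1024    # refuse to inflate any member larger than this (zip-bomb guard)


def scan_bytes(data, name, depth=0, max_member_bytes=MAX_MEMBER_BYTES):
    """Return a list of human-readable findings for one blob.

    A blob is matched against the signature directly; if it is also a ZIP
    archive, each member is read into memory and scanned recursively, so a
    hit inside inner.zip inside outer.zip is reported with its full path.
    """
    findings = []
    if EICAR_SIGNATURE in data:
        findings.append(f"{name}: EICAR test signature")

    if not zipfile.is_zipfile(io.BytesIO(data)):
        return findings
    if depth >= MAX_DEPTH:
        findings.append(f"{name}: nested archive beyond depth {MAX_DEPTH}, not unpacked")
        return findings

    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                if info.is_dir():
                    continue
                member_name = f"{name}/{info.filename}"
                # Python's zipfile stops reading at the declared uncompressed
                # size, so checking that size before inflating bounds memory
                # even when the local header understates the real size.
                if info.file_size > max_member_bytes:
                    findings.append(
                        f"{member_name}: declared size {info.file_size} exceeds cap, skipped"
                    )
                    continue
                try:
                    member = zf.read(info)
                except zipfile.BadZipFile as exc:
                    findings.append(f"{member_name}: unreadable member ({exc})")
                    continue
                findings.extend(scan_bytes(member, member_name, depth + 1, max_member_bytes))
    except zipfile.BadZipFile as exc:
        findings.append(f"{name}: corrupt archive ({exc})")
    return findings


def wrap_in_zip(payload, member_name):
    """Return the bytes of a new ZIP archive holding payload as member_name."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(member_name, payload)
    return buf.getvalue()


def build_sample_archive():
    """Constructed test input: outer.zip with a clean readme.txt and an
    inner.zip that contains eicar.com."""
    inner = wrap_in_zip(EICAR_SIGNATURE, "eicar.com")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("readme.txt", b"nothing to see here")
        zf.writestr("inner.zip", inner)
    return buf.getvalue()


if __name__ == "__main__":
    for line in scan_bytes(build_sample_archive(), "outer.zip"):
        print(line)
```

    Run as a script it reports the hit as `outer.zip/inner.zip/eicar.com`, which is exactly the work an on-access scanner would have to repeat on every open of every archive; wrapping the same sample in a few more layers exceeds the depth limit and produces a "not unpacked" finding instead of a hit, which is the honest answer when a scanner is asked to choose between inflating everything and staying fast.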
  12. Brian N

    Brian N Registered Member

    Joined:
    Jul 7, 2005
    Posts:
    2,148
    Location:
    Denmark
    99% of all the crap NOD has detected for me was through IMON in .exe .zip .rar & .cab files.
    It's quite obvious that the tester from the magazine has no idea how to use or configure the program.

    Regarding the eicar files: IMON blocks all 4 files (http). The other 4 (https) will get zapped by AMON or the on-demand scanner. So their statement is incorrect.
     
  13. HAN

    HAN Registered Member

    Joined:
    Feb 24, 2005
    Posts:
    2,080
    Location:
    USA
    I'll have to chime in here too. When I read the thread title, I thought "That's not right. NOD has always scanned archives on download". And it indeed does.

    But FWIW, I agree with the AMON comment. Archives are NOT dangerous until opened. (Another FWIW... as a matter of course, my company does not allow any inbound archive files. If one is sent and is necessary, it is pulled out of the server by hand from quarantine. Malware archives like Sober never even make it to the AV scanner...)
     
  14. alglove

    alglove Registered Member

    Joined:
    Jan 17, 2005
    Posts:
    904
    Location:
    Houston, Texas, USA
    Make sure that IMON is setup to scan archives. Go to IMON --> Setup --> Miscellaneous --> Scanner --> Setup. Make sure that "Archives" is checked in the Setup tab, and the Actions tab is set to "Prompt for Action" for archives.
     
  15. YeOldeStonecat

    YeOldeStonecat Registered Member

    Joined:
    Apr 25, 2005
    Posts:
    2,345
    Location:
    Along the Shorelines somewhere in New England
    Why do people worry about the fact that it can't clean "bad" individual files out of a compressed file...if that compressed file has something bad in it...then I want the whole bloody thing deleted that instant. Screw worrying whether an antivirus can pick and clean 3x items out of the 50 or 100 in the zip file. I can't think of a single situation where I'd want to clean out that zipped file. Any zipped file attempting to come into any systems I'm in charge of...if it's dirty, there is nothing worth saving to me, I want it deleted without question.

    All my NOD deployments...I give the user zero chance of being "prompted what to do"..no "Quarantine"...everything is set to delete automatically.

    As for the scanning in compressed files...you have your faith in the antivirus..the AMON. If it has the definitions to detect it, AMON will stop it. If AMON didn't stop it, then it didn't have the definitions for it, and being able to scan within zipped files would not have picked it up anyways. One of the main points most of us have chosen NOD32 for, and one of their main selling points, is speed, the fact that it's lightweight and fast. You can't have it both ways..want to scan inside compressed files, choose an AV product that takes overnight to scan. Want speed? Well, here's NOD32...have faith in AMON or don't have faith in it at all.
     
  16. tazdevl

    tazdevl Registered Member

    Joined:
    May 17, 2004
    Posts:
    837
    Location:
    AZ, USA
    Problem with that is that if you have a FP in an app, you could render it or the OS useless.
     
  17. Upasaka

    Upasaka Guest

    I use NOD32 and have done for the last three years, it has never failed in any way!
    The tests at eicar.com I have used several times in the past as a check and NOD passes without fail.
    The HTTP tests all get stopped by termination of the connection, the first 2 HTTPS tests are flagged and stopped immediately and the second 2 are flagged on test after download (I check all files I download) and if unzipped the virus is caught and quarantined.

    I am a home user, not a professional user in any way, if I can set NOD32 to give this level of protection anyone can!
     
  18. Blackspear

    Blackspear Global Moderator

    Joined:
    Dec 2, 2002
    Posts:
    15,115
    Location:
    Gold Coast, Queensland, Australia
    I do the same thing, except thoroughly recommend using Quarantine, for safety reasons, and no, it's never happened yet, but the day I don't check Quarantine is the day I'll receive a phone call that Nod32 has ripped out some precious file and killed their cat :rolleyes: ;) :D

    Cheers :D
     
  19. YeOldeStonecat

    YeOldeStonecat Registered Member

    Joined:
    Apr 25, 2005
    Posts:
    2,345
    Location:
    Along the Shorelines somewhere in New England
    I don't worry about that....the app would easily be reinstalled. If the antivirus does its job...it will catch the bad guy before it hits/infects the OS. I've been supporting small businesses long enough to learn that if a bad guy hits an OS...that OS is going down for the count anyways. I've seen it happen a couple of times with other antivirus products. And as is my rule for my business clients...if the OS gets hit...there is no way I'll do a repair, or go under the false assumption that an antivirus properly cleaned an OS file. That computer is getting a format and reinstall. I've seen it in the past...once an OS is hit, even when other antiviruses said they "cleaned" those OS files...that computer will have hiccups for the rest of its life. That client will be calling my phone with little glitches.
     
  20. kjempen

    kjempen Registered Member

    Joined:
    May 6, 2004
    Posts:
    379
    Computer magazines that are always right? That will be the day! I've read plenty of articles that are full of mistakes, especially about security software and audio/video compression. It's rare that they get these articles correct. And if I can spot mistakes then it makes me wonder how much work/effort did they actually put into making their article correct.

    And like others have commented in this thread: NOD32's IMON (Internet Monitor) stops the first 4 Eicar files before they get downloaded to your hard drive. Which proves the article to be mistaken. And the other 4 Eicar test files that are hosted on an encrypted connection (HTTPS protocol) will only be scanned and detected by AMON or the On-Demand scanner.

    EDIT: By the way, is there any anti-virus product that is able to scan archives hosted on a secure/encrypted connection before they're downloaded to your hard drive?
     
  21. Happy Bytes

    Happy Bytes Guest

    Correct. There's no scanner on the whole earth that is able to scan HTTPS contents during transfer.
     
  22. kjempen

    kjempen Registered Member

    Joined:
    May 6, 2004
    Posts:
    379
    Thanks for clearing that up, Happy Bytes! :)
     