Nod32 fails to delete virus.

Discussion in 'NOD32 version 2 Forum' started by beatnik, Aug 27, 2004.

Thread Status:
Not open for further replies.
  1. beatnik

    beatnik Registered Member

    Joined:
    Jul 24, 2004
    Posts:
    25
    In spite of LowWaterMark having closed the previous thread, because maybe he didn't want to face the truth about Nod, my question remains unanswered.

    Nod32 can't delete some viruses if they are running as processes in memory, and it also can't delete viruses that exist in the System Restore folder.

    Can someone explain to us why? We want the virus cleaned without booting in safe mode. Why can Avast do it and Nod can't? Avast was able to delete the 2 viruses that Nod32 detected and wasn't able to delete, as well as kill the running memory process of the virus. I believe Avast is better, but then again Nod is faster and lighter. But what matters, I believe, is the efficiency of the product at deleting viruses, not the speed or the light resources.

    P.S. Also, I was not the one who started the insults.
     
  2. LowWaterMark

    LowWaterMark Administrator

    Joined:
    Aug 10, 2002
    Posts:
    17,875
    Location:
    New England
    That thread was closed for the reasons noted in the post I made there. It had gone too far and was unlikely to ever get back to a proper discussion.

    Further, it doesn't matter who started the insults. This isn't a forum of children arguing over who started what... The topic was closed so that no one would continue those insults. (Besides, the whole start of that thread, re: the crack and all, was just plain wrong and not worthy of discussion.)

    However, you are free to post other topics, just stay on topic and polite and things should be fine.

    If your question is regarding how NOD32 handles cleaning malware, especially those that are running in memory, and also how malware files are properly deleted from the System Restore area, then maybe someone will answer you - if they feel that it is worth their time, and if they can expect a reasonable dialog with you.
     
  3. flyrfan111

    flyrfan111 Registered Member

    Joined:
    Jun 1, 2004
    Posts:
    1,224
    I hereby apologize for my remark to beatnik in his other thread. I should have used more tact, I do feel though his use of the crack he used should have ruined any chance he may have had of obtaining any help on this forum. Still several people decided to give him advice, which he refused to follow and began blaming NOD for how poorly it handled an infection on his system, I just got tired of hearing his NOD bashing and continued requests for assistance and as I stated in the thread, Blackspear does quite a bit for the members of this forum and the time he was spending giving beatnik advice could have been better spent on assisting legitimate users of NOD. My reasons however, do not justify my stooping to the level that I did and for that I apologize. Thank you for your time and attention in this matter, and I endeavor to use more tact when dealing with people who post to this forum.
     
  4. optigrab

    optigrab Registered Member

    Joined:
    Nov 6, 2002
    Posts:
    624
    Location:
    Brooklyn/NYC USA
    Beatnik, if you prefer the way Avast handles infections better than NOD32, then you will probably be happier to stick with Avast.

    There are several things one must consider when choosing an AV. You stated that you don't care so much about NOD32 being "faster and lighter", so this good attribute is worth less to you than many others. But still there are certainly others that agree with you. For the number of infections that I run against (very few), I choose to face the possibility that I will have to boot to Safe Mode to clean a virus, rather than feel the performance impact of a heavier AV every day.

    Also, as difficult as it is to interpret test results, I am comfortable with the belief that NOD32 has a better detection rate than Avast, so that's another thing that I get in return for running the risk of booting to Safe Mode to clean a virus. Others will much prefer Kaspersky - the test results for that product are typically better than both NOD32 and certainly AVAST - but those folks don't necessarily care about the same traits as you or I. See, it's all about which traits are important to you.
     
  5. beatnik

    beatnik Registered Member

    Joined:
    Jul 24, 2004
    Posts:
    25
    I am always polite to people, especially when I seek help, until someone starts to insult me, but I will listen to you and not talk back.

    Also the crack problem was a waste of time, but I want to tell you that it was because I wanted a way out of this without reformatting, but eventually I did reformat the HDD.

    Whoever wants to answer the new question about malware that runs in memory and why Nod32 can't kill the process and then the infected HDD file, please do so.

    Until now, only Avast was able to do it for me; even Kaspersky didn't.
     
  6. optigrab

    optigrab Registered Member

    Joined:
    Nov 6, 2002
    Posts:
    624
    Location:
    Brooklyn/NYC USA
    flyrfan111,

    Way to take the high road. Well done. ;)

    - O
     
  7. beatnik

    beatnik Registered Member

    Joined:
    Jul 24, 2004
    Posts:
    25
    Now I saw the last 2 posts (they were posted at the time I was replying to the previous post).

    Flyrfan, apology accepted. Also I must say that I don't refuse to follow advice like you said, but I wanted a solution without having to deal with reformatting again, because I already formatted the PC 2 times. Apparently this didn't happen, the solution never came and I was forced to reformat.

    Optigrab, if Nod also had a boot-time scan and the ability to kill and remove the virus, then it would be my first choice. Speed - Light - Clean Capabilities.
     
  8. flyrfan111

    flyrfan111 Registered Member

    Joined:
    Jun 1, 2004
    Posts:
    1,224
    NOD doesn't delete virii in active memory mostly for security and stability reasons, for example some proof of concept virii have implemented shutdown prevention techniques similar to several popular antivirus programs and firewalls, thus in order to prevent your system from becoming locked up and possibly causing read/write failures and such, NOD deals with this situation in safe mode where the file will be still on the hdd, in general Eset has designed NOD to err on the side of system stability and security, this is also their reasoning behind how and why NOD handles quarantine differently than most AV's, NOD doesn't move the file as some system files it is critical where the file is on the hdd, not just the contents of the file that are important, Eset feels it is just better to block execution of the file as opposed to moving it and risking destabilizing the system. Granted the files affected by being moved are limited but it is always better to be safe than sorry.
     
  9. beatnik

    beatnik Registered Member

    Joined:
    Jul 24, 2004
    Posts:
    25
    "NOD doesn't delete virii in active memory mostly for security and stability reasons, for example some proof of concept virii have implemented shutdown prevention techniques similar to several popular antivirus programs and firewalls"

    But why can't it just kill the infected process and then disinfect the infected system file rather than deleting it, without destabilizing the system's integrity? Why doesn't it do this on the fly as Avast does?

    If it knows how a virus works and detects it, what's the problem with disinfecting the file if it is attached to another one, restoring the original one, or just deleting the file if it's only virii? After all, it does detect it and knows how this virus works, so logically it has the method of correcting it.
     
  10. flyrfan111

    flyrfan111 Registered Member

    Joined:
    Jun 1, 2004
    Posts:
    1,224
    It is just Eset's chosen method of dealing with such occurrences, as I stated they tend to do things the safest way to ensure stability. Yes I agree the majority of the time, shutting down the process would not cause any problems, but it seems to me that Eset has chosen to (for whatever reason they decided) handle it the way they do. One of the moderators or programmers will have to explain exactly why. I am just stating my perception of how NOD seems to work.
     
  11. dvk01

    dvk01 Global Moderator

    Joined:
    Oct 9, 2003
    Posts:
    3,131
    Location:
    Loughton, Essex. UK
    With regards to removing or disinfecting running files

    Most good antiviruses will not attempt to remove a running process but will either stop the process and then delete the file if that will not cause system problems, but because of the way Windows works most files that are in use or have been in use by Windows cannot be deleted without a reboot because the files are locked by Windows itself or by using safe mode where the malware isn't loaded in the first place.

    As to System Restore

    By design NO antivirus or ANY OTHER program is supposed to be able to insert or delete from the System Restore folder; only the actual System Restore process can insert or delete files.

    Any AV that tells you it has fixed a file in System Restore is lying to you, as M$ make it so that it cannot be deleted except by its own System Restore process.
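
The locked-file behaviour described in the post above is why cleanup tools fall back to a delete-at-reboot request. The following is an added example, not code from the thread or from any product named in it; `Remove-OrScheduleDelete` and the `Example.NativeFile` type are hypothetical names, while `MoveFileEx` with `MOVEFILE_DELAY_UNTIL_REBOOT` is the real Win32 call.

```powershell
# Added illustration: try a normal delete first; if Windows holds the file
# locked, queue the deletion for the next boot instead of forcing it.
# Example.NativeFile and Remove-OrScheduleDelete are hypothetical names.
Add-Type -Namespace Example -Name NativeFile -MemberDefinition @'
[DllImport("kernel32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
private static extern bool MoveFileEx(string existing, string replacement, uint flags);

// MOVEFILE_DELAY_UNTIL_REBOOT = 0x4; a null target means "delete".
// Returns 0 on success, otherwise the Win32 error code.
public static int DeleteAtReboot(string path) {
    return MoveFileEx(path, null, 0x4) ? 0 : Marshal.GetLastWin32Error();
}
'@

function Remove-OrScheduleDelete {
    param([Parameter(Mandatory)][string]$Path)

    $full = (Resolve-Path -LiteralPath $Path -ErrorAction Stop).ProviderPath
    try {
        # Succeeds only when no process has the file open or mapped as an image.
        [System.IO.File]::Delete($full)
        return 'Deleted'
    }
    catch [System.IO.IOException], [System.UnauthorizedAccessException] {
        # File is in use: record the request so the Session Manager removes the
        # file early in the next boot, before the owning process is started.
        # Needs administrator rights; the request is stored in the
        # PendingFileRenameOperations value under
        # HKLM\SYSTEM\CurrentControlSet\Control\Session Manager.
        $err = [Example.NativeFile]::DeleteAtReboot($full)
        if ($err -ne 0) {
            throw "Could not schedule deletion of '$full' (Win32 error $err)"
        }
        return 'ScheduledForReboot'
    }
}

# Usage with a constructed path (placeholder, not a value from the thread):
# Remove-OrScheduleDelete -Path 'C:\Temp\quarantine-candidate.bin'
```

A result of `ScheduledForReboot` means the file is still on disk and still loaded until the machine restarts, so a rescan before the reboot will continue to report it.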
     
  12. beatnik

    beatnik Registered Member

    Joined:
    Jul 24, 2004
    Posts:
    25
    Well, as to System Restore, Avast at a boot-time scan told me that a file named A3778483 was infected with a virus, and it asked me if I wanted to delete it, knowing that it's a system file. I said yes and it deleted it. So it can be removed, because I searched for it and didn't find it.

    As to removing or disinfecting running files, I wanted to say that I understand that if a running process is terminated unexpectedly or stopped then it is possible to create system instability and problems, especially if that file is a system one. Nod32 should let the user decide if we wanted to terminate the file or not. And when it comes to Safe Mode, then who guaranteed that the virus-infected file would be again reloaded into memory (especially if it's a system one) although we work in safe mode!! Maybe it's some basic system file that Win won't do without. What then? Nod32, the way that it handles this now, would not kill or stop the infected process, and if it's not running maybe it would still be characterized by Windows as locked. Then what?

    I think the best solution is if Nod32 would adopt a boot-time scan so that no Win file actually loads itself. No lock problems would exist, neither running processes that can't be terminated. Avast does a great job with this boot-time scan trick. Why not Nod32 as well??!
     
  13. flyrfan111

    flyrfan111 Registered Member

    Joined:
    Jun 1, 2004
    Posts:
    1,224
    By deleting that one file you just rendered system restore useless to you should you need to restore to a point AFTER that point was set. System restore is incremental not cumulative, it doesn't save the changes entirely, but each time only the changes made since the last restore point was made are saved. Thus messing with the files in one restore point will render that restore point and all subsequent restore points nothing more than a waste of hard disk space. Should you try a restore most likely it would fail.
     
  14. ronjor

    ronjor Global Moderator

    Joined:
    Jul 21, 2003
    Posts:
    57,729
    Location:
    Texas


    This new version of NOD should make it extremely hard to get a virus in the first place. Unless you tend to want a virus.
     
  15. beatnik

    beatnik Registered Member

    Joined:
    Jul 24, 2004
    Posts:
    25
    lol, of course not. I already downloaded and am using Nod32 v2.12.1 at the moment we speak. It's just so damn light and fast.

    flyrfan, yes I am already aware of that, but if we just leave the System Restore file infected, then when we decide to restore and use it, would it be usable with the virus already inside it? And after all, how did the damn virus infect an SR file in the first place?!? After all, it's locked by XP for write access, isn't it?!?
     
  16. Benvan45

    Benvan45 Registered Member

    Joined:
    Jul 27, 2004
    Posts:
    556
    Man...oh man.....ever considered using Panda AV? When I read all these problems, I really don't understand why so many people are so crazy about Nod32.
    Surely....Nod is good, but there are other good to great scanners around.
    I'm a very content user of Panda and I never have any problems of the sort mentioned here.

    Take Eicar.com2.zip........using Nod (2.12), it won't clean the bugger, you have to take action yourself.
    Panda just kicks the buggers out and that's it.
    Configuration problems? Panda is that easy to configure.......and it just does what it is supposed to. It's light, fast, perfect updating, perfect mailscan etc.

    Don't just kick everything out except for Nod32, try some others........

    ;) Putin
     
  17. ronjor

    ronjor Global Moderator

    Joined:
    Jul 21, 2003
    Posts:
    57,729
    Location:
    Texas
    I have tried many others. Nothing compares to NOD.
     
  18. flyrfan111

    flyrfan111 Registered Member

    Joined:
    Jun 1, 2004
    Posts:
    1,224
    As a former Panda user I must tell you Panda is not all you pretend it to be, yes Panda did very well in this go round at Av-Comparatives, however in the next test you will again see Panda's weakness, its heuristics are very poor, based solely on definitions Panda is a good scanner, heuristically it leaves a LOT to be desired. During my two years of using Panda I had numerous false positives during on demand scans with heuristics set to high and medium (its recommended setting) on very common files, Acrobat reader, Turbo Tax 2002, Quicken 2002-2004, Rogue Spear and MS's Streets and Trips just to name a few. The Acrobat reader has been detected heuristically by Panda Platinum 7 since its release almost 2 years ago and tech support's answer is to exclude it instead of fixing the detection. That is a great answer to your customers. Yes I know NOD has FPs as well but there is a difference, Eset fixes them. As for Panda's new TruSecure, this is a behaviour blocker approach that both Symantec and McAfee tried several years back and abandoned because of too many FPs and requiring too much user intervention. I feel that heuristics is the way to go in the virus detection arena and NOD does heuristics better than any other AV out there, as the next Av-comparative will demonstrate once again.
     
  19. NAMOR

    NAMOR Registered Member

    Joined:
    May 19, 2004
    Posts:
    1,526
    Location:
    Arkham Asylum

    Have you considered that you read about problems here because this IS a help forum? Go to the Mcafee, Kaspersky, avast!, Dr.Web, AntiVir, or the Norton forum at computercops and you will see the same thing. People come here to have problems solved/questions answered. If Panda had a help forum you would see the EXACT same thing.
     
  20. Blackspear

    Blackspear Global Moderator

    Joined:
    Dec 2, 2002
    Posts:
    15,115
    Location:
    Gold Coast, Queensland, Australia
    Good post Namor

    Cheers :D
     
  21. bigc73542

    bigc73542 Retired Moderator

    Joined:
    Sep 21, 2003
    Posts:
    23,873
    Location:
    SW. Oklahoma
    We are drifting off topic a little; to keep from going too far off, let's try to stay on this topic [ Nod32 fails to delete virus.]
     
  22. snapdragin

    snapdragin Administrator

    Joined:
    Feb 16, 2002
    Posts:
    8,415
    Location:
    Southern Ont., Canada
    Hi Beatnik,

    Regarding your question as to how the infected file entered the System Restore. If you have the System Restore feature turned on while doing a scan and cleaning with a security program (in this case your anti-virus program) the Windows System Restore feature detects that you are about to change, move, or delete file(s), it will take a copy of the file(s), give them a special name, and back them up into the protected System Restore folder so it will be able to restore those file(s) for you later if you wanted to go back to an earlier state. System Restore doesn't know if those files are clean or infected when it makes a copy of them. Then when you scan again with one of your security programs (anti-virus, anti-trojan, etc) those programs will detect any infected file (with the new name System Restore gave it) now in the System Restore folder, but Windows will not allow the security program to delete any of those now-protected files in that folder. That's what System Restore is all about - protecting its backed up files so you will have them there if you ever need to revert back to an earlier date (restore point).

    To correctly remove any infected files that may have been backed up in the System Restore folder after you have cleaned your computer of any malware files, you just have to turn the System Restore feature off, reboot your computer to purge the restore points, then after the reboot turn your System Restore feature back on. Then when you do another scan with your security app, it should no longer detect any infected file in the System Restore.

    Here is a link that will help explain how to turn your System Restore feature off and on: System Restore Instructions for XP.

    Hope that helps. :)

    Putin, if you wish to discuss other A/V's, please feel free to open a New Topic in our Other Anti-virus Software forum.

    Regards,

    snap
     
  23. who am i?

    who am i? Guest

    I must say, if M$ intended to block the "System Volume Information" folder from being accessed, they surely haven't done a good job. I know of at least 2 ways to access the system restore files on an ntfs volume, one using the task scheduler and the other using an admin account.
     
  24. pete_x

    pete_x Guest

    The System Restore folder is locked to users/admins (only the system can access), as they are not listed in the permissions to access the folder. All you have to do is enter your user name or administrators and give read/write access or full control.

    Simple file sharing has to be unchecked in folder options; then you will have a security tab in the properties of folders and files.

    You cannot turn off simple file sharing in XP Home.
     
  25. jg88swe

    jg88swe Registered Member

    Joined:
    Jul 1, 2004
    Posts:
    181
    (haven't read anything on the forum topic)

    My opinion of NOD32 is positive but..

    When I had Lovsan (Msblast) on my computer ... NOD32 detected it in memory.. but couldn't delete it .. :rolleyes: I had to scan the whole computer ... that took about 1 min :p ..

    then I could delete it..
     