NOD32- Inconsistent scan results

Discussion in 'ESET NOD32 Antivirus' started by Hollowstriker, Apr 4, 2010.

Thread Status:
Not open for further replies.
  1. Hollowstriker

    Hollowstriker Registered Member

    Joined:
    Mar 28, 2010
    Posts:
    50
    I noticed this behaviour in NOD32 when I happened to scan the program Advanced Process Termination (apt.exe) by Diamond Computer Systems (http://tds.diamondcs.com.au/). The file in question is a program which allows for the termination of processes using a variety of methods and hence, it is not unusual for NOD32 to flag it as Win32/APT (according to the result when uploaded to VirusTotal).

    The issue is that when a folder/ZIP file containing the executable or even the executable itself is scanned using the right-click context menu>> clean with ESET NOD32 Antivirus/Scan files, NOD32 reports that nothing is infected.

    However, when scanning the specific folder using the NOD32 GUI (Custom scan- In-depth scan), NOD32 flags it and logs the executable as:
    Code:
    Win32/APT potentially unsafe application - was a part of the deleted object
    Another case in which the executable is detected would be when it is directly accessed/copied/run and the Detect potentially unsafe applications option is enabled in real-time filesystem protection settings.

    My question would be: is this behaviour by design, i.e. is the context menu not supposed to raise any alerts if a potentially unwanted/unsafe application is scanned? (I don't see any options to customize the context menu scan to detect these items, though I would expect it to follow the real-time filesystem protection settings; such as when I would want to scan files before burning them to a CD for a friend and expect NOD32 to alert me if there is a threat among the files.)

    Screenshots/Scan log: Resources.zip (does not contain apt.exe; that can be downloaded from Diamond CS)
     
  2. Brambb

    Brambb Registered Member

    Joined:
    Sep 25, 2006
    Posts:
    411
    Location:
    The Netherlands
    You can alter the context-menu profile on the on-demand scan configuration. Seems PUA is disabled in that profile so you see these two different scan results.
     
  3. Hollowstriker

    @Brambb

    Thanks for the quick and concise reply! Found what I wanted in order to configure it properly:

    option01.png

    option02.png


    Just an additional question about this scan profile: when I do a context-menu scan, usually it is on a file/folder. However, in the settings below, there are additional options for operating memory, boot sectors and email files. I would presume operating memory to be the full system RAM, boot sectors to be those of the drive on which the file is located (e.g. C: or F:) and email files to be files with the extensions eml, emlx, msg, mbx; are these unnecessary to check if my only goal is to ensure all files which I scan from the context menu are scanned/cleaned?


    option03.png
     
  4. Brambb

    Although I never tested this myself, I guess if you tick 'Operating memory' and 'Boot sectors' it will scan the memory and boot files prior to the files selected in the context menu (just like a normal on-demand scan), which will make the scan time for just files a bit long.

    The e-mail files are a different thing; these are unchecked because they are normally quite large archived files and should be scanned by the incoming and outgoing e-mail protocol engine. Whether to enable this for context-menu scanning is up to the user.
     