NOD32 Setup Questions (from a New User)

Discussion in 'NOD32 version 2 Forum' started by rnfolsom, Nov 14, 2005.

Thread Status:
Not open for further replies.
  1. rnfolsom

    rnfolsom Registered Member

    Joined:
    Nov 9, 2005
    Posts:
    247
    Location:
    Monterey, California
    I am a very new NOD32 user (less than one week) who has tried to study the NOD32 installation manual, helpfile, and Blackspear's "Extra Settings for NOD32"
    https://www.wilderssecurity.com/showthread.php?t=37509
    rather carefully. Nevertheless, I have remaining NOD32 Setup questions.

    Perhaps I should post each question separately, but it seemed more efficient to collect them and post them all at once, letting any respondent choose which question or questions to answer. (To avoid quoting, any question can be answered by its number.)
    And if anyone thinks it is worth passing these questions on to Eset as issues that new help files or manuals ought to cover, a single collection of questions seemed more useful.

    Nevertheless, I will be happy to post each of these questions separately if I need to do so to conform to Wilders Security customs or regulations.


    1) General question: At numerous places in the setups for different modules, there is an option to scan for "Potentially dangerous applications," which is unchecked by default. The NOD32 help explains that this option "enables . . . tools for remote access and administration," and Blackspear regularly provides the following "WARNING: enabling this option might result in deletion of Remote Administrative Programs such as those used by Network Administrators."
    Am I right in thinking that this warning is relevant only to computers on Domain (client-server) networks?
    In my case there is no domain network anywhere in sight: There's only a four computer workgroup peer-to-peer network, all in the same house. If something needs installing or fixing, I do it at the computer's own keyboard. Can I safely ignore that warning? Am I correct in thinking that I would have NO disadvantage to ALWAYS checking the "potentially dangerous applications" option?


    2) General question: Why not always check "Copy to Quarantine," regardless whether the selected action is Prompt or something else? I can't think of any reason not to copy a problem to quarantine, at least as a default setting. I do understand that Quarantine is not a substitute for cleaning or deleting.


    3) General question: I have found that the enormous number of choices takes many hours to set, and then to check to try to confirm that one hasn't missed anything (e.g. to remember for each profile to not send any messages to anybody, since this is a small home office and not a domain network environment). I will be acquiring licenses to run NOD32 on two additional computers, but I dread spending multiple hours on each one trying to set the same settings over and over again. All use the same operating system (Win2k Sp4). Is there any master file of all settings that I could copy from the computer I am now setting up, to the other two computers?


    4) EMON, Setup, Logs, System section:
    If "Log all files" and "Synchronous logging" both are NOT checked, are infections logged anyway?


    5) IMON, Setup, POP3:
    What are the rationales for the "Switch to Passive" defaults at 2048kb and 55secs?
    That is, under what circumstances (e.g. dialup vs. broadband connection) should these be larger (or smaller) numbers and roughly how much larger or smaller should they be? [I'm looking for rough orders of magnitude here. If a decrease were needed, would an appropriate initial try be more like 10% or 50% or 80%? If an increase were wanted, would an appropriate initial try increase the default by a fractional percentage (e.g. 20%), or double or triple it?]


    6) IMON, Setup, HTTP, Actions section:
    If "Automatically deny download of file" is checked, does the user (client) get any notice about why the download was denied, so that the user doesn't waste time trying again, or investigating possible causes for the download failure?
    If "Automatically deny . . . " gives no notice, then what risks (due to delay) are posed by the alternative option, "Display warning window with action selection"?



    7) IMON, Setup, HTTP, Client compatibility (questions 7.1-7.3):

    7.1) To me, the first two columns make little sense.

    7.1.a) What does Mozilla/3.0 or /4.0 or /5.0 mean? Mozilla is my default browser and email, and I have the latest version, which is 1.7.12. Firefox and Thunderbird versions also are still in the 1.x range, with 1.5.x just out of beta but still in "release candidate" status.

    7.1.b) I simply do not believe that Mozilla/4.0 (whatever that 4.0 may mean) uses IEXPLORE.EXE, which is the Microsoft Internet Explorer executable file (at least, that's the file to which my start menu's MSIE shortcut points). Yet that same-row entry is not only on my computer, but also is in the NOD32 help file screenshot for HTTP scanner compatibility setup. So unless Mozilla does use MSIE's executable (if so, this is another of the many times my beliefs turn out to be wrong, so I'd sure appreciate a link to somewhere that explains that), why are Mozilla and IEXPLORE.EXE on the same row?

    7.2) The HTTP Client compatibility help screenshot has Mozilla/4.0 - IEXPLORE.EXE in green Higher [protection] efficiency, but NOD32 Update in red Higher compatibility, where I think the former is active (signatures and heuristics both) while the latter is passive (signatures only, no heuristics).

    Should I conclude from the NOD32 help file's illustrated treatment for NOD32 that trusted applications and their corresponding sites, such as

    MS Windows-Update-Agent (I have two entries for that, one for iexplore.exe and the other for svchost.exe)
    NOD32
    Sunbelt's CounterSpy
    Webroot's SpySweeper

    might as well be higher compatibility, to speed up their update scans and downloads?

    I'm guessing that the higher compatibility might be significantly faster than higher efficiency, and that for these special sites there would be no real benefit from heuristics (admittedly, I'm assuming they are well protected). Or is Eset's site the only one known to be well protected? <grin>

    On the other hand, I'm tempted to err on the side of caution and set all sites, including Eset's NOD32 Update, to green "Higher efficiency" (as Blackspear recommends in his item #39).

    7.3) What are some symptoms that would suggest that a given application needs to be downgraded from higher efficiency to higher compatibility? Complete download failure? Or simply an unacceptably slow download (which of course could occur in any case due to time of day, workload at sending site, etc.)



    8) IMON, Setup, Miscellaneous, Scanner, Setup, Actions tab:
    Since action choices are set separately for Files, Archives, Self-extracting Archives, Run-time Packets, and Email, do I guess correctly that the "Email" action choices are only for email content, and that the attachment actions are covered by settings for the preceding categories?
    Or, do those preceding categories' settings cover only non-email downloads?


    9) NOD32 On-Demand (Manual) Scanner, Run NOD32, Profiles tab:
    Under the option "Use this profile when launching NOD32 from the Control Center," one of the choices is "NOD32." Is this choice really "Run NOD32?"


    10) NOD32 On-Demand (Manual) Scanner, Run NOD32, Profiles tab, re cleaning preferences/priorities:
    Suppose that for a particular profile, in its Actions tab "Clean" (vice Prompt for an action) is set, and in its Profiles tab, "Run this profile in cleaning mode" is checked (as Blackspear recommends).
    Suppose also that one uses that same profile to run a Manual Scan (vice Scan & Clean), by clicking the Scan button at the bottom of the Run NOD32 window.

    If an infection is found, does cleaning not occur? That is, does the Scan button override the profile settings to clean?


    11) UPDATE, Setup [of Automatic Update], Profiles section:
    Am I correct in thinking that these Automatic Update profiles have absolutely nothing to do with the NOD32 Manual Scanner profiles, even though both include a "My Profile" item?
    If I am wrong, what is the relationship between Update profiles and NOD32 scan profiles?


    12) UPDATE, Setup [of Automatic Update], Advanced button, Internet connection [type]:
    There's an entry for "Other (e.g. portable computer)." What does Eset probably have in mind here? Wireless (which is not elsewhere on the list)? Or something else?



    13) NOD32 On-Demand (Manual) Scanning with Command Line Parameters: what's the advantage?

    I ask questions 13.1 and 13.2 (below) because Blackspear's "Extra Settings for NOD32" items #70-#77,
    https://www.wilderssecurity.com/showthread.php?p=459401#post459401
    has an extensive discussion of how to run the NOD32 On-Demand (Manual) Scanner with command line parameters, by using NOD32 Control Center > NOD32 System Tools > Scheduler/planner > Add Scheduled Task "Nod32 Kernel – Execution of an external application.”
    I was astonished that he used "Execution of an external application" instead of "NOD32 On-Demand Scanner - Scanning." Then I discovered that he did so in order to use command line parameters. But I do not understand why command line parameters are beneficial, compared to simply using an In-Depth Analysis scan with the In-Depth Analysis profile settings at their most protective.

    13.1) Unscheduled and scheduled scans (since both allow the user to select a scanning profile):
    I would have expected that a Control Center > NOD32> In-depth analysis scan, if its profile settings are set to be most protective, would give me the best protection available. Is that true, or to get the maximum benefit from an (unscheduled) scan, are command line parameters necessary, due to missing options in the In-depth profile settings?

    13.2) If the answer to the preceding question is "yes" (command line parameters are necessary for highest protection efficiency), is there any document that lists the differences between an In-depth analysis scan with its most protective settings, and a Blackspear command line parameter scan? Admittedly, I could make this comparison myself, but doing so would be time consuming so I hope someone has already done it.

    Many thanks for any and all help.

    Roger Folsom
     
  2. alglove

    alglove Registered Member

    Joined:
    Jan 17, 2005
    Posts:
    904
    Location:
    Houston, Texas, USA
    Wow. First we had the "Blackspear's settings thread". Now we also have the "Roger's questions thread". :eek: :D

    1) You should be pretty safe. The only remote control program I have tried on my computers with NOD32 is the Windows XP Remote Desktop feature that comes with XP Professional. That works fine even with this setting checked.

    2) I am not sure. I suppose the answer may be that there may be a lot of files copied to quarantine, or there may be an issue with disk space. As far as I know, there is no way to clean files out of quarantine besides going in there and doing it manually. No "clean files older than 30 days" option or anything like that.

    3) I know there have been threads about this on the forum. I am pretty sure it is also in the "Future Changes" request thread. In the interests of trying to answer as many questions as possible, I hope that somebody else can provide a link. ;)

    7.1) I am not a web designer, nor do I run a web server. However, I believe terms like "Mozilla/3.0" refer to a set of features supported by the webpage and web browser. For example, there is the complaint, "Hey! The people who designed this webpage used all these Internet Explorer specific features, so it looks awful when I look at it with Mozilla!" Well, this lets webpage designers check which browser is in use, so that an "Internet Explorer" version of the page (MSIE) or a "Mozilla" version of the page "Mozilla/..." can be displayed.

    Many browsers are capable of multiple "personalities". See this example from the Opera knowledgebase, which describes how Opera can appear as Opera, Internet Explorer, or Mozilla: http://www.opera.com/support/search/supsearch.dml?index=570

    Now the second part of your question will probably make more sense to you. It is not Mozilla running the IEXPLORE.EXE executable. It is really Internet Explorer running in a "Mozilla compatibility mode".

    7.2) I believe the "efficiency" vs "compatibility" has more to do with how the HTTP packets are scanned, in terms of "Gather the packets in a holding place and scan them" (efficiency) versus "Read the packets as a stream, possibly missing something along the way" (compatibility). I do not think it has to do with whether heuristics are used or not. Somebody with greater technical knowledge can feel free to correct me.

    7.3) I think programs that make use of streaming tend to have more problems with "efficiency" mode. The best way to tell is if the application does not seem to work correctly, if you get unexpected results, or if it just seems "choppy" for whatever reason.

    Ugh, I am out of breath already. I gotta take a break. Hope this helps some.
     
  3. Blackspear

    Blackspear Global Moderator

    Joined:
    Dec 2, 2002
    Posts:
    15,115
    Location:
    Gold Coast, Queensland, Australia
    You are indeed correct, it is set this way to prevent removal of remote admin software.


    No disadvantage at all, in fact the advantage is you are detecting more.


    I do not understand this either.


    If you add your new licenses to your current licenses you can download an Admin version that will allow you to push out all these settings to your other PCs. Currently there is no simple method in exporting and importing settings, it has been added to the wish list.


    Not sure on this one, I just want everything logged.


    You will have to wait for Marcos to answer this one.


    You are given a warning window, however access has been blocked. If the site is infected, I don’t want to be going there, even if I am curious ;) :D


    Version 3 will have a very different layout from what we have been told here in the forum.


    This is based upon the origins of the web-browser, further details can be found in this forum.


    See answer given above.


    I prefer to stay on the side of caution, that is why I place everything GREEN, if for whatever reason there is an issue then I turn the program RED.


    That’s what I do, for the sake of a few seconds (which I have never noticed).


    There have been a few threads on certain applications where issues were found by using the RED setting, however these have been a minority.


    Web-browsing settings, and email is covered by POP3 (as far as I am aware).


    No idea ;) :D


    Cleaning would NOT occur in this case, you can go back through the log and right click on the infection and have it cleaned.


    Correct, you can have various profiles set for how you want updates to occur.


    No idea on this one, have to ask Marcos.


    You can set up various scans with various settings with a command line scan. What you are seeing is the back end of Nod32, features that are available, you can fully tweak Nod32, or not, these settings are available to the advanced user.


    In depth scan was made basically so there is a one click option available at maximum settings.


    See answer above, as to someone comparing the 2, I haven’t come across anyone yet.

    My pleasure. You owe me a keyboard, I just wore this one out ;) :D

    Cheers :D
     
  4. Blackspear

    Blackspear Global Moderator

    Joined:
    Dec 2, 2002
    Posts:
    15,115
    Location:
    Gold Coast, Queensland, Australia
    Thanks Alglove.

    Cheers :D
     
  5. rnfolsom

    rnfolsom Registered Member

    Joined:
    Nov 9, 2005
    Posts:
    247
    Location:
    Monterey, California
    Alglove:

    That's not a fair comparison; Blackspear's thread is much longer than my message! Admittedly, he padded his thread with a lot of screenshots. <grin>

    An intriguing explanation (which, unfortunately, I don't fully understand), and an interesting link. Thanks.

    You may be right, but that MSIE would run in “Mozilla compatibility mode" strikes me as extremely implausible. Why would the dominant browser deign to mimic a competitor? On the other hand, my understanding is that for use with web pages that are so MSIE dependent that they do not display well in Mozilla’s Firefox browser, Firefox has an extension that can display those MSIE dependent pages.

    You are right. I was wrong to say that active and passive correspond to whether the scan does or does not include heuristics; I now cannot find any support for that notion. Instead, they correspond to when scanning is done, as you said a bit later on. My notes now say that
    Higher [protection] efficiency (green) is active: Download entire file then scan it then pass it on to application.
    Higher compatibility (red) is passive: Continuously download file and pass it on to application while storing a temporary copy, then scan temporary copy after download is complete.

    Your statement about streaming is confirmed by NOD32's Help for NOD32 IMON, Setup, HTTP (to get help at that location, use Function Key 1).
    And your examples were very helpful to me. Thanks.

    It helped a lot! Thank you very much.

    One way or another, I've incorporated all of your responses into my original post, and after I've incorporated responses from other people also, I hope to be able to post a summary of my original questions and the responses (aka answers).

    Thanks again.

    Roger Folsom
     
  6. YeOldeStonecat

    YeOldeStonecat Registered Member

    Joined:
    Apr 25, 2005
    Posts:
    2,345
    Location:
    Along the Shorelines somewhere in New England
    Regarding the Quarantine, I've been doing IT/small business network support for a long long long time...and I can't remember any situation where there was an important file that I ever needed to retrieve from that padded room known as the Quarantine.

    Even going back many many years ago in school system networks, back in the old NT 4 Server days with Windows 95B clients....when those W32 Macro viruses were popular in school networks...the infected documents were always copies of the originals that the macro virus made. I haven't seen a document macro virus in ages though.

    The majority of problems these days come into your mailbox, and they are always bad files that I don't want, even if I were able to clean them, they'd be junk files.

    If it's operating system files that got infected....I don't want to keep those either, I will never...ever...take a system file that was infected....try to clean it..and if it were able to be cleaned...put it back into use on my system. That file has been damaged, IMO will never be right again. I will always take a virgin fresh system file extracted from the i386, from sfc /scannow, or from another healthy computer.

    IMO, it's a waste of hard drive space. Not that that really matters these days with gargantuan hard drives the size of a small country. But if to me it's garbage..then why bother saving it.
     
  7. Elwood

    Elwood Registered Member

    Joined:
    Sep 12, 2005
    Posts:
    205
    Location:
    Mis'sippi
  8. alglove

    alglove Registered Member

    Joined:
    Jan 17, 2005
    Posts:
    904
    Location:
    Houston, Texas, USA
    Thanks, Elwood. To expand a little upon this, the terms "Mozilla/3.0", "Mozilla/4.0", etc., go all the way back to the mid-to-late 1990's, when Netscape was the dominant browser, and Internet Explorer was some afterthought that Bill Gates was trying to tie into Windows. "Mozilla/3.0" means that the webpages were written for Netscape 3.0, for example. Since there are many of these pages still left around, this is why today's Internet Explorer has to be able to interpret these modes.
     
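The point Alglove makes about the "Mozilla/4.0 - IEXPLORE.EXE" row (IMON's compatibility table is keyed by the User-Agent header, whose leading "Mozilla/x.y" token is a Netscape-era compatibility claim rather than the browser's real name) can be seen by pulling a User-Agent string apart. This is an added example, not code from the thread or from Eset; the sample headers are constructed, period-typical strings rather than captured ones, and the parser is a hypothetical illustration, not how IMON builds its table.

```python
"""Split an HTTP User-Agent string into its inherited "Mozilla/x.y" token and
the client the rest of the string actually identifies."""
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample User-Agent strings (typical of Windows 2000 clients in 2005).
SAMPLE_AGENTS = {
    "iexplore": "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; .NET CLR 1.1.4322)",
    "mozilla_suite": "Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.7.12) Gecko/20050915",
    "firefox": "Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.8) Gecko/20051111 Firefox/1.5",
    "opera_as_ie": "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0) Opera 8.50 [en]",
    "netscape3": "Mozilla/3.01Gold (Win95; I)",
}


@dataclass
class UserAgentInfo:
    mozilla_token: Optional[str]  # leading "Mozilla/x.y" token, inherited from the Netscape era
    actual_browser: str           # the client the remainder of the string identifies


_LEADING_MOZILLA = re.compile(r"^Mozilla/(\S+)")
_COMMENT = re.compile(r"\(([^)]*)\)")  # the first parenthesised comment, split on ';'


def parse_user_agent(ua: str) -> UserAgentInfo:
    """Return the compatibility token and the real client named by the header."""
    m = _LEADING_MOZILLA.match(ua)
    token = f"Mozilla/{m.group(1)}" if m else None
    comment = _COMMENT.search(ua)
    parts = [p.strip() for p in comment.group(1).split(";")] if comment else []

    # Opera can present itself as "compatible; MSIE", so look for it first.
    opera = re.search(r"Opera[/ ](\d+(?:\.\d+)*)", ua)
    if opera:
        return UserAgentInfo(token, f"Opera {opera.group(1)}")

    # "compatible" marks a non-Netscape client borrowing the Mozilla token;
    # the product that follows (here MSIE) is the real browser.
    if "compatible" in parts:
        for p in parts:
            if p.startswith("MSIE "):
                return UserAgentInfo(token, f"Internet Explorer {p[len('MSIE '):]}")
        return UserAgentInfo(token, "unknown client in compatibility mode")

    # Gecko-based clients keep "Mozilla/5.0" and add their own product token.
    firefox = re.search(r"Firefox/(\S+)", ua)
    if firefox:
        return UserAgentInfo(token, f"Firefox {firefox.group(1)}")
    if "Gecko/" in ua:
        rv = next((p[len("rv:"):] for p in parts if p.startswith("rv:")), "?")
        return UserAgentInfo(token, f"Mozilla Suite {rv} (Gecko)")

    # No compatibility claim and no Gecko token: a genuine Netscape-era Mozilla.
    if token:
        return UserAgentInfo(token, f"Netscape {m.group(1)}")
    return UserAgentInfo(None, "unknown")


def describe_samples() -> dict:
    """Map each sample name to (token, actual browser) so the split is visible side by side."""
    return {name: (info.mozilla_token, info.actual_browser)
            for name, info in ((n, parse_user_agent(ua)) for n, ua in SAMPLE_AGENTS.items())}


if __name__ == "__main__":
    for name, (token, browser) in describe_samples().items():
        print(f"{name:14} {token!s:18} -> {browser}")
```

Two different executables (IE and Opera) both send "Mozilla/4.0", which is why the first column of the compatibility table reads as a web-page era rather than a browser name.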
  9. rnfolsom

    rnfolsom Registered Member

    Joined:
    Nov 9, 2005
    Posts:
    247
    Location:
    Monterey, California
    Blackspear:

    Thank you, very much, for your detailed responses to my questions. Many of your responses, I am proud to say, confirmed what I would have guessed had these questions been on a multiple choice examination. Your confirmations were extremely comforting.

    Here's hoping that Marcos notices this thread and responds to questions 4), 5), 9), and 12), or some subset thereof.

    Some of your responses caused me to think of an additional or revised question, or a remark. But you've already contributed much to my education, so please do not feel obliged to reply.

    Thank you again, very much.


    3) RNF Question . . . . Is there any master file of all settings that I could copy from the computer I am now setting up, to the other two computers?

    RNF Response: Wouldn't the NOD32 Admin version require a Domain (client-server) network, rather than my workgroup (peer-to-peer) network?


    4) RNF Question, re EMON, Setup, Logs, System section:
    If "Log all files" and "Synchronous logging" both are NOT checked, are infections logged anyway?

    RNF Response: Even where "everything" is a list of all Outlook email received! <grin> (Given my understanding that EMON scans all Outlook email.)


    7.1) RNF questions re IMON, Setup, HTTP, Client compatibility:
    7.1.a) What does Mozilla/3.0 or /4.0 or /5.0 mean? . . .
    7.1.b) Why are Mozilla and IEXPLORE.EXE on the same row?

    RNF Response: I'll see what I can find by a search. If anyone reading this has a suggestion about what to search for, please let me know.
    But I see now that Alglove's post #8 gives a good introductory explanation. And I'll add that the table's first column heading, "Browser (User Agent)" is a bit misleading, at least to non-techies (e.g. me), because according to my understanding of Alglove's explanation, "Mozilla/3.0 or /4.0 or /5.0" refer to the web page design.


    8) RNF Question re IMON, Setup, Miscellaneous, Scanner, Setup, Actions tab:
    Since action choices are set separately for Files, Archives, Self-extracting Archives, Run-time Packets, and Email, do I guess correctly that the "Email" action choices are only for email content, and that the attachment actions are covered by settings for the preceding categories?
    Or, do those preceding categories' settings cover only non-email downloads?

    RNF Response. That's my understanding also. But the Pop3 tab doesn't have scan settings; they are in the Miscellaneous tab. So I think my question remains. But it's not important, because in this location I've got identical settings for everything from Files to Email.


    9) RNF Question re NOD32 On-Demand (Manual) Scanner, Run NOD32, Profiles tab:
    Under the option "Use this profile when launching NOD32 from the Control Center," one of the choices is "NOD32." Is this choice really "Run NOD32?"

    RNF Response: I can't imagine what else this choice could mean! <grin>


    13) RNF Question re NOD32 On-Demand (Manual) Scanning with Command Line Parameters: what's the advantage? [Compared to an In-depth Analysis scan, if the In-depth profile settings and Blackspear's Command Line Parameters both are set for maximal protection:]
    (Note: The material in square brackets was not in my original post. It is my new attempt to summarize the question.)

    RNF Response: Here's hoping someone else clears up this mystery for me! <grin> To use, or not to use, command line scanning: That is the question. (Apologies to Shakespeare.)



    Now about my owing you a new keyboard: I note at the beginning of your message that "Posts: 9,472." My understanding is that those are your posts. You have helped a lot of people! I will be happy to contribute my share, 4/9472 (4 being the number of your messages addressed to me; please advise if my count is too low), of your new keyboard expenses --- provided the keyboard is free standing and not part of a high end laptop computer.


    With much appreciation, Roger Folsom
     
    Last edited: Nov 16, 2005
  10. rnfolsom

    rnfolsom Registered Member

    Joined:
    Nov 9, 2005
    Posts:
    247
    Location:
    Monterey, California
    YeOldeStonecat:

    Your comments about your experience in not needing Quarantine were interesting. Thank you.

    Personally, I have set NOD32's settings to Prompt for Action rather than Delete, and have checked "Copy to Quarantine" every time I had the chance, for two reasons:

    a) I am very new to NOD32, so I don't yet fully trust it. Moreover, although I'm not new to AntiVirus programs (I've used Norton since some time in the 1980s, and McAfee before that), heuristics are a brand new concept for me. That reinforces my caution, in wanting to be able to recover something that may not truly be malware.

    b) My understanding is that Eset wants to receive copies of malware that NOD32 discovered by heuristics rather than by signatures. To be able to do that, I think I need to have a copy available in Quarantine. (There may be some workaround for not having a copy in Quarantine, but I don't know what that workaround would be.)

    Nevertheless, the fact that you haven't needed to restore corrupted files is very encouraging.

    I haven't needed to restore any corrupted files (including corrupted documents or email) either. It's nice to know that I am not alone in that.

    Roger Folsom
     
  11. Blackspear

    Blackspear Global Moderator

    Joined:
    Dec 2, 2002
    Posts:
    15,115
    Location:
    Gold Coast, Queensland, Australia
    My pleasure :D


    Good to see.


    I have sent you a PM.


    No, just a workgroup.


    Haven’t tried it, so not sure.


    My answer may have been a bit out of sorts. From what I can see these settings are for anything coming in from the internet, including POP3.


    No idea ;) :D

    And nor can I ;) :D


    The advantage is one you have to click on a button, the other you schedule and can have everything automated, not having a prompt for anything ;) :D


    I believe the question has been answered Jeeves ;) :D


    Ahhh but the response has been loooooong, and the keyboard is part of a Panasonic Toughbook, fully maxed out with every available feature, you’re going to need deep pockets with very long arms ;) :D

    Cheers :D
     
  12. YeOldeStonecat

    YeOldeStonecat Registered Member

    Joined:
    Apr 25, 2005
    Posts:
    2,345
    Location:
    Along the Shorelines somewhere in New England
    And that's certainly fine if you're the end user, it's your computer. Me? I'm a consultant for small business networks....lots of them, so I have it set for delete. If I had it set for "prompt for action" I'd be getting dozens of calls each day from confused blonds. "What do I do with this big red scaaaaary window?"
     
  13. rnfolsom

    rnfolsom Registered Member

    Joined:
    Nov 9, 2005
    Posts:
    247
    Location:
    Monterey, California
    Blackspear:

    Thanks for clearing up my remaining questions.

    Yes, you finally answered it. :D Thank you. Apparently a maximally protective "In Depth" scan, and a command line scan using your parameters, are equally protective, and the only reason for using the command line with your parameters would be for scheduling.

    On the other hand, I suspect that some non-command line settings exist that would cause a scheduled scan to use an In-depth analysis scan.

    If so, then the enormous advantage of your command line parameters explanation is that it gives a great starting point for an end user who wants to customize --- a much simpler starting point than NOD32's setup, which has settings scattered over many screens. (That's why I suggested a matrix, item 7 in my message at
    https://www.wilderssecurity.com/showthread.php?p=607686#post607686)

    Personally, I don't use scheduling because my self-selected work schedule is so erratic (even over a full 24 hours) that I can't forecast when the computer will simultaneously be turned on and not in use by me.

    Well, given that new information, I'm hereby cancelling my offer to pay 4/9472 of the cost of a new freestanding cheap keyboard. You had your chance. Sorry 'bout that! :D

    Thanks for all the help.

    Roger Folsom
     
  14. The Hammer

    The Hammer Registered Member

    Joined:
    May 12, 2005
    Posts:
    5,619
    Location:
    Toronto Canada

    I've done exactly that. Control Centre Profile-In Depth Analysis. Daily 6pm.
     
    Last edited by a moderator: Nov 17, 2005
  15. rnfolsom

    rnfolsom Registered Member

    Joined:
    Nov 9, 2005
    Posts:
    247
    Location:
    Monterey, California
    Thanks for that confirmation.

    Roger Folsom
     