NOD32 unable to scan system files?

Discussion in 'NOD32 version 2 Forum' started by rlaska, Sep 8, 2006.

Thread Status:
Not open for further replies.
  1. rlaska

    rlaska Registered Member

    Joined:
    Sep 8, 2006
    Posts:
    1
    Good morning,

    I'm a fairly competent computer user (infosec analyst [not for Windows systems, though]) who is migrating away from Norton SystemWorks 2k4 (newer versions are more complete but much slower) on my WinXP box (AthlonXP2400, 1.5 GB RAM). I've seen much applause within the security community concerning NOD32, so I'm giving the trial a go. I like it so far, but I'm concerned with some errors I'm getting during the "In-Depth Analysis":

    =====================================================

    Scan performed at: 9/7/2006 5:41:15 AM
    Scanning Log
    NOD32 version 1.1740 (20060905) NT
    Operating memory - is OK

    Date: 7.9.2006 Time: 05:41:21
    Scanned disks, folders and files: C:
    C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\6cda4a6034e70663d1be0b1e980cc66f_04511d4c-8955-4409-b36b-635ffa47d13a - error opening (Access denied) [4]
    C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\e6e90a60a6203c277ef3a25cfa503c74_04511d4c-8955-4409-b36b-635ffa47d13a - error opening (Access denied) [4]
    C:\Documents and Settings\LocalService\NTUSER.DAT - error opening (File locked) [4]
    C:\Documents and Settings\LocalService\ntuser.dat.LOG - error opening (File locked) [4]
    C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat - error opening (File locked) [4]
    C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG - error opening (File locked) [4]
    C:\Documents and Settings\NetworkService\NTUSER.DAT - error opening (File locked) [4]
    C:\Documents and Settings\NetworkService\ntuser.dat.LOG - error opening (File locked) [4]
    C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat - error opening (File locked) [4]
    C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG - error opening (File locked) [4]
    C:\Documents and Settings\user\NTUSER.DAT - error opening (File locked) [4]
    C:\Documents and Settings\user\NTUSER.DAT.LOG - error opening (File locked) [4]
    C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\default.kgm\parent.lock - error opening (File locked) [4]
    C:\Documents and Settings\user\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat - error opening (File locked) [4]
    C:\Documents and Settings\user\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG - error opening (File locked) [4]
    C:\System Volume Information\MountPointManagerRemoteDatabase - error opening (Access denied) [4]
    C:\WINDOWS\SoftwareDistribution\EventCache\{C21E414A-D19A-406E-88BF-7C23D59FB48B}.bin - error opening (File locked) [4]
    C:\WINDOWS\system32\CatRoot2\edb.log - error opening (File locked) [4]
    C:\WINDOWS\system32\CatRoot2\tmp.edb - error opening (File locked) [4]
    C:\WINDOWS\system32\config\default - error opening (File locked) [4]
    C:\WINDOWS\system32\config\default.LOG - error opening (File locked) [4]
    C:\WINDOWS\system32\config\SAM - error opening (File locked) [4]
    C:\WINDOWS\system32\config\SAM.LOG - error opening (File locked) [4]
    C:\WINDOWS\system32\config\SECURITY - error opening (File locked) [4]
    C:\WINDOWS\system32\config\SECURITY.LOG - error opening (File locked) [4]
    C:\WINDOWS\system32\config\software - error opening (File locked) [4]
    C:\WINDOWS\system32\config\software.LOG - error opening (File locked) [4]
    C:\WINDOWS\system32\config\system - error opening (File locked) [4]
    C:\WINDOWS\system32\config\system.LOG - error opening (File locked) [4]
    C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat - error opening (File locked) [4]
    C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG - error opening (File locked) [4]
    Number of scanned files: 334249
    Number of threats found: 0
    Time of completion: 06:43:50 Total scanning time: 3749 sec (01:02:29)

    Notes:
    [4] File cannot be opened. It may be in use by another application or operating system.

    =====================================================

    NOD32 does not seem to be able to scan system files.

    I noticed that NOD32krn.exe is running as "NT AUTHORITY\SYSTEM", but nod32.exe is running as my user (currently in the Administrators group).

    Question:

    Does NOD32's scanning engine not run as SYSTEM? I never encountered these errors in Norton (to the best of my recollection), although it may be that Norton just ignores them.

    I even tried to run nod32.exe as SYSTEM (using the now-famous at.exe hack), and it had just as many errors, although for different files (strange).

    Although NOD32 seems to have a very advanced scanning system according to the performance analyses I've seen online, I wonder if its implementation isn't a bit weaker than Norton (i.e., if it doesn't run the scanner as SYSTEM).

    Again, I'm not a Windows expert, so I'd appreciate some clarification on how NOD32 works compared to something like Norton (preferably something I can verify myself or read up on -- I've experienced too many replies on some technical forums to the extent of "Yeah, it works. Don't worry about it.").

    One more thing... has anyone made a NOD32 module for BartPE? Any idea if it is possible (i.e., how "self-contained" NOD32 is).

    Thank you all,

    Ram
     
  2. NOD32 user

    NOD32 user Registered Member

    Joined:
    Jan 23, 2005
    Posts:
    1,766
    Location:
    Australia
    The NOD32 task scheduler when used like here runs the scan as NT AUTHORITY\SYSTEM

    NOTE: IMHO it's well worth using a password for your NOD32 settings.

    If you make your way through this thread that Blackspear has put together to help users find their way around in NOD32 and configure for maximum detection and automation, you should find the answers to most of your questions there.

    Yes I have seen a NOD32 BartPE plugin somewhere - try Google :D

    Cheers :)
     
  3. Blackspear

    Blackspear Global Moderator

    Joined:
    Dec 2, 2002
    Posts:
    15,115
    Location:
    Gold Coast, Queensland, Australia
    Hi Kansascaipira, as your question is one in its own right I have split it off to its own thread HERE

    Cheers :D
     
  4. oscarlee

    oscarlee Registered Member

    Joined:
    Sep 19, 2006
    Posts:
    5
    I had this problem, so I decided to phone ESET. They told me that these are files that are running, so you can't open them, so that's OK. Soon after, I downloaded a program and opened a trojan file by accident. NOD32 found the trojan but would not remove it or send it to quarantine, so I uninstalled and installed Avast, and this sorted my problem. I then phoned ESET again and explained what happened, and they sent me a copy of NOD32, and this worked perfectly for now. So phone ESET, they were very good: 01202548888
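
One way to triage a scan log like the one quoted in the first post, added here as an example and not taken from ESET or from any poster: it separates skipped files that Windows normally keeps open or ACL-restricted (registry hives, the CatRoot2 catalog database, MachineKeys, System Volume Information) from skipped files that deserve a manual look. The category patterns are assumptions, and the last sample line (`setup.exe`) is constructed, not from the thread.

```python
import re
from collections import defaultdict

# Constructed sample in the format of the scan log quoted in this thread.
# The final setup.exe line is invented to show an unexpected skip.
SAMPLE_LOG = r"""
C:\Documents and Settings\user\NTUSER.DAT - error opening (File locked) [4]
C:\WINDOWS\system32\config\SAM - error opening (File locked) [4]
C:\WINDOWS\system32\config\SAM.LOG - error opening (File locked) [4]
C:\WINDOWS\system32\CatRoot2\edb.log - error opening (File locked) [4]
C:\System Volume Information\MountPointManagerRemoteDatabase - error opening (Access denied) [4]
C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\default.kgm\parent.lock - error opening (File locked) [4]
C:\Documents and Settings\user\Desktop\setup.exe - error opening (File locked) [4]
"""

# One skipped-file line: "<path> - error opening (<reason>) [<note>]"
LINE_RE = re.compile(r"^(?P<path>.+?) - error opening \((?P<reason>[^)]+)\) \[\d+\]$")

# Assumed categories of files a running Windows XP system is expected to hold
# open exclusively or restrict by ACL; anything else is routed to "review".
EXPECTED = [
    ("registry hive", re.compile(r"\\(ntuser|usrclass)\.dat(\.log)?$", re.I)),
    ("registry hive", re.compile(
        r"\\system32\\config\\(default|sam|security|software|system)(\.log)?$", re.I)),
    ("catalog database", re.compile(r"\\system32\\catroot2\\", re.I)),
    ("ACL-protected store", re.compile(
        r"\\(system volume information|crypto\\rsa\\machinekeys)\\", re.I)),
    ("application lock file", re.compile(r"\\parent\.lock$", re.I)),
]

def triage(log_text):
    """Group skipped files by category; returns {category: [(path, reason)]}."""
    buckets = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # header, summary and note lines are ignored
        path, reason = m.group("path"), m.group("reason")
        category = next((name for name, rx in EXPECTED if rx.search(path)), "review")
        buckets[category].append((path, reason))
    return dict(buckets)

if __name__ == "__main__":
    for category, items in triage(SAMPLE_LOG).items():
        print(f"{category}: {len(items)}")
        for path, reason in items:
            print(f"    {reason}: {path}")
```

Files landing in `review` are the ones to rescan from an offline environment such as the BartPE disc mentioned earlier in the thread.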
     
  5. Kansascaipira

    Kansascaipira Registered Member

    Joined:
    Sep 18, 2006
    Posts:
    3
    They sent you a copy of NOD32? What was the difference between that copy and the one you buy? I'm surprised they don't incorporate the fixes in your copy into the general product.
     