NOD32 V4.0.467 - what is realtime file protection doing?

Discussion in 'ESET NOD32 Antivirus' started by JNicoll23, Oct 24, 2009.

Thread Status:
Not open for further replies.
  1. JNicoll23

    JNicoll23 Registered Member

    Joined:
    Oct 24, 2009
    Posts:
    14
    Location:
    Scotland
    In Protection Status -> Statistics - Real-time file system protection
    there's a display of the full path of the most recently-checked file.

    I've been watching this for a while. I've seen some data and log files which some apps update regularly (and now set exclusions for those because I know they're innocent files).

    But I also see for example the name of my mail client's .exe turning up there quite often. The mail client is running all the time - it's not being stopped and restarted, so why would real-time scanning look at it over & over again?
    Moreover, I thought NOD32 had some 'smart' process that prevented it from rechecking unchanging files over & over again...

    The file count is steadily going up. Although I've turned 'log all objects' on all over the setup tree, I'm not seeing any details via Tools -> Log files of what files are actually being scanned. (I'd like to exclude more of them if it's a waste of time and cpu cycles.)

    Has anyone managed to get detailed logs produced?
     
  2. Brambb

    Brambb Registered Member

    Joined:
    Sep 25, 2006
    Posts:
    411
    Location:
    The Netherlands
    Seems the mail client is altering a file every now and then? Or perhaps because it's checking for new mail and NOD32 also kicks in for that. You can exclude it from scanning; the mail scanner should still scan mail traffic if you do so.

    There isn't a logfile for the real-time protection, it has been asked before to log all objects scanned by the realtime scanner but it would only slow the computer down.

    The only way I can think of to see all scanned objects is to use diskmon/procexp from SysInternals Suite to see all files that are being scanned. (Use the filter to only include ekrn.exe)
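The tally that the suggestion above leads to, as an added example that is not part of the original post: once Process Monitor (the Sysinternals tool whose filter can be limited to ekrn.exe) has been run and its output saved as CSV, the script below parses that export, keeps only successful CreateFile operations from ekrn.exe, and lists the paths the scanner opened most often, which are the candidates worth reviewing for exclusions. The CSV column names are assumed to match Procmon's "Save as CSV" layout, and the sample rows (process names, paths and timestamps) are constructed for illustration.

```python
import csv
import io
from collections import Counter

# Constructed sample of a Process Monitor CSV export. Column names follow
# Procmon's CSV output (assumption); every path and timestamp is invented.
SAMPLE_CSV = r'''"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"10:01:02.1","ekrn.exe","1234","CreateFile","C:\Program Files\Mail\mail.exe","SUCCESS","Desired Access: Generic Read"
"10:01:02.2","ekrn.exe","1234","ReadFile","C:\Program Files\Mail\mail.exe","SUCCESS","Offset: 0, Length: 4,096"
"10:01:05.0","ekrn.exe","1234","CreateFile","C:\Users\demo\AppData\app.log","SUCCESS","Desired Access: Generic Read"
"10:01:07.4","explorer.exe","800","CreateFile","C:\Windows\explorer.exe","SUCCESS","Desired Access: Generic Read"
"10:01:09.9","ekrn.exe","1234","CreateFile","C:\Program Files\Mail\mail.exe","SUCCESS","Desired Access: Generic Read"
"10:01:12.3","ekrn.exe","1234","CreateFile","C:\Users\demo\AppData\app.log","SUCCESS","Desired Access: Generic Read"
"10:01:15.0","ekrn.exe","1234","CreateFile","C:\Temp\gone.tmp","NAME NOT FOUND","Desired Access: Generic Read"
"10:01:18.6","ekrn.exe","1234","CreateFile","C:\Program Files\Mail\mail.exe","SUCCESS","Desired Access: Generic Read"
"10:01:20.1","ekrn.exe","1234","CreateFile","C:\Users\demo\Documents\notes.txt","SUCCESS","Desired Access: Generic Read"
'''


def parse_procmon_csv(text, process="ekrn.exe", operation="CreateFile"):
    """Count how many times `process` successfully performed `operation`
    on each path in a Procmon CSV export. Returns a Counter keyed by path."""
    counts = Counter()
    for row in csv.DictReader(io.StringIO(text)):
        # Only the scanner service's own file opens are of interest.
        if row["Process Name"].lower() != process.lower():
            continue
        # CreateFile is the open; ReadFile rows would double-count the same scan.
        if row["Operation"] != operation:
            continue
        # Failed opens (e.g. a temp file already deleted) were never scanned.
        if row["Result"] != "SUCCESS":
            continue
        counts[row["Path"]] += 1
    return counts


def repeatedly_scanned(counts, threshold=2):
    """Paths opened at least `threshold` times, most frequent first.
    These are the ones to look at when deciding on exclusions."""
    return [(path, n) for path, n in counts.most_common() if n >= threshold]


if __name__ == "__main__":
    scans = parse_procmon_csv(SAMPLE_CSV)
    print(f"{sum(scans.values())} successful opens by ekrn.exe "
          f"over {len(scans)} distinct paths")
    for path, n in repeatedly_scanned(scans):
        print(f"{n:4d}  {path}")
```

With a real export the same two functions apply unchanged; only the `open(...).read()` of the saved CSV replaces `SAMPLE_CSV`. Filtering on CreateFile rather than ReadFile matters because one scan of a large file produces many ReadFile rows, which would inflate the count for big executables.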
     
  3. JNicoll23

    JNicoll23 Registered Member

    Joined:
    Oct 24, 2009
    Posts:
    14
    Location:
    Scotland
    I already have all the data folders that the mail client updates (both its logs and the incoming mail & news storage) in my exclusions list. I don't see any reason why the app's .exe should be scanned more than once.

    As for logging slowing things down - so what? I can't imagine anyone would log all the time, but it'd be useful for seeing what's being done. For example at the next boot I'd love to see what the start-up check actually scans.

    The real-time scan doesn't seem (except for when I disabled it and enabled it again) to scan all that many files per second (ie the file count isn't changing rapidly most of the time) but the total number of files scanned is pretty large.

    I run an emulated machine and OS under Windows as well; I happened to be looking at the activity display at a pertinent moment and saw temporary files in the emulated system being scanned. I've added them to exclusions too. If I could see more of the real-time scan activity details I think I could exclude quite a lot more.

    Of course there must be some overhead in processing an exclusions list, but it can't be as bad as unnecessary scanning of files.


    As for DiskMon, I was under the impression that that only records what's being accessed in terms of track & sector addresses on the disk. Is that wrong?
     
  4. jimwillsher

    jimwillsher Registered Member

    Joined:
    Mar 4, 2009
    Posts:
    668
    I requested this a year ago, and made the same points (about it being useful for debugging, but not logging 24x7 etc.), but the ESET mods totally missed the point and just ignored the request. So I gave up asking.

    They should take a look at other systems, which allow logging levels - none, verbose, debug etc. Extremely useful. Quite why they cannot grasp this I do not know. They offer a facility to install "test" modules, yet don't allow logging? Strange.....


    Jim
     