NOD32 Vers 2.5 - AMON's Detection ???

Discussion in 'NOD32 version 2 Forum' started by JBB, Oct 2, 2005.

Thread Status:
Not open for further replies.
  1. JBB

    JBB Registered Member

    Joined:
    Sep 9, 2004
    Posts:
    51
    1). Does memory resident "AMON" of NOD32 Vers. 2.5, check for the actions that an executable pgm attempts as the executable is running and about to perform them and then pop up a real-time alert to stop it from performing the actions o_O

    -- OR --

    Does memory resident "AMON" of NOD32 Vers. 2.5, *only* check for potentially dangerous behavior actions by heuristic scanning of an executable program file *just* before allowing it to launch o_O


    2). Will the memory resident "AMON" of NOD32 Vers. 2.5, intercept, and alert to Stop an executable program from performing a "Format" of your C: Drive and stop an executable from performing a "Generic Delete *.*" of your C: Drive o_O
     
  2. flyrfan111

    flyrfan111 Registered Member

    Joined:
    Jun 1, 2004
    Posts:
    1,224
    AMON scans exes before they execute, whether it pops up an alert depends on how you have it set. If set to alert, yes it will; if set to perform recommended action and silent mode, it will just handle it as needed without prompting.

    AMON uses both defs and heuristics.

    Depends on which exe is attempting those actions, they are also legitimate actions performed by the OS and should not be stopped in all instances. So a generic stopping is not advised either.

    Perhaps Marcos or Happy Bytes can provide a more definitive answer on that portion of your question.
     
  3. JBB

    JBB Registered Member

    Joined:
    Sep 9, 2004
    Posts:
    51
    Marcos,

    Would you be able to answer my below questions, especially item 2) o_O

     
  4. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,376
    o_O I don't understand. NOD32 is not meant to block regular system commands that serve to format floppies/disks.
     
  5. alglove

    alglove Registered Member

    Joined:
    Jan 17, 2005
    Posts:
    904
    Location:
    Houston, Texas, USA
    Something like this may be more in the realm of ProcessGuard than NOD32.
     
  6. JBB

    JBB Registered Member

    Joined:
    Sep 9, 2004
    Posts:
    51
    Marcos,

    I was reading through an old NAV 2002 manual and it said that its resident component blocked both low-level formatting of hard drives only and blocked writing to the boot sector of hard drives. Now I know that this was a very old version of NAV, so I was wondering if current versions of Antivirus pgms like NOD32, etc., bother with providing this type of protection these days? ... Perhaps "unknown" viruses these days don't bother attempting these types of activities?
     
  7. flyrfan111

    flyrfan111 Registered Member

    Joined:
    Jun 1, 2004
    Posts:
    1,224
    NAV and McAfee used to include this type of behaviour blocking in earlier versions. I thought NAV removed it from 2001 and on, but I could be mistaken and they removed it in 2003. The problem with this type of blocking, and the reason the feature was removed, is what Marcos and I alluded to: there are legitimate parts of the OS and other programs that need to perform these actions, and the amount of alerts generated would result in people disabling their AV. Formatting a new partition, deleting files, adding a run key registry entry are all normal functions needed by legitimate programs, and a generic or across-the-board blocking will create excessive alerts. The current approach is to identify malicious programs attempting to perform these actions and stop them.
     
  8. JBB

    JBB Registered Member

    Joined:
    Sep 9, 2004
    Posts:
    51
    flyrfan111,

    Yes, now that you explained things, .... this makes sense to me for Antivirus pgms.

    ...Hmm.... Maybe the answer is to supplement an antivirus pgm with a sandbox type of pgm where "unknown" pgms run with restrictive modification access rights?
     
  9. flyrfan111

    flyrfan111 Registered Member

    Joined:
    Jun 1, 2004
    Posts:
    1,224
    You're welcome. ProcessGuard and PreVx are two programs that may fit your needs. While they are not sandbox programs, they are behaviour type blockers. A company called Finjan makes a sandbox program that detects malware; do a google search for the company. I can't for the life of me recall the name of the program. I tried it 3 or 4 years ago and didn't like it, but it may suit your needs. Best of luck in your search.