Noob question about advanced heuristics

Discussion in 'ESET NOD32 Antivirus' started by Pain of Salvation, Mar 16, 2009.

Thread Status:
Not open for further replies.
  1. Pain of Salvation

    Pain of Salvation Registered Member

    Joined:
    Apr 21, 2005
    Posts:
    398
    Probably it´s a noob question, but I have to ask:

    Does nod32 v4 uses advanced heuristics on realtime scan on default settings?

    I see that it uses for newly created and modified files, but not for executed files, am I right? If I download a file using firefox web browser, for example, will nod32 use AH to scan this file?
     
    Last edited: Mar 16, 2009
  2. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,374
    That's right.

    If you download an archive, web protection will scan it internally with AH and runtime packers enabled by default. If you download executable files, they will be scanned by real-time protection as well by default.
     
  3. Pain of Salvation

    Pain of Salvation Registered Member

    Joined:
    Apr 21, 2005
    Posts:
    398
    Will this executable file that I downloaded be scanned with AH? I mean, a downloaded executable is a "newly created file"?
     
    Last edited: Mar 16, 2009
  4. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,374
    Yes, files that are downloaded are newly created.
     
  5. Pain of Salvation

    Pain of Salvation Registered Member

    Joined:
    Apr 21, 2005
    Posts:
    398
    Thanks, Marcos....

    I have another question...

    If a Pen Drive has a worm that autoexecutes when I plug it to the PC, will NOD32 use AH to detect this worm if it is a .inf file? Or only .exe files are scanned with AH in removable media?

    I'm asking this because I see a lot of infected pen drives with a file called Autorun.inf that actually is a worm, I think it's called Conficker... and it autoexecutes when the pen drive is plugged. Will nod32 use AH to scan this autorun.inf file?
     
  6. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,374
    AH scans only exe/dll files. V4 has introduced new options for scanning removable media to provide better protection against Autorun worms. By default, files run from removable media are first scanned with maximum settings.
     
  7. bradtech

    bradtech Guest

    I have a lot of hits from those..

     
  8. Pain of Salvation

    Pain of Salvation Registered Member

    Joined:
    Apr 21, 2005
    Posts:
    398
    Those are my last questions, I promise... :p

    If nod32 uses AH for newly created files or modified files and for removable media by default, is there any advantage using AH on every file execution? I cannot imagine any virus infection without creating or modifying a file on the system.

    Also, what is the difference between enabling AH in these two options (images attached)?
     

    Attached Files:

  9. funkydude

    funkydude Registered Member

    Joined:
    Apr 5, 2004
    Posts:
    6,853
    I leave them disabled (default settings)
     
  10. Pain of Salvation

    Pain of Salvation Registered Member

    Joined:
    Apr 21, 2005
    Posts:
    398
    Ok, but what is the difference between those two configuration options?
     
  11. piranha

    piranha Registered Member

    Joined:
    Mar 21, 2005
    Posts:
    623
    Location:
    Laval, Qu?bec, Canada
    According to Marcos previous post, AH is already set when it is really needed so.....

    IMO, both means not really more protection but, surely, more use of CPU and memory, and probably slowdown of all pc performances.
     
  12. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,374
    The first screenshot shows the check box that enables AH on file access while the second one enables AH on file execution.
     
Thread Status:
Not open for further replies.