Problem for AMON...

Discussion in 'NOD32 version 2 Forum' started by embower, Sep 1, 2004.

Thread Status:
Not open for further replies.
  1. embower

    embower Registered Member

    Joined:
    Dec 19, 2003
    Posts:
    46
    The AMON module detection that the virus files is after, but can't
    Prohibit it run.
    You can try to run a virus under the normal of AMON, the AMON can
    detection and hint you act, but the virus has already is run.. :( :( :(
     
  2. embower

    embower Registered Member

    Joined:
    Dec 19, 2003
    Posts:
    46
    You can try :'(
     
  3. embower

    embower Registered Member

    Joined:
    Dec 19, 2003
    Posts:
    46
    Thus the NOD32 can't guarantee the safety of the calculator enough :doubt:
     
  4. Blackspear

    Blackspear Global Moderator

    Joined:
    Dec 2, 2002
    Posts:
    15,115
    Location:
    Gold Coast, Queensland, Australia
    Are you talking about a Trojan being loaded into memory and AMON's inability to stop this?

    Cheers :D
     
  5. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,374
    Perhaps you set AMON not to scan files upon creation / execution. It works fine here and we certainly wouldn't have released NOD with such a bug.
     
  6. Blackspear

    Blackspear Global Moderator

    Joined:
    Dec 2, 2002
    Posts:
    15,115
    Location:
    Gold Coast, Queensland, Australia
    Can you try rephrasing your question please...

    Cheers :D
     
  7. embower

    embower Registered Member

    Joined:
    Dec 19, 2003
    Posts:
    46
    Because I tried :mad:
     
  8. embower

    embower Registered Member

    Joined:
    Dec 19, 2003
    Posts:
    46
    My Amon setup..

    You can try to close the AMON first, then the decompression a Trojan, then be in use the AMON, run the trojan under the AMON environment, the AMON will hint the action, but the Trojan has already been run and established the file of DLL :doubt:
     

    Attached Files:

  9. embower

    embower Registered Member

    Joined:
    Dec 19, 2003
    Posts:
    46
    I use this file to test, Please delete the file extension .txt




    It is not according to Wilders policy to post a link to a possible virus or trojan or other malware. So I have removed the attached file to prevent someone from becoming unknowingly infected --bigc
     
    Last edited by a moderator: Sep 2, 2004
  10. ronjor

    ronjor Global Moderator

    Joined:
    Jul 21, 2003
    Posts:
    57,719
    Location:
    Texas
    This is what I see when I try to save that file using NOD 2.12.1
     

    Attached Files:

  11. Blackspear

    Blackspear Global Moderator

    Joined:
    Dec 2, 2002
    Posts:
    15,115
    Location:
    Gold Coast, Queensland, Australia
    Embower, what version of Nod32 are you using?

    Also, what is your native language? Someone may be able to help you better speaking your dialect...

    Cheers :D
     
    Last edited: Sep 3, 2004
  12. MNKid

    MNKid Guest

    It says above the pic ... NOD 2.12.1
     
  13. Blackspear

    Blackspear Global Moderator

    Joined:
    Dec 2, 2002
    Posts:
    15,115
    Location:
    Gold Coast, Queensland, Australia
    No, that's Ronjor's ;)
     
  14. embower

    embower Registered Member

    Joined:
    Dec 19, 2003
    Posts:
    46
    Chinese...I am very sorry, my English is badly.... :'( :'( :'(
     
  15. embower

    embower Registered Member

    Joined:
    Dec 19, 2003
    Posts:
    46
    I know that the AMON can detection it...

    But, you try not to do any action, hide the dialog, then run it, the AMON will hint you act, it was still run, and establish other files in your computer, the AMON did not obstruct it completely :doubt:
     
  16. Blackspear

    Blackspear Global Moderator

    Joined:
    Dec 2, 2002
    Posts:
    15,115
    Location:
    Gold Coast, Queensland, Australia
    That's ok, you are doing very well, I can't speak Chinese ;)

    Can you send an email to support@nod32.com and place a link to this thread.

    Can you also send the file in question "Zipped" to sample@nod32.com and place a link to this thread. If you do not hear from them within 48 hours, please advise us here...

    Let us know how you go…

    Cheers :D
     
  17. BlueZannetti

    BlueZannetti Administrator

    Joined:
    Oct 19, 2003
    Posts:
    6,590
    Embower,

    I tried a few things on my PC and I think I now understand what you are saying.

    If I take an archived set of files which contain a few infected or malware files in the set, the following happens when it is extracted:

    1. AMON immediately flags the first infected extracted file as it appears and requests action
    2. As that dialog waits for a response, the remaining files are extracted and placed on the disk, this includes infected files.

    Let's just say that there were 6 infected files in the archive. At this point, you have a dialog box requesting action on the first infected file with no immediate indication that the other files have been flagged or locked.

    If you delete (or perform whatever selected action is desired) on the first file, you will get a succession of dialog boxes for all the remaining files. Execution of any of these files will be prohibited and a dialog box will be queued up for a response requesting action. If you perform a simple operation, like a file rename, it will occur. However, that new file will now appear in the dialog box queue as the last member of the queue. If you try a more active operation, such as a file move or copy, you will obtain a denied access message box from the OS and the operation will not occur.

    Before anyone becomes overly concerned at the transient existence of these files with NOD32, the same behavior is observed with AVs such as KAV at standard settings.

    As far as I can see, the files are resident on the disk, but basically locked from activity and are waiting for user input. Does this answer your question, Embower?

    Blue
     
  18. ronjor

    ronjor Global Moderator

    Joined:
    Jul 21, 2003
    Posts:
    57,719
    Location:
    Texas
    I saved that file to disk. dmz.rar.txt was the name of the file. I tried to terminate when the warning appeared. Too late, it was on C:.
    I used eraser to remove the file. I unfortunately did not zip it up and send it to Eset.
    I assume NOD knows what the file consisted of by the name in the warning screen. It did not stop it from getting on my hard drive.
     
  19. embower

    embower Registered Member

    Joined:
    Dec 19, 2003
    Posts:
    46
    The circumstance that I say is: The AMON run normally, then run a virus file. The AMON can discover and hint the action, but can't Prohibit access it run
     
  20. embower

    embower Registered Member

    Joined:
    Dec 19, 2003
    Posts:
    46
    Thank you very much

    I have already done according to your designation :p
     
  21. Blackspear

    Blackspear Global Moderator

    Joined:
    Dec 2, 2002
    Posts:
    15,115
    Location:
    Gold Coast, Queensland, Australia
    My pleasure...

    Let us know how you go...

    Cheers :D
     