Problem with archives, runtime packers and Software installers

Discussion in 'ESET NOD32 Antivirus' started by kevin009, Feb 13, 2008.

Thread Status:
Not open for further replies.
  1. kevin009

    kevin009 Registered Member

    Joined:
    Sep 11, 2007
    Posts:
    32
    I have a problem with NOD32 Version 3.0.621.0 on all archives and software installers. The problem is that such packed files take quite a bit more time to be accessed, as well as copied/deleted from the hard disk, when NOD32 real-time protection is enabled. I wanted to exclude all such archives, software installers and packed files from the real-time scanning. I found that it was easy to exclude ZIP and RAR like this:

    Go to the Entire advanced setup tree > Real time file system protection > Setup > Extensions tab > Exclude archives like ZIP and RAR from real-time scanning.

    I can always right-click and scan such archives and runtime packers before opening them, or when the contents of the archive, runtime packer or software installer are extracted, NOD32 can automatically scan them.

    But all software installer packages like NOD32 (eav_nt32_enu), Kaspersky anti-virus (kav7.0.1.321en), as well as Adobe product installers, etc. still take a lot of time to be copied/deleted from the hard disk to the recycle bin. This was not a problem with NOD32 2.7. All these software installer packages have the .exe extension.
    I don’t want to exclude .exe files from scanning.

    Is it possible to set NOD32 not to scan archives, runtime packers and software installers until their contents are extracted?
     
  2. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,374
    ZIP/RAR archives (not SFX) are not scanned by the real-time protection at all. Disabling SFX archives in the real-time protection setup should help.
     
  3. kevin009

    kevin009 Registered Member

    Joined:
    Sep 11, 2007
    Posts:
    32
    Hello,
    Thanks for replying.
    But by default, NOD32 Version 3 is real-time scanning all files including RAR, ZIP and all software installers, which makes the copying much slower when copying and deleting data. To avoid this problem, I excluded RAR and ZIP from real-time scanning, but I am puzzled what to do with the software installers which use the .exe extension. How do I exclude all such installers from real-time scanning?

    For example, if we install NOD32 V.3 and use default settings, when we try to copy a ZIP or RAR (one that takes NOD32 v.3 at least one minute to on-demand scan) onto the hard disk, the copying is really slow if real-time protection is enabled. The same problem is there for executable software installers, as described in my previous post.

    In the real-time scanning ThreatSense options, why is there no check-box option for excluding archives, runtime packers and SFX archives from real-time scanning, like in the other ThreatSense options (such as the Antivirus and Antispyware tab)? Making any changes in the Antivirus and Antispyware tab ThreatSense options does not make any changes in the way other modules like real-time scanning and on-demand scanning work. Why?
     
  4. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,374
    Could you please provide a link to a rar/zip installer that is scanned by the real-time protection? The real-time protection only scans sfx archives on create; disabling that option should help you.
     
  5. kevin009

    kevin009 Registered Member

    Joined:
    Sep 11, 2007
    Posts:
    32
    Sorry,
    The ZIP RAR problem was due to an incorrect real time configuration. I wrote the posts wrongly without a proper investigation into the configuration.
    I apologize for any inconvenience.
     
    Last edited: Feb 14, 2008
  6. kevin009

    kevin009 Registered Member

    Joined:
    Sep 11, 2007
    Posts:
    32
    New Problem/Doubt o_O Help

    Now there is a new problem/doubt.

    Why is NOD32 V.3.0.621.0 scanning and deleting whole archives even though there are non-infected files in them? I've done many tests by putting an eicar test file in a ZIP along with 3 or more clean files, set the NOD32 context menu scanning option to "No Cleaning" and scanned the archive, and upon detecting the eicar, it quarantined and deleted the whole archive instead of removing only the virus (eicar).

    The same thing happened when I set NOD32 to "Standard Cleaning".

    According to the Help file documentation, NOD32 V.3 should delete whole archives only if the scanning is set to Strict Cleaning. Then why is this happening?
     
  7. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,374
    Re: New Problem/Doubt o_O Help

    Are you positive that the whole archives containing also some clean files are deleted automatically in strict cleaning mode? You should be prompted for an action in such case as it wouldn't be safe if the program deleted such an archive automatically.
     
  8. Bubba

    Bubba Updates Team

    Joined:
    Apr 15, 2002
    Posts:
    11,271
    Re: New Problem/Doubt o_O Help

    What was your Cleaning setting for Real-time file system protection when you say this occurred on context menu scanning?

    Does your On-demand computer scan log indeed show an item in the Cleaned column?

    Also, what do your log files show for Detected threats at that same time in the Action column?
     
  9. kevin009

    kevin009 Registered Member

    Joined:
    Sep 11, 2007
    Posts:
    32
    Re: New Problem/Doubt o_O Help

    Hi Marcos,
    Quote:
    Are you positive that the whole archives containing also some clean files are deleted automatically in strict cleaning mode? You should be prompted for an action in such case as it wouldn't be safe if the program deleted such an archive automatically.

    Answer: Yes, I’m positive about it. Please look below.

    1. Strict Cleaning: When I set the context menu cleaning options to Strict Cleaning and right-clicked this eicar.zip archive (packed with the eicar virus and some clean files) > Advanced Options > Clean Files, NOD32 quarantined and deleted the whole archive without displaying the virus alert window when eicar was detected.

    2. Standard Cleaning: When I set NOD32 context menu scanning to Standard Cleaning, upon the eicar detection, NOD32 displayed the Threat alert window with only two options: “Delete” and “Leave”. When I clicked the Delete button, the whole archive was deleted. When I clicked the Leave button, the archive was left intact.

    3. No Cleaning: Same thing happened as in Standard Cleaning.

    Please look at this scan log (same results for Standard Cleaning and No Cleaning) and see for yourself. Here the Eicar test file was a part of the deleted object (the deleted object was the whole eicar.zip archive).

    NOTE: All other options in NOD32’s entire advanced setup tree were at default except for the “Cleaning options” in the context menu scanning. (changes were made only in the context menu settings – Strict Cleaning, Standard Cleaning, No Cleaning)


    Scan Log
    Version of virus signature database: 2870 (20080212)
    Date: 2/13/2008 Time: 9:45:06 PM
    Scanned disks, folders and files: E:\eicar.zip
    E:\eicar.zip » ZIP » eicar.exe - Eicar test file - was a part of the deleted object
    E:\eicar.zip » ZIP » application.txt - is OK
    E:\eicar.zip » ZIP » Application 2.txt - is OK
    E:\eicar.zip » ZIP » Caliver.txt - is OK
    E:\eicar.zip » ZIP » New Microsoft Word Document.doc - is OK
    E:\eicar.zip » ZIP » system.txt - is OK
    E:\eicar.zip » ZIP » nentenst.exe » RAR » advheur.nup - is OK
    E:\eicar.zip » ZIP » nentenst.exe » RAR » archs.nup - is OK
    E:\eicar.zip » ZIP » nentenst.exe » RAR » charon.nup - is OK
    E:\eicar.zip » ZIP » nentenst.exe » RAR » engine.nup - is OK
    E:\eicar.zip » ZIP » nentenst.exe » RAR » ntbaseen.nup - is OK
    E:\eicar.zip » ZIP » nentenst.exe » RAR » pwscan.nup - is OK
    E:\eicar.zip » ZIP » nentenst.exe » RAR » utilmod.nup - is OK
    E:\eicar.zip » ZIP » nentenst.exe » RAR » main.dll - is OK
    E:\eicar.zip » ZIP » nentenst.exe » RAR » mfc42.dll - is OK
    E:\eicar.zip » ZIP » nentenst.exe » RAR » mfc42u.dll - is OK
    E:\eicar.zip » ZIP » nentenst.exe » RAR » msvcrt.dll - is OK
    E:\eicar.zip » ZIP » nentenst.exe » RAR » readme.txt - is OK
    E:\eicar.zip » ZIP » nentenst.exe » RAR » setup.exe - is OK
    E:\eicar.zip » ZIP » nentenst.exe » RAR » ntstden.nup - is OK
    E:\eicar.zip » ZIP » nentenst.exe » RAR » ntineten.nup - is OK
    E:\eicar.zip » ZIP » nentenst.exe » RAR » setup.xml - is OK
    Number of scanned objects: 23
    Number of threats found: 1
    Time of completion: 9:45:13 PM Total scanning time: 7 sec (00:00:07)

    So can you tell me exactly why it happened? Is it a bug?

    Hi Bubba,
    Here are your answers:

    What was your Cleaning setting for Real-time file system protection when you say this occurred on context menu scanning?

    Answer: it was “Standard Cleaning”

    Does your On-demand computer scan log indeed show an item in the Cleaned column?

    Answer: Please look in the above scan log and see for yourself

    Also, what do your log files show for Detected threats at that same time in the Action column?

    Answer: It shows the eicar test file as shown in the above log: (E:\eicar.zip » ZIP » eicar.exe - Eicar test file - was a part of the deleted object)

    Anything to tell about this?
     
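An added example, not from this thread and not ESET's code: a small Python parser for the scan log format shown in the post above. It groups scanned objects by their top-level container and reports which clean archive members were removed along with the single detection, which is the collateral loss the post is asking about. The first sample is an abridged copy of the log posted above; the second (E:\other.zip, with the action text "deleted (constructed)") is constructed for contrast and is not real ESET output. The "deleted object" phrase is taken as the marker that the whole container, not just the flagged member, was removed; that reading is an assumption based on the posted log.

```python
"""Parse an ESET-style on-demand scan log and report collateral loss:
clean archive members that disappeared because the whole container was
deleted on a single detection (the behaviour described in the thread)."""
from dataclasses import dataclass
from typing import Dict, List, Optional

SEP = " » "  # ESET's nesting separator: <container> » <type> » <member> ...

# Abridged copy of the scan log posted in this thread (real format, trimmed).
THREAD_LOG = r"""Version of virus signature database: 2870 (20080212)
Date: 2/13/2008 Time: 9:45:06 PM
Scanned disks, folders and files: E:\eicar.zip
E:\eicar.zip » ZIP » eicar.exe - Eicar test file - was a part of the deleted object
E:\eicar.zip » ZIP » application.txt - is OK
E:\eicar.zip » ZIP » system.txt - is OK
E:\eicar.zip » ZIP » nentenst.exe » RAR » engine.nup - is OK
E:\eicar.zip » ZIP » nentenst.exe » RAR » setup.exe - is OK
Number of scanned objects: 23
Number of threats found: 1
"""

# Constructed contrast case (NOT real ESET output): only the flagged member
# is removed from inside the archive and the clean members survive.
MEMBER_ONLY_LOG = r"""E:\other.zip » ZIP » bad.exe - Eicar test file - deleted (constructed)
E:\other.zip » ZIP » readme.txt - is OK
"""


@dataclass
class ScanRecord:
    chain: List[str]          # e.g. ['E:\\eicar.zip', 'ZIP', 'nentenst.exe', 'RAR', 'setup.exe']
    threat: Optional[str]     # detection name, None when the object is clean
    action: str               # 'is OK', 'was a part of the deleted object', ...

    @property
    def container(self) -> str:
        return self.chain[0]                # top-level object handed to the scanner

    @property
    def member(self) -> str:
        return self.chain[-1]

    @property
    def depth(self) -> int:
        return (len(self.chain) - 1) // 2   # each nesting level adds <type> » <member>


def parse_scan_log(text: str) -> List[ScanRecord]:
    """Keep only object lines (those containing the nesting separator).
    Detections read '<object> - <threat> - <action>', clean objects '<object> - is OK'.
    Assumes ' - ' does not occur inside member names, which holds for the samples."""
    records: List[ScanRecord] = []
    for line in text.splitlines():
        if SEP not in line:
            continue  # header or summary line
        parts = [p.strip() for p in line.split(" - ")]
        if len(parts) < 2:
            continue
        threat = parts[1] if len(parts) >= 3 else None
        records.append(ScanRecord(parts[0].split(SEP), threat, parts[-1]))
    return records


def collateral_report(records: List[ScanRecord]) -> Dict[str, dict]:
    """Per container: detections, clean members, and which clean members were
    lost because the action removed the whole container ('deleted object')."""
    report: Dict[str, dict] = {}
    for rec in records:
        entry = report.setdefault(rec.container,
                                  {"detections": [], "clean": [], "whole_deleted": False})
        if rec.threat is not None:
            entry["detections"].append((rec.member, rec.threat, rec.action))
            if "deleted object" in rec.action:   # assumption: this wording = whole container removed
                entry["whole_deleted"] = True
        else:
            entry["clean"].append(rec.member)
    for entry in report.values():
        entry["clean_lost"] = list(entry["clean"]) if entry["whole_deleted"] else []
    return report


if __name__ == "__main__":
    for name, log in (("thread log", THREAD_LOG), ("constructed member-only", MEMBER_ONLY_LOG)):
        for container, entry in collateral_report(parse_scan_log(log)).items():
            print(f"[{name}] {container}: {len(entry['detections'])} detection(s), "
                  f"{len(entry['clean'])} clean member(s), "
                  f"{len(entry['clean_lost'])} clean member(s) lost with the container")
```

Run against the abridged thread log, the report shows one detection and every clean member (including those nested inside nentenst.exe » RAR) lost with the container; against the constructed member-only log it shows the same detection with no clean members lost. The same parser can be pointed at a full exported log to check what a cleaning action actually removed before trusting a "Cleaned" entry.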
  10. kevin009

    kevin009 Registered Member

    Joined:
    Sep 11, 2007
    Posts:
    32
    Why hasn't anyone responded to my thread above yet? :(
     