Quarantine

Discussion in 'NOD32 version 2 Forum' started by Mele20, Aug 1, 2003.

Thread Status:
Not open for further replies.
  1. Mele20

    Mele20 Former Poster

    Joined:
    Apr 29, 2002
    Posts:
    2,495
    Location:
    Hilo, Hawaii
    This screen is confusing. It looks as though KlezJ was quarantined 6 times on July 29. That is not true though. It was quarantined ONCE on that day. The other five instances have been tonight which is August 1. I thought quarantine wasn't working properly because I didn't see this file appear there so I kept trying to open it to see if it would appear in quarantine. I finally realized what had happened.

    This is very misleading. It should show the CURRENT DATE not several days ago. EACH instance of quarantine should be listed with the date it was quarantined. This should happen even if it is the very same file being quarantined more than once.

    Plus, the glaring problem here is that it isn't really quarantined. It is still in the original location. Why isn't it moved to quarantine? The quarantine log shows that it is in quarantine although the log gives the wrong date. It should have been moved to quarantine the first time I went to scan it which was several days ago. That is what other av would do. What is quarantine for if the file isn't moved there? Why is quarantine greyed out on that screen?

    Ahh... I think I have it figured out. The file is only COPIED to quarantine! Is that correct? No other av I have used only copies the file to quarantine...they all MOVE it there which makes a lot more sense. Why would I want the infected file left in the original folder? How would I know that if I deleted it that I could always retrieve it from the copy put in quarantine? Plus why would I be required to take two actions...one quarantining a copy of it and another to delete the original file? Moving the original file is one action. Having to take two actions is extra work and unnecessary. I read the help files. There isn't anything to indicate that rather than MOVING the file to quarantine it is copied there. That is such a strange way of doing things seems to me and totally different from other av.

    Another thing: the screen says NOD can clean this virus. That is not true so why does it say that? Worms can't be cleaned as they are the whole file so they can only be deleted. NOD shouldn't tell me it can do something it cannot do.

    I can see that a lot of the changes in the GUI were just surface cosmetics as underneath much of the confusion which was there in version one is still there. There is also the problem of when you delete viruses that it doesn't show up in real time like with every other av I've used. You have to reboot! I reboot only once every 24 or more hours and wouldn't reboot hardly ever if I had XP instead of W98 so this is confusing and misleading.

    I see some good improvements and I love the shell extension that Paolo has provided so I can scan individual files from Explorer using advanced heuristics. However, there are still too many things about the GUI that need improvement. I have really tried to understand the weirdness that to me still completely envelops NOD. However, I'm too frustrated by the incoherent reasoning in the way NOD behaves. Nothing about NOD is logical. I don't have this problem with the other two av I own or any others I have tried. I guess NOD just doesn't agree with me. It is an excellent scanner, and light on resources, but for me it is quite illogical in the way it works in many respects.
     

  2. Mele20

    Mele20 Former Poster

    Joined:
    Apr 29, 2002
    Posts:
    2,495
    Location:
    Hilo, Hawaii
    How come I can't attach more than one file? Here's the other one I was referring to:
     

  3. anders

    anders Eset Staff Account

    Joined:
    Oct 25, 2002
    Posts:
    410
    The quarantine is a "backup" option. It will be copied there, and whatever action you choose will be applied upon the original file. (delete/clean/rename)

    Selecting "Quarantine" and clicking "Delete" would be the "normal" way of quarantining the object. Quarantining is not an action, it's more of a backup thing. The action you probably want is "Delete" (or of course "clean" when that is applicable).

    Actually, some Klez variants "infect" files by creating a new file with another extension that holds the original file. I think that is the case here. It should be easily verified if you try to clean the file.

    Show up where? If an infected file is running, a reboot may be required to deal with it. (I haven't tested in a while, but many AVs used to have problems with files that are infected and running)

    Best regards,
    Anders
     
  4. Mele20

    Mele20 Former Poster

    Joined:
    Apr 29, 2002
    Posts:
    2,495
    Location:
    Hilo, Hawaii
    >The quarantine is a "backup" option. It will be copied there, and whatever action you choose will be applied upon the original file.

    The backup aspect was what I didn't understand because the av I was using just before I decided to try version 2 of NOD quarantines the file if you want... it doesn't copy it to quarantine... neither do the other avs I have used. The fact that NOD makes a copy to put in quarantine should be in the help file. It is ok now that I finally understand, but was frustrating to take so much of my time figuring it out since there was nothing in the help file on this. It was logical I would assume NOD did it like my other av.

    Related to this, I was surprised to see when I installed version 2 that the quarantine folder from the beta 1 was intact and had the viruses that I had put in it six or seven months ago still there! Other av ask you when you uninstall if you want to save the quarantine items otherwise they are deleted during the uninstall. So, with NOD the quarantine folder is never uninstalled?

    >Actually, some Klez variants "infects" files by creating a new file with another extension that holds the original file. I think that is the case here. It should be easily verified if you try to clean the file.

    That was not a very good example. The extension was deliberately renamed to .mid. for testing my ISP's av scanner. But that screen saying it can clean when it cannot because it is a worm is also there for some other worm samples I have. I suppose they may be renamed also, but I don't think so. The person I got them from isn't sure but doesn't think they are renamed samples so NOD shouldn't say it can clean when it can't. But I can live with that inaccuracy now that I know about it.

    >Show up where? If an infected file is running, a reboot may be required to deal with it

    I was referring to a thread by someone here a couple of weeks ago.
    >Can anyone enlighten me why AMON still shows the viruses as active until reboot and why the red box doesn't say the virus has been deleted? It's all so confusing. (from AMON Confusing Virus Messages thread).

    I thought I was seeing the same thing when I wrote the first post, but I can't duplicate what that poster was complaining about tonight so ignore that. If I can duplicate the behavior later, I'll post and ask again.
     
  5. DolfTraanberg

    DolfTraanberg Registered Member

    Joined:
    Nov 20, 2002
    Posts:
    676
    Location:
    Amsterdam
    What I read is that NOD can clean the infiltration, not the file.
    Dolf
     
  6. Mele20

    Mele20 Former Poster

    Joined:
    Apr 29, 2002
    Posts:
    2,495
    Location:
    Hilo, Hawaii
    But my point is that worms can't be cleaned. The whole file gets deleted and I still think NOD shouldn't say it can clean when actually it "cleans" by deleting! That is confusing to me.
     
  7. DolfTraanberg

    DolfTraanberg Registered Member

    Joined:
    Nov 20, 2002
    Posts:
    676
    Location:
    Amsterdam
    From what you have posted, I see nowhere that they say they can clean the file o_O
     

    Attached Files: NOD.jpg (8.2 KB)
  8. Mele20

    Mele20 Former Poster

    Joined:
    Apr 29, 2002
    Posts:
    2,495
    Location:
    Hilo, Hawaii
    Sorry, but I don't get the distinction you are trying to make. When you clean something...you clean it. You don't destroy it by deleting it. That is not cleaning. Cleaning fixes it. Deleting simply destroys it. Since a worm is usually the entire file, a worm can't be cleaned ...only destroyed which destroys the file.

    It's a matter of semantics I suppose. Semantics has always been my problem with NOD. The use of English for NOD is not at all what someone from the U.S. is used to. I find the language used in NOD to be quaint/odd and it is confusing. If it was anything other than an av, it wouldn't bother me that much, but misunderstanding something to do with your av because of language difficulties is not good. That is the main reason I like anti virus programs developed in the U.S. better. They are written using American English. Doesn't make those av's better. It just makes them easier for U.S. citizens to use (or at least for this U.S. citizen). :)
     
  9. DolfTraanberg

    DolfTraanberg Registered Member

    Joined:
    Nov 20, 2002
    Posts:
    676
    Location:
    Amsterdam
    What is infiltration in American English o_O
    Cleaning in the sense of "get rid of it" is bad (American) English?
     
  10. Dan Perez

    Dan Perez Retired Moderator

    Joined:
    May 18, 2003
    Posts:
    1,495
    Location:
    Sunny San Diego
    Hi all,

    I think this all comes back to Anders' point about the tendency for some viruses to create their own file (for whatever purpose). In cleaning this infiltration that file *must* be deleted as the file serves no purpose but to further the work of the virus. It is not the case of a normal infection where an existing file is modified by the virus code.

    Regards,

    Dan
     
  11. DolfTraanberg

    DolfTraanberg Registered Member

    Joined:
    Nov 20, 2002
    Posts:
    676
    Location:
    Amsterdam
    Always happy to learn, as my native language isn't (American) English.
    I'm not sure I have o_O
    Dolf
     
  12. Finn McCool

    Finn McCool Registered Member

    Joined:
    Mar 3, 2003
    Posts:
    49
    Location:
    New Orleans
    The issue has nothing to do with American English. Cleaning an "infiltration" does not mean the same as cleaning a file, but it is a subtlety likely to be overlooked. The problem is that NOD32 doesn't use some terms in quite the same way as most popular anti-virus programs in the U.S., so the transition is more difficult. We're talking about jargon, not standard English, whether of the U.S. or UK variant.
     
  13. DolfTraanberg

    DolfTraanberg Registered Member

    Joined:
    Nov 20, 2002
    Posts:
    676
    Location:
    Amsterdam
    Thanks Finn I'll buy that :)
    Dolf
     