Quarantined....

Discussion in 'NOD32 version 2 Forum' started by 0pium_Dealer, Jun 26, 2004.

Thread Status:
Not open for further replies.
  1. 0pium_Dealer

    0pium_Dealer Registered Member

    Hi guys

    I just did a scan using the command line setting, Nod picked up a few false positive files that have been quarantined.

    I know these files are OK, and they're pretty important. How do I get them out of the quarantine box and make Nod treat them as OK?

    One of these files is actually located in the recovery partition of my drive, and I don't want that file to be deleted in case I need to reinstall XP in the future....

    TIA
     
  2. Blackspear

    Blackspear Global Moderator

    Nod does NOT quarantine files in the meaning of the word found in a dictionary, it instead makes a copy of the infection so it can be sent to Eset for further analysis...

    I’ll see if I can find out how to find the exact location of where files are “quarantined” so you can email them to samples@nod32.com

    Cheers :D
     
  3. Blackspear

    Blackspear Global Moderator

    I think this is where copies of infected files are stored, will need someone else to confirm this...

    Cheers :D
     

    Attached Files: 3.JPG
  4. Blackspear

    Blackspear Global Moderator

  5. 0pium_Dealer

    0pium_Dealer Registered Member

    Thanks Blackspear

    I'll have a look at those links and decide if it's worth sending the file to Nod...

    As stated in your post, Nod makes a copy of the files that are quarantined so that we can post to Eset for analysis, am I to assume that the quarantined files will not be deleted?

    The funny thing is, the alert only came up when I did the scan using command lines. I've done a number of scans using the GUI by checking all the boxes stated in your instructions, and all the scans passed... :doubt: :doubt:
     
  6. Blackspear

    Blackspear Global Moderator

    I had this exact same situation yesterday, Trojans were only found when using the command line scan, they were in "System Restore". I turned off System Restore, rebooted the PC into safe mode and could not open the Command Centre for Nod32, so just ran a standard GUI scan, it came up clean, again rebooted the PC, ran a further Command Line scan, and there remained 1 trojan, repeated the above to no avail.

    We'll be slaving that PC off another on Monday or running the Barts PE bootable CD, either way it will be cleaned on Monday :D

    Cheers :D
     
  7. diesel

    diesel Registered Member

    so if a file is indeed found to be infected? how is the original copy of the infected file "cleaned"?

    how is it cleaned? is it deleted? do you delete it manually?
     
  8. Blackspear

    Blackspear Global Moderator

    It isn't cleaned, the copy is encrypted so it can be sent to Eset for further analysis...


    The encrypted file as far as I know remains in C:\Program Files\Eset\Infected Files. You can manually remove this if you want.

    Hope this helps...

    Cheers :D
     
  9. diesel

    diesel Registered Member

    hmmmm still unclear about it

    so the original, real infected file, what do you do with that? remove it manually? what if it's an important system file or file critical to another program? wouldn't some way of "cleaning" versus deleting be better?
     
  10. ronjor

    ronjor Global Moderator


    Just a thought. As long as you backup your data, you could rename that file. Backing up your system is the key.

    Most antivirus programs CAN have problems restoring a file. I wouldn't put faith that any program could restore a file. Backup your data no matter what anyone advertises.
     
  11. Blackspear

    Blackspear Global Moderator

    I am only talking about quarantine, where a file can not be cleaned or deleted, if you have ticked the quarantine option, then the infected file remains until you are given further advice as to how to remove the file, once Eset support or someone from this forum has advised you how to...

    So the choices for a scan that finds an infection should be:

    1. Clean
    2. If unable to clean, Delete
    3. If unable to Delete, Quarantine
    4. Send the encrypted quarantined file to support@nod32.com
    5. Post a message on this forum and ask for help as well
    6. Wait for further instructions

    Hope this is a little clearer :D

    Cheers :D
     
  12. 0pium_Dealer

    0pium_Dealer Registered Member

    Blackspear

    My files have been sent to Nod for analysis :)

    Just wondering... I've had infected emails coming through that were picked up by Nod, and deleted.

    The infected files are noted in the logs, but are copies kept anywhere?

    As I originally posted above, Nod picked up two false positives, one in the C Drive, the other in the Recovery Partition....

    I have two files stored in the infected folder, of different sizes :doubt: :doubt: :doubt: Not sure why they are different in size, would've thought because one is a copy of the other, they'll be the same size....

    My question is this, are infected emails that have been deleted by Nod also copied and kept in the infected folder?....

    I have scanned both files stored in the infected folder, both clean :doubt: :doubt:

    Anyway, I've sent both to Nod, so I'll just have to wait and see if I'll get a reply :rolleyes: :rolleyes: :rolleyes:
     
  13. norky

    norky Registered Member

    that seems to be an iffy implementation of a quarantine
     
  14. Mele20

    Mele20 Former Poster

    That's right! Quarantine in NOD32 is a joke. Even as bad as it is, to give some perspective, (and mods please don't say this is OT as it isn't) KAV 5.0 has no quarantine to speak of! It will not send an infected file to quarantine or even make a copy and put the copy in quarantine. You have to manually move an infected file there. I've been unhappy with NOD32's handling of quarantine ever since I got it almost two years ago and I was considering switching to KAV 5.0 until I tried it.

    I wish NOD32's quarantine functioned similar to that of NAV and PC-Cillin. I think all infected objects should AUTOMATICALLY be moved to quarantine...not COPIED but moved. I do not believe ANY ACTION should be taken on an infected object when it is outside of quarantine. To me this is just basic good sense and caution. I want the NOD32 on demand scanner or AMON or IMON if you use it (I don't) to, upon detecting a virus, automatically quarantine it and continue the scan (if this happens during a scheduled scan). I don't want to have to interrupt my sleep when running a scheduled scan in the middle of the night nor do I wish to be inefficient and be forced, as I now am, to run a scan only and then while in attendance run another scan with clean chosen. I would far prefer to go to quarantine, at a time of my choosing, and determine in a SAFE environment on my computer exactly what I want to do.

    I used to leave viruses intact in Quarantine all the time when I had NAV and PC-Cillin. Sometimes those viruses turned out to be false positives and I could then restore them. Other times they were real viruses but they could not harm the computer in a real quarantine which both those AV have and I would confidently leave them there forever although I could also easily delete them from quarantine if I wished.
     
  15. TheQuest

    TheQuest Registered Member

    Hi, Mele20

    Although I agree in principle with what you are saying.

    The Problem with that is if a system file was infected and was in use it could
    not be moved, the move would take place at reboot.

    And if that system file was a critical file the OS might not boot back to
    Windows.

    Moving any file system file is dangerous as the system can become unstable.

    I might be wrong about this so please correct me if so.

    Take Care,
    TheQuest :cool:
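
The trade-off debated in the posts above (moving a detected file into quarantine versus keeping only an encoded copy, and what happens when the original cannot be removed because it is in use), as an added example that is not part of the original thread and is not NOD32's code. The `quarantine`/`restore` functions, the single-byte XOR encoding and the `.q`/`.json` vault layout are assumptions made for illustration.

```python
import hashlib, json, tempfile
from pathlib import Path

KEY = 0xA5  # constructed key: XOR only neutralises the stored bytes, it is not encryption

def _xor(data: bytes) -> bytes:
    return bytes(b ^ KEY for b in data)

def quarantine(path: Path, vault: Path):
    """Store an encoded copy of `path` in `vault`, then try to remove the original.
    Returns (entry, moved); moved is False when the original had to stay in place,
    e.g. a locked system file. Returns (None, False) if the file cannot be read."""
    try:
        data = path.read_bytes()
    except OSError:
        return None, False
    vault.mkdir(parents=True, exist_ok=True)
    digest = hashlib.sha256(data).hexdigest()
    # Name includes the path, so identical files from two locations do not collide.
    name = hashlib.sha256(str(path.resolve()).encode() + data).hexdigest()
    entry = vault / f"{name}.q"
    entry.write_bytes(_xor(data))
    # Sidecar records where the file came from, so a false positive can be restored.
    entry.with_suffix(".json").write_text(
        json.dumps({"original": str(path), "sha256": digest}))
    try:
        path.unlink()  # remove the original only after the copy is safely stored
        return entry, True
    except OSError:
        return entry, False  # copy-only fallback: nothing on the live system changes

def restore(entry: Path) -> Path:
    """Decode a vault entry back to its original location after verifying its hash."""
    meta_path = entry.with_suffix(".json")
    meta = json.loads(meta_path.read_text())
    data = _xor(entry.read_bytes())
    if hashlib.sha256(data).hexdigest() != meta["sha256"]:
        raise ValueError("vault entry does not match its recorded hash")
    target = Path(meta["original"])
    target.write_bytes(data)
    entry.unlink()
    meta_path.unlink()
    return target

def demo():
    with tempfile.TemporaryDirectory() as d:
        sample = Path(d) / "recovery.bin"  # constructed sample, harmless bytes
        sample.write_bytes(b"constructed sample flagged as a false positive")
        entry, moved = quarantine(sample, Path(d) / "vault")
        gone, stored = not sample.exists(), entry.read_bytes()
        return moved, gone, stored, restore(entry).read_bytes()
```

When `moved` comes back `False`, the vault holds only a copy and the original is still live, which is the situation where a reboot-time or offline removal is needed.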
     