Question about AMON

I have recently noticed that when AMON is running (like always) instead of scanning all files as it should, it is quickly switching back and forth between ewidoguard.exe and KPF4gui.exe (which is the Kerio firewall). If I shut down ewido guard then it just scans KPF4gui.exe. If I shut down both, it scans as it should. Is there someway around this problem? I don't want to run without a firewall as I am on DSL.

 

i had the same problem the best thing to do is click on amon then setup and exclusions and exclude ewido file and your fire wall file and all will be fine.

 

donsan thanks for the advice, but can you tell me exactly how to do it? I know how to get in the exclude folder in AMON, but what exactly do I type in for ewido and for Kerio to exclude them?

 

Hi Jayt there is a thread here: https://www.wilderssecurity.com/showthread.php?t=55963

Hope this helps...

Cheers

 

I tried that Blackspear but it doesn't work

 

Thank you ronjor. Now it works. I am greatly appreciative

 

AMON is still scanning everything it should. But yes, it is a waste of CPU time to scan the same exectable a billion times a minute. I have several EXEs excluded myself, including BOClean.exe, BOClean.ini, ewidoguard.exe, and a couple others.

 

Well heres one I can't get to go away......
Its located in documents and settings\yourusername\local settings\temp\WCESCOMM.LOG

Here is the kinda stuff thats in the log.. and I can't get it to exclude it?

11/25/2004 15:41:29.312 - Windows CE Services (3.7.3244) Communication Logging.
11/25/2004 15:41:29.312 - Logging file auto-purge after a successful device connection.
11/25/2004 15:41:29.312 - Connection: Process connection from IP address 127.0.0.1:1043.
11/25/2004 15:41:29.406 - TCP: ....S., 192.168.55.101(1065) => 192.168.55.100(743 Seq=-2006582616--2006582616 Ack=0 Win=32768 Len=48
11/25/2004 15:41:29.421 - Proxy: Connection Attempt on port 7438, dest ip 0x6437a8c0
11/25/2004 15:41:29.421 - TCP: .A..S., 192.168.55.100(743 => 192.168.55.101(1065) Seq=39984-39984 Ack=-2006582615 Win=8760 Len=44
11/25/2004 15:41:29.515 - CesProxy: Accept on port 990, IsWinsock 1, hResult 0
11/25/2004 15:41:29.531 - TCP: ....S., 192.168.55.100(1025) => 192.168.55.101(990) Seq=40093-40093 Ack=0 Win=8192 Len=44
11/25/2004 15:41:29.531 - TCP: .A..S., 192.168.55.101(990) => 192.168.55.100(1025) Seq=-2006496727--2006496727 Ack=40094 Win=32768 Len=44
11/25/2004 15:41:30.312 - CesProxy: Accept on port 7438, IsWinsock 0, hResult 0
11/25/2004 15:41:30.312 - CesProxy: Accept on port 990, IsWinsock 1, hResult 0
11/25/2004 15:41:30.312 - TCP: ....S., 192.168.55.100(1026) => 192.168.55.101(990) Seq=40875-40875 Ack=0 Win=8192 Len=44
11/25/2004 15:41:30.312 - TCP: .A..S., 192.168.55.101(990) => 192.168.55.100(1026) Seq=-2006262601--2006262601 Ack=40876 Win=32768 Len=44
11/25/2004 15:41:30.453 - CesProxy: recv failed on Win socket 990, err = 10054
11/25/2004 15:41:30.453 - CesProxy: Close Win socket 990
11/25/2004 15:41:30.453 - CesProxy: Close PPP socket 990
11/25/2004 15:41:30.453 - TCP: ...R.., 192.168.55.100(1025) => 192.168.55.101(990) Seq=40296-40296 Ack=-2006496685 Win=0 Len=40
11/25/2004 15:41:30.453 - CesProxy: recv failed on PPP socket 990, err = 10053
11/25/2004 15:41:33.906 - TCP: ....S., 192.168.55.101(1066) => 192.168.55.100(999) Seq=-2005353517--2005353517 Ack=0 Win=32768 Len=48
11/25/2004 15:41:34.015 - Proxy: Connection Attempt on port 999, dest ip 0x6437a8c0
11/25/2004 15:41:34.093 - TCP: .A..S., 192.168.55.100(999) => 192.168.55.101(1066) Seq=44656-44656 Ack=-2005353516 Win=8760 Len=44
11/25/2004 15:41:34.234 - TCP: ....S., 192.168.55.101(1067) => 192.168.55.100(567 Seq=-2005295062--2005295062 Ack=0 Win=32768 Len=48
11/25/2004 15:41:34.343 - Proxy: Connection Attempt on port 5678, dest ip 0x6437a8c0
11/25/2004 15:41:34.468 - TCP: .A..S., 192.168.55.100(567 => 192.168.55.101(1067) Seq=45000-45000 Ack=-2005295061 Win=8760 Len=44
11/25/2004 15:41:34.796 - CesProxy: Accept on port 999, IsWinsock 0, hResult 0
11/25/2004 15:41:35.812 - TCP: ....S., 192.168.55.101(106 => 192.168.55.100(567 Seq=-2005061202--2005061202 Ack=0 Win=32768 Len=48
11/25/2004 15:41:35.906 - TCP: .A..S., 192.168.55.100(567 => 192.168.55.101(106 Seq=46468-46468 Ack=-2005061201 Win=8760 Len=44
11/25/2004 15:41:36.093 - CesProxy: Accept on port 5678, IsWinsock 0, hResult 0
11/25/2004 15:41:36.343 - CesProxy: Accept on port 5678, IsWinsock 0, hResult 0

Is the documents and settings area locked off to nod or something?

 

another question.... does anybody know if it is benficial to have AMON scanning system.ini all the time?... mine does it continually?

 

That file looks like it is being permantly written to. Just wondering why it is in a temp location in the first place...

Cheers

 

Yes I did ... I can delete it and it lets me... but once its deleted it obviously can't scan it anymore so you don't see it in amon...however within a few seconds.. it is recreated and written back to the temp dir. and then amon picks it up again.

this file is created I believe from my "Microsoft ActiveSync".. its the program that continually monitors activity on my pda... if the pda is unplugged from its dock then amon no longer scans it...but once the pda is placed back in the dock, then it is again.
If I uncheck in the active sync software for it to not syncronize when docking... it still scans the file... the only way not to scan is to undock the pda.

Its no big deal really..... just wondering why I can't exclude it?
I suppose its a log file similiar to system.ini .... I haven't tried excluding that one yet...

 

I just installed Nod32 on a laptop running XP Pro and ActiveSync. I have almost the same problem as you except mine also still scans this file when not docked or the docking station not even connected to the computer. Has anyone figured out how to make Nod32 stop scanning this file over and over?
Thanks,
Buddy

 

Man.. I still don't have it nailed down.. I too have activesync... but all of the other computers I see with the problem do not.
I turned off pestpatrol, excluded IMON.dll with pestpatrol and I still get the symptoms.

The only other thing I have not done is install that program that times the startups?...
I did install bootvis.exe That did speed up my boottime!... but imon is still a mystery.

I just hope NOD fixes it with the next edition.

 

Just to show how helpful this forum is, I was reading this post and it reminded me to check AMON to see if it was scanning any file continuously. (I hadn't looked at it in some time). I found that it was scanning and rescanning the file SunUserDat.sdb over and over again. It took me a little while to find the file, but I finally found it and excluded it. It is a file that is related to Sunbelt's Counterspy. Now AMON is working like it should.

 

Good to see and thanks for letting us know.

Cheers

 

If its that much of a problem ,You might want to consider letting amon use the default extension list(which wouldnt contain a .log file , i wouldnt have thought) rather than scan all files.
ellison

 

I apolgize for my earlier post.. I responded too hastily.. I thought you were talking about IMON... but you were not.. you were talking about AMON... sorry for the mispost!

 

Well....I gave up. I can't seem to get Amon to stop scanning that one .log file that's part of ActiveSync with Amon set to scan all files. I'd feel more comfortable with it set to scan all files but Amon was scanning that one file several times a second. I did try to add a wildcard to exclusions, *.log but that didn't work either. I ended up unchecking the "scan all files" in Amon. Any ideas why that one file can not be excluded?

Thanks,
Buddy

 

Buddy.. I haven't read your thread thoroughly, but the problem I has was similiar...
In the exclude list you have to exclude both file formats, short and long type...
here is an example:

To exclude files.. put both file formats...

1. Browse the the "file"

2. put the short dos filename... ie: c:\docume~1\yourusername\locals~1\temp\wcescomm.log

3. Now also the long one... ie:
C:\DOCUMENTS AND SETTINGS\yourusername\LOCAL SETTINGS\TEMP\WCESCOMM.LOG

Hope this helps...

 

Thanks for reminding me about this. That worked. I thought Eset claimed to have fixed this problem around a year or so ago, so I didn't think about short dos filename having to be entered manually.
Thank you,
Buddy

 

No prob... I think it has something to do with anything thats in the "documents and settings" folder because that is protected and not visible to the normal network... since windows explorer can see it..you think nod could to eh?

I just noticed that anytime you try to exclude anything in that directory or sub, you get that problem.