Question about AMON

Discussion in 'NOD32 version 2 Forum' started by jayt, Nov 24, 2004.

Thread Status:
Not open for further replies.
  1. jayt

    jayt Registered Member

    Joined:
    Aug 30, 2004
    Posts:
    345
    Location:
    PA - USA
    I have recently noticed that when AMON is running (like always), instead of scanning all files as it should, it is quickly switching back and forth between ewidoguard.exe and KPF4gui.exe (which is the Kerio firewall). If I shut down ewido guard then it just scans KPF4gui.exe. If I shut down both, it scans as it should. Is there some way around this problem? I don't want to run without a firewall as I am on DSL.
     
  2. donsan

    donsan Registered Member

    Joined:
    Feb 5, 2004
    Posts:
    149
    Location:
    grand prairie tx
    I had the same problem. The best thing to do is click on AMON, then Setup and Exclusions, and exclude the ewido file and your firewall file, and all will be fine.
     
  3. jayt

    jayt Registered Member

    Joined:
    Aug 30, 2004
    Posts:
    345
    Location:
    PA - USA
    donsan thanks for the advice, but can you tell me exactly how to do it? I know how to get in the exclude folder in AMON, but what exactly do I type in for ewido and for Kerio to exclude them?
     
  4. Blackspear

    Blackspear Global Moderator

    Joined:
    Dec 2, 2002
    Posts:
    15,115
    Location:
    Gold Coast, Queensland, Australia
    Hi Jayt, there is a thread here: https://www.wilderssecurity.com/showthread.php?t=55963

    Hope this helps...

    Cheers :D
     
  5. jayt

    jayt Registered Member

    Joined:
    Aug 30, 2004
    Posts:
    345
    Location:
    PA - USA
    I tried that Blackspear but it doesn't work :(
     
  6. ronjor

    ronjor Global Moderator

    Joined:
    Jul 21, 2003
    Posts:
    57,770
    Location:
    Texas
    Jayt

    Go to Exclusions. Click on Add. Click File at the pointer in the screenshot, then click File at the bottom of the window. Browse to Program Files, open Kerio and click on the file that is continuously scanned. It will show up in the window.
    Click apply. Do that for as many files as you want.
     

    Attached Files:

  7. jayt

    jayt Registered Member

    Joined:
    Aug 30, 2004
    Posts:
    345
    Location:
    PA - USA
    Thank you ronjor. Now it works. I am greatly appreciative :D
     
  8. ronjor

    ronjor Global Moderator

    Joined:
    Jul 21, 2003
    Posts:
    57,770
    Location:
    Texas
    Good to hear Jayt. NOD has so many options for configuration, it can be confusing at times.
     
  9. nameless

    nameless Registered Member

    Joined:
    Feb 23, 2003
    Posts:
    1,184
    AMON is still scanning everything it should. But yes, it is a waste of CPU time to scan the same executable a billion times a minute. I have several EXEs excluded myself, including BOClean.exe, BOClean.ini, ewidoguard.exe, and a couple of others.
     
  10. windstrings

    windstrings Registered Member

    Joined:
    Oct 20, 2004
    Posts:
    337
    Well, here's one I can't get to go away......
    It's located in documents and settings\yourusername\local settings\temp\WCESCOMM.LOG

    Here is the kind of stuff that's in the log.. and I can't get it to exclude it?

    11/25/2004 15:41:29.312 - Windows CE Services (3.7.3244) Communication Logging.
    11/25/2004 15:41:29.312 - Logging file auto-purge after a successful device connection.
    11/25/2004 15:41:29.312 - Connection: Process connection from IP address 127.0.0.1:1043.
    11/25/2004 15:41:29.406 - TCP: ....S., 192.168.55.101(1065) => 192.168.55.100(7438) Seq=-2006582616--2006582616 Ack=0 Win=32768 Len=48
    11/25/2004 15:41:29.421 - Proxy: Connection Attempt on port 7438, dest ip 0x6437a8c0
    11/25/2004 15:41:29.421 - TCP: .A..S., 192.168.55.100(7438) => 192.168.55.101(1065) Seq=39984-39984 Ack=-2006582615 Win=8760 Len=44
    11/25/2004 15:41:29.515 - CesProxy: Accept on port 990, IsWinsock 1, hResult 0
    11/25/2004 15:41:29.531 - TCP: ....S., 192.168.55.100(1025) => 192.168.55.101(990) Seq=40093-40093 Ack=0 Win=8192 Len=44
    11/25/2004 15:41:29.531 - TCP: .A..S., 192.168.55.101(990) => 192.168.55.100(1025) Seq=-2006496727--2006496727 Ack=40094 Win=32768 Len=44
    11/25/2004 15:41:30.312 - CesProxy: Accept on port 7438, IsWinsock 0, hResult 0
    11/25/2004 15:41:30.312 - CesProxy: Accept on port 990, IsWinsock 1, hResult 0
    11/25/2004 15:41:30.312 - TCP: ....S., 192.168.55.100(1026) => 192.168.55.101(990) Seq=40875-40875 Ack=0 Win=8192 Len=44
    11/25/2004 15:41:30.312 - TCP: .A..S., 192.168.55.101(990) => 192.168.55.100(1026) Seq=-2006262601--2006262601 Ack=40876 Win=32768 Len=44
    11/25/2004 15:41:30.453 - CesProxy: recv failed on Win socket 990, err = 10054
    11/25/2004 15:41:30.453 - CesProxy: Close Win socket 990
    11/25/2004 15:41:30.453 - CesProxy: Close PPP socket 990
    11/25/2004 15:41:30.453 - TCP: ...R.., 192.168.55.100(1025) => 192.168.55.101(990) Seq=40296-40296 Ack=-2006496685 Win=0 Len=40
    11/25/2004 15:41:30.453 - CesProxy: recv failed on PPP socket 990, err = 10053
    11/25/2004 15:41:33.906 - TCP: ....S., 192.168.55.101(1066) => 192.168.55.100(999) Seq=-2005353517--2005353517 Ack=0 Win=32768 Len=48
    11/25/2004 15:41:34.015 - Proxy: Connection Attempt on port 999, dest ip 0x6437a8c0
    11/25/2004 15:41:34.093 - TCP: .A..S., 192.168.55.100(999) => 192.168.55.101(1066) Seq=44656-44656 Ack=-2005353516 Win=8760 Len=44
    11/25/2004 15:41:34.234 - TCP: ....S., 192.168.55.101(1067) => 192.168.55.100(5678) Seq=-2005295062--2005295062 Ack=0 Win=32768 Len=48
    11/25/2004 15:41:34.343 - Proxy: Connection Attempt on port 5678, dest ip 0x6437a8c0
    11/25/2004 15:41:34.468 - TCP: .A..S., 192.168.55.100(5678) => 192.168.55.101(1067) Seq=45000-45000 Ack=-2005295061 Win=8760 Len=44
    11/25/2004 15:41:34.796 - CesProxy: Accept on port 999, IsWinsock 0, hResult 0
    11/25/2004 15:41:35.812 - TCP: ....S., 192.168.55.101(1068) => 192.168.55.100(5678) Seq=-2005061202--2005061202 Ack=0 Win=32768 Len=48
    11/25/2004 15:41:35.906 - TCP: .A..S., 192.168.55.100(5678) => 192.168.55.101(1068) Seq=46468-46468 Ack=-2005061201 Win=8760 Len=44
    11/25/2004 15:41:36.093 - CesProxy: Accept on port 5678, IsWinsock 0, hResult 0
    11/25/2004 15:41:36.343 - CesProxy: Accept on port 5678, IsWinsock 0, hResult 0

    Is the documents and settings area locked off to nod or something?
     
  11. windstrings

    windstrings Registered Member

    Joined:
    Oct 20, 2004
    Posts:
    337
    Another question.... does anybody know if it is beneficial to have AMON scanning system.ini all the time?... mine does it continually?
     
  12. Blackspear

    Blackspear Global Moderator

    Joined:
    Dec 2, 2002
    Posts:
    15,115
    Location:
    Gold Coast, Queensland, Australia
    That file looks like it is being permanently written to. Just wondering why it is in a temp location in the first place...

    Cheers :D
     
    Last edited: Nov 25, 2004
  13. windstrings

    windstrings Registered Member

    Joined:
    Oct 20, 2004
    Posts:
    337
    Yes I did ... I can delete it and it lets me... but once it's deleted it obviously can't scan it anymore, so you don't see it in AMON... however within a few seconds it is recreated and written back to the temp dir, and then AMON picks it up again.

    This file is created, I believe, by my "Microsoft ActiveSync".. it's the program that continually monitors activity on my PDA... if the PDA is unplugged from its dock then AMON no longer scans it... but once the PDA is placed back in the dock, then it is again.
    If I uncheck in the ActiveSync software for it to not synchronize when docking... it still scans the file... the only way not to scan is to undock the PDA.

    It's no big deal really..... just wondering why I can't exclude it?
    I suppose it's a log file similar to system.ini .... I haven't tried excluding that one yet...
     
  14. Budman

    Budman Registered Member

    Joined:
    Dec 23, 2002
    Posts:
    24
    I just installed Nod32 on a laptop running XP Pro and ActiveSync. I have almost the same problem as you except mine also still scans this file when not docked or the docking station not even connected to the computer. Has anyone figured out how to make Nod32 stop scanning this file over and over?
    Thanks,
    Buddy
     
  15. windstrings

    windstrings Registered Member

    Joined:
    Oct 20, 2004
    Posts:
    337
    Man.. I still don't have it nailed down.. I too have activesync... but all of the other computers I see with the problem do not.
    I turned off pestpatrol, excluded IMON.dll with pestpatrol and I still get the symptoms.

    The only other thing I have not done is install that program that times the startups?...
    I did install bootvis.exe That did speed up my boottime!... but imon is still a mystery.

    I just hope NOD fixes it with the next edition.
     
  16. jayt

    jayt Registered Member

    Joined:
    Aug 30, 2004
    Posts:
    345
    Location:
    PA - USA
    Just to show how helpful this forum is, I was reading this post and it reminded me to check AMON to see if it was scanning any file continuously. (I hadn't looked at it in some time). I found that it was scanning and rescanning the file SunUserDat.sdb over and over again. It took me a little while to find the file, but I finally found it and excluded it. It is a file that is related to Sunbelt's Counterspy. Now AMON is working like it should.
     
  17. Blackspear

    Blackspear Global Moderator

    Joined:
    Dec 2, 2002
    Posts:
    15,115
    Location:
    Gold Coast, Queensland, Australia
    Good to see and thanks for letting us know.

    Cheers :D
     
  18. ellison64

    ellison64 Registered Member

    Joined:
    Oct 5, 2003
    Posts:
    2,499
    If it's that much of a problem, you might want to consider letting AMON use the default extension list (which wouldn't contain a .log file, I wouldn't have thought) rather than scan all files.
    ellison
     
  19. windstrings

    windstrings Registered Member

    Joined:
    Oct 20, 2004
    Posts:
    337
    I apologize for my earlier post.. I responded too hastily.. I thought you were talking about IMON... but you were not.. you were talking about AMON... sorry for the mispost!
     
  20. Budman

    Budman Registered Member

    Joined:
    Dec 23, 2002
    Posts:
    24
    Well.... I gave up. I can't seem to get AMON to stop scanning that one .log file that's part of ActiveSync with AMON set to scan all files. I'd feel more comfortable with it set to scan all files, but AMON was scanning that one file several times a second. I did try to add a wildcard to exclusions, *.log, but that didn't work either. I ended up unchecking the "scan all files" in AMON. Any ideas why that one file cannot be excluded?

    Thanks,
    Buddy
     
  21. windstrings

    windstrings Registered Member

    Joined:
    Oct 20, 2004
    Posts:
    337
    Buddy.. I haven't read your thread thoroughly, but the problem I had was similar...
    In the exclude list you have to exclude both file formats, short and long type...
    here is an example:

    To exclude files.. put both file formats...

    1. Browse to the "file"

    2. put the short DOS filename... ie: c:\docume~1\yourusername\locals~1\temp\wcescomm.log

    3. Now also the long one... ie:
    C:\DOCUMENTS AND SETTINGS\yourusername\LOCAL SETTINGS\TEMP\WCESCOMM.LOG

    Hope this helps...
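An added illustration of why the post above needs both name forms in the exclude list. This is example code, not from this thread and not Eset's AMON code: it models an on-access exclusion matcher that compares the path string carried by each file event against the exclusion entries, first with a naive case-folded compare and then with 8.3 aliases expanded. The alias table, the "~1" suffixes, the file paths and the event sequence are all constructed for the example; real short-name suffixes are assigned per volume, which is exactly why the short form has to be looked up rather than typed from memory.

```python
import ntpath

# Constructed 8.3 alias table: the short names this (imaginary) volume hands
# back for the long directory names. The "~1" suffix is assigned per volume,
# so on a real machine it must be read from the file system, not guessed.
SHORT_ALIASES = {
    "documents and settings": "docume~1",
    "local settings": "locals~1",
    "program files": "progra~1",
}
LONG_FROM_SHORT = {short: long for long, short in SHORT_ALIASES.items()}


def normalize(path: str) -> str:
    """Naive key: fold case and normalize separators, but leave 8.3 aliases alone.

    This models a matcher that compares the path string an on-access event
    carries against the exclusion entries with no alias resolution, so the
    long and short spellings of one file are two different keys.
    """
    return ntpath.normpath(path).lower()


def canonicalize(path: str) -> str:
    """Stronger key: expand every known 8.3 alias so both name forms collide."""
    parts = normalize(path).split("\\")
    return "\\".join(LONG_FROM_SHORT.get(part, part) for part in parts)


def is_excluded(event_path: str, exclusions: list[str], canonical: bool = False) -> bool:
    """True if the event's path matches an exclusion entry under the chosen key."""
    key = canonicalize if canonical else normalize
    wanted = key(event_path)
    return any(key(entry) == wanted for entry in exclusions)


def demo() -> dict[str, list[bool]]:
    """Run the exclusion lists from the post against both spellings of the file."""
    long_path = r"C:\DOCUMENTS AND SETTINGS\yourusername\LOCAL SETTINGS\TEMP\WCESCOMM.LOG"
    short_path = r"c:\docume~1\yourusername\locals~1\temp\wcescomm.log"
    # Constructed events: the same file reported once under each name form.
    events = [long_path, short_path]
    long_only = [long_path]
    both_forms = [long_path, short_path]
    return {
        # Only the long-name event is suppressed; the 8.3 event still gets scanned.
        "long_only_naive": [is_excluded(e, long_only) for e in events],
        # Listing both forms, as the post advises, covers both events.
        "both_forms_naive": [is_excluded(e, both_forms) for e in events],
        # A matcher that canonicalizes would not need the second entry at all.
        "long_only_canonical": [is_excluded(e, long_only, canonical=True) for e in events],
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The design point for anyone writing or auditing an exclusion feature: an exclusion keyed on the spelling of a path is only as complete as the list of spellings, and 8.3 aliases are one more spelling of the same file. Resolving each event to a canonical path (or to the file's identity) before comparing removes the need for the user to know the short name at all.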
     
  22. Budman

    Budman Registered Member

    Joined:
    Dec 23, 2002
    Posts:
    24
    Thanks for reminding me about this. That worked. I thought Eset claimed to have fixed this problem around a year or so ago, so I didn't think about short dos filename having to be entered manually.
    Thank you,
    Buddy
     
  23. windstrings

    windstrings Registered Member

    Joined:
    Oct 20, 2004
    Posts:
    337
    No prob... I think it has something to do with anything that's in the "documents and settings" folder, because that is protected and not visible to the normal network... since Windows Explorer can see it.. you think NOD could too, eh?

    I just noticed that anytime you try to exclude anything in that directory or sub, you get that problem.
     