RTP and .ini

Discussion in 'ESET NOD32 Antivirus' started by chmiller, Mar 24, 2009.

Thread Status:
Not open for further replies.
  1. chmiller

    chmiller Registered Member

    Joined:
    Feb 7, 2007
    Posts:
    41
    We have an issue where real-time protection is causing NOD to take too long scanning files every time we save ACAD-like drawings (i.e., saving a drawing takes 9 secs as compared to less than a sec with RTP turned off). Looking at Process Monitor, the file that ekrn accesses *many* times upon saving a drawing is CDBASE.ini. At this point, the only way I found to get around this is to exclude .ini files from real-time protection. But I'm afraid that's opening myself up to problems. Is there a better way around this? E.g., is there a way to exclude just that one .ini file without *all* .ini files? Or can I exclude files being accessed by our ACAD-like program?
     
  2. edwin3333

    edwin3333 Registered Member

    Joined:
    Aug 29, 2007
    Posts:
    244
    I have an open case on this issue. Perhaps you can open one too so we can get this fixed? eSafe takes 1 second to "apply changes" without NOD32, but can take over 2 minutes due to this NOD32 INI locking issue. ZENworks crawls when modifying INI files, and we have seen some of the Zen INI settings get corrupted.
     
  3. chmiller

    chmiller Registered Member

    Joined:
    Feb 7, 2007
    Posts:
    41
    Thanks for the information. I had searched these forums for ".ini" to see if this was a known thing, and didn't find much. I'm interested that from what you say this is a well-known issue? I guess my biggest concern is how wide am I opening myself up by excluding all .ini's in real-time protection?
     
  4. edwin3333

    edwin3333 Registered Member

    Joined:
    Aug 29, 2007
    Posts:
    244
    No one can answer that question for you since it depends on your environment. Are you like me where you also have gateway antivirus alongside application-layer exploit filtering and malware URL blocking?

    As far as whitelisting INI's, I wouldn't do it. Google search INI virus and you will see they exist. Also, many viruses "launch" regardless of their file extension due to the way Microsoft handles binary data inside files without looking at the file extension. For example, all these GDI viruses (.jpg, .gif, .tif) execute regardless of what the file type is. They could be named .ini and still execute.

    Will this happen to you? Probably not, but it could.
     
  5. SmackyTheFrog

    SmackyTheFrog Registered Member

    Joined:
    Nov 5, 2007
    Posts:
    767
    Location:
    Lansing, Michigan
    Is the CDBASE.ini file a single file that accompanies the CAD install or a .ini that accompanies each drawing and can be in multiple directories?
     
  6. chmiller

    chmiller Registered Member

    Joined:
    Feb 7, 2007
    Posts:
    41
    Good question. It appears that whenever I open the program to do the drawings, it creates a folder within ...\Local Settings\Temp\folder name\... and the CDBASE.ini is within that temp folder. It uses this same folder as long as the program stays open - regardless of how many separate drawings I work on, or where the drawing files are located. Once I fully close and reopen the drawing program, then a new folder within the ...\Local Settings\Temp\new folder name\... is created which contains a CDBASE.ini.
     