Saved Email 'Threat Found!' Suggestion for NOD32 3.0 and 4.0

Discussion in 'ESET NOD32 Antivirus' started by rnfolsom, Feb 9, 2009.

Thread Status:
Not open for further replies.
    rnfolsom (Registered Member)

    Joined: Nov 9, 2005 | Posts: 247 | Location: Monterey, California
    Note: I will (try to) put a link to this post in Blackspear's "Future Changes to EAV 3.0."

    My suggestion for NOD32 3.0 and 4.0, described at the end of this message, is based on my experience with NOD32 2.70.32, in cleaning up viruses in saved email, discovered by an In-Depth Analysis demand scan of my wife's computer. My suggestion may be moot because 3.0 and 4.0 have already fixed the problem, but I'm posting it here because I won't know whether the newer NOD32 versions did fix it unless (or until) a 3.0 or 4.0 demand scan again finds viruses on my wife's or my computer.

    But I don't expect that to happen soon, because for three or more years we have used NOD32 Antivirus on our Win2k Sp4 laptop computers. And all of our periodic Demand scans always have used In-Depth Analysis without ever discovering a threat --- until a week ago --- presumably because NOD32 v2.x was keeping them out.

    I have spent this past week full time, learning how to remove those viruses, and finally succeeding in doing so.
    [The more detailed "see RNF stumble around" version of that story is in a Wilders NOD32 v2 forum thread, "Email Viruses, NOD32v2 ScanLog Questions," at https://www.wilderssecurity.com/showthread.php?t=232331
    A shorter summary (including suggestions for cleaning infected SeaMonkey email) is in a MozillaZine SeaMonkey forum thread, "Removing Zipped-Trojan infected messages (NOD32 AV)," at http://forums.mozillazine.org/viewtopic.php?f=40&t=1079895 ]

    Removing the infected email messages was difficult because we use the Mozilla SeaMonkey browser and email, which (like its cousin Mozilla Thunderbird, and like its predecessors, Mozilla Suite, Netscape Communicator, and probably the original Netscape) puts many messages into a single archive file. Therefore, the NOD32 scan log did not include message-identifying information such as the message's date and time, subject, or sender. Instead, a typical scan log entry was the following:
    path to SeaMonkey Email's initial folder, then
    Mail\pop.OurISP.com\Inbox >>MBOX >>mail093.eml >>MIME >>jolie.zip >>ZIP >>jolie.exe - Win32/Wigon.EX trojan
    Unfortunately, the message number, in this case mail093, does not show up in SeaMonkey Email, so it's of no use in identifying the infected message.

    I'm NOT suggesting that Eset figure out a way to match that mail number to the message's identifying information. That's asking too much.

    But clicking on an infected saved email's scan log entry generates a Threat Found! dialog box, gray in color (not the usual red-bordered Threat Found! box). And I AM suggesting that that saved email Threat Found! dialog box needs work, because it is VERY confusing.

    On my wife's computer, if the threat was a worm or some other infection other than a Trojan, the dialog box offered five available actions: Leave, Clean, Rename, Delete, and Replace. (I have no idea why one might select either Rename or Replace, which may be why a 3.0 Threat Found! dialog box illustrated in the 3.0 User Guide on page 18 omits them. On the other hand, that illustrated Threat Found! dialog box is not specifically about saved email.)

    But initially, I had a major mystery: sometimes Delete was available so I could (and did) use it; sometimes Delete was not available because everything other than Leave was greyed out. That inconsistency caused me to think that NOD32 was breaking. It took a while for me to realize (probably with the help of something I read somewhere) that if the threat is a worm (or probably many other virus types), Delete will be available, but if the threat is a Trojan (and perhaps some other particular virus types), only the Leave option will be available.

    In Message #2 of the Wilders thread cited above, Marcos explained that "emails in mailboxes (dbx, mbx files) can only be deleted manually from within the appropriate email client. The scan log should show additional details about infected email, such as the sender, date of sending, subject, etc." That definitely helped, although I really don't know what mailboxes are or if SeaMonkey uses them, and I'd never heard of dbx or mbx. But he didn't mention Trojans vs Non-Trojan infections, and clearly his second sentence didn't apply to Mozilla email programs.

    So my experience that infected non-Trojan saved email messages can be deleted from within the scan log, while infected Trojan saved email messages cannot be deleted from within the scan log, may be seriously incomplete.

    SUGGESTION:

    On my wife's computer (reminder: running NOD32 2.70.32), the scan log Threat Found! message for a saved-email-borne Trojan includes the following: "The file can be deleted. It is strongly recommended that you back up any crucial data before you proceed. Cleaning of archive cannot be performed." Note that for an inexperienced scan log user, "the file can be deleted" is in direct conflict with the Delete button being greyed out. That is very confusing, especially if you don't already know that Trojans are special. Note also that the backup recommendation is irrelevant if your only choice is to leave the infection in place.

    I suggest wording something like the following: "This archive cannot be cleaned now, because of the type of infection it contains [or because it contains a Trojan, if that's the only infection that prevents cleaning an archive]. And the entire archive cannot be deleted, because it includes non-infected content. But the infected file within the archive probably can be removed later, from within [or, by using] the appropriate application. For example, an infected email message in an email archive probably can be removed later, from within the email program. But before you open 'the appropriate application' to attempt to remove an infected file from an archive, first back up the archive, for example by copying it or copying a folder containing it."

    Roger Folsom
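The identification problem the post describes (a scan log entry like `Inbox >>MBOX >>mail093.eml >>MIME >>jolie.zip >>ZIP >>jolie.exe` names an archive member, but the mail client never shows that number) can be bridged from the defender's side by walking the mbox file yourself. The following is an added example, not code from the original post or from ESET: it builds a small constructed three-message mbox, numbers the messages in file order, lists each one's date, sender, subject and attachment file names, and maps a scan-log member name back to that position. The mapping assumes the scanner numbers extracted messages sequentially from 1 in file order; that is an assumption about the log format, not something the post confirms, so check it against a known entry before trusting it. Everything else uses only the Python standard library. Back up the mailbox file first, exactly as the post recommends, before deleting anything from inside the mail client.

```python
import mailbox
import os
import tempfile
from email.message import EmailMessage

# Attachment types worth flagging when cross-checking a scan log entry.
# (Constructed list for this example; extend it for your environment.)
ARCHIVE_OR_EXEC = (".zip", ".rar", ".exe", ".scr", ".pif", ".com", ".bat")


def build_sample_mbox(path):
    """Write a constructed three-message mbox (sample data, not real mail).
    The third message carries a zip attachment, mimicking the scan log entry
    quoted in the post; the bytes are placeholders, not a real archive."""
    samples = [
        ("alice@example.org", "Lunch on Friday?", None),
        ("bob@example.org", "Quarterly numbers", ("report.pdf", "pdf", b"%PDF-1.4 sample")),
        ("unknown@example.net", "photo :)", ("jolie.zip", "zip", b"PK\x03\x04 placeholder")),
    ]
    mb = mailbox.mbox(path)
    try:
        for i, (sender, subject, attach) in enumerate(samples, start=1):
            msg = EmailMessage()
            msg["From"] = sender
            msg["To"] = "you@example.org"
            msg["Subject"] = subject
            msg["Date"] = "Mon, 0%d Feb 2009 10:0%d:00 -0800" % (i, i)
            msg.set_content("Body of constructed message %d" % i)
            if attach:
                name, subtype, data = attach
                msg.add_attachment(data, maintype="application",
                                   subtype=subtype, filename=name)
            mb.add(msg)
        mb.flush()
    finally:
        mb.close()


def index_mbox(path):
    """Number every message in file order (1-based) and record the
    identifying headers the scan log omits, plus attachment file names."""
    mb = mailbox.mbox(path)
    try:
        entries = []
        for pos, msg in enumerate(mb, start=1):
            attachments = [p.get_filename() for p in msg.walk() if p.get_filename()]
            entries.append({
                "index": pos,
                "date": msg["Date"],
                "from": msg["From"],
                "subject": msg["Subject"],
                "attachments": attachments,
                # Flag messages whose attachment names end in an archive or
                # executable extension, the shape of the quoted log entry.
                "suspect": any(a.lower().endswith(ARCHIVE_OR_EXEC) for a in attachments),
            })
        return entries
    finally:
        mb.close()


def find_by_log_number(entries, member_name):
    """Map a scan-log member name such as 'mail093.eml' to the entry at
    that position. ASSUMPTION: the scanner numbers members from 1 in file
    order; verify against one known message before relying on it."""
    digits = "".join(ch for ch in member_name if ch.isdigit())
    if not digits:
        return None
    wanted = int(digits)
    for entry in entries:
        if entry["index"] == wanted:
            return entry
    return None


def run_demo():
    """Build the constructed mbox in a temp dir and return its index."""
    workdir = tempfile.mkdtemp()
    path = os.path.join(workdir, "Inbox")
    build_sample_mbox(path)
    return index_mbox(path)


if __name__ == "__main__":
    entries = run_demo()
    for e in entries:
        print("%03d %s | %s | %s | %s%s" % (e["index"], e["date"], e["from"],
              e["subject"], e["attachments"], "  <-- check" if e["suspect"] else ""))
    hit = find_by_log_number(entries, "mail003.eml")
    print("mail003.eml ->", hit["subject"] if hit else "no such message")
```

Run it against a copy of the real Inbox file by replacing `run_demo()` with `index_mbox(r"...\Mail\pop.OurISP.com\Inbox")`; the printed date, sender and subject are what you need to locate and delete the message from inside SeaMonkey or Thunderbird, which is the only supported way to remove one message from an mbox archive.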