strange quarantine operation?!

Discussion in 'NOD32 version 2 Forum' started by iNsuRRecTioN, Dec 18, 2003.

Thread Status:
Not open for further replies.
  1. iNsuRRecTioN

    iNsuRRecTioN Registered Member

    Joined:
    Sep 5, 2003
    Posts:
    303
    Location:
    Germany
    Hi there,

    Why does NOD32V2 quarantine files by copy instead of move? o_O

    I think that's misleading the users. Every AV prog I know moves infected files when it quarantines them, so that you cannot access these files and they are "securely" stored for later operations!

    bye

    iNsuRRecTioN
     
  2. sir_carew

    sir_carew Registered Member

    Joined:
    Sep 2, 2003
    Posts:
    884
    Location:
    Santiago, Chile
    Hi,
    Yes, it's true, I tested it. The motive, I don't know, but it would be an option to remove the file from the original location, maybe a good suggestion for a future version.
     
  3. Buddel

    Buddel Guest

    A very good suggestion, IMHO. :)
     
  4. anders

    anders Eset Staff Account

    Joined:
    Oct 25, 2002
    Posts:
    410
    The quarantine is more of a safe backup place. In order to get the effect you want, select "[ x ] Quarantine", then select what you want to do with the original file.. Clean or Delete.

    Best regards,
    Anders
     
  5. Blackspear

    Blackspear Global Moderator

    Joined:
    Dec 2, 2002
    Posts:
    15,115
    Location:
    Gold Coast, Queensland, Australia
    Anders, my understanding is, if ticked, Nod will try to Clean, if unable, it will Delete, if unable, it will Quarantine.

    Is this correct?

    Cheers :D
     
  6. Mele20

    Mele20 Former Poster

    Joined:
    Apr 29, 2002
    Posts:
    2,495
    Location:
    Hilo, Hawaii
    How do you have the on demand scanner set up? If you have it set to notify/other action plus quarantine that is exactly what it will do. If you have it set to clean and quarantine then it will attempt clean and will also quarantine. The irritating and misleading thing about it is that it COPIES rather than MOVES the file to quarantine. This is contrary to all common sense and to what all other AV do. So, it is very dangerous the way it is presently set up. But then this is the problem with NOD32. It has never been set up logically. Version 2 is much better than version 1 but it is still illogical in many ways. Copying instead of moving to quarantine is one of them. NOD32 is a great scanner, but it is by far the most difficult of all to use because it is so illogical.
     
  7. sig

    sig Registered Member

    Joined:
    Feb 9, 2002
    Posts:
    716
    From the Help file:

    As of version 2.0, NOD32 supports a file quarantine system.

    In most cases, NOD32 is capable of cleaning infected files. In cases where an infected file cannot be cleaned, you may send it to our labs for detailed analysis. The quarantine folder is a convenient location to store infected or suspicious files in a benign form. (That is, in a form that can't be executed.) The location of the quarantine directory is set by default, but it can be changed in the Extended Tab of the NOD32 System Setup page.

    Note that in many cases (especially with Win32 worms), the “infected” file is just the body of the worm. Since a file of this type contains no useful data, it is simply deleted instead of cleaned.
    -------------------------------------------------------------------

    If all quarantine in NOD does is create a copy of the file (in a manner such that the copy cannot be executed) perhaps the action should be called "copy and rename infected file to a storage folder" or something else clearly indicating that it copies the file rather than actually moves and isolates the infected file. This would avoid any confusion for those who expect that the act of putting a file in quarantine means that the original suspect file is actually moved to a quarantine folder. After all, in the common vernacular putting something into quarantine does not mean to "copy" or "back up" but to remove and securely isolate.
     
  8. Blackspear

    Blackspear Global Moderator

    Joined:
    Dec 2, 2002
    Posts:
    15,115
    Location:
    Gold Coast, Queensland, Australia
    I hope it does more than this, if something is "Quarantined" in customs, it is isolated so it cannot infect anything else.

    More light on the subject from an Eset Mod would be appreciated.

    Cheers :D
     
  9. anders

    anders Eset Staff Account

    Joined:
    Oct 25, 2002
    Posts:
    410
    The major difference is that Quarantine isn't an action, it's an.. option... You can select Quarantine, but you still need to select an action (Clean / Delete / Ignore, etc). Calling it "Make backup" might be good, but, then people will complain about not having a quarantine feature, and wonder where the backup was saved.... I think the best thing is to make it clearer (somehow) that you also need to select an action to perform on the file.

    Best regards,
    Anders
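
The behaviour anders describes, as an added example that is not part of the original thread and is not ESET's code: quarantine is modelled as an option that stores an encoded copy, and the separately selected action decides what happens to the original. The XOR encoding, the `.quar` suffix and all function names are assumptions for illustration; "Clean" is not modelled.

```python
import os
import tempfile
from pathlib import Path

XOR_KEY = 0x5A  # constructed key; real products use their own encoding


def quarantine_copy(src: Path, qdir: Path) -> Path:
    """Store an encoded, non-executable COPY of src; src itself is untouched."""
    qdir.mkdir(parents=True, exist_ok=True)
    dst = qdir / (src.name + ".quar")  # hypothetical naming scheme
    dst.write_bytes(bytes(b ^ XOR_KEY for b in src.read_bytes()))
    os.chmod(dst, 0o600)  # no execute bit on the stored copy
    return dst


def restore_bytes(qfile: Path) -> bytes:
    """Decode a quarantined copy, e.g. to submit the sample for analysis."""
    return bytes(b ^ XOR_KEY for b in qfile.read_bytes())


def handle_detection(src: Path, qdir: Path, quarantine: bool, action: str) -> dict:
    """Apply the quarantine OPTION first, then the ACTION on the original."""
    if action not in ("delete", "ignore"):
        raise ValueError(f"unsupported action: {action}")
    copy = quarantine_copy(src, qdir) if quarantine else None
    if action == "delete":
        src.unlink()
    return {"original_present": src.exists(), "quarantined": copy}


def run_cases() -> dict:
    """Run the two configurations argued about in the thread on a dummy file."""
    payload = b"MZ constructed sample, not real malware"
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        base = Path(tmp)
        for action in ("ignore", "delete"):
            src = base / f"sample_{action}.exe"
            src.write_bytes(payload)
            r = handle_detection(src, base / "quarantine", True, action)
            results[action] = {
                "original_present": r["original_present"],
                "copy_differs": r["quarantined"].read_bytes() != payload,
                "recoverable": restore_bytes(r["quarantined"]) == payload,
            }
    return results


if __name__ == "__main__":
    for action, outcome in run_cases().items():
        print(action, outcome)
```

With quarantine ticked and the action left at "ignore", the original file is still in place; only quarantine combined with "delete" gives the move-like result the posters expect.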
     
  10. Blackspear

    Blackspear Global Moderator

    Joined:
    Dec 2, 2002
    Posts:
    15,115
    Location:
    Gold Coast, Queensland, Australia
    Thank you Anders, it is clear now, however, as you suggest, it definitely needs to be reworded, something to the effect of:

    Quarantine infected file that can not be Cleaned or Deleted (this will allow you to send the file to Eset for further analysis)

    Cheers :D
     
  11. sig

    sig Registered Member

    Joined:
    Feb 9, 2002
    Posts:
    716
    That would be accurate only if the suspect file that cannot be cleaned or deleted is actually moved to the Quarantine folder and not just copied.

    Said by Anders: "...Calling it "Make backup" might be good, but, then people will complain about not having a quarantine feature, and wonder where the backup was saved.... "

    In cases where the file cannot be cleaned or deleted is the file actually moved or just copied to the quarantine folder? If it just copies the file it appears that NOD indeed does not have a quarantine feature as many other AV's since the use of the term is not equivalent to common use. It's a backup folder for the infected file, it does not put the infected file itself into quarantine. It makes a safe copy while retaining the infected file in its original location. Is that correct?

    If it is correct, then if people wonder where the backup was saved you can call it anything you want (Suspect Sample Copy Folder or whatever) but it appears that calling it quarantine can be misleading to users as to the actual purpose it performs, given the common use of the term in other AV's.
     
  12. Blackspear

    Blackspear Global Moderator

    Joined:
    Dec 2, 2002
    Posts:
    15,115
    Location:
    Gold Coast, Queensland, Australia
    It sure sounds like it :doubt:

    Agreed

    Indeed the dictionary defines it as: A period of isolation. The place where detention is enforced. Any period or state of enforced isolation.... and so on, and so on....

    To use the word Quarantine, in this instance, is VERY misleading, and needs to be addressed. Like I stated above, my perception was from a logical standpoint: Nod tries to Clean first, if unable, Nod then tries to Delete, if unable, Nod then would Quarantine the infection so it cannot spread, as in ISOLATE the file...

    Cheers :D
     
  13. iNsuRRecTioN

    iNsuRRecTioN Registered Member

    Joined:
    Sep 5, 2003
    Posts:
    303
    Location:
    Germany
    Hi, a simple solution would be an option that moves the files instead of copying them. So for everyone who likes the quarantine operation to copy the file (like a backup), it does that, and for everyone who likes the quarantine operation to move the file, it does so when the move option is activated in NOD32.

    so long.

    iNsuRRecTiON
     
  14. sig

    sig Registered Member

    Joined:
    Feb 9, 2002
    Posts:
    716
    On the one hand I can see that perhaps from ESET's point of view, the file should either be cleaned or deleted and the copy/store function isn't a big deal, rather a convenience if one wants to submit the infected file or perhaps play with it.

    However the use of the word "quarantine" suggests a functional equivalent to the quarantine function popularized by other AV's (and they used the term first) and that appears not to be the case. And again, what happens when a file cannot be cleaned or deleted? (Presumably that can and does happen on occasion.) Does the infected file remain in place and is not moved? Selecting the quarantine function simply sends an encoded copy to the quarantined folder?

    So what ESET might regard as quibbling here over semantics is instead a request for descriptive accuracy in the set up options. Based on what has been said here so far, it seems that when ESET claims NOD has a quarantine function that statement is inaccurate if one compares that feature with the pre-existing quarantine functions/features of other AV's.
     
  15. sir_carew

    sir_carew Registered Member

    Joined:
    Sep 2, 2003
    Posts:
    884
    Location:
    Santiago, Chile
    Hi,
    Maybe ESET in the future will include more options for the quarantine, for example: Add files manually, send it directly to ESET, etc.
     
  16. Blackspear

    Blackspear Global Moderator

    Joined:
    Dec 2, 2002
    Posts:
    15,115
    Location:
    Gold Coast, Queensland, Australia
    Agreed, but not even that, to use the word Quarantine means you are isolating something for protection, this is NOT the case here.

    Cheers :D
     
  17. iNsuRRecTioN

    iNsuRRecTioN Registered Member

    Joined:
    Sep 5, 2003
    Posts:
    303
    Location:
    Germany
    @sir_carew, yes, that's what I mean. Such options on quarantine are very useful and the misleading will be gone :D

    greetz

    iNsuRRecTiON
     
  18. Mele20

    Mele20 Former Poster

    Joined:
    Apr 29, 2002
    Posts:
    2,495
    Location:
    Hilo, Hawaii
    Re:strange quarantine operation?1

    Well it works if you consider finding and then giving only the option to LEAVE as working!

    Eset needs badly to stop focusing on IMON which is an unnecessary piece of junk and focus on what is important...such things as providing PROPER quarantine! This file should have been AUTOMATICALLY quarantined. Instead, it still sits INTACT in my downloaded programs folder. That is INEXCUSABLE.

    I won't be renewing my license in October if quarantine is not fixed. I could care less about anything to do with IMON. I don't use email scanners. My ISP scans all mail with Symantec Corporate and I would never, ever open an attachment in email without saving to disk first and then scanning via command line adv. heuristics. So, Eset, stop focusing on email scanners and fix all the other things that are far more important!
     
  19. Stan999

    Stan999 Registered Member

    Joined:
    Sep 27, 2002
    Posts:
    566
    Location:
    Fort Worth, TX USA
    Re:strange quarantine operation?1

    Hi Mele20,

    I would disagree with this.

    I prefer to have IMON, which uses AH by default, to check the mail prior to the Inbox.

    I probably receive more infected e-mails than you do.

    I want the infected attachment removed but also like to be notified, at the same time, what the infection was which is what IMON does.

    Your method would require additional, unnecessary work and time on my part by having to first save the attachment, then run a scan on it, then delete the saved attachment and also delete the infected email.

    IMON allows me to do all of the above with just one mouse click.

    I am running WinXP Pro and don't have any problems using IMON. IMON, with AH, does a good job of catching the infected mail without additional effort on my part.

    I guess a personal preference for different features is one of the reasons some folks choose one AV over another AV.
     
  20. dvk01

    dvk01 Global Moderator

    Joined:
    Oct 9, 2003
    Posts:
    3,131
    Location:
    Loughton, Essex. UK
    Re:strange quarantine operation?1


    When you read the NOD help files, you will see that quarantine in NOD is NOT used like it is in other set & go antiviruses.

    NOD quarantine does NOT delete the infected file, a copy of the file is put in quarantine so you can send it on to nod for checking if you wish to. You still have to delete the file itself, either through NOD or manually.

    I see no point in ever using quarantine normally and would automatically delete all infected files.

    Why would you want to keep an infected file on your computer, unless you intend to do something else with it?


    This is what NOD help files say about the quarantine folder


    As of version 2.0, NOD32 supports a file quarantine system.

    In most cases, NOD32 is capable of cleaning infected files. In cases where an infected file cannot be cleaned, you may send it to our labs for detailed analysis. The quarantine folder is a convenient location to store infected or suspicious files in a benign form. (That is, in a form that can't be executed.) The location of the quarantine directory is set by default, but it can be changed in the Extended Tab of the NOD32 System Setup page.


    Note that in many cases (especially with Win32 worms), the “infected” file is just the body of the worm. Since a file of this type contains no useful data, it is simply deleted instead of cleaned.
     
  21. Mele20

    Mele20 Former Poster

    Joined:
    Apr 29, 2002
    Posts:
    2,495
    Location:
    Hilo, Hawaii
    Re:strange quarantine operation?1

    I don't want to delete the file. I want the infected file TRANSFERRED not COPIED to quarantine. This is how, Symantec, TrendMicro, McAfee and others do it. It is the standard method. Eset has to go and not only be totally different but not make this clear to the user which is inexcusable. Anyone coming from many other AV to NOD expects NOD to use quarantine like they have been accustomed to.

    Read the thread Blackspear points to. It is discussed there. What I object to is that NOD32 leaves the infected file where it found it and copies it to quarantine. That is so stupid. I love NOD, I love how it doesn't conflict with hardly anything, but I have a fast computer now and it can handle more bloated av so if this isn't fixed, I seriously question if I will renew my subscription. Since I don't get a lot of viruses, I may keep NOD32 in spite of this, but I will certainly trial other av before I decide.

    The infected file should be automatically transferred to quarantine every time. This should be an ironclad rule. You then go to quarantine and deal with it there. Quarantine is the SAFE place to deal with an infected file. Other av companies realize this, why not Eset? From the safe place, you delete it, you send it to Eset, you repair it if possible, rename it or you just leave it in quarantine and do nothing as it cannot harm your computer. If you uninstall NOD32 quarantine is not touched unless you so desire so you can reinstall and quarantine remains with quarantined items inside. So, it is perfectly safe to leave viruses in quarantine if you don't want to deal further with them. It is much faster this way. You run your weekly on demand scheduled scan while you sleep and the next day any viruses have been sent to quarantine (not copied...sent) and you can forget about them and do nothing further unless you wish to.

    NOD32 makes the whole process unnecessarily complicated and drawn out IMO. When you run NOD32 in Clean mode, you have to sit there and watch the entire thing! If you don't, NOD will stop on the first infected file. It won't pop up a screen and notify you even. It just hangs until you finally go back to it and see what has happened. This means that you cannot run a scheduled scan while sleeping unless you run it just in scan mode which means you have to do it all over again if it finds something. NOD32 should simply quarantine any infected files without asking and not change the file when it quarantines as it does now. If it worked this way, then you could run a scheduled scan while sleeping, or run one anytime, and not have to sit and watch the whole thing.
     
  22. Blackspear

    Blackspear Global Moderator

    Joined:
    Dec 2, 2002
    Posts:
    15,115
    Location:
    Gold Coast, Queensland, Australia
    Re:strange quarantine operation?1

    Mele20, one simple word... AGREED :D

    It is not logical when Eset use the word "Quarantine", it should be changed to "Copied", and who within the general public want to make a copy of a virus? I can say 100% for sure, not a single one of my customers, they want the meaning of the word to have the same action, not a new definition, unless Eset can have it adjusted in a dictionary.

    Cheers :D
     
  23. Paul Wilders

    Paul Wilders Administrator

    Joined:
    Jul 1, 2001
    Posts:
    12,472
    Location:
    The Netherlands
    off topic quarantine issue merged into the on topic existing thread - paul

    regards.
     
  24. Steve_Da_B

    Steve_Da_B Registered Member

    Joined:
    Feb 23, 2004
    Posts:
    16
    Location:
    UK
    Kaspersky offers pretty similar options. You select an action like delete, clean whatever; then there's a separate check-box for quarantine.

    I actually have no problem with NOD's way of doing this -- I can set my first action to clean, the second to delete; and then I can decide if I want to keep a copy of all viruses found (ie select quarantine for both first and second action) or just those it couldn't clean. Or none at all.

    Maybe the wording could be changed ("Keep a copy in quarantine"). While a file is in Quarantine it seems to me that it is like the dictionary definition -- it is isolated, can't infect others etc etc.

    Seems that the options can be configured to do pretty much what you like, and as far as I can see mimic the behaviour of other AV progs. Maybe the out-of-the-box default options should be set up to mimic the quarantine behaviour of other AV progs.
     
  25. iNsuRRecTioN

    iNsuRRecTioN Registered Member

    Joined:
    Sep 5, 2003
    Posts:
    303
    Location:
    Germany
    Yes, that's it!

    At KAV, for example, you can choose whether quarantine only copies the file or moves it to the Quarantine, for further analysis or to send it to Kaspersky.

    best regards,

    iNsuRRecTiON
     