That big Temp file..... DviX (Put to rest hopefully)

Discussion in 'ESET NOD32 Antivirus' started by MaVRiC, Jan 15, 2008.

Thread Status:
Not open for further replies.
  1. MaVRiC

    MaVRiC Registered Member

    Joined:
    Dec 7, 2007
    Posts:
    25
    I see a lot of concern about this big file and that the system apparently freezes for everyone concerned with scanning the Firefox / Thunderbird folders with the DivX web player installed.

    I had concerns as well, but I've done a bit of playing and analyzing. Hopefully I can put this to bed for a lot of people.

    From what I have read of late, and from listening to a podcast about NOD's advanced heuristics engine, it creates a sandbox environment and emulates (or at least tries to) what a specific file does so it can evaluate whether the file is malicious or not. So the temp file created must be the sandbox environment.

    The 1.6 GB and 880 MB files created are very near to the size of a double and single CD DivX AVI movie respectively, so seeing that I would say that DLL is used in the process of encoding as well as just playing.


    In this image the folder properties report 160 files, yet EAV has scanned a total of 1593 written files (this scan was a selective scan on Thunderbird only).

    ci5.png


    Now in this image we see that EAV has not stopped responding, but is in fact running and using bucketloads of I/O while utilizing very little CPU time to do its job. I like that; it means I can get on with other stuff and not have the CPU tied up in a scan.

    ci1.png


    Now this image is a snip of a Sysinternals Filemon log. This log was huge: a total of 178023 file read/write operations (I won't post the log; it was 12 MB in size).

    ci4.png

    So, to sum it up for those out there worried about this:
    NOD32 is doing its job on a file that looks like it is used to create AVI files of 1.6 GB in size, and using very little in the way of resources to do it (nice move, ESET). That is why it seems to hang; it is not hanging, it is grinding away at its job. Just give it time and it will complete, depending on your system specs. My system took just over 4 minutes to do the task, and it is no slow box.

    Hope this helps. If anyone else has a theory on this, it would be good to hear you chime in as well.
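One way to do the Filemon tally MaVRiC describes above in code, as an added example rather than anything from the original post: parse a Filemon-style tab-separated log, aggregate read/write counts and byte totals per process and path, and rank the files by bytes written so a large scanner temp file stands out. The log lines are constructed for the demonstration (the column layout is an approximation of Filemon's export, and "ekrn.exe" is assumed here as a stand-in for the scanner process); the paths and sizes are not measurements from the post.

```python
"""Tally a Sysinternals Filemon-style log by process and path.

Added example, not code from the original post. The layout below approximates
Filemon's tab-separated export: sequence, time, process:pid, request, path,
result, other. "ekrn.exe" is an assumed scanner process name; every path and
size in SAMPLE_LOG is constructed for the demonstration.
"""
import re
from collections import defaultdict

# Filemon puts transfer sizes in the trailing "other" column as "Length: N".
LENGTH_RE = re.compile(r"Length:\s*(\d+)")

# Constructed sample log (not a real capture).
SAMPLE_LOG = """\
1\t9:01:02 PM\tekrn.exe:1180\tOPEN\tC:\\Program Files\\Mozilla Thunderbird\\plugins\\npdivx32.dll\tSUCCESS\tOptions: Open  Access: Read
2\t9:01:02 PM\tekrn.exe:1180\tREAD\tC:\\Program Files\\Mozilla Thunderbird\\plugins\\npdivx32.dll\tSUCCESS\tOffset: 0 Length: 65536
3\t9:01:03 PM\tekrn.exe:1180\tWRITE\tC:\\DOCUME~1\\user\\LOCALS~1\\Temp\\~DF0001.tmp\tSUCCESS\tOffset: 0 Length: 1048576
4\t9:01:03 PM\tekrn.exe:1180\tWRITE\tC:\\DOCUME~1\\user\\LOCALS~1\\Temp\\~DF0001.tmp\tSUCCESS\tOffset: 1048576 Length: 1048576
5\t9:01:04 PM\tekrn.exe:1180\tREAD\tC:\\DOCUME~1\\user\\LOCALS~1\\Temp\\~DF0001.tmp\tSUCCESS\tOffset: 0 Length: 524288
6\t9:01:04 PM\tfirefox.exe:2208\tREAD\tC:\\Program Files\\Mozilla Firefox\\plugins\\npdivx32.dll\tSUCCESS\tOffset: 0 Length: 4096
7\t9:01:05 PM\tekrn.exe:1180\tCLOSE\tC:\\DOCUME~1\\user\\LOCALS~1\\Temp\\~DF0001.tmp\tSUCCESS\t
"""


def parse_line(line):
    """Return one parsed record, or None for blank or malformed lines."""
    parts = line.rstrip("\n").split("\t")
    if len(parts) < 6:
        return None
    _seq, _time, proc, request, path, result = parts[:6]
    other = parts[6] if len(parts) > 6 else ""
    m = LENGTH_RE.search(other)
    return {
        "process": proc.split(":")[0],   # strip the ":pid" suffix
        "request": request.upper(),
        "path": path,
        "result": result,
        "length": int(m.group(1)) if m else 0,
    }


def summarise(text):
    """Aggregate per (process, path): operation counts and bytes per direction."""
    stats = defaultdict(lambda: {"ops": 0, "reads": 0, "writes": 0,
                                 "bytes_read": 0, "bytes_written": 0})
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        entry = stats[(rec["process"], rec["path"])]
        entry["ops"] += 1
        if rec["request"] == "READ":
            entry["reads"] += 1
            entry["bytes_read"] += rec["length"]
        elif rec["request"] == "WRITE":
            entry["writes"] += 1
            entry["bytes_written"] += rec["length"]
    return dict(stats)


def is_temp_path(path):
    """True when the path sits under a \\Temp\\ directory (case-insensitive)."""
    return "\\temp\\" in path.lower()


def largest_written(stats, n=5):
    """(process, path, bytes_written) tuples, largest writers first, zero writers dropped."""
    ranked = sorted(stats.items(), key=lambda kv: kv[1]["bytes_written"], reverse=True)
    return [(proc, path, s["bytes_written"])
            for (proc, path), s in ranked[:n] if s["bytes_written"] > 0]


def total_ops(stats):
    """Total number of parsed operations, the figure Filemon reports as the log length."""
    return sum(s["ops"] for s in stats.values())


if __name__ == "__main__":
    stats = summarise(SAMPLE_LOG)
    print(f"{total_ops(stats)} operations parsed")
    for proc, path, nbytes in largest_written(stats):
        flag = " (temp file)" if is_temp_path(path) else ""
        print(f"{proc:12} {nbytes:>12} bytes written  {path}{flag}")
```

Run it against a real Filemon export (or a Process Monitor CSV after adjusting the column split) and the top of the ranked list is the file the scanner is spending its I/O on; comparing that size against the DLL's unpacked payload is the check behind the post's "it is not hanging, it is grinding away" conclusion.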
     
  2. Stijnson

    Stijnson Registered Member

    Joined:
    Nov 7, 2007
    Posts:
    533
    Location:
    Paranoia Heaven
    Great explanation MaVRiC! Thanks for taking the time to explain this for all those who have issues regarding this topic.

    I have one question though: assuming you are right about the 'sandbox emulation', does this also apply to v2.7, or is this something that is only featured in v3.0?
    Because if this 'sandbox emulation' is a v3.0-only feature, people with 2.7 might still wonder what is causing the scan delay.
     
  3. jmc777

    jmc777 Registered Member

    Joined:
    Aug 6, 2004
    Posts:
    244
    Thanks for the explanation. I wonder if the 2792 sig update helped things, as scanning the DivX installer doesn't hang my system like it did yesterday. (And I've also noticed that a file which took over 60mins to scan, the Sony Ericsson updater installer, now scans in under a minute. I sent support some info about it on Friday, and they seem to have tweaked something.)
     
  4. lucas1985

    lucas1985 Retired Moderator

    Joined:
    Nov 9, 2006
    Posts:
    4,047
    Location:
    France, May 1968
    Sandbox emulation = Advanced heuristics.
     
  5. Chalawah

    Chalawah Registered Member

    Joined:
    Jul 26, 2005
    Posts:
    75
    Location:
    Australia
    MaVRiC,

    Thank you for the time and thought you have put into your post.

    I will use your method to analyse computing issues in the future.

    A lesson learned.

    Thanks.:cool:
     
  6. MaVRiC

    MaVRiC Registered Member

    Joined:
    Dec 7, 2007
    Posts:
    25
    No problems :) It's only a theory, but a logical one.

    I have noticed today that with the latest update of the archive module and signature files there is no large temp file, a super fast scan, and an unpack error in the scan log.

    I wonder if this particular file has been deliberately bypassed by the scan engine o_O

    C:\Program Files\mozilla firefox\plugins\npdivx32.dll » PECompact v2.xx - unpack error
    C:\Program Files\Mozilla Thunderbird\plugins\npdivx32.dll » PECompact v2.xx - unpack error

    =================================================
    Virus signature database: 2796 (20080116)
    Update module: 1019 (20071030)
    Antivirus and antispyware scanner module: 1102 (20080103)
    Advanced heuristics module: 1068 (20071119)
    Archive support module: 1070 (20080115)
    Cleaner module: 1024 (20071217)
    =================================================
     
  7. Supersnake

    Supersnake Registered Member

    Joined:
    Jul 12, 2003
    Posts:
    121
    I'm impressed with how well you presented this to us MaVRiC.
    Thank you.
     
  8. COSMO26

    COSMO26 Registered Member

    Joined:
    Oct 21, 2003
    Posts:
    404
    The tragedy of this excellent post is that it won't be a "Sticky", and anyone searching for "That big Temp file..... DviX" will endure reading 56 posts for "That", 28 posts for "big", 66 for "Temp", etc., with unknown threads in each you have to read. I laugh at jerks who pontificate "Don't you search?" (most on MS Chat).

    There is no better forum than this one, but someone either needs to change the search method, or start posting "Stickies", or say "We have outlawed going to the bathroom during the new rollout, so just be patient." A long-ago reply stated this "format" type forum sucks for "Search" (just Google), but ESET shouldn't shoot itself in the foot daily with critical info not being readily displayed OR FOUND EASILY!!!!!
     