That little grey pop up scanning window (bottom right of screen)

Discussion in 'ESET NOD32 v3 Beta Forum' started by Tempest, Aug 21, 2004.

Thread Status:
Not open for further replies.
  1. Tempest

    Tempest Registered Member

    Joined:
    Aug 15, 2004
    Posts:
    23
    I'm a bit puzzled about the new pop up file scanning thing that shows in the bottom right of the screen.

    It seems totally random.

    I go to many, many different websites, all with a wide variety of text and images. Once in a blue moon, for no apparent reason whatsoever, that little gray box pops up and appears to be downloading an image or something.

    But I have seen 100's of images and that box does not pop up.

    It's like totally random and I guess may pop up about twice during an hour of surfing the net.

    Can anyone explain ?
     
  2. Blackspear

    Blackspear Global Moderator

    Joined:
    Dec 2, 2002
    Posts:
    15,115
    Location:
    Gold Coast, Queensland, Australia
    If you have the following ticked by default, then only large files of a certain size will have the pop up window displayed. What the exact size is I have not checked into...

    Hope this helps...

    Cheers :D
     


  3. Sweetie(*)(*)

    Sweetie(*)(*) Registered Member

    Joined:
    Aug 10, 2004
    Posts:
    419
    Location:
    Venus
    This happens to me with p2p and MSN file swapping. It appears to be scanning the hash # of the file, which is quite good, and is how I managed to pick up the new heur virus which was hidden in an mpeg file [posted last week].
    It picked up a hidden ext .iiv
     
  4. Stan999

    Stan999 Registered Member

    Joined:
    Sep 27, 2002
    Posts:
    566
    Location:
    Fort Worth, TX USA

    An image may already be in your browser cache from a prior visit and not downloaded again.
     
  5. Alec

    Alec Registered Member

    Joined:
    Jun 8, 2004
    Posts:
    355
    Location:
    Dallas, TX
    I think it only occurs for files of a certain size as Blackspear and others noted. However, the interesting thing is that I think that there is an upper limit on the file size for its appearance as well. If you think about it, the setting that says "Switch to passive (compatible) for files... larger than [2048]kb" probably means that the translucent popup won't appear for those files larger than 2MB. Why? Because it doesn't really need to. My understanding is that the popup is only there to provide feedback where otherwise there would be none. When IMON HTTP is in passive mode it doesn't wait for full file completion, it passes packets as it receives and processes them. Therefore, the browser itself can display download progress if need be, because it is receiving packets in a timely fashion. So, you probably only see the popup when the downloaded image/file/etc. is between, say, 500 to 2048kb, and then probably only when the download exceeds a set time threshold. That is, if the file is, say, 600KB, but it downloads within 1-2sec... the code for the popup probably isn't triggered since it's not really needed and would be more of an annoyance as it caused excessive flashing in the bottom right corner.
     
  6. Tempest

    Tempest Registered Member

    Joined:
    Aug 15, 2004
    Posts:
    23
    Thanks for the nice Piccie :)
    A Picture's worth a thousand words.....

    To be honest it FEELS totally random (though guess it isn't then)

    I've been browsing around and downloading various freeware files off the net and 99.9% of the time, then out of the blue that little window pops up and I think, what the hell is that doing? I can't say I have ever associated it popping up with anything large.
    I shall have to go to some large image areas and see if it pops up each time.

    Steve's digicams has megabyte+ images of digi camera snapshots. I'll see if one of those triggers it as that's about as big a picture as you will find.
     
  7. Tempest

    Tempest Registered Member

    Joined:
    Aug 15, 2004
    Posts:
    23
  8. Stan999

    Stan999 Registered Member

    Joined:
    Sep 27, 2002
    Posts:
    566
    Location:
    Fort Worth, TX USA
  9. Tempest

    Tempest Registered Member

    Joined:
    Aug 15, 2004
    Posts:
    23
    Yeah, it popped up for those... But why, when it didn't pop up for the other BIG one I posted earlier?

    Is it just file size as they are both jpegs.... (still puzzled)
     
  10. donsan

    donsan Registered Member

    Joined:
    Feb 5, 2004
    Posts:
    149
    Location:
    grand prairie tx
    Hey, nice yard. I didn't get a peep out of NOD when I looked at your pictures.
     
  11. martindijk

    martindijk Registered Member

    Joined:
    Jun 13, 2003
    Posts:
    537
    Location:
    Gorredijk - the Netherlands
    Yep, got three download images on top of each other.

    rgds,
    Martin
     
  12. Stan999

    Stan999 Registered Member

    Joined:
    Sep 27, 2002
    Posts:
    566
    Location:
    Fort Worth, TX USA
    I don't know? Must have something to do with the size maybe. Your large one was around 3.5MB while those yard pictures are around 1MB each.

    If you have a high speed broadband connection the pop-up may not have time to show up with smaller images?
     
  13. Alec

    Alec Registered Member

    Joined:
    Jun 8, 2004
    Posts:
    355
    Location:
    Dallas, TX
    Did you read what I posted earlier? It's not just a "large" file popup, it's a popup that occurs only for a certain RANGE of sizes. Your two files aren't in the range. The small jpg is only 77kb, and the large one you linked to is something like 3.3mb. The default setting in NOD32 is to switch to passive mode for files larger than 2mb. Stan's jpgs are all in the correct size range, that's why his will generate the popup.
     


    Last edited: Aug 22, 2004
  14. Stan999

    Stan999 Registered Member

    Joined:
    Sep 27, 2002
    Posts:
    566
    Location:
    Fort Worth, TX USA
    Hi donsan,

    Thanks. If you didn't get the NOD pop-up download window do you have the IMON HTTP checking enabled?
     
  15. Tempest

    Tempest Registered Member

    Joined:
    Aug 15, 2004
    Posts:
    23
    Ahhh, ok.... The mist is beginning to clear a bit, sorry I didn't understand what you said earlier.
    I thought it was just anything OVER a certain size.
    So we've got a certain range (say 500K - 2000K) for example, anything larger or smaller it ignores.

    OK, fair enough. (not quite following the logic as to why only middle range files have dodgy stuff in them) but ok will accept that.
     
  16. Alec

    Alec Registered Member

    Joined:
    Jun 8, 2004
    Posts:
    355
    Location:
    Dallas, TX
    No, it's not that it only scans those in that range... it's just that it switches to a different mode of operation for the 2mb+ size files. It still scans the large files, it just doesn't wait to completely receive those files before passing packets on to the underlying app. If it waits to completion and it detects a virus, it can dump the whole file and report the virus prior to the underlying app ever seeing any packets. However, in passive mode it's still scanning, but now if it detects a virus and pops up a warning the underlying app has already received a portion of the file in question. NOD32 can try to reset and terminate that TCP session, but some of the malware packets in question may have been downloaded. That potential partial download probably isn't that big of a risk, really, but still the other mode is probably a tad safer.

    The problem is, that for large files this would appear as weird behavior to many users. For example, your large jpg shows up in the browser as a progressive render during the download. That is, it sweeps down from top to bottom as the file downloads. If passive mode wasn't active, then the file would be gathered up by NOD32, you would continue to see a blank screen, and then -- wham -- it would all appear at once. The progressive JPG is sort of a feedback mechanism to let you know that the file is actually being downloaded. Likewise, say you wanted to watch an Apple Quicktime or Windows Media stream. If NOD32 didn't switch to passive, then playback wouldn't begin with only a partial download. It would likely have to wait until the entire stream file had been downloaded.
     
  17. DiGi

    DiGi Registered Member

    Joined:
    Jul 24, 2003
    Posts:
    114
    Location:
    in the middle of nowhere
    The idea for the automatic passive-mode switch was:

    1) all viruses/scripts/malware are small.
    2) it is annoying to wait for *big* files to download... (images, archives)

    So all small files (you CAN specify what "small" means; it depends on your connection speed, for me small files are max 200kb) are scanned in effectivity mode (IMON can show a nice page if the file is infected); bigger ones are scanned only in compatibility mode (the connection is ABORTED if the file is infected - you will get only part of the infected file).

    The popup window appears only in effectivity mode - and effectivity mode is used only for smaller files...
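
The two modes Alec and DiGi describe above, modelled as an added sketch that is not part of the thread and not ESET's code: files up to the threshold are held, scanned and only then released, while larger files are scanned piece by piece as they are forwarded. The marker bytes, the 64 KB piece size and all function names are assumptions; the 2048 KB threshold is the default quoted in the thread.

```python
# Added illustration of the two IMON HTTP modes discussed in the thread.
# All names and the detection marker are assumptions, not ESET code.
SIGNATURE = b"CONSTRUCTED-TEST-MARKER"      # constructed stand-in for a detection
PASSIVE_THRESHOLD = 2048 * 1024             # "larger than [2048]kb" default quoted above
CHUNK = 64 * 1024                           # assumed size of each received piece


def make_body(size, marker_at=None):
    """Build a constructed download body, optionally with the marker embedded."""
    body = bytearray(size)
    if marker_at is not None:
        body[marker_at:marker_at + len(SIGNATURE)] = SIGNATURE
    return bytes(body)


def chunks_of(body, size=CHUNK):
    return [body[i:i + size] for i in range(0, len(body), size)]


def relay(chunks, content_length, threshold=PASSIVE_THRESHOLD):
    """Return (mode, verdict, bytes_the_client_received)."""
    if content_length <= threshold:
        # Buffered mode: hold the whole file, scan, then release or drop it.
        # The client sees nothing meanwhile, which is why a progress popup helps.
        body = b"".join(chunks)
        if SIGNATURE in body:
            return ("buffered", "blocked", 0)
        return ("buffered", "clean", len(body))

    # Passive mode: scan each piece, then forward it immediately.
    delivered, tail = 0, b""
    for chunk in chunks:
        window = tail + chunk               # overlap catches a marker split across pieces
        if SIGNATURE in window:
            return ("passive", "aborted", delivered)
        delivered += len(chunk)
        tail = window[-(len(SIGNATURE) - 1):]
    return ("passive", "clean", delivered)


def demo():
    small = make_body(600 * 1024, marker_at=1000)
    large = make_body(3 * 1024 * 1024, marker_at=1_000_000)
    return (relay(chunks_of(small), len(small)),
            relay(chunks_of(large), len(large)))


if __name__ == "__main__":
    print(demo())
```

The third field is the exposure difference between the modes: nothing reaches the client in buffered mode, while passive mode has already forwarded every piece that arrived before the one containing the detection.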
     
  18. Tempest

    Tempest Registered Member

    Joined:
    Aug 15, 2004
    Posts:
    23
    Thanks for all the explanations.

    I shall bow to people who know a lot more about viruses than myself and leave NOD at its default settings.

    Glad to know it's looking after me :)
     
  19. martindijk

    martindijk Registered Member

    Joined:
    Jun 13, 2003
    Posts:
    537
    Location:
    Gorredijk - the Netherlands
    Well said Tempest.

    rgds,
    Martin
     
  20. Tempest

    Tempest Registered Member

    Joined:
    Aug 15, 2004
    Posts:
    23
  21. Blackspear

    Blackspear Global Moderator

    Joined:
    Dec 2, 2002
    Posts:
    15,115
    Location:
    Gold Coast, Queensland, Australia
    Alec, what program are you using to make your screenshots? They look great :D

    Cheers :D
     
  22. Alec

    Alec Registered Member

    Joined:
    Jun 8, 2004
    Posts:
    355
    Location:
    Dallas, TX
    Photoshop Elements. It's pretty handy for that sort of thing. For screenshots you will also probably get better results with GIFs than with JPGs. You can quickly compare the two in PhotoshopE, and it seems to auto select the better format in most cases.

    Edit: Oops, I should say that the screenshot itself was taken with AnalogX's Capture utility (freeware), THEN I just used PhotoshopE to convert from a huge BMP into a GIF (plus add the ellipse for highlighting).
     
  23. Blackspear

    Blackspear Global Moderator

    Joined:
    Dec 2, 2002
    Posts:
    15,115
    Location:
    Gold Coast, Queensland, Australia
    Thanks for that :D

    Cheers :D
     
  24. Alec

    Alec Registered Member

    Joined:
    Jun 8, 2004
    Posts:
    355
    Location:
    Dallas, TX
    You're quite welcome. :D
     
  25. Everton1878

    Everton1878 Guest

    Noticed that box when starting bittorrent client, but not with anything else.

    Just tried it with the IL2 forum link...
    I get the grey box when browsing using IE but not when using Firefox.

    Does it not monitor when using Firefox or is it just because Firefox loads images quicker than IE?
     