Thinking about asking for my money back on a NOD32 license - AMON issue.

Thinking about asking for my money back on a NOD32 license - AMON issue. - Progress

All,

I've emailed support on this issue and hope it can be resolved but I thought I'd chime in here to see if anyone else has run into this AMON issue.

The issue is this:

NOD32 will be running on a file server and therefore it will be required to scan files that will be copied to the server via network shares. AMON scans my test virus EXE upon creation (i copy it to the fileserver) but then does nothing automatically with them, if I have the option to display an alert window unchecked in the AMON setup. Another user can then come along and copy the infected file down to his system. In addition, if I then go to the file server and execute the file, AMON detects it all right (and even offers me the option to delete it, if I have that enabled), it DOES NOT PREVENT the virus from infecting the system. Although this seems to be a huge fault, it's not my primary concern.

My primary concern is that I'm unable to, in an automated manner, stop viruses which have been copied up to and then down from my file server.

Please let me know if anyone can shed some light on this issue.

Thanks!!!

-Ryan

 

Wow. Can anyone duplicate this behavoir?

This sounds like a pretty big security risk ... there should be some way to prevent that.

 

I must be missing something here
- is there any reason why setting AMON to clean automatically wouldn't work?

 

I tried both "Clean automatically" and "Prohibit Access" neither of which actually did anything to the file after it was copied to the share (Even though it was scanned and showed up as a virus in the NOD32 logs, there was no action taken. It did not even prevent access to the file when I tried to copy it back down from another machine.

 

Your "test virus exe?" What file are we talking about here?

 

Just tested "Prohibit Access" here and it does exactly what I expected of it - makes the file locked both locally and remotely. If you've still got access remotely I wonder if its actually a network cached version rather than a live version?
"Clean Automatically" also leaves the file locked both locally and remotely if it's unable to clean it.

In fact they both work quite well for me. I assume that since you're talking about a file server you're using standard M$ network shares? - not that it should be any different regardless

 

A version of agobot that is being detected via heuristics.

That actually brings up a good point... perhaps it only displays this behavior on heuristically detected viruses?

 

could you please email me a preferably zipped copy Here and I'll test it as well if you like?

 

YGM. It's a zipped executable.

To recap: I'm able to copy it up to the server w/ nod and then copy it right back, no cleaning or locking occurs. It DOES show up in the log though.

Thanks!!

 

I agree with what has been posted (no sense repeating it 2 sections down)

Having it set with these options has always worked for me and my clients. Prohibit access should work the way it is specified.

Keep us posted

 

Thanks Capp,

Can you confirm that it has worked the same way for heuristically detected viruses as well?

-Ryan

 

Well, I can't confirm because with my settings, if it detects something...it cleans & deletes if it cannot clean. Most of the time, viruses are deleted so I don't have to mess with them again.

 

For probably unknown NewHeur_PE (probable variant) it does appear to work a little different. I was able to operate on that file as you said you were. I can only think that it must be because it's considered unacceptable for false positives to be deleted/locked although it's such a rare occurence. If your PC's have got NOD installed and configured like mine I would still think it not possible to run the exe even though it's not locked for acces as a HE detect.
I'm sending a copy to ESET now just in case they haven't yes got one elsewhere to build a signature from - thats the best and quickest way to resolve it - get it added to the signatures !!!
I should mention that uploading via eMail or HTTP still brought about the standard high impact responses even with the file tucked away inside a ZIP

 

I've just tested w/ the eicar.com file and can confirm that it's the heuristic detection that's working differently.. Hopefully I'll hear back from support to confirm or deny this.

It DID let me execute and infect myself with this virus, even though it was detected as NewHeur_PE though.... One of the reasons I've been pushing NOD at my company is because it's heuristics have allowed it to detect some viruses that NAV has let right through. This agobot variant being one of them. But if it's not going to do anything with them on the file server I'm not sure what my next step is.

Thanks for your help NOD32 user!

 

No problem
I must confess I'm surprised it let you infect yourself.
FYI - have you seen the advanced config guide that Blackspear has put up?
[thread=37509]Config Guide[/thread]
Happy NODding

 

I'm kinda surprised as well.

Any brave soul out there want to duplicate the results? It's a pretty easy virus to removal, although it does put entries in your hosts file.

Yep, I saw that guide and my setup is just about the same (didn't set deep heuristics yet) (it didn't detect the virus at all w/out advanced set)

-Ryan

 

Right O then - I'll take one for the team and try infect myself later.
(but first I'll swap to my standby boot hahaha)

NP

 

Obviously, files detected via Advancd heuristics cannot be prevented from running. Imagine that AMON would block each newly created file for several seconds - the system would become unuseable. That's also why we highly recommend to carry out a full system scan after a NewHeur_PE virus has been detected in order to copy it to quarantine and delete it subsequently. With IMON enabled, there would be no chance for such a new virus to make it to your disk whatsover.

As of the new version 2.13.0, you will be able to set AMON to move files detected via AH automatically to quarantine.

 

Thanks for the clarification Marcos.

I have a question about your statement that it is obvious that AH+ files cannot be prevented from running. Are you saying that they aren't actually scanned w/ AH prior to execution?

Is 2.13 expected this quarter?

Thanks again.

Ryan

Edit: Regarding IMON, that's not really applicable to the fileserver scenario is it? Does IMON scan files as they are uploaded to a share?

 

Hi Hoenlere,
the thing is that it takes several seconds for AH to evaluate the scan result, so it's impossible to block files by AMON in that case (note that probable viruses detected by standard heuristics are actually blocked). A beta version 2.13.0 is planned to be released in a couple of weeks (2-4, hard to tell for sure).

As to IMON, it's not recommended to run on servers at all (and it wouldn't prevent from writing infected files on the disk through Windows shares either). However, with NOD32 installed on client workstations, the chance of getting a new virus would be signifficantly reduced.

 

Marcos,

Gotcha, I understand.

Thanks for the clarification!

-Ryan

 

Thanks for the info Marcos. Once more I learn a new thing

 

Update:
As of last update released sometime before 10:21am EST signature database version 1.999 (20050215) this unknown NewHeur_PE is now detected by name.

 

Outstanding!!

 

An Excellent job from Eset Team.