Thinking about asking for my money back on a NOD32 license - AMON issue.

Discussion in 'NOD32 version 2 Forum' started by hoenlere, Feb 14, 2005.

Thread Status:
Not open for further replies.
  1. hoenlere

    hoenlere Registered Member

    Joined:
    Feb 14, 2005
    Posts:
    21
    Thinking about asking for my money back on a NOD32 license - AMON issue. - Progress

    All,

    I've emailed support on this issue and hope it can be resolved but I thought I'd chime in here to see if anyone else has run into this AMON issue.

    The issue is this:

    NOD32 will be running on a file server and therefore it will be required to scan files that will be copied to the server via network shares. AMON scans my test virus EXE upon creation (i copy it to the fileserver) but then does nothing automatically with them, if I have the option to display an alert window unchecked in the AMON setup. Another user can then come along and copy the infected file down to his system. In addition, if I then go to the file server and execute the file, AMON detects it all right (and even offers me the option to delete it, if I have that enabled), it DOES NOT PREVENT the virus from infecting the system. Although this seems to be a huge fault, it's not my primary concern.

    My primary concern is that I'm unable to, in an automated manner, stop viruses which have been copied up to and then down from my file server.

    Please let me know if anyone can shed some light on this issue.

    Thanks!!!

    -Ryan
     
    Last edited: Feb 15, 2005
  2. jollyroger

    jollyroger Registered Member

    Joined:
    Feb 15, 2005
    Posts:
    1
    Wow. Can anyone duplicate this behavior?

    This sounds like a pretty big security risk ... there should be some way to prevent that.
     
  3. NOD32 user

    NOD32 user Registered Member

    Joined:
    Jan 23, 2005
    Posts:
    1,766
    Location:
    Australia
    I must be missing something here
    - is there any reason why setting AMON to clean automatically wouldn't work?
     
  4. hoenlere

    hoenlere Registered Member

    Joined:
    Feb 14, 2005
    Posts:
    21
    I tried both "Clean automatically" and "Prohibit Access", neither of which actually did anything to the file after it was copied to the share (even though it was scanned and showed up as a virus in the NOD32 logs, there was no action taken). :( It did not even prevent access to the file when I tried to copy it back down from another machine.
     
  5. Detox

    Detox Retired Moderator

    Joined:
    Feb 9, 2002
    Posts:
    8,507
    Location:
    Texas, USA
    Your "test virus exe?" What file are we talking about here?
     
  6. NOD32 user

    NOD32 user Registered Member

    Joined:
    Jan 23, 2005
    Posts:
    1,766
    Location:
    Australia
    Just tested "Prohibit Access" here and it does exactly what I expected of it - makes the file locked both locally and remotely. If you've still got access remotely I wonder if it's actually a network cached version rather than a live version?
    "Clean Automatically" also leaves the file locked both locally and remotely if it's unable to clean it.
    o_O
    In fact they both work quite well for me. I assume that since you're talking about a file server you're using standard M$ network shares? - not that it should be any different regardless
     
    Last edited: Feb 15, 2005
  7. hoenlere

    hoenlere Registered Member

    Joined:
    Feb 14, 2005
    Posts:
    21
    A version of agobot that is being detected via heuristics.

    That actually brings up a good point... perhaps it only displays this behavior on heuristically detected viruses?
     
  8. NOD32 user

    NOD32 user Registered Member

    Joined:
    Jan 23, 2005
    Posts:
    1,766
    Location:
    Australia
    Could you please email me a (preferably zipped) copy Here and I'll test it as well if you like?
     
    Last edited: Feb 15, 2005
  9. hoenlere

    hoenlere Registered Member

    Joined:
    Feb 14, 2005
    Posts:
    21
    YGM. It's a zipped executable.

    To recap: I'm able to copy it up to the server w/ nod and then copy it right back, no cleaning or locking occurs. It DOES show up in the log though.

    Thanks!!
     
  10. Capp

    Capp Registered Member

    Joined:
    Oct 16, 2004
    Posts:
    2,125
    Location:
    United States
    I agree with what has been posted (no sense repeating it 2 sections down)

    Having it set with these options has always worked for me and my clients. Prohibit access should work the way it is specified.

    Keep us posted
     
  11. hoenlere

    hoenlere Registered Member

    Joined:
    Feb 14, 2005
    Posts:
    21
    Thanks Capp,

    Can you confirm that it has worked the same way for heuristically detected viruses as well?

    -Ryan
     
  12. Capp

    Capp Registered Member

    Joined:
    Oct 16, 2004
    Posts:
    2,125
    Location:
    United States
    Well, I can't confirm because with my settings, if it detects something...it cleans & deletes if it cannot clean. Most of the time, viruses are deleted so I don't have to mess with them again.
     
  13. NOD32 user

    NOD32 user Registered Member

    Joined:
    Jan 23, 2005
    Posts:
    1,766
    Location:
    Australia
    For probably unknown NewHeur_PE (probable variant) it does appear to work a little differently. I was able to operate on that file as you said you were. I can only think that it must be because it's considered unacceptable for false positives to be deleted/locked, although it's such a rare occurrence. If your PCs have got NOD installed and configured like mine I would still think it not possible to run the exe even though it's not locked for access as a HE detect.
    I'm sending a copy to ESET now just in case they haven't yet got one elsewhere to build a signature from - that's the best and quickest way to resolve it - get it added to the signatures !!!
    I should mention that uploading via eMail or HTTP still brought about the standard high impact responses even with the file tucked away inside a ZIP.
     
  14. hoenlere

    hoenlere Registered Member

    Joined:
    Feb 14, 2005
    Posts:
    21
    I've just tested w/ the eicar.com file and can confirm that it's the heuristic detection that's working differently. Hopefully I'll hear back from support to confirm or deny this.

    It DID let me execute and infect myself with this virus, even though it was detected as NewHeur_PE though.... One of the reasons I've been pushing NOD at my company is because its heuristics have allowed it to detect some viruses that NAV has let right through. This agobot variant being one of them. But if it's not going to do anything with them on the file server I'm not sure what my next step is.

    Thanks for your help NOD32 user!
     
  15. NOD32 user

    NOD32 user Registered Member

    Joined:
    Jan 23, 2005
    Posts:
    1,766
    Location:
    Australia
    No problem
    I must confess I'm surprised it let you infect yourself.
    FYI - have you seen the advanced config guide that Blackspear has put up?
    [thread=37509]Config Guide[/thread]
    Happy NODding :)
     
  16. hoenlere

    hoenlere Registered Member

    Joined:
    Feb 14, 2005
    Posts:
    21
    I'm kinda surprised as well.

    Any brave soul out there want to duplicate the results? It's a pretty easy virus to remove, although it does put entries in your hosts file.

    Yep, I saw that guide and my setup is just about the same (didn't set deep heuristics yet) (it didn't detect the virus at all w/out advanced set)

    -Ryan
     
  17. NOD32 user

    NOD32 user Registered Member

    Joined:
    Jan 23, 2005
    Posts:
    1,766
    Location:
    Australia
    Right O then - I'll take one for the team and try to infect myself later.
    (but first I'll swap to my standby boot hahaha)

    NP
     
  18. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,374
    Obviously, files detected via Advanced heuristics cannot be prevented from running. Imagine that AMON would block each newly created file for several seconds - the system would become unusable. That's also why we highly recommend carrying out a full system scan after a NewHeur_PE virus has been detected in order to copy it to quarantine and delete it subsequently. With IMON enabled, there would be no chance for such a new virus to make it to your disk whatsoever.

    As of the new version 2.13.0, you will be able to set AMON to move files detected via AH automatically to quarantine.
     
  19. hoenlere

    hoenlere Registered Member

    Joined:
    Feb 14, 2005
    Posts:
    21
    Thanks for the clarification Marcos.

    I have a question about your statement that it is obvious that AH+ files cannot be prevented from running. Are you saying that they aren't actually scanned w/ AH prior to execution?

    Is 2.13 expected this quarter?

    Thanks again.

    Ryan

    Edit: Regarding IMON, that's not really applicable to the fileserver scenario is it? Does IMON scan files as they are uploaded to a share?
     
    Last edited: Feb 15, 2005
  20. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,374
    Hi Hoenlere,
    the thing is that it takes several seconds for AH to evaluate the scan result, so it's impossible to block files by AMON in that case (note that probable viruses detected by standard heuristics are actually blocked). A beta version 2.13.0 is planned to be released in a couple of weeks (2-4, hard to tell for sure).

    As to IMON, it's not recommended to run on servers at all (and it wouldn't prevent writing infected files on the disk through Windows shares either). However, with NOD32 installed on client workstations, the chance of getting a new virus would be significantly reduced.
     
  21. hoenlere

    hoenlere Registered Member

    Joined:
    Feb 14, 2005
    Posts:
    21
    Marcos,

    Gotcha, I understand.

    Thanks for the clarification!

    -Ryan
     
  22. NOD32 user

    NOD32 user Registered Member

    Joined:
    Jan 23, 2005
    Posts:
    1,766
    Location:
    Australia
    Thanks for the info Marcos. Once more I learn a new thing :)
     
  23. NOD32 user

    NOD32 user Registered Member

    Joined:
    Jan 23, 2005
    Posts:
    1,766
    Location:
    Australia
    Update:
    As of last update released sometime before 10:21am EST signature database version 1.999 (20050215) this unknown NewHeur_PE is now detected by name.
     
  24. hoenlere

    hoenlere Registered Member

    Joined:
    Feb 14, 2005
    Posts:
    21
    Outstanding!!
     
  25. DonKid

    DonKid Registered Member

    Joined:
    Jun 27, 2004
    Posts:
    566
    Location:
    São Paulo, Brazil
    An Excellent job from Eset Team. :D
     