v3 issues.

Discussion in 'ESET NOD32 Antivirus' started by DMcCoy, Sep 10, 2008.

Thread Status:
Not open for further replies.
  1. DMcCoy

    DMcCoy Registered Member

    Joined:
    Sep 6, 2008
    Posts:
    4
    I'm rather regretting my move to NOD v3 as it doesn't seem to be finished yet.

    Outstanding issues are:

    1) Unable to manage web or mail on/off with the configuration editor or xml export from the client.
    2) Settings for web/mail do not survive a reboot, they come back on!
    3) Some applications unusable with advanced heuristics, java, msi deployment etc.
    4) No v3 for exchange yet (but after the last one had a bad definition update and removed thousands of .doc attachments I'm not sure I'll use it).
    5) Badly behaved v3 when all features are disabled. With NOD v3 installed my Extremez-ip file server had periods of extremely high cpu utilisation and opens thousands of unused file handles. Without nod installed (even when no RT scanning) all is fine.
    6) No central config file, with v2 you could have the clients update from the mirror folder, no option is yet available for v3, it was bad enough you could only have one config on it, but this is rather a large leap backwards.

    Anyone know if there are plans to add all the missing settings to the xml config file? as having to do it afterwards on each server is driving me nuts. Who would have thought I would miss Symantec! At least from a manageability point of view.
     
  2. SmackyTheFrog

    SmackyTheFrog Registered Member

    Joined:
    Nov 5, 2007
    Posts:
    767
    Location:
    Lansing, Michigan
    I'll just hit these down the list:

    1) Press F5 to enter the advanced configuration, go to Email Protection and Web Access Protection and uncheck the first check box. That will disable those two modules.
    2) If you are disabling Email Protection and Web Access Protection through the GUI by going to Setup, Antivirus and Antispyware, and clicking Disable, you need to understand that those settings are only temporary and the modules will reload when the computer reboots. Follow the above instructions if you want them completely disabled.
    3) Advanced heuristics look for operating patterns that may be malicious instead of a true signature. This can be problematic for some applications and you need to understand that risk if you are going to enable them, and know how to make exceptions when problems arise.
    4) The XMON component is not available on v3 yet, which means you have to run a mixed environment which can be a pain. Thankfully the new RAS supports mirroring v2 and v3 definitions side by side which simplifies matters. With any antivirus scanner, false positives will be inevitable. If you are doing your job, a documented restore procedure should be in place for such events. Not the most enjoyable thing to do, but things are going to be unintentionally deleted so plan for it. You should also seriously consider configuring the module to dump the message in an Infected Items folder instead of flat-out deleting items.
    5) No antivirus software is going to be perfect. Scanning engines install a kernel driver that may have compatibility issues with applications. What you are seeing is something worth contacting Eset or GroupLogic support about as odds are neither vendor has tested compatibility with the other's software.
    6) All client configuration options are accessible through the Advanced Setup (F5) menu, and changes made there will be exported to the xml file. For easier management, you need to be running one or more RAS servers which you can manage with the Remote Administrator Console. The RAC also includes the Eset Configuration Editor which will allow you to build configuration xml files for all Eset products, which you can then push down to attached clients.
     
  3. DMcCoy

    DMcCoy Registered Member

    Joined:
    Sep 6, 2008
    Posts:
    4
    Yes, I did this. They came back on after a reboot, and are ticked again.

    The options do not exist however in the configuration editor.

    See above, both back on after a reboot.

    I do realise this, but a 700% increase to the install time of java, a 1500%+ increase to install a printer driver (I've no idea how long it was going to take, I gave up and turned off NOD after waiting 5 minutes for it to copy the driver files, it wasn't even an installer) is too much.

    A fine idea, all except for the fact that this option doesn't exist.

    Part of the problem is that v2 just worked and I've never had any issues with it. Life since v3 implementation has been 3 weeks of pure hell.

    The problem with this is that not ALL options are exported either here or are available in the configuration editor, they are simply ignored. Schedules, web, mail, some exclusion settings are lost on export or are missing.
     
  4. SmackyTheFrog

    SmackyTheFrog Registered Member

    Joined:
    Nov 5, 2007
    Posts:
    767
    Location:
    Lansing, Michigan
    Apologies, I got this one mixed up. Those two check boxes act the same as the GUI options and will restart and not be exported to the xml file. If you want to prevent IMON and EMON from functioning, you need to disable the options "Integrate into Microsoft Outlook" and "Integrate in to Outlook Express/Windows Mail" under Email client, Setup... in the configuration editor and disable "Application protocol content filtering", "Enable POP3 email checking", and "Enable HTTP checking". The modules will still appear to be active, but activity to them will bypass the scanning engine.

    You are going to need to play around with the settings under Real-time file system protection. Specifically look at the settings for newly created and modified file: Runtime packers and Self-extracting archives. Nod32 extracts these types of files in protected memory space and executes them to look for malicious content that can be obscuring itself in an archive, but advanced features come at the expense of CPU cycles and disk I/O that can slow down installations. Leaving them enabled is going to be a cost/benefit analysis for your environment. You also most likely want to disable Real-time scanning on network drives, so make sure that is off.

    In the configuration editor, go to Nod32 version 2, XMON, Scanner, If an alert is generated... and you can modify the behavior of the XMON module so infected items are renamed, cleaned, or deleted with the option of dumping the file in the quarantine.

    There are a number of new features in v3 that have the possibility of breaking compatibility or causing issues compared to v2.7. They can be disabled or configured in most cases for compatibility's sake, but you are going to need to be careful and put in a good deal of time to research and testing. The upshot is that the scanning engine is more effective. It is a less mature product than v2 and issues will arise. Thankfully some of the biggest glaring issues have been addressed in the new builds from the last several months. Outlook Express integration flat out breaking or EMON deleting inbound messages as they were scanned at random were not fun at the time.

    Can you give more information on the problems you are having with the scheduler? I haven't seen or heard of that bug, personally. Also note that when you are working in the configuration editor, only options that are "Marked" (have a blue box instead of grey) will be saved to the XML file. Unmarked values/settings will not be saved to the configuration file and the default local client settings will be honored instead.
     
  5. ioniancat21

    ioniancat21 Registered Member

    Joined:
    Apr 23, 2008
    Posts:
    32
    I agree with DMcCoy, NOD32 v3 is not ready for prime time. My father used to say if something isn't broke, don't fix it. I think of v3 as that principle in a nutshell. Most users including myself were pleased with v2.7 so I understand Eset's idea to improve upon what they had. The problem is that unfortunately Eset dropped the ball instead. Fortunately v2.7 is still available as a downgrade option and updates are still working, however for how long? Eventually Eset will want to move forward and abandon v2.7 so I have been preparing by testing other clients as I would have no choice but to switch vendors as v3.0 and all its revisions wreak havoc on my computer(s).

    Some of my fun issues with v3.0:
    • overall instability in the client
    • frequent issues with e-mail and internet pages failing
    • adv. heuristics affecting applications
    • other minor annoyances and bigger footprint consuming more CPU and memory than v2.7

    Fortunately again, downgrading to v2.7 repaired all my issues. Hopefully v4.0 will fix these issues. Worst case Eset could repackage v2.7, rename it v4.0 and sadly most users would consider it an upgrade. Has Eset had a change of guard in-house, as it almost makes no sense to have so many issues with v3.0 when v2.7 worked to perfection? Has Eset changed staff or something? o_O
     