Virus signatures database???

Discussion in 'NOD32 version 2 Forum' started by Morgoth, Dec 16, 2003.

Thread Status:
Not open for further replies.
  1. Morgoth

    Morgoth Guest

    OK, just a quick question - I'm still testing NOD32, so could anyone tell me in which file the virus signatures are stored? I'd like to start NOD32 without it :doubt:
     
  2. sir_carew

    sir_carew Registered Member

    Joined:
    Sep 2, 2003
    Posts:
    884
    Location:
    Santiago, Chile
    You can select an option to scan only using the heuristics, but it isn't necessary to delete the signature file.
     
  3. Morgoth

    Morgoth Guest

    Negative. I WANT to use the scanner without the database being physically present, thus I have to delete the database (temporarily of course - by moving it elsewhere).

    Which file contains the database? And can the scanner be started without it??
     
  4. MegaHertz

    MegaHertz Registered Member

    Joined:
    Nov 28, 2002
    Posts:
    69
    Location:
    U.S.A.
    The scanner will not start for me without the database file being present in the directory.
     
  5. Morgoth

    Morgoth Guest

    Darn - that's odd. VERY odd...
    Why is the database needed if only the 'heuristics' and 'advanced heuristics' options are enabled (i.e. the 'signatures' option disabled)? o_O

    I'm sure there MUST be a way to launch the scanner without the database.

    But anyway, WHAT IS THE DATABASE FILE?
     
  6. mrtwolman

    mrtwolman Eset Staff Account

    Joined:
    Dec 5, 2002
    Posts:
    613
    There is no way to start the scanner without the database (resource would be more appropriate) file being present. The reason is simple. There is only one file with scanner resources - engine, scanstrings, they are all stored in one file. You do not have the file, you do not have the music...
    The only way is to launch NOD32, go to the settings and uncheck the scanstrings option... My advice is to list all scanned files in the scanlog and add advanced heuristics...
    You can also use command line switches.
    The file name is nod32.000.

    Regards
     
  7. Morgoth

    Morgoth Guest

    OK mrtwolman, thanx 4 the reply.

    But I need to be 100% sure:
    can U confirm FOR SURE that nod32.000 contains not only the virus signatures, but the ENTIRE scanner itself (scanning engine, heuristics, "trans-heuristics", etc.)?

    I'm (re)asking that because I thought that at least the scanner & heuristics methods were in a smaller, separate file, and that nod32.000 was only a database, nothing more - so what are the nod32.00x (with x >= 1) files for? o_O
     
  8. anders

    anders Eset Staff Account

    Joined:
    Oct 25, 2002
    Posts:
    410
    As far as I know, the .000 gets updated to include the latest updates (incremental updates), the .002 is for archive support, and the .003 is for the advanced heuristics. I don't know what (if any) other information is kept in the .000 (the standard heuristics?). Though, if you deselect signature scanning in the interface (or via parameter), signatures will NOT be used while scanning. Some antivirus programs might require you to delete their signature files in order to test the heuristics; with NOD32, just deselect it in the options.

    Best regards,
    Anders
     
  9. Morgoth

    Morgoth Guest

    You said it: and this is the ONLY way of knowing for 100% sure that the heuristics are not buggy. Which is why I intend to find out how to do the same with this AV.

    See, I ran an interesting test:

    Step 1: With nod32.000:

    I changed the setup in IMON to cover the heuristics & advanced heuristics ONLY (no signatures) and mailed myself a known trojan (part of the signatures database) - upon receipt, IMON popped up signaling an "unknown_heur_virus" or something, suggesting that it could detect it without the signatures.

    Step 2: Without nod32.000:

    I repeated EXACTLY the same test, only this time I moved nod32.000 to the Recycle Bin, then started the nod kernel & kui - of course, it signaled an error about not being able to load AMON, but IMON was up and running just fine, which means that IMON does not need nod32.000 to work properly, at least with signatures disabled. So with IMON's heuristics and advanced heuristics enabled, I mailed myself again - same mail with the enclosed trojan - and lo! upon receipt, THERE WAS NO WARNING from IMON, even though I had left nod32.002 and nod32.003 (Advanced Heuristics) intact! The only difference from Step 1 was that the signatures (and possibly the standard heuristics, which don't detect this trojan anyway) had been left out!!! o_O

    So you see, you will understand why I'm more curious than ever now about finding out how to test the heuristics & advanced heuristics without the signatures being physically present, as some other AVs require the user to do. Perhaps you could get the info from tech support.

    Once I get the info I won't pester anyone anymore with this issue. I promise, I'll be nice :D
     