Wired Problem with XMON

Discussion in 'Other ESET Home Products' started by Adramalech, Apr 17, 2005.

Thread Status:
Not open for further replies.
  1. Adramalech

    Adramalech Registered Member

    Joined:
    Apr 17, 2005
    Posts:
    79
    Hi

    XMON has detected a Virus called Win32/TrojanDownloader.Small.ZL
    Code:
    Time	Module	Object	Name	Virus	Action	User	Info
    
    4/16/2005 17:56:38 PM	XMON	email message	from: [i]sender[/i] to: [i]Recipient[/i] with subject   dated 04/16/2005 17:56  Attachment: Fairy_tale_4534.zip	Win32/TrojanDownloader.Small.ZL trojan	deleted		
    


    The more detailed log of XMON was saying:
    1. Action: Deleted
    2. Action: Error while cleaning – operation unavailable for this type of object – error while deleting - operation unavailable for this type of object – was part of the deleted object

    So far so good, but every once in a while, AMON (probably after a signature update or something) is detecting a file with the same Virus, and it’s always in the %systemroot%\temp Folder with a NOD prefix.

    Code:
    4/17/2005 13:38:27 PM	AMON	file	C:\WINDOWS\TEMP\NODA234.tmp	Win32/TrojanDownloader.Small.ZL trojan		NT AUTHORITY\SYSTEM	
    4/17/2005 7:01:11 AM	AMON	file	C:\WINDOWS\TEMP\NODF1D0.tmp	Win32/TrojanDownloader.Small.ZL trojan		NT AUTHORITY\SYSTEM	
    4/17/2005 0:00:38 AM	AMON	file	C:\WINDOWS\TEMP\NOD996B.tmp	Win32/TrojanDownloader.Small.ZL trojan		NT AUTHORITY\SYSTEM	
    4/16/2005 21:19:17 PM	AMON	file	C:\WINDOWS\TEMP\NOD84.tmp	Win32/TrojanDownloader.Small.ZL trojan		NT AUTHORITY\SYSTEM	
    
    So it seems that NOD didn’t get rid of the Virus completely. What can I do? I also ran a manual scan and a deep scan but nothing.

    Thanks
    Adra
     
  2. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,374
    With MS Exchange, it's crucial to exclude the TMP and EDB extensions from scanning, if AMON is set to scan all files.
     
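Marcos's point is that the on-access scanner (AMON) is re-scanning the mail scanner's own working copies in the TEMP folder, so the repeated hits are not a live infection. The following script is an added example, not code from the thread or from ESET: it parses log lines in the tab-separated layout shown in post 1 (Time, Module, Object, Name, Virus, Action, User, Info), separates AMON detections on NOD-prefixed .tmp files in the Windows TEMP folder from detections on ordinary files, and lists the exclusion candidates. The sample lines are constructed for this example; the NOD[hex].tmp name pattern is an assumption drawn from the four filenames in the post.

```python
import re

# Column order taken from the log header in post 1 of this thread.
FIELDS = ["time", "module", "object", "name", "virus", "action", "user", "info"]

# Constructed sample log (not a real capture): four AMON hits on the mail
# scanner's temp files, the original XMON hit, and one hit on a normal file.
SAMPLE_LOG = "\n".join([
    "4/16/2005 17:56:38 PM\tXMON\temail message\tfrom: sender to: Recipient"
    " Attachment: Fairy_tale_4534.zip\tWin32/TrojanDownloader.Small.ZL trojan\tdeleted\t\t",
    "4/17/2005 13:38:27 PM\tAMON\tfile\tC:\\WINDOWS\\TEMP\\NODA234.tmp"
    "\tWin32/TrojanDownloader.Small.ZL trojan\t\tNT AUTHORITY\\SYSTEM\t",
    "4/17/2005 7:01:11 AM\tAMON\tfile\tC:\\WINDOWS\\TEMP\\NODF1D0.tmp"
    "\tWin32/TrojanDownloader.Small.ZL trojan\t\tNT AUTHORITY\\SYSTEM\t",
    "4/17/2005 0:00:38 AM\tAMON\tfile\tC:\\WINDOWS\\TEMP\\NOD996B.tmp"
    "\tWin32/TrojanDownloader.Small.ZL trojan\t\tNT AUTHORITY\\SYSTEM\t",
    "4/16/2005 21:19:17 PM\tAMON\tfile\tC:\\WINDOWS\\TEMP\\NOD84.tmp"
    "\tWin32/TrojanDownloader.Small.ZL trojan\t\tNT AUTHORITY\\SYSTEM\t",
    # Constructed: a detection outside TEMP, which must NOT be dismissed.
    "4/17/2005 9:12:03 AM\tAMON\tfile\tC:\\Shares\\public\\invoice.exe"
    "\tWin32/TrojanDownloader.Small.ZL trojan\tdeleted\tDOMAIN\\user\t",
])

# Assumed pattern for the mail scanner's working files: NOD + hex + .tmp in
# the Windows TEMP directory, as seen in the four filenames from the post.
NOD_TEMP_RE = re.compile(r"^[A-Z]:\\WINDOWS\\TEMP\\NOD[0-9A-F]+\.tmp$", re.IGNORECASE)


def parse_log(text):
    """Split tab-separated NOD32 log lines into dicts keyed by FIELDS."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        parts = line.split("\t")
        parts += [""] * (len(FIELDS) - len(parts))  # pad short lines
        records.append(dict(zip(FIELDS, parts[: len(FIELDS)])))
    return records


def is_scanner_temp_rescan(rec):
    """True when AMON hit one of the mail scanner's own temp copies."""
    return (
        rec["module"] == "AMON"
        and rec["object"] == "file"
        and NOD_TEMP_RE.match(rec["name"]) is not None
    )


def triage(text):
    """Return (rescans, genuine): AMON hits on scanner temp files vs. others."""
    records = parse_log(text)
    amon = [r for r in records if r["module"] == "AMON"]
    rescans = [r for r in amon if is_scanner_temp_rescan(r)]
    genuine = [r for r in amon if not is_scanner_temp_rescan(r)]
    return rescans, genuine


def exclusion_candidates(rescans):
    """Directory and extension that would stop the re-scan noise, per the
    advice in this thread (exclude TMP when AMON scans all files)."""
    dirs = {r["name"].rsplit("\\", 1)[0].upper() for r in rescans}
    exts = {"*" + r["name"][r["name"].rfind("."):].lower() for r in rescans}
    return sorted(dirs), sorted(exts)


if __name__ == "__main__":
    rescans, genuine = triage(SAMPLE_LOG)
    print(f"{len(rescans)} AMON hits on the mail scanner's temp files (noise)")
    print(f"{len(genuine)} AMON hits on other files (investigate)")
    for r in genuine:
        print("  ", r["time"], r["name"], r["virus"])
    print("exclusion candidates:", exclusion_candidates(rescans))
```

The point of keeping the two lists apart is that an extension exclusion for *.tmp removes the noise without hiding a real detection elsewhere on the disk; anything in the "genuine" list still deserves a look.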
  3. Adramalech

    Adramalech Registered Member

    Joined:
    Apr 17, 2005
    Posts:
    79
    Hi Marcos

    The Exchange directories have already been excluded along with some other files like MAPI32.dll.

    I also made an exclusion for files that look like this:
    *.edb
    *.stm
    *.log


    ..but I'm not quite sure if the [*] works for NOD32.

    So basically the solution would be to exclude also *.tmp files and don't worry about the rest?

    cheers
    Adra

    P.S.: Is it normal that NOD generates so many .tmp files in this directory? The size of that directory was up to 2GB since yesterday.
     
  4. Adramalech

    Adramalech Registered Member

    Joined:
    Apr 17, 2005
    Posts:
    79
    BTW: AMON was set to scan all files without exclusions. I didn't notice that the function changes to "exclude" files when "scan all files" is set. So I have to exclude those files there and TMP as well, right?
     
  5. Adramalech

    Adramalech Registered Member

    Joined:
    Apr 17, 2005
    Posts:
    79
    @marcos

    Just wanted to say thanks. I had some confusion with the AMON tabs "detection" and "exclusions" since this was all done in the same tab for the previous Exchange scanner. :rolleyes: :)

    But after setting the proper file extension exclusions under "detection" and excluding the Exchange directories as recommended by Microsoft, even the NOD temp files won't appear again.


    Well, keep the good work going. The previous Scanner missed 7 viruses in the database (including a polymorph macro virus, but it's most probably some handwritten excel macro of some of our "more advanced" users :p => no prob. ).


    Adra
     