Al Puzzuoli (0) - Posted December 7, 2013

Hello, I am trying to study various pieces of malware from within a VMware virtual machine. My host system is running Windows 7 64-bit and NOD32 7.0.302.0. The problem I am having is that, frankly, ESET is almost doing its job too well. NOD is preventing me from downloading any bad things via the web browser in my virtual machine. On my host system, I get an alert about c:\Windows\SysWow64\vmnat.exe. I tried excluding this file, but NOD doesn't seem to honor the exclusion; the vmnat.exe alerts just keep coming. I suppose I could just temporarily disable protection on my host system, but I'm curious as to the mechanics of what is going on here, and why the exclusion isn't working. Thanks, Al
Arakasi (549) - Posted December 7, 2013 (edited)

You may have set the exe in the exclusions of real-time scanning. Have you tried adding the directory as an exclusion, "c:\Windows\SysWow64\"? Another option is disabling the web protection. If you are downloading this infected file, it will get stopped by web protection before it hits memory or disk for real-time scanning, or caught by the HTTP or FTP protocol scanning. Yes, my friend, ESET is a fortress. Coupled with low false positives, great support, and a lightweight package, I don't understand why it's not more of an eye-opener to some.

Edited December 7, 2013 by Arakasi
Marcos (Administrators, 5,444) - Posted December 7, 2013

Please post a screenshot of the alert you're getting. If it's actually malware, excluding it from scanning wouldn't be wise.
geosoft (18) - Posted December 8, 2013

I think Arakasi is right about the web filtering. I would go into Protocol Filtering in Advanced Settings and exclude vmnat.exe from protocol application filtering.
Peter Randziak (ESET Moderators, 1,181) - Posted December 9, 2013

Hello, Geosoft is right: the malware is being detected by protocol filtering (on the host system) even before it can reach the virtual machine. You can exclude vmnat.exe from protocol filtering, or you can download the malware to the VM using some secure protocol like HTTPS, with SSL scanning disabled on the host OS. Another solution is to handle the malware in encrypted archives.