NOD32 Not Honoring Exclusion of c:\SysWow64\vmnat.exe


Posted

Hello,

I am trying to study various pieces of malware from within a VMware virtual machine. My host system is running Windows 7 64, and Nod32 7.0.302.0. The problem I am having is that, frankly, Eset is almost doing its job too well. ;) NOD is preventing me from downloading any bad things via the web browser in my virtual machine. On my host system, I get an alert about c:\Windows\SysWow64\vmnat.exe. I tried excluding this file, but NOD doesn't seem to honor the exclusion. The vmnat.exe alerts just keep coming. I suppose I could just temporarily disable protection on my host system, but I'm curious as to the mechanics of what is going on here, and why the exclusion isn't working.

Thanks,

Al


Posted (edited)

You may have set the exe in the exclusions of real-time scanning.

Have you tried adding the directory as an exclusion, "c:\Windows\SysWow64\"?


Another option is disabling the web protection. If you are downloading this infected file, it will get stopped by web protection before it hits memory or disk for real-time scanning, or it will be caught by the HTTP or FTP protocol scanning.

Yes, my friend, Eset is a fortress. ;)

Coupled with low false positives, great support, and a lightweight package, I don't understand why it's not more of an eye-opener to some. :)

Edited by Arakasi
  • Administrators
Posted

Please post a screen shot of the alert you're getting. If it's actually malware, excluding it from scanning wouldn't be wise.

Posted

I think Arakasi is right about the web filtering. I would go into Protocol Filtering in Advanced Settings and exclude vmnat.exe from protocol application filtering.

  • ESET Moderators
Posted
Hello,

Geosoft is right: the malware is being detected by protocol filtering (on the host system) even before it can reach the virtual machine.

You can exclude vmnat.exe from protocol filtering, or you can download the malware to the VM using a secure protocol like HTTPS, with SSL scanning disabled on the host OS.

Another solution is to handle the malware in encrypted archives.
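The "encrypted archive" suggestion above works because the host's protocol filter, which sits in the path of everything vmnat.exe relays for the VM, can only scan what it can read: an opaque blob passes, and the sample is only reconstituted inside the VM. The following is an added example to illustrate that workflow; it is not code from this thread, from ESET, or from VMware. It assumes Python's standard library only, so instead of an AES archive (which 7-Zip with an encrypted header would give you in practice) it uses HMAC-SHA256 in counter mode as a PRF-based stream cipher, encrypt-then-MAC, a password-derived key, and a SHA-256 of the plaintext stored inside the wrapper so the analyst can confirm the sample arrived intact. The sample bytes and the password "infected" (the usual convention for sample archives) are constructed for the example. Remember that the VM itself must not be running its own AV, or the unwrapped file will simply be caught there instead.

```python
"""Wrap a malware sample so an in-line content scanner (such as a host AV's
HTTP/FTP protocol filter) sees only random-looking bytes, then unwrap and
verify it inside the analysis VM.

Added example, not code from the thread or from ESET/VMware. The cipher is
HMAC-SHA256 in counter mode (a PRF-based stream cipher) with encrypt-then-MAC,
chosen because the standard library has no AES; a 7-Zip/AES archive with an
encrypted header does the same job in practice.
"""
import hashlib
import hmac
import os
import struct

MAGIC = b"SMPL1"
SALT_LEN = 16
NONCE_LEN = 16
TAG_LEN = 32
PBKDF2_ROUNDS = 100_000  # assumption: tune for your hardware


def _derive_keys(password: bytes, salt: bytes) -> tuple:
    """Derive a separate encryption key and MAC key from the password."""
    okm = hashlib.pbkdf2_hmac("sha256", password, salt, PBKDF2_ROUNDS, dklen=64)
    return okm[:32], okm[32:]


def _keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """XOR data with HMAC-SHA256(key, nonce || counter) blocks (CTR mode)."""
    out = bytearray(len(data))
    for block_no in range((len(data) + 31) // 32):
        ks = hmac.new(key, nonce + struct.pack(">Q", block_no), hashlib.sha256).digest()
        start = block_no * 32
        for i, b in enumerate(data[start:start + 32]):
            out[start + i] = b ^ ks[i]
    return bytes(out)


def wrap_sample(sample: bytes, password: bytes) -> bytes:
    """Return MAGIC || salt || nonce || Enc(sha256(sample) || sample) || tag."""
    salt = os.urandom(SALT_LEN)      # fresh per wrap, so keys never repeat
    nonce = os.urandom(NONCE_LEN)    # fresh per wrap, so keystream never repeats
    enc_key, mac_key = _derive_keys(password, salt)
    digest = hashlib.sha256(sample).digest()
    body = _keystream_xor(enc_key, nonce, digest + sample)
    header = MAGIC + salt + nonce
    tag = hmac.new(mac_key, header + body, hashlib.sha256).digest()
    return header + body + tag


def unwrap_sample(blob: bytes, password: bytes) -> bytes:
    """Verify the MAC, decrypt, verify the embedded hash, return the sample."""
    hdr_len = len(MAGIC) + SALT_LEN + NONCE_LEN
    if len(blob) < hdr_len + 32 + TAG_LEN or not blob.startswith(MAGIC):
        raise ValueError("not a wrapped sample")
    salt = blob[len(MAGIC):len(MAGIC) + SALT_LEN]
    nonce = blob[len(MAGIC) + SALT_LEN:hdr_len]
    body, tag = blob[hdr_len:-TAG_LEN], blob[-TAG_LEN:]
    enc_key, mac_key = _derive_keys(password, salt)
    expected = hmac.new(mac_key, blob[:-TAG_LEN], hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("wrong password or blob modified in transit")
    plain = _keystream_xor(enc_key, nonce, body)
    digest, sample = plain[:32], plain[32:]
    if not hmac.compare_digest(hashlib.sha256(sample).digest(), digest):
        raise ValueError("sample hash mismatch")
    return sample


def unwrap_or_none(blob: bytes, password: bytes):
    """Convenience wrapper: None instead of an exception on any failure."""
    try:
        return unwrap_sample(blob, password)
    except ValueError:
        return None


# Constructed stand-in for a sample (not real malware): a fake PE-like prefix.
SAMPLE = (b"MZ" + b"\x90" * 62
          + b"This program cannot be run in DOS mode.\r\n" + bytes(range(256)))
PASSWORD = b"infected"  # conventional password for sample archives

if __name__ == "__main__":
    blob = wrap_sample(SAMPLE, PASSWORD)
    print("wrapped", len(SAMPLE), "bytes into", len(blob), "bytes")
    print("sha256 of sample:", hashlib.sha256(SAMPLE).hexdigest())
    print("round trip ok:", unwrap_sample(blob, PASSWORD) == SAMPLE)
```

Wrap on whatever machine holds the sample, move the blob through the NAT'd VM's browser (or any other channel the protocol filter watches), and unwrap inside the VM; the filter sees the transfer but not the content. The salt and nonce are regenerated on every wrap, which is what keeps a password-derived stream cipher safe to reuse, and the MAC is checked before anything is decrypted so a truncated or corrupted download is rejected rather than partially recovered.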
