Real time protector


Hi, I am a computer programmer. One of the reasons we selected NOD32 antivirus is that it's not a noob-oriented, dumbed-down version and it's highly configurable. That is, it can be configured to prompt for decisions and not always take them alone.

My issue, however, is that in some cases, with "Cleaning level" set to "No cleaning", NOD32 still intercepts files and forbids them to be written to disk without any prompt and with no log entry; even the program that writes the file is not aware the file was not written.

A very specific case: I protect the programs that I make using Themida protector, then sign them with our digital signature. NOD32 does not like the not-signed .exe, and that is normal. However, NOD32 intercepts the file and does not allow it to be saved while Themida is protecting it.

The binary to be protected is given to Themida on the command line; it protects it, but fails (without knowing) to save the modified (protected) binary. If I disable NOD32 real-time protection, the file is saved correctly. NOD32 does not alert me with a prompt, nor is there an entry in the NOD32 log.

How do I force NOD32 to ask me for every block?

Thank you


  • Administrators

1, access to a file is only blocked if the file is detected by ESET.

2, if a file is detected during the process of signing, simply exclude the folder containing the file from scanning.


Hi Marcos,


Thank you for your answer. I will try that; however, it does not answer one important point.

Why does NOD32 not alert me and ask me what to do? The only way for me to know that it has blocked the file is for me to test if the file is protected (source and destination file is the same).

2, if a file is detected during the process of signing, simply exclude the folder containing the file from scanning.

Unfortunately I have many directories (tens). It's just a pain in the *** if I have to do that manually. I really need NOD32 to ask me so I can use its dialog to ignore the directory/file.

Edited by nminkov

  • Administrators

Why does NOD32 not alert me and ask me what to do? The only way for me to know that it has blocked the file is for me to test if the file is protected (source and destination file is the same).

This was explained above - a file is not blocked unless an alert is triggered. If no alert is triggered and a file is blocked, it must be a different issue, e.g. a file sharing violation. In such a case, you'd need to contact Customer care to troubleshoot it further.


you'd need to contact Customer care to troubleshoot it further.

I already did that twice and never got a response from them. I got someone on Twitter from NOD32 who pointed me to this forum.


  • Administrators

Not sure which distributor you contacted; you can drop me a PM. The problem could be that it takes longer to scan protected files and Themida times out. You can try disabling advanced heuristics for newly created/modified files and keeping it enabled on execution only, to confirm or deny my assumption.


  • Former ESET Employees

Hello nminkov,

Is the file being blocked upon creation? Is your .exe created and saved in a folder without execution? Can you try going into Real-time file system protection and unchecking the file creation box? Obviously the ideal scenario is to have it checked, but as long as you have file open and file execution checked you should be OK, at least during the issue diagnosis.


Hello nminkov,

Is the file being blocked upon creation? Is your .exe created and saved in a folder without execution? Can you try going into Real-time file system protection and unchecking the file creation box? Obviously the ideal scenario is to have it checked, but as long as you have file open and file execution checked you should be OK, at least during the issue diagnosis.

Thank you Marcos and Javier,

I can see that Themida is protecting the .exe and saving it, but after that, the saved file is the original unprotected one (source and dest are the same). We have tried unchecking the file creation option in NOD32; however, it's inconclusive: sometimes it works, sometimes not, and again, nothing is logged in the NOD32 logs, which is even more odd.

The issue is observed on 3 different machines.

We use Themida on the command line. Can NOD32's behaviour be affected by that?

I will try to make an example script to reproduce the issue using the Themida demo version.

Edited by nminkov
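
The check described in the posts above (comparing the file before and after protection) can be automated as a build step, so that a silently dropped write fails the build instead of shipping an unprotected binary. This is an added example, not code from the thread, from ESET or from Themida; `protect_and_verify`, `gate`, the status strings and the protector command passed in `cmd` are assumptions, and no real Themida options are used.

```python
import hashlib
import subprocess
import time
from pathlib import Path


def fingerprint(path):
    """Return (sha256, size, first two bytes), or None if missing/unreadable."""
    try:
        data = Path(path).read_bytes()
    except OSError:  # includes a file deleted or still locked by a scanner
        return None
    return hashlib.sha256(data).hexdigest(), len(data), data[:2]


def protect_and_verify(cmd, source, dest, settle=0.0):
    """Run the protector command `cmd` (hypothetical argv list) and check that
    `dest` really holds a new binary. `dest` may equal `source` (in place)."""
    before = fingerprint(source)          # snapshot BEFORE the tool runs
    if before is None:
        return "input-missing"
    proc = subprocess.run(cmd, capture_output=True)
    if proc.returncode != 0:
        return "protector-failed"
    time.sleep(settle)                    # optional wait for an on-write scan
    after = fingerprint(dest)
    if after is None:
        return "output-unavailable"       # removed, quarantined or locked
    if after[0] == before[0]:
        return "unchanged"                # the write never reached the disk
    if after[2] != b"MZ":
        return "not-a-pe"                 # truncated or corrupted executable
    return "ok"


def gate(cmd, source, dest, attempts=3, settle=1.0):
    """Retry only when the write was dropped (the thread reports intermittent
    failures); the build passes only if the last status is 'ok'."""
    statuses = []
    for _ in range(attempts):
        statuses.append(protect_and_verify(cmd, source, dest, settle))
        if statuses[-1] != "unchanged":
            break
    return statuses
```

Logging the returned status list per build also gives a timestamped record of each dropped write that can be matched against the antivirus logs when reporting the problem to support.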

I am having trouble reproducing the issue, which is very strange because usually it happens every time NOD32 real-time protection is running. Will post back when I have more info.

Edited by nminkov

  • Former ESET Employees

Don't know if you have tested excluding the Themida application completely, as well as saving the protected version in a different path than the default path. Just a thought.

This topic is now closed to further replies.