nminkov 0 Posted October 13, 2014

Hi, I am a computer programmer. One of the reasons we have selected NOD32 antivirus is because it's not a noob-oriented, dumbed-down version and it's highly configurable. That is, it can be configured to prompt for decisions and not always take them alone.

My issue, however, is just that in some cases, with "Cleaning level" set to "No cleaning", NOD32 still intercepts files and forbids them to be written to disk without any prompt or log entry; even the program that writes the file is not aware the file was not written.

Very specific case: I protect the programs that I make using Themida protector, then sign them with our digital signature. NOD32 does not like the not signed .exe, and that is normal. However, NOD32 intercepts the file and does not allow it to be saved while Themida is protecting it. The binary to be protected is given to Themida on the command line; it protects it, but fails (without knowing) to save the modified (protected) binary. If I disable NOD32 real-time protection, the file is saved correctly. NOD32 does not alert me with a prompt, nor is there an entry in the NOD32 log.

How do I force NOD32 to ask me for every block?

Thank you

Administrators Marcos 5,451 Posted October 13, 2014

1. Access to a file is only blocked if the file is detected by ESET.
2. If a file is detected during the process of signing, simply exclude the folder containing the file from scanning.

nminkov 0 Posted October 13, 2014 Author (edited)

Hi Marcos,

Thank you for your answer. Will try that; however, it does not answer one important point. Why does NOD32 not alert me and ask me what to do? The only way for me to know that it has blocked the file is for me to test if the file is protected (source and destination file is the same).

> 2. If a file is detected during the process of signing, simply exclude the folder containing the file from scanning.

Unfortunately I have many directories (tens). It's just a pain in the *** if I have to do that manually. I really need NOD32 to ask me so I can use its dialog to ignore the directory/file.

Edited October 13, 2014 by nminkov

Administrators Marcos 5,451 Posted October 13, 2014

> Why does NOD32 not alert me and ask me what to do? The only way for me to know that it has blocked the file is for me to test if the file is protected (source and destination file is the same).

This was explained above: a file is not blocked unless an alert is triggered. If no alert is triggered and a file is blocked, it must be a different issue, e.g. a file sharing violation. In such a case, you'd need to contact Customer Care to troubleshoot it further.

nminkov 0 Posted October 13, 2014 Author

> you'd need to contact Customer Care to troubleshoot it further.

I already did that twice, never got a response from them. Got someone on Twitter from NOD32 that oriented me to this forum.

Administrators Marcos 5,451 Posted October 13, 2014

Not sure which distributor you contacted; you can drop me a PM.

The problem could be that it takes longer to scan protected files and Themida times out. You can try disabling advanced heuristics for newly created/modified files and keep it enabled on execution only to confirm or deny my assumption.

Former ESET Employees JavierSeguraNA 36 Posted October 13, 2014

Hello nminkov,

Is the file being blocked upon creation? Is your .exe created and saved in a folder without execution? Can you try going into Real-time file system protection and unchecking the file creation box? Obviously the ideal scenario is to have it checked, but as long as you have file open and file execution checked you should be OK, at least during the issue diagnosis.

nminkov 0 Posted October 14, 2014 Author (edited)

> Hello nminkov,
>
> Is the file being blocked upon creation? Is your .exe created and saved in a folder without execution? Can you try going into Real-time file system protection and unchecking the file creation box? Obviously the ideal scenario is to have it checked, but as long as you have file open and file execution checked you should be OK, at least during the issue diagnosis.

Thank you Marcos and Javier,

I can see that Themida is protecting the .exe and saving it, but after that, the saved file is the original unprotected one (source and dest are the same). We have tried to uncheck the file creation NOD32 option; however, it's inconclusive: sometimes it works, sometimes not, and again, nothing is logged in the NOD32 logs, which is even more odd. The issue is observed on 3 different machines.

We use Themida on the command line. Can NOD32 behaviour be affected by that?

I will try to make an example script to reproduce the issue using the Themida demo version.

Edited October 14, 2014 by nminkov

nminkov 0 Posted October 15, 2014 Author (edited)

I am having trouble reproducing the issue, which is very strange because usually it happens every time NOD32 real-time protection is running. Will post back when I have more info.

Edited October 15, 2014 by nminkov

Former ESET Employees JavierSeguraNA 36 Posted October 15, 2014

Don't know if you have tested excluding the Themida application completely, as well as saving the protected version in a different path than the default path. Just a thought.