
Cleaning Behavior in Nod 32


eshrugged

Hi.

 

My question concerns each Nod 32 scanner.

 

If I have the cleaning parameter set to -- No cleaning -- Nod 32's behavior as described in the GUI help file is :

 

No cleaning – Infected files will not be cleaned automatically. The program will display a warning window and allow the user to choose an action. This level is designed for more advanced users who know which steps to take in the event of an infiltration.

 

 

In the past I've used security products that had this option for no auto-clean. They did have a catch, however. Upon infiltration you'd be presented with action options, but if you didn't respond to the prompt within X seconds the programs would either take the matter out of your hands and choose their own coded action or, if the security program process was called by the OS shell, Windows Explorer, the computer would become unresponsive and you'd be forced to do a hard shutdown.

 

How long will Nod 32's infiltration prompt for action wait for user action? Minutes, hours, infinity?

 

 


Hi Marcos.

 

Thank you very much for taking the time to test this on your own. How long did your test run?

 

I thought ESET would have data available from their own development tests. Is this forum the proper place to ask for that type of data? If not here, do you know where I should ask?

 

 


Thank you very much for taking the time to test this on your own. How long did your test run?

Surely 3 days... :D

No, seriously, if NOD32 had such an option then it would surely be below 30 seconds and I think it would also be configurable.

As neither is the case, I think there isn't such an option. But as a future suggestion this would be a neat idea.

 

I thought ESET would have data available from their own development tests. Is this forum the proper place to ask for that type of data? If not here, do you know where I should ask?

Well... there are many forum members (mods and "staff members") from ESET here - some are from ESET Slovakia, some from ESET NA and also a few from other countries.

But as ESET is a huge company, nobody knows everything. Especially if it is such a detailed question as the one you asked.

So maybe there are other forum members who can answer your question more certainly, but Marcos' test is also a way to find out the answer... :D

Edited by rugk

 Hi rugk.

rugk, on 01 Mar 2015 - 11:43 AM, said : 

Surely 3 days... :D

 

hehee

 

Thank you for the info regarding the forum. It's good to know. I understand getting an answer for my initial question (and follow ups) could take some time. I appreciate Marcos' earlier 'take the bull by the horns' testing. Until I find out a more definitive answer, I'll be satisfied with using the default parameter.

 

My choice would be :

 

Upon detection, if I'd previously moved the parameter slider to -- No cleaning -- I prefer that Nod32 notify, then do nothing unless and until I choose which action to take.

Edited by eshrugged

  • Administrators

By default, dialogs requiring user intervention are closed after 120 seconds and I left the alert window open much longer. That confirms my assumption that alerts are an exception to the setting.


I use the default even if I know what I should answer on a threat notification, as I think it works fine to restore from the quarantine. But I have never had a real FP case so I haven't needed to; I have only got some PUA detections, and for those you will be notified what to do even if you use the default cleaning.


By default, dialogs requiring user intervention are closed after 120 seconds and I left the alert window open much longer. That confirms my assumption that alerts are an exception to the setting.

 

Thanks Marcos. In the near future I'll try contacting ESET to see if they've tested and have publicly available results for my scenario. I'll report back. I don't have a test environment set up.


  • Administrators

 

By default, dialogs requiring user intervention are closed after 120 seconds and I left the alert window open much longer. That confirms my assumption that alerts are an exception to the setting.

 

Thanks Marcos. In the near future I'll try contacting ESET to see if they've tested and have publicly available results for my scenario. I'll report back. I don't have a test environment set up.

 

 

I wrote that I had tested it. So asking someone else to conduct the very same test is redundant. No special test environment is needed, just use the eicar test file to trigger an alert.


 

 

By default, dialogs requiring user intervention are closed after 120 seconds and I left the alert window open much longer. That confirms my assumption that alerts are an exception to the setting.

 

Thanks Marcos. In the near future I'll try contacting ESET to see if they've tested and have publicly available results for my scenario. I'll report back. I don't have a test environment set up.

 

 

I wrote that I had tested it. So asking someone else to conduct the very same test is redundant. No special test environment is needed, just use the eicar test file to trigger an alert.

 

It wouldn't be redundant.

 

A scenario for my original question :

 

I'm the admin. Cleaning is set to -- No cleaning. I'm away for X hours. A household member who's less capable than I of making an informed decision for an alert will call me. My answer to him/her could take many minutes.

 

I know I can test with eicar or otherwise (and might end up doing so) but I wanted to avoid potentially doing an unnecessary, hard shut down.


Do it with Eicar. When you have the threat notification on the screen, leave it and go do some grocery shopping or whatever, and when you come back check if the notification is still on the screen. I figure that should be long enough to see if it stays up for a "long time" or not. I can't see why you would need to do a hard shutdown; the only "bad" thing that could happen is probably that the notification is long gone when you come back, as you don't want that :)

 

Or just fire up a VM and do it in there.

Edited by SweX

  • Solution

I did some brief testing of real-time protection with cleaning set to -- No cleaning.

 

It's important to note that I used the eicar test tool. It's easily contained. A self-replicating malware, on the other hand, is not. So, to be clear, I'm not advocating for or encouraging anyone to set their cleaning parameter to -- No cleaning. I tested it because there might be circumstantial usefulness to me. The default -- Standard cleaning -- imo, is the best option for most, to all, including myself.

 

Machine is W7 SP1 x64 (I use process explorer instead of task manager and it's set to always be on top). 

 

First test was opening the eicar file in notepad. I left the Nod32 alert up for about 30 minutes. Brief notes:

 

1) Alert window stays on top of all windows, including windows opened post alert, except for process explorer. Alert window can be moved but you cannot copy and paste its contents. At the end of and during the 30 minutes I had no problems with my PC and at conclusion Nod32 allowed me to choose to clean or take no action.

 

2) I could open other programs, including browsers, from the desktop, taskbar, start menu, etc., during the alert.

 

3) Nod32 auto-updated (scheduled) mid-test.

 

The second test had an eicar file directly on the desktop. I left Nod32's alert in place for about 20 minutes. Brief notes:

 

1) Same as note #1 above except test length.

 

2) I could not open any desktop programs (or use their context menus). I could open programs, including browsers, in the taskbar and in the start menu.

 

[Screenshot: 1st test]

[Screenshot: 2nd test]

 

Thanks to everyone who added to this thread. 

 

Regards.

 

 

 

 


Nice test!

So a small explanation of the two scenarios: If a threat is detected and ESS/NOD32 asks the user, then the process which creates or executes (or is) the threat is blocked until the user makes a decision. And as in the second case this is the Explorer, it's of course also blocked, and this is the reason why you can't open any programs or open the context menu there.

Edited by rugk

Ya. I realize that ESET will forever wait for our response to its alerts until we respond to them. But I hope that a future release will have some sort of flexibility like a timer. The user can choose whether to let ESET have the prompt alert forever, 30 minutes or 5 minutes. If no action is taken after the timeout, ESET will allow or block the program (depends on the user's options).

Edited by yongsua