How to let ME block or not downloaded files (and not Nod32) ?

[EzheTThezh 1]

Hello,

 

I face a simple yet annoying problem: sometime when I download a file, it is blocked by Nod32 because (this is not the original message as I run Nod32 in french version so it may sound a bit different in the english version): "your download has been blocked because this file seems to be infected by a virus or  a malware".

 

I would like Nod32 to finish the download and then ask me what I want to do but I don't have the choice: my download is automatically aborted  :/

 

How can I do that ?

 

Thank you in advance,

 

[Marcos 5,074]

If it is malware what you download then ESET won't give you a chance to continue with the download. However, if it's a potentially unwanted, unsafe or suspicious application which is detected, you'll be asked whether you want to terminate connection or take no action so that the download is completed.

[rugk 397]

Here you can get more information about PUAs: What is a potentially unwanted application?

There you can also see a message of a blocked download of a PUA and as you can see you can continue it.

But if it's malware then you can't do this of course.

 

Maybe some specific examples or screenshots would help to determinate what kind of detection it is.

Edited April 4, 2015 by rugk

[EzheTThezh 1]

Thank you for your answer.

What leads me to confusion is that Eset tells me that the downloaded file seems to be infected by a virus or a malware, which lets me think that, possiblly,  it may not be infected. Maybe this is the result of its heuristic engine and that it could be a false positive ? So again, I am looking for a way to decide by myself if I choose to continue the download or if I stop it.

Do I have to understand that you are telling me it is impossible ?

I tried several anti virus in the past years and, so far, I never saw one stopping a download without expressly asking me if I want to continue or not.

[rugk 397]

Well... of course you could completely deactivate the protocol scanning (which triggers this message) or exclude your browser (as you can see in the second screenshot below), but this would deactivate an important protection layer of NOD32.

 

So could you provide some screenshots of the message, where it states it "seems" to be infected?

If this is not a PUA detection and "seems" to be infected then this is a bit strange.

You can also post some links here, but if you do so please "unlink" them by replacing hxxp:// with hxxp:// e.g.

[SweX 871]

IMO, instead of fiddling around with exclusions and start believing the product is wrong and that it may be a FP each time it detects something(doing its job), simply send in a FP report to ESET and be done with it.

 

hxxp://kb.eset.com/esetkb/index?page=content&id=SOLN141&actp=search&viewlocale=en_US&searchid=1428166173832

 

If it really is a FP they will take care of it, if not then the detection will stay, and if you're still not happy after that then you can use exclusions provided you know about the risks. 

 

"I never saw one stopping a download without expressly asking me if I want to continue or not."

 

And if the user takes the wrong decision and end up infected they would blame the product, and the vendor would blame the user for taking the wrong decision. Therefore, no questions asked is best for the majority of users. But when it comes to user optional detections like Unsafe/Unwanted the choice is totally yours.

[EzheTThezh 1]

Thank you very much for your explanations. I understand better how things work with Eset now.

@rugk: I will definitely not disable the protocol scanning.

I can not post any screenshot because I chose to stop downloading the file: I didn't understand that a malware is way too risky compared to an adware.

Thank you again

[EzheTThezh 1]

I tried to download again the file and the problem occured again: see the screenshot (french):

[LabVIEW707 13]

What exactly are you downloading? Can you provide a link? 

[EzheTThezh 1]

This is some 3D stuff found on a blog:

hxxp://uploaded.net/file/gftnv1nv/yen.2415.78-3D_Max_model_mouldings.rar

Edited April 5, 2015 by EzheTThezh

[LabVIEW707 13]

Well even Google Chrome gave me a warning so I would not trust it. It may not be malware related but no way would I trust downloading it. 

[EzheTThezh 1]

I would like to download this file though and see by myself what's inside of it: if there is any kind of .exe file I won't open it for sure. So I tried what rugk suggested above and excluded Firefox from the protocol filtering. This time the download went further on, but at the very end Firefox gave me the same message "download blocked because  etc ...". And I couldn't retrieve the file.

[rugk 397]

I think this block is maybe a block from Firefox. Many browser also block malicious downloads.

So as this file got blocked by seemingly 1000 parties I really would stay away from it.

 

BTW under what name is it detected from NOD32?

Edited April 6, 2015 by rugk

[LabVIEW707 13]

Not sure what else to tell you. Eset, Google Chrome and Firefox are all warning you not to download it. If you absolutely need the file then I suggest emailing the person who made the file and telling them. 

[EzheTThezh 1]

OK you guys are probably right, I won't try to download it anymore, it would just be kind of stupid to do that.

@rugk: I can't give you any response because NOD32 doesn't give any name in the message.

[SweX 871]

@rugk: I can't give you any response because NOD32 doesn't give any name in the message.

I don't believe the notification in your screenshot in post #8 is an ESET detection notification, at least it doesn't look like it. It seems to be from the browser itself. Firefox uses "malware data" provided by Google, so if it is blocked in Chrome there is a chance that it is blocked in Firefox as well.

[EzheTThezh 1]

Thank you all for your clear explanations