Author Topic: NOD32 Technical Support - Interesting response  (Read 5863 times)

Carol Haynes

NOD32 Technical Support - Interesting response
« on: December 03, 2006, 05:08 AM »
Following my recent issues with Netgear SC101 drivers and NOD32 I got an interesting suggestion from NOD32 support - switch off the IMON module and see if that cures your problem. I tried it and no more problems, but I was worried that by turning off IMON I was leaving a security hole in my AV solution ... here is their response to my concerns ...

The next version of NOD32 will be sans IMON. It's being totally eliminated from the program for this very reason.

In 1992, when NOD32 was introduced, very few programs operated at the winsock level. Today, in addition to Google and Microsoft, 100s of other developers are creating software in this manner. That would be fine, except for the fact that any app that operates here needs the top spot in the stack, and only one program can have it.

As it is now, it can't be enabled at all, on a server.

IMON was just the first layer of defense, a supplement. The strengths of NOD32 are AMON, which scans every file that performs an action, as it performs that action, and the advanced heuristics, which are stopping 90+% of all new threats before a definition is even written.

By quitting IMON now, you'll not only allow both programs to operate together, but you'll also lose no coverage.

Thank you,
Eset Tech Support

So there you have it - IMON does nothing useful so you may as well switch it off and forget it (and save a few CPU cycles presumably in the process) !!

mouser

Re: NOD32 Technical Support - Interesting response
« Reply #1 on: December 03, 2006, 07:00 AM »
Cool - thanks for sharing that, Carol.

f0dder

Re: NOD32 Technical Support - Interesting response
« Reply #2 on: December 03, 2006, 11:15 AM »
Hummm...

what they're basically saying is that they can't write a stable socket filter driver?
- carpe noctem

Curt

Re: NOD32 Technical Support - Interesting response
« Reply #3 on: December 03, 2006, 11:39 AM »
an interesting suggestion from NOD32 support - switch off the IMON module
As it is now, it can't be enabled at all, on a server.

So there you have it - IMON does nothing useful

Did not Eset point out that this talk is about a server?
- or did I read something that is not there?

Are you running a normal pc at home, or some server?

Carol Haynes

Re: NOD32 Technical Support - Interesting response
« Reply #4 on: December 03, 2006, 12:15 PM »
Home PC - but given that they say it doesn't really achieve anything and that it won't even be in the next release ...

f0dder

Re: NOD32 Technical Support - Interesting response
« Reply #5 on: December 03, 2006, 12:28 PM »
I dunno about their claim that "it doesn't really achieve anything"...

I don't really know how they implement the stuff, but a filter driver could detect an incoming buffer overflow (or other exploit) attempt before it activates. Keep in mind that you don't necessarily need to write anything to disk - there's been at least a couple of worms that only ever lived in memory.
- carpe noctem

dk70

Re: NOD32 Technical Support - Interesting response
« Reply #6 on: December 03, 2006, 12:46 PM »
As I understand HTTP scanning, the one and only unique feature is drive-by protection where code is executed in memory - or through browser exploits perhaps. As soon as good old files are involved, the default module kicks in. More or less the same for the email filter, though such a thing often does a lot more than just look at attachments/files. Free Avira is doing quite well without any of these.

Sounds like a bad excuse from someone who aims at optimal protection. Could be disabled by default perhaps.