After much thought, Virus Guy came up with this jewel:
> kurt wismer wrote:
>
> > virus guy's contention that anti-virus products don't detect
> > exploits on their way in is demonstrably false - there are
> > products that do have technology for scanning things as they
> > come off the wire (nod32 is one of the ones that implements...
>
> I don't recall that it was ever shown that any AV product prevented,
> for example, IE from crashing when exposed to test samples of the VML
> vulnerability.
>
> Can you point to a URL that describes how (or where) nod32 situates
> itself such that it's able to be the first process to intercept (scan)
> ethernet packets before that data is passed to a higher layer?
>
> Does NOD make such a claim?
From the Nod32 help files on the "Internet Monitor-IMON" module.
Enable HTTP checking - if enabled, all traffic through HTTP is scanned.
Ports used by the HTTP protocol - a list of ports used by the HTTP
protocol.
Automatically detect HTTP communication on other ports - enables
automatic detection of HTTP communication also on other than the ports
specified.
In the Actions section you can specify how IMON will act if an incoming
infiltration from the Internet is detected.
Display warning window with action selection - IMON will show a
warning window and allow the user to terminate the connection with the
particular server.
Automatically deny download of infected file - IMON will automatically
terminate the connection.
Compatibility Setup
Client compatibility setup provides an option to toggle between active
and passive mode (better efficiency and better compatibility
respectively) used for a particular application.
IMON works in two modes: "passive" and "active". In passive (higher
compatibility) mode, portions of a downloaded file are continuously
passed on to the target application whilst IMON stores a temporary copy
of each of the fragments. When the last fragment is detected, the whole
file is scanned for viruses. If an infiltration is detected, a warning
window appears and the connection with the particular server is
terminated. A disadvantage of that is that the already downloaded
portion of the file may already contain a fundamental portion of a
malicious code. What's more, if the application repeatedly attempts to
download the infected file, it may use the already downloaded data and
request only the rest of the file. In such a case, IMON may find
nothing suspicious in the remaining portion.
In active (higher efficiency) mode, IMON first downloads and scans the
whole file and then passes it on to the target application. This
procedure is safer because in the case of an infiltration the
application does not receive any portion of the downloaded file. A
disadvantage is that the application receives all data at once,
therefore it cannot show the download status properly. Therefore, if
the download lasts for more than 5 seconds, a small window showing the
download progress pops up beneath the system tray. Active mode is not
suitable for certain types of data which require a continual data flow
(e.g. multimedia, streaming video/audio).
The Server compatibility option enables you to set Higher compatibility
mode for particular servers regardless of the mode set for the
particular browser.
Switch to passive (compatible) mode for files larger than ... KB - if
enabled, files larger than the specified size will be downloaded in
passive mode automatically.
Switch to passive (compatible) mode for files being downloaded that
take more than ... seconds - if enabled, files being downloaded will
switch to passive mode after the specified time has elapsed. This
setting is useful for larger files or for slower connections.
--
Virus Removal Instructions http://home.neo.rr.com/manna4u/
Keeping Windows Clean http://home.neo.rr.com/manna4u/keepingclean.html
Change nomail.afraid.org to gmail.com to reply. nomail.afraid.org is
specifically set up for USENET. Feel free to use it yourself.
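The passive versus active behaviour quoted from the help text above, as an added simulation (not code from the original post or from ESET): a constructed origin server hands out a file in fragments, the scanner either forwards fragments before scanning the reassembled copy (passive) or buffers the whole file first (active), and the resume case shows why a Range request for only the missing tail leaves the passive scanner with nothing to match. The signature, file contents and chunk size are constructed stand-ins.

```python
from dataclasses import dataclass

# Constructed stand-ins: a detection pattern and a file that contains it at byte 17.
SIGNATURE = b"EICAR-TEST"
MALICIOUS_FILE = b"GOOD-HEADER-BYTES" + SIGNATURE + b"-TRAILER-BYTES--"   # 43 bytes
CLEAN_FILE = b"just a harmless text file"
CHUNK = 8   # size of each fragment the constructed origin server sends


@dataclass(frozen=True)
class Result:
    mode: str
    infected: bool
    delivered_bytes: int   # how much the application already holds when the scan runs


def scan(data: bytes) -> bool:
    """Signature match over whatever bytes the scanner has (stand-in for the AV engine)."""
    return SIGNATURE in data


def serve(body: bytes, start: int = 0):
    """Constructed origin server: fragments of `body` from byte `start` (a Range request)."""
    for i in range(start, len(body), CHUNK):
        yield body[i:i + CHUNK]


def passive_download(body: bytes, start: int = 0) -> Result:
    """Passive mode: fragments are forwarded to the application as they arrive while the
    scanner keeps a temporary copy; the copy is scanned once the last fragment shows up."""
    frags = list(serve(body, start))
    delivered = b"".join(frags[:-1])   # everything before the last fragment is already out
    temp_copy = b"".join(frags)
    if scan(temp_copy):
        return Result("passive", True, len(delivered))   # connection cut, but data is out
    return Result("passive", False, len(temp_copy))


def active_download(body: bytes, start: int = 0) -> Result:
    """Active mode: the whole file is buffered and scanned before any byte is released."""
    buffered = b"".join(serve(body, start))
    if scan(buffered):
        return Result("active", True, 0)
    return Result("active", False, len(buffered))


def passive_resume(body: bytes) -> Result:
    """The failure mode the help text warns about: after a terminated passive download the
    application re-requests only the missing tail, so the scanner never sees the signature."""
    first = passive_download(body)
    return passive_download(body, start=first.delivered_bytes)
```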