Other AVs unpacking NOD32 quarantine files?


RejZoR
September 3rd, 2005, 04:54 AM
I was wondering why the hell are other AVs like BitDefender and Kaspersky unpacking NOD32 quarantine files? It's just stupid. Is this allowed at all or not?
BD even detects it as Quarantine PE packer.

webyourbusiness
September 3rd, 2005, 09:37 AM
they would almost have to check these files - otherwise it would become a virus writer's hiding strategy - name your files as if they have been detected and rendered safe by another AV solution... how would you work round that?

RejZoR
September 3rd, 2005, 10:03 AM
But that's IMHO not the way to "steal" quarantined samples from some other AV.
Not to mention the mess it makes when you run two AVs (one primary and second one as backup). I tried BD9 and NOD32 this way and BD was constantly "stealing" NOD32 quarantined samples.

Firecat
September 3rd, 2005, 10:18 PM
If the quarantined files are encrypted, then would other AVs still detect those files? ???

Brian N
September 3rd, 2005, 10:23 PM
-{ Quote: "If the quarantined files are encrypted, then would other AVs still detect those files? ???" }-
That's what I was thinking too, they shouldn't be able to access those files if they are encrypted.
Very strange indeed.

nyone
September 3rd, 2005, 10:31 PM
-{ Quote: "That's what I was thinking too, they shouldn't be able to access those file if they are encrypted.
Very strange indeed." }-

encryption/packing - it's all been used by viruses too... if a "competitor" finds ANY type of packed or encrypted file, it MUST investigate to the best of its ability - or it risks letting past a packed virus - which ironically, is EXACTLY what a quarantine file is...

now wouldn't it be interesting to have a virus that targets quarantine files, unpacks them into protected memory, alters them, and re-releases them with different characteristics... oh what fun!

Firecat
September 3rd, 2005, 10:38 PM
But the meanings of an encrypted file and a packed file are different.....:-\

-{ Quote: "Pack

- To compress data in order to save space. Unpack refers to decompressing data. See data compression.

- An instruction that converts a decimal number into a packed decimal format. Unpack converts a packed decimal number into decimal.

- In database programs, a command that removes records that have been marked for deletion.

Encryption

The reversible transformation of data from the original (the plaintext) to a difficult-to-interpret format (the ciphertext) as a mechanism for protecting its confidentiality, integrity and sometimes its authenticity. Encryption uses an encryption algorithm and one or more encryption keys. See encryption algorithm and cryptography." }-

As such, the word 'reversible' is the key here, but wouldn't companies use encryption that can only be decrypted by them? ???

rdsu
September 3rd, 2005, 10:47 PM
-{ Quote: "If the quarantined files are encrypted, then would other AVs still detect those files? ???" }-
I think that the files aren't encrypted...

-{ Quote: "In cases where you are unsure whether it's safe to delete an infected file, you may store it in quarantine, a convenient location to store infected or suspicious files in a benign form. (That is, in a form that can't be executed.) The location of the quarantine directory is set by default, but it can be changed in the Advanced Tab of the NOD32 System Setup page.

Note that in many cases (especially with Trojans, backdoors, dialers, Win32 worms incoming by email, etc.), the “infected” file is just the body of the worm. Since a file of this type contains no useful data, it is simply deleted instead of cleaned." }-
It seems that BitDefender, F-Prot, Kaspersky scan the quarantine files of NOD32...

Firecat
September 3rd, 2005, 10:59 PM
-{ Quote: "I think that the files aren't encrypted..." }-

Add encryption of quarantine files to NOD32 future changes list! ;D

webyourbusiness
September 4th, 2005, 12:51 PM
Firecat,

you know where the wishlist thread is..

http://www.wilderssecurity.com/showthread.php?t=49674

MichelB
September 4th, 2005, 11:44 PM
Looks like they are 1-byte encrypted, by looking in a hex editor. This is not a problem, why would it be? Some other AV doesn't "steal" any sample, it would not need it.. if it didn't know what the virus is then no detection? ;-)
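
The two points the thread turns on, Firecat's distinction between packing (reversible without a secret) and encryption (needs a key), and the "1-byte" transformation MichelB describes seeing in a hex editor, can be shown side by side. The following is an added illustration written for this page, not code from NOD32, BitDefender or any poster; the sample bytes, the toy signature, the XOR key 0x5A and the quarantine record layout are all constructed, and the HMAC-counter stream cipher stands in for a real AEAD such as AES-GCM:

```python
"""Illustrative only: a single-byte XOR "encoding" of a quarantined file does not
stop another scanner from seeing its content, while a keyed scheme does.
Everything here (format, signature, sample bytes) is constructed for the example."""
import hmac
import hashlib
import os
from typing import Optional

# Constructed stand-in for a quarantined executable: a DOS 'MZ' header, the 'PE'
# marker, and a string our toy scanner treats as its detection signature.
SIGNATURE = b"CONSTRUCTED-TEST-MARKER"
SAMPLE = b"MZ\x90\x00" + b"\x00" * 60 + b"PE\x00\x00" + SIGNATURE + b"\x00" * 16


def xor_single_byte(data: bytes, key: int) -> bytes:
    """The kind of 1-byte transformation visible in a hex editor: every byte XORed
    with the same constant. Reversible by anyone who guesses the constant."""
    return bytes(b ^ key for b in data)


def scanner_matches(blob: bytes) -> bool:
    """Toy signature scanner: plain substring match on the raw bytes."""
    return SIGNATURE in blob


def scanner_matches_with_xor_guess(blob: bytes) -> Optional[int]:
    """What a scanner that knows such a format effectively does: there are only 256
    candidate single-byte keys, so it tries each and matches on the result.
    Returns the key under which the signature matched, or None."""
    for key in range(256):
        decoded = xor_single_byte(blob, key)
        if decoded.startswith(b"MZ") and SIGNATURE in decoded:
            return key
    return None


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode as a keystream. Illustrative stand-in for a vetted
    AEAD (AES-GCM, ChaCha20-Poly1305); do not use this construction in production."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def seal(key: bytes, data: bytes) -> bytes:
    """Keyed, authenticated quarantine record: nonce || ciphertext || tag."""
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(data, _keystream(key, nonce, len(data))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def open_sealed(key: bytes, blob: bytes) -> bytes:
    """Verify the tag before decrypting; raises on a wrong key or a modified record."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("quarantine record failed authentication")
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))


def demo() -> dict:
    """Store the constructed sample both ways and report what the toy scanner sees."""
    xor_blob = xor_single_byte(SAMPLE, 0x5A)   # constructed 1-byte key
    key = os.urandom(32)                       # per-installation quarantine key
    sealed_blob = seal(key, SAMPLE)
    return {
        "raw_hit": scanner_matches(SAMPLE),
        "xor_hit_plain": scanner_matches(xor_blob),
        "xor_key_recovered": scanner_matches_with_xor_guess(xor_blob),
        "sealed_hit_plain": scanner_matches(sealed_blob),
        "sealed_key_recovered": scanner_matches_with_xor_guess(sealed_blob),
        "owner_can_restore": open_sealed(key, sealed_blob) == SAMPLE,
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Run as a script, the XOR'd record fails a plain substring match but the 256-key guess immediately recovers it, which is why a second scanner still raises an alert on such a file; the sealed record yields nothing to either check, and only the holder of the local key can restore it, which is the symmetric setup mrtwolman has in mind when he calls public-key crypto overkill.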

mrtwolman
September 6th, 2005, 12:04 PM
-{ Quote: "Add encryption of quarantine files to NOD32 future changes list! ;D" }-

IMHO public key crypto would be a bit overkill ;D