NOD packer and archive support?

azumi21 · #1 March 20th, 2006, 03:01 PM

How many packers does the current version of NOD support?
Will this improve in new version 3?

Also, the same question on archives.

Thanks in advance.

pykko · #2 March 20th, 2006, 04:38 PM

hope they will, they are not supporting 7z and ace archives and many packers.... see here: http://avtest.mycity.co.yu/modules/n...php?storyid=29

Marcos · #3 March 20th, 2006, 05:27 PM

Heh, you are refering to a 1-year old test. AH uses a generic unpacker which they didn't mention !

CyberMew · #4 March 21st, 2006, 12:52 AM

Does NOD32 support PPMd and bzip2 compression? Winzip 10 has this feature and it scares me that NOD32 tells me it's an unknown compression format.

azumi21 · #5 March 21st, 2006, 02:21 AM

Quote:

Originally Posted by Marcos

Heh, you are refering to a 1-year old test. AH uses a generic unpacker which they didn't mention !

Does the NOD AH generic unpacker now or will support these packers/crypters and the plethora of other/newer ones?

NOD32 2.12.4 - May 2005 (the old test)

"missed 23/30 tested"

"armprotector, cexe, codesrypt, lamecrypt, mew11, mslrh, nfo, noodlecrypt, packman, pe-crypt, pecompact2, ped, pelocknt, perkypt4, pepack, peshield,pespin,pex, upack, vgcrypt, wwpack32, yodacrypt, yodaprotect."

http://avtest.mycity.co.yu/fajlovi/u...tabela_en.html

kjempen · #6 March 21st, 2006, 11:44 AM

Maybe not so important (since archives themselves aren't really any threat), but even if the test is a bit old, 7z and ACE archive support is still missing in NOD.

pykko · #7 March 22nd, 2006, 11:41 AM

Quote:

Originally Posted by Marcos

Heh, you are refering to a 1-year old test. AH uses a generic unpacker which they didn't mention !

Of course you have AH with generic unpacker but that doesn't solve everything. I have some files packed and NOD can't unpack them.

And about .ACE archive support this is a very common archive type and also 7z started to be. Can't you update the archive support module to solve this issue?

Marcos · #8 March 22nd, 2006, 12:34 PM

Yes, we will do so in the future. Or you want us to postpone the development of v3? :-)

pykko · #9 March 22nd, 2006, 12:48 PM

no, no....I just want some screen-shots

Marcos · #10 March 22nd, 2006, 01:09 PM

It's not up to me, I've seen it only once anyway.

Firecat · #11 March 22nd, 2006, 03:29 PM

From CSA, NOD32 Authorised Partner (http://www.nod32-av.com):

Quote:

- Virus detection in compressed or protected executable files, such as UPX, AsPack, FSG, Petite, Neolite, ExeStealth, yoda's Crypter, PECompact, Pklite, Lzexe, Diet, Exepack, CPAV, Morphine, CEXE, Hloopack, Polycrypt .

- Support of many archive formats, e.g. ZIP, RAR, ARJ, LZH, LHA, CAB, CHM, TAR, GZIP, BZIP2, NSIS, SIS, WISE.

I don't think this is a complete list, however, as many more packers should be supported via the generic unpack engine.

You can also see this page for a test from CheckVir about NOD32's archive support (Jan. 2006):

http://www.checkvir.com/index.php?CN=30.3.46.7&CIE=0

However, NOD32 seems not to support self-extracting ZIP or ACE files.

rothko · #12 March 22nd, 2006, 03:36 PM

Quote:

Originally Posted by Firecat

However, NOD32 seems not to support self-extracting ZIP or ACE files.

NOD32 does detect threats in self-extracting ZIP files as far as I can see, though not if they are password protected...

azumi21 · #13 March 23rd, 2006, 12:13 AM

Thank you Firecat =)

Quote:

Originally Posted by Firecat

From CSA, NOD32 Authorised Partner (http://www.nod32-av.com):

Quote:
- Virus detection in compressed or protected executable files, such as UPX, AsPack, FSG, Petite, Neolite, ExeStealth, yoda's Crypter, PECompact, Pklite, Lzexe, Diet, Exepack, CPAV, Morphine, CEXE, Hloopack, Polycrypt .

- Support of many archive formats, e.g. ZIP, RAR, ARJ, LZH, LHA, CAB, CHM, TAR, GZIP, BZIP2, NSIS, SIS, WISE.

I don't think this is a complete list, however, as many more packers should be supported via the generic unpack engine.

You can also see this page for a test from CheckVir about NOD32's archive support (Jan. 2006):

http://www.checkvir.com/index.php?CN=30.3.46.7&CIE=0

However, NOD32 seems not to support self-extracting ZIP or ACE files.

CyberMew · #14 March 23rd, 2006, 02:26 AM

Er.. what about the 2 kinds of compression by Winzip 10?

RejZoR · #15 March 23rd, 2006, 04:57 AM

WinZIP is just "rebranded" crap with few useless compressions.
If you want powerful compression you go with PAQ/RAR/LZMA(7-zip->7z), if you want compatibility you go with standard ZIP (Deflate). Those stupid Deflate64 are mostly useless. Just a bit better compression than standard Deflate and 64bit extension support (longer filenames, over 2GB support etc).
If you want alround archiving you use RAR or LZMA (7z).
PPMd is also supported in 7-zip and is much better than the one in WinZip 10.
Not to mention 7-zip is free and WinZip 10 is not.
A bit offtopic though...

IcePanther · #16 March 23rd, 2006, 12:44 PM

My opinion is : these packed files, if malware (and also if legit, but it's not really the topic) must be extracted / unpacked / decrypted, before they can be run.

If any antivirus catches the malware on unpacking before it runs, then the computer is protected, regardless of the number of unpackers it supports. That is for real time protection.

Now I agree that for on-demand scanning it can be useful to support more formats, just for, say, enhanced security purposes, and to check you don't send an infected file to someone, for example.

RejZoR · #17 March 23rd, 2006, 01:44 PM

That doesn't apply for runtime packers though and these are the most important.

IcePanther · #18 March 23rd, 2006, 02:30 PM

Hi

I may not know what exaclty a runtime packer is, but I understand it as a compressed code that's uncompressed at runtime (when it is called / needed) by another part of the code, so it's hiden until the file unpacks it when running...

I agree in this particular case, supporting the more (or having a generic detection way) packers would be a good thing, or allowing a code to load *in memory (necessarily unpacked to be run)* then scan/clean the memory, before allowing the code to be run. But this would be another thing, and probably would slow down the computer.

Brian N · #19 March 23rd, 2006, 02:33 PM

Quote:

Originally Posted by IcePanther

Hi

I may not know what exaclty a runtime packer is, but I understand it as a compressed code that's uncompressed at runtime (when it is called / needed) by another part of the code, so it's hiden until the file unpacks it when running....

Correct. Loads into memory when extracted and run. UPX is the most common runtime packer currently.

IcePanther · #20 March 23rd, 2006, 03:02 PM

Okay ^^ Thanks for the info, I had seen this UPX name numerous time when mentioning runtime packers indeed, i'll see on their site for more info and i'll test it on some software of my own to see by myself...

Brian N · #21 March 23rd, 2006, 03:06 PM

Also using UPX: http://nod32sse.hotserv.dk/scanwarning.php

NOD32 user · #22 March 25th, 2006, 10:17 AM

Quote:

Originally Posted by IcePanther

My opinion is : these packed files, if malware (and also if legit, but it's not really the topic) must be extracted / unpacked / decrypted, before they can be run.

If any antivirus catches the malware on unpacking before it runs, then the computer is protected, regardless of the number of unpackers it supports. That is for real time protection.

Now I agree that for on-demand scanning it can be useful to support more formats, just for, say, enhanced security purposes, and to check you don't send an infected file to someone, for example.

Agreed

Quote:

Originally Posted by RejZoR

That doesn't apply for runtime packers though and these are the most important.

Agreed

Thread Tools	Search this Thread
Show Printable Version Email this Page	Search this Thread: Advanced Search