NOD32's unpacking engine?

What kind of unpacking engine does NOD32 have, or does it have any at all?

Curious, its missing repacked baddies for me.

 

Virus detection in compressed or protected executable files, such as Pklite, Lzexe, Diet, Exepack, CPAV, UPX, AsPack, FSG, Petite, Neolite.

Support of many archive formats, e.g. ZIP, RAR, ARJ, LZH, LHA

 

dear Kobra if you name the baddies and the run-time packers used to pack them, it'll surely enlighten us. if you are testing or in a real-life situation, please explain in detail so that we'll all learn a little and who knows might be able to shed a little light. as far as i know NOD32 didn't have problems with packers. it even detected the version of the packer used to compress the files.

oh by the way Marcos CPAV is Central Point Antivirus which adds a checksum to every file it scans. if there is a packer by that name please let us know. no offense meant i just want to know.

 

I'm working with a repacked Trojan that seems to have several different rebased baddies inside it. Heres my results so far..

So far:

NOD32: Missed (including /AH command line option for Advanced Heuristics)
BitDefender: Missed
BOClean: Missed
TDS3: Missed
Ewido: Missed
Trojan Remover: Missed
Trend Online: Missed
Panda Full Edition: Missed
Antivir(H+Bdev): Missed (Including their new deep heuristic engine)
Symantec Corporate: Missed (yes, super heuristics were ON)
PCcillin(trend): Missed
e-Trust: Missed

Dr.Web: Found
F-Secure: Found
McAfee: Found
KAV5: Found (note, their online scan MISSED, but installed product got)
KAV4.5: Found

I sent the sample packed/rebased file over to NOD32, BOClean, BitDefender and some others already. So far, only Kevin at BOClean has replied, and issued new updates to cover it, there was several rebased/hacked baddies inside hiding that nothing else picked up either! Only the 4 progs above managed to pick everything up so far.

 

what about the versions of those AV products? all those were updated upto which date?? how many trojans do you have in that collection? can you giveout the KAV and McAfee namings of those "baddies"? thank you.

 

All the latest versions.. The bundle part of the trojan was picked up by 4 of the products as various things such as:

MultiDropper-FD
Win32:Trojan-gen. {UPX!}
Trojan horse Dropper.ExeBundle.AC
Trojan.Muldrop.660
TrojanDropper.Win32.ExeBund

However, inside this packed bundle, with the dropper, are several new "Mystery Meats" as BOClean folks called it when they disected it. I'm assuming this to mean rebased/hacked based on what they told me.

 

What about ace, cab, tar, tar.gz? I did some tests with eicar txt file and noticed that NOD32 don't detect the eicar test virus within those formats.

Can we expect a support of ace, cab, tar, tar.gz in future versions? I think it isn't less important than other formats.

Regards

 

cab will be supported, I don't know about others... But AMON will catch infected files on unpacking...

 

AH uses a generic unpacker, so, Ah can analyze others format than he aboves and also can analyze some packed files that are packed with a new utility never seen before.