A couple of NOD32 questions

Discussion in 'NOD32 version 1 Forum' started by msingle, Jan 25, 2003.

Thread Status:
Not open for further replies.
  1. msingle

    msingle Registered Member

    Joined:
    Jan 25, 2003
    Posts:
    82
    Hi,

    I have just "discovered" NOD32 and it looks interesting, and I am considering taking it for a spin and, if I like it, putting an article about it in my newsletter and a shortly forthcoming ebook. However, a couple of questions have come up in my reading:

    1. How does NOD32 handle zip files, meaning how deep can it scan if there is a zip file in a zip file, etc., and at what point does it scan - while downloading or once the unzipping has taken place?
    2. I've read somewhere, not sure where, that NOD32 doesn't scan outgoing emails. Is that true, and if it is, wouldn't that be important, or is there reasoning behind this, if true, that I'm missing?

    Thanks for your time.
     
  2. mrtwolman

    mrtwolman Eset Staff Account

    Joined:
    Dec 5, 2002
    Posts:
    613
    NOD32 can scan inside the zip archives, if you enable that feature. But scanning zips inside the zips that are in zips etc. is pure salesdroid argumentation..... it brings no additional security. The virus is only dangerous when it is extracted, and in the same moment as the viral file is created on your disk, AMON (the resident scanner in NOD32) will intercept it.

    Regards
     
  3. Paul Wilders

    Paul Wilders Administrator

    Joined:
    Jul 1, 2001
    Posts:
    12,472
    Location:
    The Netherlands
    In addition:

    It's true.

    The logic behind this is, any ITW virus will be caught by the AMON, can be cleaned - thus you're keeping your system clean. Therefore, there's no reason to check outgoing emails from a clean system.

    regards.

    paul
     
  4. sig

    sig Registered Member

    Joined:
    Feb 9, 2002
    Posts:
    716
    Unless someone can explain otherwise, I think the "scan outgoing mail" thing some AV's crow about is just a panacea for the user and a sales gimmick for the AV. I can't understand the logic of this "feature."

    For this feature to "work," your system must already be infected and your AV hasn't caught the baddie, thus allowing the infection. But if your system is infected, how will the same AV that allowed the infection to occur now catch it in an outgoing email? If the AV doesn't detect the malware and it infects the system, logically the same AV could scan outgoing email 10 times and it would make no difference: if the AV didn't detect the malware infecting the system it won't catch it in an outgoing email either.

    And if the AV did catch the malware when first introduced in the system and the baddie's been eliminated, then the system is clean. Consequently, the email will be clean as well.

    So I see some AV's creating a new "feature" that they say will enhance security (when it doesn't) and give customers the expectation that any decent AV should or must have this IMO useless feature to protect its customers. It's bogus and a sales gimmick. A marketer's sly idea, but I don't see how it enhances detection and security, although it might bolster the vendor's market share. It's about marketing, not security, in my view.
     
  5. msingle

    msingle Registered Member

    Joined:
    Jan 25, 2003
    Posts:
    82
    Okay, the reasoning behind the outgoing virus scan is more clear and makes sense now that it's been explained. A virus can't go out if, when it comes in or is accessed for the first time, it's caught and dealt with properly.

    However, on the compressed files issue. If you have a zip in a zip, etc. and those files are never unzipped I understand that your computer won't get infected. But if you email that infected file out couldn't that cause trouble for the receiver?

    I'm, again, probably missing something here.

    Thanks to everyone for your answers so far.
     
  6. sig

    sig Registered Member

    Joined:
    Feb 9, 2002
    Posts:
    716
    If you send a zip file containing malware to another user, that other user would have problems if he/she is running no AV/AT protection. (In which case they likely have other issues as well.) If they have a decent AV program (and AT program too for that matter if they get a lot of files that are passed around), the malware should be caught upon execution, unless it's something blazingly new or rare which no updates or heuristics will catch.

    If you want to make sure the file is clean, unzip it before sending to check it out. When it gets into matters of compressed files, packed files, etc, if I understand correctly evidently there are ways of eluding simple scanning detection by AV's and AT's...until the file is executed. Then a good AV (and AT) should detect and bop them. Again, viruses and worms are not the only concern if people are receiving zipped files and passing them on as is.
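
The nested-archive question raised in this thread, as an added example that is not part of any post and does not represent how NOD32 works internally: a depth-limited walk of a zip held in memory that reports where a match sits and, importantly, what was left unscanned. `MARKER`, `MAX_DEPTH`, `MAX_MEMBER_BYTES`, `scan_zip` and `build_nested` are names and values assumed for illustration; the marker is a constructed test string, not a real signature.

```python
import io
import zipfile

# Constructed stand-in for a signature match; not a real malware pattern.
MARKER = b"CONSTRUCTED-TEST-MARKER"
MAX_DEPTH = 5                        # assumed nesting limit
MAX_MEMBER_BYTES = 10 * 1024 * 1024  # assumed per-member cap (zip-bomb guard)


def scan_zip(data, depth=1, path="", findings=None):
    """Walk a zip held in memory; return [(member_path, depth, verdict), ...]."""
    findings = [] if findings is None else findings
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            name = f"{path}/{info.filename}" if path else info.filename
            if info.file_size > MAX_MEMBER_BYTES:
                findings.append((name, depth, "skipped: too large"))
                continue
            try:
                body = zf.read(info)
            except RuntimeError:  # raised for password-protected members
                findings.append((name, depth, "skipped: encrypted"))
                continue
            if zipfile.is_zipfile(io.BytesIO(body)):
                if depth >= MAX_DEPTH:
                    # Record what was NOT inspected instead of passing silently.
                    findings.append((name, depth, "skipped: nesting limit"))
                else:
                    scan_zip(body, depth + 1, name, findings)
            elif MARKER in body:
                findings.append((name, depth, "marker found"))
    return findings


def build_nested(payload, levels):
    """Construct sample input: payload wrapped in `levels` zip layers."""
    name, data = "doc.txt", payload
    for i in range(levels):
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
            zf.writestr(name, data)
        name, data = f"layer{i + 1}.zip", buf.getvalue()
    return data
```

Anything reported as skipped has not been inspected, so a sender who wants assurance about such an archive still has to unpack it and let the scanner see the extracted files.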
     