About AMON??

AMON can't stakeout the type of .RAR.ZIP files

 

Hi embower,

yes thats true, AMON don't scan in archives, because of performance issues.

But maybe this will be optionally (as an option, not by default) implemented as an feature in NOD32V2 with an program component update.

greetz

iNsuRRecTiON

 

Thank you iNsuRRecTiON!

Have the method of the solution?

 

I did not find that options

 

Hi,
I think that isn't important that IMON into .ZIP, .ARJ, .RAR files, etc. because if you don't decompress the file, your system can't be infected, and if you try to decompress a virus, AMON will detect it and deny. The important is that AMON scan for UPX, etc packed files, because those files are compressed, however if you execute them, you will be infected.

 

I kown,thanks
But,But I thinks that it can be similar to KAV,At the time of ZIP, .ARJ, .RAR files downloading the computer inside, Discovers virus and arrestments downloading

 

Why doesn't AMON detect the compressed file (UPX) of execution form? This thinks an important defect.

 

AMON is able to scan into compressed file like ASPack, UPX, and others.

 

Not yet! And neither does the on-demand scanner. For the moment, only the interface is there.

But from what I've read on this forum, I think features such as scanning into runtime packers and self-extracting archives will be implemented in the near future, at least for the scanner.

 

The NOD32 Scanner is able to scan into .zip and UPX files.
I've samples, and it detect those. Also AMON detect packed viruses like UPX, not all the version of UPX, but the most used.

 

I am a Japanese user.
AMON is checking not detecting Worm by which UPX compression was carried out by 2.000.08 versions.
It is also checking detecting it as it being the on-demand scanner and IMON of NOD32.
And the same was said of the English version.

The improvement request is demanded of a selling agency (Canon).

 

NEGATIVE - for the moment, nod32 only stores the compressed signatures of the virii/worms. It does not scan "inside" the packer.

 

Hi,
NOT, I've a sample compressed, I check it by KAV and it report as infected and appear also as "Packed File", I scan it with NOD32 and it detect without problems and I copy it to the desktop and AMON alert me without problems.
I'm using the Spanish version of NOD32.
I also check with NOD32 scanner a .zip package that contain a virus, and NOD scanner detect it.

 

Maybe, but that's not the point - as I said, for now nod only stores the compressed signatures.


If you UNPACK the worm, will the on-demand scanner still detect the worm in the unpacked executable? You can download the (free) DOS upx utility here:
http://upx.sourceforge.net/download/upx124w.zip
Use the -d option to decompress, for example if packed file is 'worm_packed.exe' then type:
upx -d worm_packed.exe -o worm_unpacked.exe

 

Hi,
I understand your point, ESET add the packed sample same to the database, so if you unpack it, NOD will not detect it.
You're bad, I decompress the Win32/Sinala.A Worm, and NOD still detect it. I also scan the original and KAV report is as packed, and the unpacked as obviously unpacked.

 

Hi,
You can have reason, because I discovered that earlie, when I scan some packed executables, NOD not show UPX- Infected by blabla... now only show infected by blabla.
Do you said that NOD now not include the unpacker engine?, it's dangerous.

 

hmm, Ainur, when you're right (and I think so..), then I don't see the fun of it. Thats a unbounded cheek from eset!
They attract many people with the pretended features of the new NOD32V2 like support of runtime packers (UPX, etc.) and when you use a trial version of NOD32V2 you will see in the "action" tab in the on-demand scanner with the options for archives, like rename, delete or clean are not greyed out and every one thinks, NOD32V2 can handle this. (Have a look at the screenie)
But when an infection in an archive is found and you want rename, delete or clean the infection, you can't, because the options aren't available from the dialog is shown..! (Have a look at the attachmend)

rant snipped

Don't understand me incorrect, NOD32V2 is an fast and good Anti-Virus prog,
but such a thing is unfair and not ok!

off topic remarks concerning other AVs snipped

bye

iNsuRRecTiON

 

Hello.
I also have a sample.
The version of UPX compression is 1.08.
Tested Worm is W32.HLLW.Antinny.

AMON did not detect.
On demand ones of NOD32 and IMON detect.

The selling agency (CANON) accepts what AMON does not detect.

 

I think that AMON need an urgents adjustements, like include Advanced Heuristic, SCAN IN UPX FILES!!!!!!!, and more.
ESET, what's happenning?

 

sir_carew:

I even have a counter-example of a upx-packed trojan!

The trojan is Win32/Xenozbot.10

- When it's packed, the scanner detects it as the Xenozbot, and so does Amon if I try to create it, access it (eg. right-click on it) or run it.

- When it's unpacked, the scanner (without super-heuristics) does NOT detect it, and neither does Amon if I try to create or access it. But Amon does detect it as Xenozbot if I try to run it. Also, the super-heuristics detect it as well, but only as an "unknown_advheur_trojan" or something...

This proves that for now, nod32 can't scan inside packers, among other things. It just stores the "packed signatures" in its database. The AV which has the most unpacking engines to this day is KAV (manages over 500 packer types), but even this AV cannot scan inside all of them.

Besides, this is not such a critical issue since as soon as the worm is run, Amon detects it anyways, as I previously showed. So there is no danger as such, however it is true that the ability to scan inside runtime packers would be GREATLY appreciated, all the more so than it is supposed to be part of nod according to their site...


Insurrection:

In a way, you're right, as several features advertised on the Eset site (scanning inside packers, and according to another thread, SFX files?) are not yet implemented. I don't know if they're aware of these issues. But since they do advertise them, that means they probably will be included in the near future (they'd better, esp. for their customers!) Like you pointed out, they've already included the graphic interfaces for the (missing) features.

Remember that Nod is a young AV compared to the other old-timers. For a relatively recent AV, it performs quite well for detecting virii/worms. In a recent VB100, it was one of the 2 which detected 100% of the virii in each of the 6 categories (inc. polymorphic), and without any false alert. Even older AVs such as KAV, NAV, McAffee, Dr Web or the almighty F-secure did not achieve 100% in all categories (false alerts or not). What's more, nod also had a far superior scan speed. Impressive!

But true enough, even a superior speed & performance is not an excuse for the missing features. Let's just hope Eset won't take too long to fulfil their "duty", and perhaps they should remove the missing features from their website in the meantime...


Ledline:

Try to RUN the packed worm - Amon will then detect it, if I'm not mistaken...

 

My English is weak.
I want you to speak simply. (He cannot understand)
It is very sad that AMON does not detect UPX compression (version 1.0.

In Japan, since UPX compression (version 1.0 is in use, it becomes a problem.

The selling agency (CANON) had also said that it took out an improvement request to developing agency (ESET).

 

It compressed using raised upx124w.
It was not detected although the check of AMON of operation was carried out using it.

It is detected as it being the ONDE mantle scanner of NOD32.

 

For Ainur:
You've reason, because ESET-NOD32 is a relative young Company-Antivirus, and the AV as the company is growing in the latest years, if I good, NOD32 v2.0 is only the second version of AV for 32-bit based systems. NOD-ICE are for 16-bit system based, in total 4 version.
Consider that Symantec for 32-bit system have: NAV 4.0;5.0;6.0;7.0;8.0;9:0 and 10.0!!!!!, NAV have 6 generations of AV for 32-bit windows, and NOD only have 2!!!!. Consider that NOD is much better than NAV in many aspect as: Heuristic (LOL, the "heuristic" of NAV is a "joke"), the detection rates, the resources, etc. I believe that NOD will be the future AVP.

 

He cannot understand about what it is speaking.
I am the user of NOD32 and like NOD.
He fully understands thinking of NOD.
Being troubled now is being unable to perform detection of UPX compression in AMON.
This is defenselessly equal.
It is very dangerous.
I think that it is a bug.
AMON does not detect Antiny.exe by which UPX compression was carried out.
The on-demand scanner of NOD32 is detected.

 

>He cannot understand about what it is speaking.
If you are reffering to me, you're bad, because I understand the situation. on-deman scanner can detect viruses that use UPX, however on-access scanner not.
I also think that it's dangerous, but if you try to open it, AMON will deny the access to the UPX file, but if you modify, rename or copy them, AMON will NOT detect it. However with those actions, you can't be infected, only opening the file, and AMON detect UPX viruses when you open them.