defective archive causes nod32 v3.0.556.0 to crash

Discussion in 'ESET NOD32 Antivirus' started by b00ze, Dec 9, 2007.

Thread Status:
Not open for further replies.
  1. b00ze

    b00ze Registered Member

    Joined:
    Mar 8, 2006
    Posts:
    30
    Location:
    Rhineland
    I have an archive that causes nod32 v.3.0.556.0 on Vista 64 to crash ... the "ekrn.exe" shuts down on every scanning attemp ... and it locks down the computer then ... i put that archive into the quarantine for submitting, but i am not sure if this is the best way to inform eset about this bug. what shall i do?

    The online scan at http://virusscan.jotti.org/ says:

    Packers detected:
    PE_PATCH, TELOCK, PECOMPACT

    jotti results removed per Policy.
     
    Last edited by a moderator: Dec 9, 2007
    b00ze, Dec 9, 2007
    #1
  2. b00ze

    b00ze Registered Member

    Joined:
    Mar 8, 2006
    Posts:
    30
    Location:
    Rhineland
    no, the behaviour is different from yours ... when i disable the realtime-protection and scan the file manually, nod32 crashes ... all the time ... i found out that its caused by a tiny .exe file within the archive and not by the archive itself. im still not sure how to handle it. its not malware, or a virus. shall i send it to eset via email, or upload it somewhere (so that someone can confirm it)?
     
    b00ze, Dec 9, 2007
    #2
  3. b00ze

    b00ze Registered Member

    Joined:
    Mar 8, 2006
    Posts:
    30
    Location:
    Rhineland
    Same versions here. But as i mentioned before on Vista 64 Bit.

    Yes i did. And when i start a "on demand"-scan of that file, the service ("C:\Program Files\ESET\ESET NOD32 Antivirus\x86\ekrn.exe") crashes and after a short wile, ill get a full lockup here.
     
    b00ze, Dec 9, 2007
    #3
  4. b00ze

    b00ze Registered Member

    Joined:
    Mar 8, 2006
    Posts:
    30
    Location:
    Rhineland
    Ok, i have some news:

    I found out that is has something to do with the Data Execution Prevention (DEP). Its enabled by default for ALL Programms here. And this causes NOD32 to crash, while checking the "PE_PATCH, TELOCK, PECOMPACT"-packed exe-file. When i set the DEP to "only for Programs and Services needed by Windows", the scan of the file runs fine ... but i bet, there is an silent Buffer-Overflow too. This should really be fixed. It looks like an unsafe/buggy decrunch-algorithm.

    Feel free to check it out on your own:

    Link removed. No links allowed to malware or possible malware or direct downloads to unknown files on the forums.
     
    Last edited by a moderator: Dec 9, 2007
    b00ze, Dec 9, 2007
    #4
  5. swami

    swami Registered Member

    Joined:
    Mar 24, 2006
    Posts:
    215
    Do you have the right version, as you told before to be using 64 bit vista?
     
    swami, Dec 9, 2007
    #5
  6. b00ze

    b00ze Registered Member

    Joined:
    Mar 8, 2006
    Posts:
    30
    Location:
    Rhineland
    What right version do you mean? I use "ESET NOD32 3.0 Antivirus for Win XP/Vista (64-bit)" in combination with Vista Ultimate 64. The file is called "eav_nt64_enu.msi". That should fit.
     
    b00ze, Dec 9, 2007
    #6
  7. b00ze

    b00ze Registered Member

    Joined:
    Mar 8, 2006
    Posts:
    30
    Location:
    Rhineland
    sorry for bumping, but i made a small movie (4mb) about this strange behaviour. recorded in a vmware installation. Its reproduceable ... the eset support says: "we are unable to reproduce this..." argh! :-(

    http://www.bundeskanzleramt.mynetcologne.de/movie.mp4
     
    b00ze, Dec 12, 2007
    #7
Thread Status:
Not open for further replies.
  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.
    Accept Learn More...