How to scan SFX archives?

OK comrades the following question is as simple as they can get:

How do I set the on-demand scanner to scan inside SELF-EXTRACTING archives, if that's possible (and it should be according to the eset site) ?

The scanner can scan inside "multiple-level" zip/rar files, but a "single-level" zip/rar SFX archive seems to prevent the scanner from scanning inside it.

On the other hand, check out this link:
http://nod32.com/products/nt.htm
And scroll half-way down: it also says:

[...]

NOD32 Scanning Engine Key Features

• The highest detection and scanning rate performance.
• Unprecedented heuristic analysis capable of exposing DOS, Boot, Win32, macro, script and other viruses and worms in the wild.
• Built in powerful virtual emulator enables detection of the most sophisticated polymorphic and metamorphic viruses.
• Virus detection in compressed or protected executable files, such as Pklite, Lzexe, Diet, Exepack, CPAV, UPX, AsPack.
• Support of many archive formats, e.g. ZIP, RAR, ARJ, LZH, LHA, including self-extracting files.
• Detection of viruses in encrypted, password protected databases and documents.
• Use of heuristic and algorithmic methods to clean viruses.
• Cleaning of macro viruses and restoration of the documents to original format.
• Recovery the most important system areas (functions) in the event of an infection.
• Storage of infected files in a safe format (not allowing execution) into the quarantine.
• Search speed is maximized through associative, multilevel cache and low-level code optimizations.
• Use of very fast single-point samples and CRCs for precise detection.
• Use of very few system resources.
• Disinfection/quarantining of the files automatically, on-the-fly.
• Full support of UNICODE in Windows NT / 2000 / 2003 / XP.

[...]

Perhaps only a mere detail, I agree, but if if says it, then the facts should be in accordance with the list of features. So anyone could help me with the configuration...

Awaiting feedback...

 

?!! If it states:

"Support of many archive formats, e.g. ZIP, RAR, ARJ, LZH, LHA, including self-extracting files"

then that means that it should also support "ZIP" and "RAR" in their SFX version, makes sense, right?

Otherwise, WHAT "self-extracting" files does it support??

I'm more curious than ever now - perhaps U could contact tech support and ask for the info, I'm still waiting to find out how to configure the scanner so it can scan these self-extracting archives...

 

Anyone?

 

Anyone?

 

Interesting question. Let's wait for a reply, Morgtoh. I would also like to know whether NOD32 scans inside SFX archives.

 

I'm trying to modify my last post, but I can't: Session check failure. Please try again.

It should read "Morgoth", not "Morgtoh". Sorry.

 

I wuz unable 2 register, hence my having to keep adding new posts for this (VERY) important issue to stay on top of the list.

As you can read in my first post (and on the eset site) the scanner is supposed to be able to read into SFX archives of the type ZIP, RAR & the others mentionned, yet it failed in my case. You can confirm this by creating a simple SFX-ZIP file with a known trojan-infected .exe within.

This may be a bug that dates from version 2.000.6, but whatever the reason, no doubt users will expect it to be corrected swiftly. Who knows what other features (cf. my 1st post) may have become buggy with time...

 

It may be an obvious question, but do you have Archives ticked in your scanning setup?

Hopefully Paul will be able to guide you through this...

Cheers

 

Thanks for the screenshots. Does the option "scan all files" mean that viruses inside SFX archives are detected, too? "All files" can mean anything. It doesn't necessarily mean that this includes SFX archives, too.

 

Negative, Blackspear

I already tried this setting & many others, even editing registry entries (all values named 'target_sfx_enable' set to 1) - to no avail.

Besides, 'scan all files' option comprises the .exe extension (which is also part of the default extensions), so it doesn't change anything and only has the scanner scan the .exe SFX archive itself, but not the files inside the SFX file...

This is most probably a bug. Perhaps those in charge here would have a means of contacting Eset directly, and in the process also have them check the functionality of the other features of the scanner: again my 1st post - scanning "encrypted databases", "protected executables" (whatever that means), & so on...

They should attend to all the bugs and remember to TEST the final 2.000.8 version before making it available next week.

Blackspear, Buddel, or anyone else, if U guys find a way of making the SFX-scan work, let us all know

Awaiting feedback...

 

Anyone?

 

Short answer is that NOD32 doesn't handle all self-extracting archives.

Regarding encryption and protection.. Some versions of Office documents had very simple protection/encryption, but didn't attempt to protect the macros, so, any virus in the document could be detecten, even though the document is encrypted/protected.

Best regards,
Anders

 

OK this I've already been told. But the question is, since on the Eset site it says (quote again):

"Support of many archive formats, e.g. ZIP, RAR, ARJ, LZH, LHA, including self-extracting files"

then WHAT "self-extracting" archives does it handle, if any? And how to configure Nod32 to do so?

 

Any "Self-extracting File" if infected, upon activation, AMON will automatically spring into action using it's default settings...

Cheers

 

I know I know
But I wasn't talking about Amon here...

it's just that since the ON-DEMAND scanner is supposed to be able to scan inside certain archives (which it does) AND inside certain SFX archives (which it apparently can't), I'd just like to know how to configure the on-demand scanner to be able to scan inside these SFX files, and if that's not possible, to know when this bug will be corrected, because as I already pointed out it IS supposed to be able to scan inside certain SFX archives (but which archive types? RAR? ZIP?) according to the Eset site...

 

Hi,

Margoth, there are mistakes on the product discription sites..
For example the english and german one..
http://www.nod32.de/products/nt.php
and
http://nod32.com/products/nt.htm
on the german one is no discription for "Virus detection in compressed or protected executable files, such as Pklite, Lzexe, Diet, Exepack, CPAV, UPX, AsPack."
and "including self-extracting files" is not in the german text.
There is only a discription like this "Unterstützt Archive wie ZIP, RAR, ARJ, LZA und LHA" without "inklusive selbst-extrahierende Dateien" or so!

Maybe there are different versions for english, german and so on..
Or NOD32 can't scan such files

Have a look at this, old, but good information: http://home.arcor.de/scheinsicherheit/introduction.htm
and there is a new test procedure in work, for new tests..
another good site is http://www.rokop-security.de/ especially the following test: http://www.rokop-security.de/main/article.php?sid=632


bye

iNsuRRecTioN

 

OK Insurrection, danke schön for the links

However I am testing the standard english version of Nod32, and in my first post have quoted the description given on the English eset site, so my question(s) still remain unanswered:

- How to scan inside supported SFX files (SFX-ZIP, SFX-RAR,...) ?

- If that's not possible, and since it is SUPPOSED to be possible, then it must be a bug, so in that case WHEN will it be corrected ??

- Have the other features (scanning inside runtime packers, etc...) also been "lost", and if so, any to to check on that

 

Answers, anyone?

From what I read in another thread, according to Buddel & Newnod, the list of features advertised on the Eset site (cf. my 1st post in the thread ) has not been fully implemented yet, which would explain Nod32's inability to scan inside any SFX archive, and possibly inside runtime packers as well (someone correct me if I'm wrong), not to mention other possibly missing abilities.

Hoping this is true, and that these missing features are but temporary (otherwise they would not be on the Eset site at all, right? ), would it be possible to know when all all these features will be implemented? Anyone?? Plz

 

... would it be possible to know when all all these features will be implemented? Anyone?? Plz
I would also like to know the answer, but I don't think we will get one.

 

Oooh yes we will
U know what they say:

"A faint heart never won a fair lady"...

... nor a fair ANSWER, in this case.

So the only way will be to pound them with posts till they yield, BUT whilst remaining behind the line, ie. nice & polite.

That's what I call "aggressive diplomacy"

 

Oooh yes we will

Hope you are right. We won't give up.

 

Might I Suggest This Avenue??---->
http://www.nod32.com/about/contact.htm
Or--->
support@nod32.it

 

Yeah, I know about the contact addresses.

But I'm only testing the AV.

Would be logical to assume that a customer will be more promptly answered, as will be the guys in charge here (mods, admins) if they contact tech support...