Nod Scanning within Zipped files

Discussion in 'NOD32 version 1 Forum' started by Trevor Marsh, Jan 12, 2003.

Thread Status:
Not open for further replies.
  1. Trevor Marsh

    Trevor Marsh Guest

    Hi All,
    I have just purchased NOD32 after giving up with Norton AV 2003 and its resource hogging. However I have one or two concerns with NOD32. The other AV suite I have been testing is Panda Titanium Edition which seems to check within ZIP files better than NOD. As an example on the eicar testfile site there are four examples you can click on (one is a text file so I'll ignore that one) to attempt to download, a "naked" eicar.com file and two zipped versions, one zipped just once and the other a nested zip. While Panda readily detected all three examples before I even got the "save" dialog box, NOD32 could only detect the "naked" one and let me download the other two without any reaction at all, only (finally) reacting when I attempted to extract the zips. The same happens with the e-mail scanning, only the "naked" one is recognised as a virus, the zipped ones are let through with no problem.
    I have set zip files to be scanned in Amon (along with ace, rar and other compression formats) but it doesn't seem to be actually doing this.
    As NOD32 is recognised on almost every Anti-Virus software review site as being one of the best I am fully prepared to accept that it is something that I have got wrong rather than a NOD failing (surely Panda isn't a better product than NOD? None of the review sites state this).

    So, what could I be doing wrong in the Amon set-up that makes it not scan zipped archives? Anybody got any clues please?

    TIA,
    Trev
     
  2. Technodrome

    Technodrome Security Expert

    Joined:
    Feb 13, 2002
    Posts:
    2,140
    Location:
    New York
    By design amon will not detect a virus inside a zipped (archived) file (since it is totally harmless). However, during extraction of zipped files amon will block or detect infected files!


    Technodrome
     
  3. Trevor Marsh

    Trevor Marsh Guest

    Hi, thanks for the prompt reply. I'm not too sure I like the idea that an AV product won't scan within compressed archives. I know that any infection is safe while it's in the archive but my wife uses this machine as well as myself and I would be much happier if I knew that infected files would be stopped *before* they even got to my HDD rather than have them waiting there to be "activated". Seems a bit like being happy having a time bomb under my seat so long as it's not ticking to be honest. I wish I had known this before I paid out for NOD32, I'd have gone with Panda instead. I would suggest that this is something that the Devs *must* look at implementing in the next version, it is now common in nearly all other AV products.

    Trev
     
  4. Phil

    Phil Registered Member

    Joined:
    Oct 24, 2002
    Posts:
    248
    Go into setup. You will see a check box to allow NOD32 to scan archives. Works like a charm. ;)

    Phil
     
  5. Technodrome

    Technodrome Security Expert

    Joined:
    Feb 13, 2002
    Posts:
    2,140
    Location:
    New York
    Hmm... I believe he asked about amon (not the NOD32 main scanner) not detecting zipped viruses "on the fly" (such as DrWeb or KAV).


    Technodrome
     
  6. Phil

    Phil Registered Member

    Joined:
    Oct 24, 2002
    Posts:
    248
    Are you trying to say I should actually READ the post before I reply? Jeez!! :D :D

    Phil
     
  7. Technodrome

    Technodrome Security Expert

    Joined:
    Feb 13, 2002
    Posts:
    2,140
    Location:
    New York
    Yes I insist! (At least read between paragraphs) :D :D :D


    Technodrome
     
  8. :( :D

    I noticed that too, and I noticed that Panda would also scan them by right clicking on the zipped file only.. Even if they were double zipped.. However, after the havoc that just the trial version of Panda did, I would stay clear away from them.. It slowed my computer to a crawl, and some of its defs I guess contain actual viral strings, which caused other AV's except Nod32 to send off a false positive, depending on your point of view. I agree with Technodrome's advice.. If it's not a virus, it at least won't give off a falsie! However, I DO think that if someone right clicks on a zipped, or even double zipped file, it should be detected... I have my settings checked on archives, and if I right click scan on Eicar zipped once or twice, NOD32 won't detect it. Does that sound right to you?

    I liked Alwil Avast for that..Out of all the other AV's I test drove, it did good. However, I always have one eye glued to Virus Bulletin, and I don't feel comfortable with anything but NOD32 at this point. Maybe later, I'll change my mind. Who knows...
     
  9. Technodrome

    Technodrome Security Expert

    Joined:
    Feb 13, 2002
    Posts:
    2,140
    Location:
    New York
    Hmmm... NOD32 Explorer right click scan option (if you are talking about this one) will detect an archived virus.


    Technodrome
     
  10. mrtwolman

    mrtwolman Eset Staff Account

    Joined:
    Dec 5, 2002
    Posts:
    613
    Scanning inside the zips is, technically, no big deal. But if you assess the risk from not scanning inside the zips on the fly (but detecting any risky file on zip extraction) and the costs, here is the conclusion: going inside the zips would eat some portion of your computer speed but would not give you any real increase in the level of protection.

    I can live without scanning zips on the fly very well.....
     
  11. Trevor Marsh

    Trevor Marsh Guest

    I agree with you, with one exception and that is that my machine is used by my wife, quite often unsupervised, whose computer literacy is at the point of launching Ebay from the favourites bar in IE. I would much rather be confident that malicious files can be detected by my AV product *before* they get to my HDD whether through clicking on a link or via e-mail. While I'm not overly confident in Panda with respect to its on-demand scanning or its database, it does at least outperform NOD32 in this, to me, very vital respect.
    I am sticking with NOD32 at the moment as I have just paid for it but I would like to see this feature in future updates/versions. It still seems to me to be a very strange omission from what is in all other respects one of the best AV products available.
     
  12. navalair

    navalair Registered Member

    Joined:
    Jan 4, 2003
    Posts:
    14
    "Go into setup. You will see a check box to allow NOD32 to scan archives. Works like a charm.

    Phil"

    Phil, which "setup" does this check box appear in? I can't find it in Amon or the Control Center on my version of NOD32.
     
  13. spy1

    spy1 Registered Member

    Joined:
    Dec 29, 2002
    Posts:
    3,139
    Location:
    Clover, SC
    navalair - Start/Programs/Eset/Nod32/"Set-Up" tab, under "Diagnostic Methods". Pete
     
  14. rodzilla

    rodzilla Registered Member

    Joined:
    Jun 15, 2002
    Posts:
    653
    Location:
    australia
    I doubt that AMON will ever scan inside an archive. Why would it ? Why would it need to ? It's an on access scanner ... watch it go berserk if you try to unzip an infected archive.

    If you tell the NOD32 on demand scanner to scan inside archives, it will ... whether doing a full scan or looking at an individual .zip with the context menu right mouseclick.

    A virus inside a .zip archive is not a virus per se ... it becomes a virus when you extract it ... and even if you don't tell the NOD32 on demand scanner to scan inside archives, AMON will block extraction, leaving the harmless non-virus trapped inside the archive.

    Scanning inside archives within archives within archives to the power of N*15000 in 800 different formats is a marketroid creation anyway. We managed to survive for more than ten years without in-archive scanning, but end users have been snake oiled into thinking it's a Good Thing, and now we're stuck with it. I've always thought it was a crock ... and no-one has ever come up with a convincing argument to prove it's not.
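
Added example, not part of the original thread and not ESET's code: a minimal on-demand scan that descends into nested ZIPs, covering the three EICAR cases from the first post ("naked", zipped once, nested) plus an archive nested deeper than the scanner is willing to go. The limits `MAX_DEPTH` and `MAX_MEMBER`, the file names and the verdict labels are assumptions chosen for illustration.

```python
import io
import zipfile

# Standard EICAR test string, split so this listing is not itself flagged.
EICAR = rb"X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-" + rb"STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"
MAX_DEPTH = 3            # assumed nesting cap
MAX_MEMBER = 1_000_000   # assumed cap on a member's declared uncompressed size

def scan_bytes(data, name, depth=0):
    """Return [(path, verdict)] for a blob, descending into ZIP containers."""
    if not zipfile.is_zipfile(io.BytesIO(data)):
        return [(name, "EICAR")] if EICAR in data else []
    if depth >= MAX_DEPTH:
        # Report instead of silently passing: the content was never inspected.
        return [(name, "DEPTH-LIMIT")]
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            path = f"{name}/{info.filename}"
            if info.flag_bits & 0x1:          # encrypted member, cannot be read
                findings.append((path, "ENCRYPTED-UNSCANNED"))
            elif info.file_size > MAX_MEMBER:  # refuse to inflate oversized members
                findings.append((path, "TOO-LARGE-UNSCANNED"))
            else:
                findings += scan_bytes(zf.read(info), path, depth + 1)
    return findings

def make_zip(member, payload):
    """Build an in-memory ZIP with one member (constructed sample input)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(member, payload)
    return buf.getvalue()

def samples():
    """The three cases from the thread plus one nested deeper than MAX_DEPTH."""
    once = make_zip("eicar.com", EICAR)
    deep = EICAR
    for i in range(5):
        deep = make_zip(f"layer{i}", deep)
    return {"eicar.com": EICAR, "once.zip": once,
            "nested.zip": make_zip("once.zip", once), "deep.zip": deep}

if __name__ == "__main__":
    for name, blob in samples().items():
        print(name, scan_bytes(blob, name))
```

The deep sample comes back as `DEPTH-LIMIT` rather than clean: whatever cap a scanner picks, content beyond it was never inspected, so the check made at extraction time is still the one that matters.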
     
  15. JacK

    JacK Registered Member

    Joined:
    Jun 20, 2002
    Posts:
    737
    Location:
    Belgium - Liège
    I hope it never will unless it can be deactivated: a waste of time and resources :)

    I don't see any good reason to scan inside archives.

    Each AV has its limits: when x times compressed no AV detects infections inside archives. I gave a while ago a URL for testing purposes with different compression rates.

    Scanning inside archives is totally useless and just a stupid commercial argument for lambda users IMHO ;)

    Rgds,
     
  16. Trevor Marsh

    Trevor Marsh Guest

    I can't prove "it's a good thing" but I can give a reason why I like it (and have in my previous posts). My wife uses this PC, she is completely PC "unsavvy", she knows how to use e-mail, go to Ebay and play games on MS's Zone.com and that is as far as her knowledge goes. She uses this machine unsupervised quite often and I would feel a LOT happier if I knew that if she received an e-mail with a compressed archive that was malicious, it would be automatically detected and cleaned before she got the chance to try to extract it. The same with a file download, I would be happier if it was detected before it was downloaded.

    The "right click on demand scanning" isn't an option in this instance as she would have to be "savvy" enough to navigate to the folder it was saved to and then right click etc. She isn't "stupid" by any means, just not interested in the "ins and outs" of computers, she just wants to be able to "use it" in the same way she uses a TV. Not worrying what's going on in the background.

    In this situation, and others I can think of, Amon scanning within compressed archives would, to my mind, be a "good thing" with very little down side. After all it could be a switchable option just as it is on the on-demand scanner, there to be used if you want to. Just a way of making PCs a little more "user friendly" and "fool proof". Not everybody wants to get "under the hood" of their PC, some just want to be able to "use and go".

    Trev
     
  17. JacK

    JacK Registered Member

    Joined:
    Jun 20, 2002
    Posts:
    737
    Location:
    Belgium - Liège
    Hi Trev,

    I don't quite catch why you would feel safer this way?
    Anyway if she tries to unpack, the virus will be stopped in cold blood.
    If it's a downloadable file, no way to see what it contains BEFORE the download is complete. Most d/l managers have a feature allowing you to scan d/l files automatically with your AV when the d/l is complete.
    I have a zipped collection of viruses/worms on my machine.
    If I want to play with them, I have to deactivate NOD32 or no way to go: impossible to run any virus.

    What do you fear exactly?

    Password protect NOD32 so your wife might not disable it by inadvertence and you would be perfectly safe ;)

    Rgds,
     
  18. mrtwolman

    mrtwolman Eset Staff Account

    Joined:
    Dec 5, 2002
    Posts:
    613
    What or who is a lambda user? Tnx 4 answer.
     
  19. rodzilla

    rodzilla Registered Member

    Joined:
    Jun 15, 2002
    Posts:
    653
    Location:
    australia
    >Scanning inside archives is totally useless and just a stupid commercial argument for lambda users IMHO

    Oui, d'accord, mon ami!

    I cannot think of one practical use for it ... not even Trevor's. :)

    (Trevor ... your wife is no more likely to infect your PC by not scanning inside downloaded archives than she is if she tries to unpack and install them. AMON is watching!) :)
     
  20. rodzilla

    rodzilla Registered Member

    Joined:
    Jun 15, 2002
    Posts:
    653
    Location:
    australia
    > The "right click on demand scanning" isn't an option in this instance as she would have to be "savvy" enough to navigate to the folder it was saved to and then right click etc.

    If she can't find the archive then she can't extract the files. You can do the right mouseclick trick when you arrive home. :) :)

    (Sorry ... I just couldn't help myself.) :)
     
  21. JacK

    JacK Registered Member

    Joined:
    Jun 20, 2002
    Posts:
    737
    Location:
    Belgium - Liège
    the average user : "l'utilisateur moyen" :
    you, Trevor's wife and me :)
     
  22. Trevor Marsh

    Trevor Marsh Guest

    Lol, yes I knew the dichotomy when I wrote it but I'm afraid that after years of experience with PCs (I was doing Dbase systems in the mid 80's) "if it can go wrong, it will". I would rather prepare, and have an answer for, all/most eventualities, than have regrets. You can call me paranoid if you like, I'm used to it, after more re-installs than I have had "hot dinners" you would be the same.....:)

    Trev
     
  23. mrtwolman

    mrtwolman Eset Staff Account

    Joined:
    Dec 5, 2002
    Posts:
    613
    Thanks for the explanation. I'd correct the explanation to Trevor's wife and you :D
     
  24. rodzilla

    rodzilla Registered Member

    Joined:
    Jun 15, 2002
    Posts:
    653
    Location:
    australia
    Rod's First Law of Computing .....

    "Some computer users should be compelled to wear boxing gloves 24/7"

    :rolleyes: :rolleyes:
     
  25. Blackspear

    Blackspear Global Moderator

    Joined:
    Dec 2, 2002
    Posts:
    15,115
    Location:
    Gold Coast, Queensland, Australia
    lmao, some users should only be able to watch through toughened glass in a locked room :D
     