NOD32 & zipped_compressed files

Discussion in 'NOD32 version 1 Forum' started by Tassie_Devils, Nov 29, 2002.

Thread Status:
Not open for further replies.
  1. Tassie_Devils

    Tassie_Devils Global Moderator

    Joined:
    May 8, 2002
    Posts:
    2,514
    Location:
    State Queensland, Australia
    HI:
    I have used PC-Cillin for past 3 years and I do really like it.

    However, I had not heard of NOD at the time of purchase [quiet achiever heh!] and probably [make that would have] purchased NOD32 if I had known about it back then. I am GOING to purchase NOD when my current licence expires in Feb, but hope the new NOD version is out before that.

    My question: How good is NOD at scanning zipped/compressed files?

    Oh I know all the good folk around will say it scans zip, double zip, rar, etc. etc. PC-Cillin detects all except one... the .SIT files created by Aladdin's Stuffit program [Mac proggy, I am using the Windows version, much much easier to use than ZIP IMHO, and a lot faster and more compression].

    I have added .SIT to my 'Compressed' list, but when I put the Eicar 'Test String' inside a doc and compress it with 'Stuffit' and scan it does not alarm. Then put the same file in a ZIP/double ZIP/even triple ZIP and it alarms.

    It alarms on everything else I test.

    Will NOD detect .SIT compression? Every time I look at AV's and see the compression lists, I NEVER see .SIT mentioned. [Have not seen NOD's].

    Would someone who has it, do a test and tell me or if someone already knows 'for sure'. This seems to be one of the main compression proggys out there yet it's never mentioned in the compression lists of AV detection.

    Thanks for any responses.
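
Added example, not part of the original thread: a minimal Python sketch of the test described in the post above, wrapping a document that carries the EICAR string in single/double/triple ZIP and scanning recursively. It also shows why an unsupported container such as .SIT should be reported as "unscanned" rather than "clean". The `scan` and `nest` helpers, the `SIT!` magic check, the nesting limit and the sample data are assumptions made for illustration, not how NOD32 or PC-Cillin work.

```python
import io
import zipfile

# EICAR test string, split in two so this source file itself does not alarm.
EICAR = rb"X5O!P%@AP[4\PZX54(P^)7CC)7}$" + b"EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"
ZIP_MAGIC = b"PK\x03\x04"
# Containers recognised by magic bytes but not unpacked by this sketch
# (assumption: classic StuffIt archives start with "SIT!").
OPAQUE = {b"SIT!": "StuffIt"}
MAX_DEPTH = 5  # assumed nesting limit, guards against deeply nested archives


def scan(data, name, depth=0):
    """Return [(path, verdict)] for data and every member nested inside it."""
    if data.startswith(ZIP_MAGIC):
        if depth >= MAX_DEPTH:
            return [(name, "unscanned: nesting limit reached")]
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                results = []
                for info in zf.infolist():
                    path = f"{name}/{info.filename}"
                    if info.flag_bits & 0x1:  # encrypted member, cannot be read
                        results.append((path, "unscanned: encrypted"))
                    else:
                        results += scan(zf.read(info), path, depth + 1)
                return results
        except zipfile.BadZipFile:
            return [(name, "unscanned: damaged ZIP")]
    for magic, kind in OPAQUE.items():
        if data.startswith(magic):
            return [(name, f"unscanned: {kind} archive not supported")]
    return [(name, "EICAR" if EICAR in data else "clean")]


def nest(payload, member, levels):
    """Wrap payload in `levels` layers of ZIP (single, double, triple ...)."""
    for i in range(levels):
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
            zf.writestr(member if i == 0 else f"level{i}.zip", payload)
        payload = buf.getvalue()
    return payload


# Constructed samples: a document carrying the test string, and a stand-in
# for a .sit file (magic header, body XOR-scrambled in place of compression).
DOC = b"constructed test document\n" + EICAR
FAKE_SIT = b"SIT!" + bytes(b ^ 0x5A for b in DOC)

if __name__ == "__main__":
    for sample, label in [(nest(DOC, "test.doc", 3), "triple.zip"), (FAKE_SIT, "test.sit")]:
        print(scan(sample, label))
```

A plain signature match over the raw bytes of the stand-in .sit file finds nothing, which is the "does not alarm" result from the post; the format check turns that silent miss into an explicit "unscanned" verdict.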
     
  2. Paul Wilders

    Paul Wilders Administrator

    Joined:
    Jul 1, 2001
    Posts:
    12,472
    Location:
    The Netherlands
    Hi Tassie,

    I'll pass this one on to the tech guys from Eset ;).

    regards.

    paul
     
  3. Tassie_Devils

    Tassie_Devils Global Moderator

    Joined:
    May 8, 2002
    Posts:
    2,514
    Location:
    State Queensland, Australia
    That was quick. thanks Paul :D
    Originally I had emailed Trend about it, and their 'Service Department' said they would look into it. That was when I had PC-Cillin 2000. When I updated to 2002, got the same result, no scan of .SIT files. *sigh*

    thanks again for reply. will check back later, will be going to work here now and not back until about 10 hours.
    Cheers.
     
  4. Paul Wilders

    Paul Wilders Administrator

    Joined:
    Jul 1, 2001
    Posts:
    12,472
    Location:
    The Netherlands
    Tassie,

    Eset has been informed in the meanwhile. Enjoy your work!

    regards.

    paul
     
  5. jan

    jan Former Eset Moderator

    Joined:
    Oct 25, 2002
    Posts:
    804
    Hey Tassie,

    it has been forwarded to the guy who is caring about the archives here. Thanks for the tip.

    rgds, :D

    jan
     
  6. anders

    anders Eset Staff Account

    Joined:
    Oct 25, 2002
    Posts:
    410
    One major reason for this AFAIK, is that StuffIt is 99.9% Macintosh. Sure, I've seen that StuffIt is available for Windows, but I've NEVER EVER seen a .sit-archive for anything else than Macintosh.

    In the Windows-world, it's (as you surely know) mostly ZIP (though, I prefer RAR (WinRAR)).

    Personally, I don't care THAT much for scanning inside of archives. Sure, it's a good feature, but, I most often leave it disabled when scanning. First of all, scanning of archives won't increase protection. (It could possibly help determine the source of infection though)

    As long as a resident antivirus is loaded, no known viruses will be allowed to execute.

    Best regards,
    Anders
     
  7. Scotterpops

    Scotterpops Registered Member

    Joined:
    Feb 11, 2002
    Posts:
    6
    Correct! In my opinion, the single feature that has slowed down anti virus utilities (and your computer in general) more than any other is the ability to scan within archives, a feature that I'm sure was demanded by the public and of little value, if any at all.
     
  8. Tassie_Devils

    Tassie_Devils Global Moderator

    Joined:
    May 8, 2002
    Posts:
    2,514
    Location:
    State Queensland, Australia
    Hi guys. Thanks for the responses. :)

    The Stuffit Program for windows has FULL functionality in all aspects, including archiving.
    Attached shot shows Stuffit Browser itself with cursor pointing to Archives. [could not get a screen capture showing the 'tool tip' wording of 'Archive']

    I only wanted to know if it does or not, and if it's 'not that important' then why does the Eicar site have those 'tests' for zip and double zip scanning. Seems to be a big deal if AV's can/cannot scan within those compressed archives, a lot of AV vendors make an issue of it.

    So what you Anders and Scotterpops are saying, why bother with scanning compressed files, as long as resident scanning engine running?

    Cheers.

    edit: typo

    edit: PS: Also Stuffit has separate program for 'Stuffit' and 'Zip' files. You can 'unzip' or 'expand' any compressed file with 'Expander'. You can also use 'Drop Zip' or 'Drop Stuff' to either zip or stuff a file, so if sending a normal compressed file to someone who does not have Stuffit, just use Drop Zip and they can open with their own WinZip, etc. Very handy. I found it much faster than WinZip. Have not tried WinRAR Anders :)
     


  9. Tassie_Devils

    Tassie_Devils Global Moderator

    Joined:
    May 8, 2002
    Posts:
    2,514
    Location:
    State Queensland, Australia
    DropZip!!! :D
     


  10. Paul Wilders

    Paul Wilders Administrator

    Joined:
    Jul 1, 2001
    Posts:
    12,472
    Location:
    The Netherlands
    Tassie,

    In essence: yes. Compressed files are as such harmless. Only when actually activated, they might become dangerous - and that's when the resident running AMON jumps in.

    regards.

    paul
     
  11. anders

    anders Eset Staff Account

    Joined:
    Oct 25, 2002
    Posts:
    410
    Sure, there's nothing negative about scanning archives (in an on-demand scanner... I would NEVER want an on-access scanner to scan archives).

    However, StuffIt isn't THAT common (in the Windows world) so, that's probably why it doesn't have high priority for the different antivirus vendors.

    Best regards,
    Anders
    EuroSecure
     
  12. Randy_Bell

    Randy_Bell Registered Member

    Joined:
    May 24, 2002
    Posts:
    3,004
    Location:
    Santa Clara, CA
    Actually KAV (Kaspersky) does have this capability, to scan compressed files on-the-fly: but I think that option isn't turned on by default, because it causes a sluggish response on most systems. ;)
    Agreed: NAV doesn't have this capability either. ;)
     
  13. Tassie_Devils

    Tassie_Devils Global Moderator

    Joined:
    May 8, 2002
    Posts:
    2,514
    Location:
    State Queensland, Australia
    Hi Randy, Anders, Paul. :)

    OK, so I guess the short answer is no to scanning SIT files.
    Thanks for replies.

    I also realise that compressed are safe unless extracted and try to execute a dangerous file, that never was an issue.

    I only wanted to know if it did scan SIT, it wasn't a problem, just curious. As I stated earlier one of the 'tests' from Eicar was the ability to scan single/double zip files, and since I had Stuffit and PC-Cillin could not, just wanted to know if other AV's could.

    I am in no doubt as to the marvellous ability of NOD at all. I most certainly will be getting it when the new version comes out. :D

    Once again thanks to all who replied. ;)
     