Nod32 & zip

I read today that KAV has developed a system for their AV to scan a zip-file for a password then use the password to scan inside protected .zip files.

For example the virus "Bagle.J". Is Eset/Nod32 doing something similar? Otherwise that´s a pretty big gap.

Regards

/Niklas

 

Would you please post the link where you read this information?

Regards,
Kent

 

http://www.theregister.co.uk/content/55/36049.html

 

Thanks for the link ... It was an interesting article.

Regards,
Kent

 

Yes, NOD had a similar system too. NOD system doesn't need read the body of the message to find the password and scan the file, KAV need that
NOD was one of the first in implement such system.

 

Sounds great! No need to worry then. I´ll just keep on using this great AV!

Thx!

 

Sir_carew am I right in thinking that you are saying NOD can scan inside this current batch of emailed password protected zip files without needing the message body?
If that is correct it should be capable of scanning inside any password protected zip file! I dont want to rain on NODs capabilities but it cant ,try this:-download eicar.com_zip place in a folder zip that folder and password protect it ,try and scan it ,NOD cannot(KAV cannot either but as KAV gets password for zip from message body so this is expected)
Steve

 

I know that NOD doesn't need the body because a spanish page explain that, an AV experts. It's only for worm that use that type of spread. I've a original psw protected file (bagle) and nod without the body can detect it. Obviously if you password protect them no av will detect that. Indeed KAV use a heuristic detection for those psw protected zip that doesn't had a body with the password but if you protect a simple zip file, kav heuristic alert will not alert you. I've tested that with a original zip that i've.

 

Are you saying it just applies to this particular worm if so it is not of much use because whats to stop other viruses/worms /trojans etc being sent the same way an AV either protcts against this form of delivery or it doesnt, and after all(as Eset are quick to point out) a virus inside a zip file is harmless as long as it is not accessed and remains harmless if accessed as long as the AV employed intercepts it
Steve

 

You may want to check out this link and it may answer some questions. Here is that link:


http://www.wilderssecurity.com/showthread.php?t=10337

 

Got a "Bagle.J" password protected yesterday. Went right through Nod32. Guess Eset/Nod32 need to come up with a solution.

 

Good to know, that NOD32 is able to detect file inside zip

 

Yeah but it doesn´t help when a zipfile is password protected. Then Nod32 can´t do anything.

 

Scanning inside archives for viruses is an unnecessary waste of resources.

 

NOD32 can't do anything? It went right through NOD32? Bah, complete rubbish. Any zip file that is password protected is harmless. If you were to unzip the file, and/or try to do anything with the contents of it, then NOD32 would stop it. This scanning of password protected zip files is just a gimmick to hog resources.

 

Dos:-I suppose next you'll be saying"the ability to defend against most trojans is a resource hogging gimmick"
Steve

 

Why do you suppose that?

 

Because judging by your last reply it would appear that if another AV does things that NOD doesn't or does things differently to NOD you consider it a gimmick.We all have to realise that that NOD is better in some ways than some (most)other AVs but some may be better in some ways than NOD.
I would myself prefer NOD to act the way KAV does in respect to these zip files(just for the "feeling"of extra security)and to be as strong in respect to trojans,if I was using KAV no doubt I would want it to be as light on resources and as fast as NOD,but these are the priorities of the developers but no way can a different set of priorities be considered "gimmicks".
If we can all stop taking a blinkered view of other AVs strengths and criticising them for the sake of criticising them we may be more succesful at getting some of the good points of other AVs incorporated into NOD,then it would then be the best fullstop,but if we do slag-off these strengths then Eset are never going to incorporate features that most of us give them the impression we don't want

 

Then you have judged wrong. How can you compare identifying a harmless secured virus inside a file to not detecting trojans at all? That is just idiotic to be honest. My response was to someone who appeared to be under the impression he was any less secure using NOD32 than if using KAV with password protected zip file scanning. The file inside a password protected zip file is harmless until unzipped, upon which NOD32 will alert the user that the file is infected. What is the real advantage of being able to scan inside password protected zip files received via e-mail?

 

How "harmless" is it if one of my 50 "not so computer talented" users get a virus before Nod32 updates? They might even get the idea to test if it is a virus and shut down Nod32.

Never underestimate the power of the stupid user. If Nod could scan the zipfile before the mail hits the box then i would feel safe. Not from the virus but from the user. Get what i mean?

 

I agree with you 100%. As the saying goes, "there is no patch for stupidity", this applies to many of the users that i manage systems for. And with the latest outbreaks this weekend of the bagle varient now rar'ing as well as zip'ing, this is something that must be addressed. I'm seeing the other major AV clients dealing with this... why does NOD32 just dismiss it?

 

What does that have to do with whether the file is zipped or not? If the pattern files aren't up to date, whether the file is scanned while zipped or unzipped is a moot point.

Not if NOD32 is configured correctly.

No I don't.

If the zip file gets to the desktop, and is somehow opened, and the pattern files are up to date, (just like any other AV) NOD32 will either delete the file, or block access to it.

Real-world example: One of my "not so talented" users comes in with a usb thumb drive containing SubSeven in a zip file. He plugs it in and moves the file to the desktop. He clicks on the zip file to install it. The real-time monitor of our AV smashes it, and moves it to quarantine, and he is denied access.

Did the zip file ever get scanned? No.

I talk to him sternly. End of story.

 

Exactly. Anyway, I wonder how many idiots are around who will:

1. unzip password protected file
2. execute it

 

I'm afraid there will be/are many of those "not so talented" users that would, as you have mentioned:
1. unzip password protected file
2. execute it

Sorry but this is not even a virus but an IQ test

-edit-
BTW NOD32 detects the new Win32/Bagle.M virus using advanced heuristics. For those who don't know - this is another virus that comes in password protected archive. This time the password needed to unzip the file is not in plain text but in a form of bitmap(!)

 

Sure, but the point is that whether or not the zip is password protected or not, as soon as the "innards" are exposed, the AV's RTM will hammer it.