Unpacking ability of some AV's

Discussion in 'other anti-virus software' started by Blackcat, Nov 12, 2005.

Thread Status:
Not open for further replies.
  1. iwod

    iwod Registered Member

    Joined:
    Jun 25, 2004
    Posts:
    708
    This thread is on fire!!! I suppose Happybytes is constantly monitoring this thread, which means by the time I reply he will have replied as well :D :D

    Now back to IlyaOS. Didn't support UPX? I don't think Happybytes would be happy about this statement. UPX is one of the MOST common runtime packers. I would be surprised if ANY current AV didn't support it...
     
  2. Edwin024

    Edwin024 Registered Member

    Joined:
    Nov 14, 2004
    Posts:
    1,008
    Heartwarming, those Eset guys responding in this thread. Coming to the rescue ;)
     
  3. IlyaOS

    IlyaOS Registered Member

    Joined:
    Nov 13, 2005
    Posts:
    29
    OK guys, you've convinced me that the Nod32 results are false!
    I don't take any words as truth without verification. It was a real public test and we can believe it ;)

    Happy Bytes, ,.--.,, please check the other results for Nod32 and I'll correct them on my website. But please use the same engine version 2.50.25 and database.

    What other packers does it support now?
     
  4. Happy Bytes

    Happy Bytes Guest

    I've been waiting for you :D :D :D

    You know, I don't mind testing AV software. But at some point you should just admit that you messed it up and not try to blame the weather and water temperature for it (in this case "oh, did I test the wrong version?").

    No, he didn't. Even this NOD32 version is able to deal just fine with runtime packers. :-*
     
  5. ,.--.,

    ,.--., Guest

    I think we should not automatically assume that the results posted by IlyaOS are wrong:

    For example, my own results as of June 30, 2004 (re NOD32 2.009 w/o AH) show that the static UPX unpacking routine was not perfect at that date. The following samples were not detected:

    Directory \NOD32\4_UPX\ (14 files, 1 653 256 bytes total):
    -----------------------------------------------------------------
     #   File                                 Size (bytes)
    -----------------------------------------------------------------
     1.  UPX190b.Coldfusion108.dll                  19 456
     2.  UPX.Netdevil12.exe                        268 800
     3.  UPX.Optixlite04.exe                        29 696
     4.  UPX084.Asylum013.exe                        4 608
     5.  UPX084.Bionet318.exe                      305 664
     6.  UPX084.rescompr.Theef2b5.exe              278 016
     7.  UPX084.TheefLE111_comp4.exe                26 112
     8.  UPX084.UPOLYX.Bionet318.exe               305 664
     9.  UPX084.UPXME SCR.Bionet318.exe            305 664
    10.  UPX104.TheefLE111_comp6.exe                24 066
    11.  UPX108.TheefLE111_comp2.exe                26 626
    12.  UPX120.TheefLE111_comp1.exe                27 650
    13.  UPX124.TheefLE111_comp8.exe                23 554
    14.  UPX124.UPXME SCR.AnalFTP01.exe              7 680
    -----------------------------------------------------------------


    http://illusivesecurity.il.funpic.de/viewtopic.php?t=12


    IlyaOS: Did you use /AH for the test?
     
  6. Firecat

    Firecat Registered Member

    Joined:
    Jan 2, 2005
    Posts:
    8,251
    Location:
    The land of no identity :D
    Let's see... I have not tested many of these, but NOD32 *should* now be able to unpack all of these (provided settings are on max and advanced heuristics is enabled):

    UPX
    ASPack
    FSG
    Petite
    NeoLite
    EXEStealth
    YodaCrypt
    PKLite
    PECompact
    LZexe
    Polycrypt
    Morphine

    There may be some that I missed though... :doubt:
     
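    Before a miss is attributed to a scanner's static unpacker, a tester wants to know which packer actually wrapped each sample, and a file name is an unreliable way to record that. The script below is an added example, not code from any post in this thread and not ESET's, that pulls the cheap static hints used for a first triage: section names left behind by packers in the list above (the name table is an illustrative subset, and a packer can rename its sections at will), a section that is empty on disk but large in memory, an entry point outside the first section, and the entropy of the section that holds the entry point. The two PE images it analyses are constructed inside the script, and `build_pe`, `packer_hints` and the returned fields are this example's own names.

```python
import math
import struct
from collections import Counter

# Section names that well-known runtime packers leave behind (matched
# case-insensitively). Constructed, illustrative subset: a packer can rename
# its sections, so a match is a hint, never proof, and a miss proves nothing.
PACKER_SECTION_NAMES = {
    "upx0": "UPX", "upx1": "UPX", "upx2": "UPX",
    ".aspack": "ASPack", ".adata": "ASPack",
    ".petite": "Petite",
    ".neolite": "NeoLite", ".neolit": "NeoLite",
    "pec1": "PECompact", "pec2": "PECompact",
}


def shannon_entropy(buf: bytes) -> float:
    """Bits of entropy per byte: 0.0 for a constant buffer, 8.0 for uniform."""
    if not buf:
        return 0.0
    n = len(buf)
    return -sum(c / n * math.log2(c / n) for c in Counter(buf).values())


def parse_pe(data: bytes):
    """Return (AddressOfEntryPoint, [section dicts]) from a PE image."""
    if data[:2] != b"MZ":
        raise ValueError("not a DOS/PE file")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4                                   # IMAGE_FILE_HEADER
    nsections = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    opt = coff + 20                                       # IMAGE_OPTIONAL_HEADER
    entry_rva = struct.unpack_from("<I", data, opt + 16)[0]
    sections = []
    for i in range(nsections):                            # 40-byte IMAGE_SECTION_HEADERs
        off = opt + opt_size + 40 * i
        name, vsize, vaddr, raw_size, raw_ptr = struct.unpack_from("<8sIIII", data, off)
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"),
                         "vsize": vsize, "vaddr": vaddr,
                         "raw_size": raw_size, "raw_ptr": raw_ptr})
    return entry_rva, sections


def packer_hints(data: bytes) -> dict:
    """Cheap static indicators that a PE is wrapped by a runtime packer."""
    entry_rva, sections = parse_pe(data)
    hints = {"packer": None, "reasons": [], "entry_section": None, "entry_entropy": 0.0}
    for s in sections:
        known = PACKER_SECTION_NAMES.get(s["name"].lower())
        if known:
            hints["packer"] = known
            hints["reasons"].append(f"section {s['name']!r} is a {known} name")
        if s["raw_size"] == 0 and s["vsize"] >= 0x1000:
            # Empty on disk, large in memory: the packer's unpack target (UPX0 style)
            hints["reasons"].append(f"section {s['name']!r} is empty on disk, {s['vsize']:#x} bytes virtual")
    for idx, s in enumerate(sections):
        if s["vaddr"] <= entry_rva < s["vaddr"] + max(s["vsize"], s["raw_size"]):
            hints["entry_section"] = s["name"]
            raw = data[s["raw_ptr"]:s["raw_ptr"] + s["raw_size"]]
            hints["entry_entropy"] = round(shannon_entropy(raw), 2)
            if idx > 0:   # linkers put code first; a packer's stub sits after the payload
                hints["reasons"].append(f"entry point in section {idx} ({s['name']!r}), not the first")
            if hints["entry_entropy"] > 7.0:
                hints["reasons"].append(f"entry section entropy {hints['entry_entropy']} looks compressed")
            break
    hints["likely_packed"] = hints["packer"] is not None or len(hints["reasons"]) >= 2
    return hints


def build_pe(sections, entry_rva: int) -> bytes:
    """Constructed minimal PE32 for the demo: DOS header, COFF header, an optional
    header with only AddressOfEntryPoint filled in, a section table and raw data."""
    opt_size, e_lfanew = 224, 0x40
    headers_len = e_lfanew + 4 + 20 + opt_size + 40 * len(sections)
    raw_base = (headers_len + 0x1FF) & ~0x1FF             # 0x200 file alignment
    table, body = b"", b""
    for name, vaddr, vsize, raw in sections:
        ptr = raw_base + len(body) if raw else 0
        table += struct.pack("<8sIIIIIIHHI", name, vsize, vaddr, len(raw), ptr, 0, 0, 0, 0, 0x60000020)
        body += raw
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, opt_size, 0x102)
    opt = struct.pack("<HBBIIII", 0x10B, 0, 0, 0, 0, 0, entry_rva).ljust(opt_size, b"\0")
    return dos + coff + opt + table + b"\0" * (raw_base - headers_len) + body


# Constructed sample inputs (no real malware): a UPX-style layout and a plain binary.
HIGH_ENTROPY = bytes(range(256)) * 4   # every byte value equally often -> 8.0 bits
LOW_ENTROPY = b"\x90" * 1024           # a single byte value -> 0.0 bits
UPX_LIKE = build_pe([(b"UPX0", 0x1000, 0x20000, b""),
                     (b"UPX1", 0x21000, 0x1000, HIGH_ENTROPY),
                     (b".rsrc", 0x22000, 0x1000, b"\0" * 512)], entry_rva=0x21300)
PLAIN = build_pe([(b".text", 0x1000, 0x1000, LOW_ENTROPY),
                  (b".data", 0x2000, 0x1000, b"\0" * 512),
                  (b".rsrc", 0x3000, 0x1000, b"\0" * 512)], entry_rva=0x1010)

if __name__ == "__main__":
    for label, image in (("upx-like", UPX_LIKE), ("plain", PLAIN)):
        print(label, packer_hints(image))
```

    Run it on a real sample set with `packer_hints(open(path, "rb").read())` and keep the `packer` and `reasons` fields beside each file name; that record is what a scanner vendor needs when a miss is reported, and it is independent of whatever the sample was called. Note the opposite failure mode too: a sample whose section names say UPX but whose entry section has low entropy has usually been unpacked already, and counting it as "UPX" would misattribute a detection.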
  7. Stan999

    Stan999 Registered Member

    Joined:
    Sep 27, 2002
    Posts:
    566
    Location:
    Fort Worth, TX USA
    How about the other AVs tested in your test? Could some of those have significantly flawed results also?
     
  8. Happy Bytes

    Happy Bytes Guest

    Sorry, we're not at an Asian market. YOU correct your own things. How silly does it look if I correct your results and you then update them? That's of course a trustworthy test then - as you called it a few posts before :eek:

    I'll give you some advice: in future, test the strength of Guinness beer or the elasticity of bras, but don't ever again ask someone from an AV company to update your lousy test results because you're not able to do it yourself. Because with this attitude (see the first quoted sentence here) nobody will ever take your test seriously!
     
  9. IlyaOS

    IlyaOS Registered Member

    Joined:
    Nov 13, 2005
    Posts:
    29
    Without AH.
     
  10. Firecat

    Firecat Registered Member

    Joined:
    Jan 2, 2005
    Posts:
    8,251
    Location:
    The land of no identity :D
    Well, there's your problem! Advanced heuristics uses the generic unpack engine, which noticeably enhances the unpacking ability of NOD32. :)

    Of course, NOD32 2.5 is still better than 2.12 ;)
     
  11. ,.--.,

    ,.--., Guest

    UPX 125w was released on 29 June 2004. Maybe the static unpacking routine of NOD32 2.12.3 did not support it yet?

    Anyway, the best thing about NOD32 is AH (i.e., the generic unpacking engine). Therefore, you should always test with /AH. The term /AH is misleading because it does not merely relate to heuristic detection but also to NOD32's generic unpacking engine.
     
  12. RejZoR

    RejZoR Lurker

    Joined:
    May 31, 2004
    Posts:
    6,426
    Now there is one thing that has always puzzled me about these tests.
    If you test any kind of detection capability you HAVE to turn everything up to the maximum possible level given by the GUI. From my point of view that includes all kinds of archive scanning, spyware/riskware detection and heuristics.
    I wonder why NOD32 should be an exception? Just because the ESET guys are so nice as to give us more control over engine subsystems? I guess not...
     
  13. ,.--.,

    ,.--., Guest

    @IlyaOS

    Don't take Michael's comments too seriously. Even "famous" testers like Andreas Clementi or Andreas Marx initially screwed up their NOD32 tests (e.g., use of "incorrect" file names etc.). This AV is not that easy to test.
     
  14. RejZoR

    RejZoR Lurker

    Joined:
    May 31, 2004
    Posts:
    6,426
    Well, it is easy to test. Just check all possible checkboxes for the context scanner (basically the same as on-demand) and scan the location with the samples. It even gives you a summary of how many samples were detected and how many were found to be clean. If you have a nicely organized database, this should give very precise results with minimal effort. The other way is to set the scanner to delete infected files and check the file count after the scanner sweep. But there might be errors because certain files fail to get deleted and so on.
     
  15. IlyaOS

    IlyaOS Registered Member

    Joined:
    Nov 13, 2005
    Posts:
    29
    :eek:

    Ok, no problem, Eset distributors here in Eastern Europe will be happy about it. I'm talking with people here because I want to find the truth and provide users with reliable results, and I don't make money on such publications.
    My advice for you: learn geography, Russia is located in Europe, not in Asia!!! :D

    That's all, I will ignore your future comments in this thread!
     
  16. Happy Bytes

    Happy Bytes Guest

    :D Nautilus, can you please stop this "Sissy-Talk"? :D
    The fact is there are wrong test results here (we found this out after lots of complaining) and finally he's asking me to update his test results.

    I mean hey, that's really too much. Speaking about the other 2 guys - they correct their things on their own. As I said, making mistakes is not THAT much of a problem. For instance I ALWAYS make the mistake of joining such discussions :D
     
  17. IlyaOS

    IlyaOS Registered Member

    Joined:
    Nov 13, 2005
    Posts:
    29
    Thank you, I'll improve the quality of the tests in future.
    Anyway your assistance was very useful. :)
     
  18. Happy Bytes

    Happy Bytes Guest

    Privet! (Hi!)
    Probably I should write in Russian so that you understand what I mean. However, then most other people would not understand. With "Asia market" I meant the "suspicious deal with updating your results". Do you know what an Asian market is? You negotiate there - the same as you did by offering me to update the results - it has absolutely nothing to do with Russia. :D
     
  19. Stefan Kurtzhals

    Stefan Kurtzhals AV Expert

    Joined:
    Sep 30, 2003
    Posts:
    702
    Well, there is a very good reason NOD32 behaves like this, and if you had sound knowledge about malware and an understanding of AV scanning technology you would know why ESET made that decision.

    Sigh, when will people start to properly inform themselves before trying to do AV tests?

    An example: there is a "new" AV test in the German PC magazine PC Praxis. They tested various scanners, also Bitdefender and Data Becker Maximum Protection, which uses the Bitdefender engine as well. Strangely enough, Maximum Protection had twice the scanning speed of Bitdefender. It seems they scanned the viruses in the same location with Bitdefender first and Maximum Protection second. Too bad Bitdefender uses a scan-speed method similar to Kaspersky's iStreams - which explains why Maximum Protection had twice the scanning speed: it could use the scan info from the previous scan with Bitdefender. Carefully tested, oh yeah...
     
  20. ,.--.,

    ,.--., Guest

    @Michael

    How about an IRC chat sometime? *g*
     
  21. RejZoR

    RejZoR Lurker

    Joined:
    May 31, 2004
    Posts:
    6,426
    Well, your geography isn't perfect either :p
    Russia spans the entire Asian continent. Only a very small part of Russia is located on the European continent.

    The entire area is basically Russia. On the far left side there are a few European countries... So Russia isn't exactly (just) a European country...
    http://img401.imageshack.us/img401/9185/mapfull4ru.jpg
     
  22. ,.--.,

    ,.--., Guest

    @Skeeve

    "Well, there is a very good reason NOD32 behaves like this and if you would have sound knowledge about malware and understanding of AV scanning technology you would know why ESET made that decision."

    1.
    I did not say that there was no good reason for this behaviour.

    2.
    I do know why ESET made such decision. Moreover, I never tested NOD32 using non-executable file names.

    3.
    I believe that ESET has changed this behaviour in the meantime because malicious people started to register new executable file extensions...

    4.
    The iStreams example... that's really a good one. LOL! Thanks for providing this information.
     
  23. IlyaOS

    IlyaOS Registered Member

    Joined:
    Nov 13, 2005
    Posts:
    29
    Yes, but I meant the AV market. Moscow and its vicinity (the "business part" of Russia, 90% of enterprises) are located in the European part. And in all market reports (IDC for example) Russia is included in CEE.
     
  24. Sputnik

    Sputnik Registered Member

    Joined:
    Feb 24, 2005
    Posts:
    1,198
    Location:
    Moscow
    That's right. But please note that Moscow and St. Petersburg are simply European cities. Compare it with Turkey, which also has a European and an Asian part.
     
  25. AndreyKa

    AndreyKa Registered Member

    Joined:
    Feb 25, 2005
    Posts:
    93
    Location:
    Russia