2 Discoveries in Kaspersky's Archive Detection Ability

Discussion in 'other anti-virus software' started by Elliot, Nov 8, 2004.

Thread Status:
Not open for further replies.
  1. Elliot

    Elliot Registered Member

    Joined:
    Nov 5, 2004
    Posts:
    41
    I've tested KAV 5 Personal on some archives and found:

    1. The archive depth that KAV could penetrate differs with your 'Protection Level' settings. With Recommended Level, KAV won't detect an EICAR file contained in a zip archive, which was contained in a self-extracting rar archive, something like this:

    EICARTEST.exe\eicar2.zip\eicar.zip\eicar.com

    But with Maximum Protection Level, those could be detected. Anyway, I see no explanation nor detailed settings for the depth of archive to be scanned at the different protection levels. I don't know the depth limit.

    2. KAV's brute-force ability.
    I've tried to compress some viruses into a rar archive which was protected with the password '1234'. KAV was able to detect them inside the password-protected rar archive without asking me for the password (Maximum Level used, and 'Don't ask for password' checked). Then I changed the password to 12345, and the viruses could still be detected. Then I tried a much more complicated password, and this time, after a long pause (about 10 secs on my Centrino 1.5G), KAV reported no virus was found. It seems that during the long pause, KAV was busy trying to guess the password of the archive in a brute-force manner. That's very interesting.
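    The nesting test described in point 1 can be reproduced without an AV product: the script below (an added example, not from the thread or from Kaspersky) builds a test payload wrapped in a chosen number of nested zip archives, then walks it with a depth-limited recursive scanner of the kind an AV engine uses, so you can see exactly where a recursion limit stops detection. It uses a constructed marker string rather than the real EICAR file, and zip only (no rar/SFX support in the standard library); the depth limit and size cap are assumed values.

```python
import io
import zipfile

# Constructed stand-in for the EICAR test file content (not the real EICAR string).
TEST_MARKER = b"TEST-MARKER-NOT-MALWARE"


def build_nested_zip(depth: int, payload: bytes = TEST_MARKER) -> bytes:
    """Wrap payload in `depth` nested zips: level1.zip\\level2.zip\\...\\payload.txt."""
    data, name = payload, "payload.txt"
    for level in range(depth, 0, -1):
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
            zf.writestr(name, data)
        data, name = buf.getvalue(), f"level{level}.zip"
    return data


def scan_nested(data: bytes, max_depth: int, marker: bytes = TEST_MARKER, depth: int = 0):
    """Depth-limited recursive scan, mimicking an AV archive recursion limit.

    Returns (found, deepest_level_examined). Level 0 is the outer file itself;
    an archive at level >= max_depth is not opened, which is the 'not detected'
    case seen when the protection level allows too little recursion.
    """
    if not zipfile.is_zipfile(io.BytesIO(data)):
        return marker in data, depth          # leaf file: inspect its content
    if depth >= max_depth:
        return False, depth                   # recursion limit reached: not opened
    deepest = depth
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.file_size > 10_000_000:   # assumed cap: skip oversized members
                continue
            found, d = scan_nested(zf.read(info), max_depth, marker, depth + 1)
            deepest = max(deepest, d)
            if found:
                return True, d
    return False, deepest


if __name__ == "__main__":
    sample = build_nested_zip(3)              # payload sits three archives deep
    for limit in (2, 3):
        print(f"max_depth={limit}: {scan_nested(sample, limit)}")
```

With max_depth=2 the scan stops at level 2 and reports nothing; with max_depth=3 the marker is found at level 3.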
     
  2. TopperID

    TopperID Registered Member

    Joined:
    Oct 1, 2004
    Posts:
    1,527
    Location:
    London
    In the Pro version, self-extracting archives are excluded from the recommended level protection for real-time monitoring, while emails are excluded from on-demand scanning.

    These are about the only differences between recommended and max protection.
     
  3. Elliot

    Elliot Registered Member

    Joined:
    Nov 5, 2004
    Posts:
    41
    I haven't changed the On-Access settings; what I tested was the On-Demand scanner. It is true that you can only find the two differences you mentioned above in the software's user interface, but I do realize that there must be more that varies between the different level settings.
     