About AMON??

Discussion in 'NOD32 version 2 Forum' started by embower, Dec 19, 2003.

Thread Status:
Not open for further replies.
  1. embower

    embower Registered Member

    Joined:
    Dec 19, 2003
    Posts:
    46
    AMON can't scan .RAR/.ZIP-type files :oops:
     
  2. iNsuRRecTioN

    iNsuRRecTioN Registered Member

    Joined:
    Sep 5, 2003
    Posts:
    303
    Location:
    Germany
    Hi embower,

    Yes, that's true; AMON doesn't scan inside archives, because of performance issues.

    But maybe this will be implemented as an optional feature (an option, not on by default) in NOD32V2 with a program component update.

    greetz

    iNsuRRecTiON
     
  3. embower

    embower Registered Member

    Joined:
    Dec 19, 2003
    Posts:
    46
    Thank you iNsuRRecTiON!

    Is there a method to solve this? o_O
     
  4. embower

    embower Registered Member

    Joined:
    Dec 19, 2003
    Posts:
    46
    I did not find those options :oops: :oops:
     


  5. sir_carew

    sir_carew Registered Member

    Joined:
    Sep 2, 2003
    Posts:
    884
    Location:
    Santiago, Chile
    Hi,
    I think it isn't important that IMON scan into .ZIP, .ARJ, .RAR files, etc., because if you don't decompress the file, your system can't be infected, and if you try to decompress a virus, AMON will detect it and deny access. What is important is that AMON scans UPX-packed files, etc., because those files are compressed, yet if you execute them, you will be infected.
     
  6. embower

    embower Registered Member

    Joined:
    Dec 19, 2003
    Posts:
    46
    I know, thanks :)
    But I think it could be similar to KAV: when .ZIP, .ARJ, .RAR files are being downloaded to the computer, it discovers the virus and stops the download :oops:
     
  7. LedLine

    LedLine Registered Member

    Joined:
    Dec 20, 2003
    Posts:
    9
    Why doesn't AMON detect executable files compressed with UPX? I think this is an important defect.
    :doubt:
     
  8. sir_carew

    sir_carew Registered Member

    Joined:
    Sep 2, 2003
    Posts:
    884
    Location:
    Santiago, Chile
    AMON is able to scan inside compressed files like ASPack, UPX, and others.
     
  9. Ainur

    Ainur Guest

    Not yet! And neither does the on-demand scanner. For the moment, only the interface is there.

    But from what I've read on this forum, I think features such as scanning into runtime packers and self-extracting archives will be implemented in the near future, at least for the scanner. :)
     
  10. sir_carew

    sir_carew Registered Member

    Joined:
    Sep 2, 2003
    Posts:
    884
    Location:
    Santiago, Chile
    The NOD32 Scanner is able to scan into .zip and UPX files.
    I have samples, and it detects those. AMON also detects packed viruses like UPX, not all versions of UPX, but the most used ones.
     
  11. LedLine

    LedLine Registered Member

    Joined:
    Dec 20, 2003
    Posts:
    9
    I am a Japanese user.
    I have verified that AMON does not detect a worm compressed with UPX, in version 2.000.08.
    I have also verified that the on-demand scanner and IMON of NOD32 do detect it.
    And the same was said of the English version.

    An improvement request has been submitted to the distributor (Canon). :'(
     
  12. Ainur

    Ainur Guest

    NEGATIVE - for the moment, nod32 only stores the compressed signatures of the virii/worms. It does not scan "inside" the packer.
     
  13. sir_carew

    sir_carew Registered Member

    Joined:
    Sep 2, 2003
    Posts:
    884
    Location:
    Santiago, Chile
    Hi,
    No. I have a compressed sample; I checked it with KAV and it reported it as infected and also showed "Packed File"; I scanned it with NOD32 and it detected it without problems, and I copied it to the desktop and AMON alerted me without problems.
    I'm using the Spanish version of NOD32.
    I also checked a .zip package that contains a virus with the NOD32 scanner, and the NOD scanner detected it.
     
  14. Ainur

    Ainur Guest

    Maybe, but that's not the point - as I said, for now nod only stores the compressed signatures.


    If you UNPACK the worm, will the on-demand scanner still detect the worm in the unpacked executable? You can download the (free) DOS upx utility here:
    http://upx.sourceforge.net/download/upx124w.zip
    Use the -d option to decompress; for example, if the packed file is 'worm_packed.exe', then type:
    upx -d worm_packed.exe -o worm_unpacked.exe ;)
     
  15. sir_carew

    sir_carew Registered Member

    Joined:
    Sep 2, 2003
    Posts:
    884
    Location:
    Santiago, Chile
    Hi,
    I understand your point: ESET adds the packed sample itself to the database, so if you unpack it, NOD will not detect it.
    You're wrong; I decompressed the Win32/Sinala.A worm, and NOD still detects it. I also scanned the original, and KAV reports it as packed, and the unpacked one as obviously unpacked.
     
  16. sir_carew

    sir_carew Registered Member

    Joined:
    Sep 2, 2003
    Posts:
    884
    Location:
    Santiago, Chile
    Hi,
    You may be right, because I discovered this earlier: when I scanned some packed executables, NOD did not show "UPX - infected by blabla..."; now it only shows "infected by blabla".
    Are you saying that NOD now does not include the unpacker engine? That's dangerous.
     
  17. iNsuRRecTioN

    iNsuRRecTioN Registered Member

    Joined:
    Sep 5, 2003
    Posts:
    303
    Location:
    Germany
    Hmm, Ainur, if you're right (and I think so..), then I don't see the fun of it. That's unbounded cheek from eset!
    They attract many people with the supposed features of the new NOD32V2, like support for runtime packers (UPX, etc.), and when you use a trial version of NOD32V2 you will see in the "action" tab of the on-demand scanner that the options for archives, like rename, delete or clean, are not greyed out, and everyone thinks NOD32V2 can handle this. (Have a look at the screenie)
    But when an infection in an archive is found and you want to rename, delete or clean the infection, you can't, because the options aren't available in the dialog that is shown..! (Have a look at the attachment)

    rant snipped

    Don't get me wrong, NOD32V2 is a fast and good anti-virus program,
    but such a thing is unfair and not OK!

    off topic remarks concerning other AVs snipped

    bye

    iNsuRRecTiON
     


  18. LedLine

    LedLine Registered Member

    Joined:
    Dec 20, 2003
    Posts:
    9
    Hello.
    I also have a sample.
    The version of UPX compression is 1.08.
    The tested worm is W32.HLLW.Antinny.

    AMON did not detect it.
    The on-demand scanner of NOD32 and IMON detect it.

    The distributor (CANON) acknowledges that AMON does not detect it. :'(
     
  19. sir_carew

    sir_carew Registered Member

    Joined:
    Sep 2, 2003
    Posts:
    884
    Location:
    Santiago, Chile
    I think that AMON needs urgent adjustments, like including Advanced Heuristics, SCANNING IN UPX FILES!!!!!!!, and more.
    ESET, what's happening?
    :mad:
     
  20. Ainur

    Ainur Guest

    sir_carew:

    I even have a counter-example of a upx-packed trojan!

    The trojan is Win32/Xenozbot.10

    - When it's packed, the scanner detects it as the Xenozbot, and so does Amon if I try to create it, access it (eg. right-click on it) or run it.

    - When it's unpacked, the scanner (without super-heuristics) does NOT detect it, and neither does Amon if I try to create or access it. But Amon does detect it as Xenozbot if I try to run it. Also, the super-heuristics detect it as well, but only as an "unknown_advheur_trojan" or something...

    This proves that for now, nod32 can't scan inside packers, among other things. It just stores the "packed signatures" in its database. The AV which has the most unpacking engines to this day is KAV (manages over 500 packer types), but even this AV cannot scan inside all of them.

    Besides, this is not such a critical issue since as soon as the worm is run, Amon detects it anyways, as I previously showed. So there is no danger as such, however it is true that the ability to scan inside runtime packers would be GREATLY appreciated, all the more so since it is supposed to be part of nod according to their site...


    Insurrection:

    In a way, you're right, as several features advertised on the Eset site (scanning inside packers, and according to another thread, SFX files?) are not yet implemented. I don't know if they're aware of these issues. But since they do advertise them, that means they probably will be included in the near future (they'd better, esp. for their customers!) Like you pointed out, they've already included the graphic interfaces for the (missing) features. :D

    Remember that Nod is a young AV compared to the other old-timers. For a relatively recent AV, it performs quite well for detecting virii/worms. In a recent VB100, it was one of the 2 which detected 100% of the virii in each of the 6 categories (inc. polymorphic), and without any false alert. Even older AVs such as KAV, NAV, McAfee, Dr Web or the almighty F-secure did not achieve 100% in all categories (false alerts or not). What's more, nod also had a far superior scan speed. Impressive!

    But true enough, even a superior speed & performance is not an excuse for the missing features. Let's just hope Eset won't take too long to fulfil their "duty", and perhaps they should remove the missing features from their website in the meantime...


    Ledline:

    Try to RUN the packed worm - Amon will then detect it, if I'm not mistaken... ;)
     
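    The packed-versus-unpacked test Ainur describes above (run `upx -d` on the sample, then scan both files) comes down to one fact: a signature taken over the packed bytes only matches the packed file, because the original code is no longer present in clear on disk. The following is an added example, not code from this thread, from ESET or from the UPX project: a small Python script that parses a PE's section table, flags the usual UPX markers (UPX0/UPX1 section names, a first section that is empty on disk, a high-entropy second section) and shows a byte signature taken from the unpacked program failing against the packed image. Both PE images are constructed inside the script; the compressed UPX1 body is simulated with pseudo-random bytes, since the script does not implement UPX's compression, and the section-name set and entropy threshold are assumptions, not ESET's or UPX's values.

```python
"""Added example (not from the thread): recognise a UPX-style packed PE from its
section table and show why a signature over the unpacked program does not match
the packed file. The PE images below are constructed by hand and are not malware."""
import hashlib
import math
import struct

# Assumed marker set: section names the stock UPX stub writes (a repacker can rename them).
UPX_SECTION_NAMES = {b"UPX0", b"UPX1", b"UPX2", b"UPX!"}
ENTROPY_THRESHOLD = 7.0  # assumed: bits/byte above which a section is "compressed-looking"


def pe_sections(data: bytes):
    """Return [(name, SizeOfRawData, PointerToRawData)] for a PE image, [] if not a PE."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return []
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return []
    coff = e_lfanew + 4
    nsections = struct.unpack_from("<H", data, coff + 2)[0]
    size_opt = struct.unpack_from("<H", data, coff + 16)[0]
    table = coff + 20 + size_opt  # section headers follow the optional header
    out = []
    for i in range(nsections):
        off = table + 40 * i
        if off + 40 > len(data):
            break
        name = data[off:off + 8].rstrip(b"\0")
        raw_size, raw_ptr = struct.unpack_from("<II", data, off + 16)
        out.append((name, raw_size, raw_ptr))
    return out


def shannon_entropy(buf: bytes) -> float:
    """Bits per byte; ~8.0 for compressed/encrypted data, low for code and text."""
    if not buf:
        return 0.0
    counts = [0] * 256
    for b in buf:
        counts[b] += 1
    n = len(buf)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def looks_upx_packed(data: bytes) -> dict:
    """Heuristic only: UPX0 is the empty-on-disk unpack target, UPX1 holds the
    compressed body plus decompressor stub. Neither check unpacks anything."""
    secs = pe_sections(data)
    names = {n for n, _, _ in secs}
    upx_names = bool(names & UPX_SECTION_NAMES)
    empty_first = bool(secs) and secs[0][1] == 0
    entropy = [(n, shannon_entropy(data[p:p + s])) for n, s, p in secs if s]
    high_entropy = any(e > ENTROPY_THRESHOLD for _, e in entropy)
    return {
        "upx_section_names": upx_names,
        "empty_first_section": empty_first,
        "section_entropy": entropy,
        "verdict": upx_names or (empty_first and high_entropy),
    }


def contains_signature(data: bytes, sig: bytes) -> bool:
    """The simplest possible 'signature': a byte pattern from the clear-text program."""
    return sig in data


def build_pe(sections):
    """Constructed minimal PE32 image (headers + section table + raw data); not runnable."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)  # e_lfanew
    opt_size = 224
    hdr_len = 0x40 + 4 + 20 + opt_size + 40 * len(sections)
    raw_base = (hdr_len + 0x1FF) & ~0x1FF  # first raw section on a 512-byte boundary
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, opt_size, 0x102)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x10B)  # PE32 magic
    table, bodies, ptr, va = b"", b"", raw_base, 0x1000
    for name, body in sections:
        raw = (len(body) + 0x1FF) & ~0x1FF  # 0 for an empty-on-disk section
        vsize = max(len(body), 0x1000)
        table += struct.pack("<8sIIIIIIHHI", name.ljust(8, b"\0"), vsize, va, raw,
                             ptr if raw else 0, 0, 0, 0, 0, 0x60000020)
        bodies += body.ljust(raw, b"\0")
        ptr += raw
        va += (vsize + 0xFFF) & ~0xFFF
    img = bytes(dos) + b"PE\0\0" + coff + bytes(opt) + table
    return img.ljust(raw_base, b"\0") + bodies


def _pseudo_random(n: int, seed: bytes = b"upx-demo") -> bytes:
    """Deterministic high-entropy filler standing in for the compressed body."""
    out, block = bytearray(), seed
    while len(out) < n:
        block = hashlib.sha256(block).digest()
        out += block
    return bytes(out[:n])


SIGNATURE = b"example program body"  # constructed: a string the clear-text .text contains
PLAIN_TEXT = b"\x55\x8b\xec\x90\x90\xc3" * 100 + SIGNATURE + b"\0"
UNPACKED = build_pe([(b".text", PLAIN_TEXT), (b".data", b"config=1\0" * 32)])
PACKED = build_pe([(b"UPX0", b""), (b"UPX1", _pseudo_random(4096)), (b".rsrc", b"\0" * 64)])

if __name__ == "__main__":
    for label, img in (("unpacked", UNPACKED), ("packed", PACKED)):
        r = looks_upx_packed(img)
        print(label, "packed-verdict:", r["verdict"], "signature-hit:", contains_signature(img, SIGNATURE),
              [(n.decode(), round(e, 2)) for n, e in r["section_entropy"]])
```

    The section-name check is the one a scanner of that era could afford on access, and it is also the one trivially defeated by renaming sections after packing, which is why the entropy check sits beside it; both only say "probably packed", and only a real unpacker (or the executable being run, as Ainur notes AMON relies on) exposes the bytes a clear-text signature would match.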
  21. LedLine

    LedLine Registered Member

    Joined:
    Dec 20, 2003
    Posts:
    9
    My English is weak.
    I want you to speak simply. (I cannot understand)
    It is very sad that AMON does not detect UPX compression (version 1.08).

    In Japan, since UPX compression (version 1.08) is in use, it becomes a problem.

    The distributor (CANON) also said that it has submitted an improvement request to the developer (ESET).
     
  22. LedLine

    LedLine Registered Member

    Joined:
    Dec 20, 2003
    Posts:
    9
    I compressed it using the upx124w mentioned above.
    It was not detected when AMON's operation was checked using it.

    It is detected by the on-demand scanner of NOD32.
     
  23. sir_carew

    sir_carew Registered Member

    Joined:
    Sep 2, 2003
    Posts:
    884
    Location:
    Santiago, Chile
    For Ainur:
    You're right, because ESET-NOD32 is a relatively young company/antivirus, and the AV, like the company, has been growing in recent years; if I am right, NOD32 v2.0 is only the second version of the AV for 32-bit systems. NOD-ICE was for 16-bit systems, 4 versions in total.
    Consider that Symantec for 32-bit systems has: NAV 4.0; 5.0; 6.0; 7.0; 8.0; 9.0 and 10.0!!!!! NAV has 6 generations of AV for 32-bit Windows, and NOD only has 2!!!! Consider that NOD is much better than NAV in many aspects, such as: heuristics (LOL, the "heuristic" of NAV is a "joke"), the detection rates, the resources, etc. I believe that NOD will be the future AVP.
     
  24. LedLine

    LedLine Registered Member

    Joined:
    Dec 20, 2003
    Posts:
    9
    He cannot understand what is being talked about.
    I am a user of NOD32 and like NOD.
    I fully understand the thinking of NOD.
    What troubles me now is being unable to detect UPX compression in AMON.
    This is equal to being defenseless.
    It is very dangerous.
    I think that it is a bug.
    AMON does not detect Antiny.exe that was compressed with UPX.
    The on-demand scanner of NOD32 detects it.
     


  25. sir_carew

    sir_carew Registered Member

    Joined:
    Sep 2, 2003
    Posts:
    884
    Location:
    Santiago, Chile
    >He cannot understand what is being talked about.
    If you are referring to me, you're wrong, because I understand the situation: the on-demand scanner can detect viruses that use UPX, but the on-access scanner does not.
    I also think that it's dangerous, but if you try to open it, AMON will deny access to the UPX file; if you modify, rename or copy it, AMON will NOT detect it. However, with those actions you can't be infected, only by opening the file, and AMON detects UPX viruses when you open them.
     