defective archive causes nod32 v3.0.556.0 to crash

Discussion in 'ESET NOD32 Antivirus' started by b00ze, Dec 9, 2007.

Thread Status:
Not open for further replies.
  1. b00ze

    b00ze Registered Member

    Joined:
    Mar 8, 2006
    Posts:
    30
    Location:
    Rhineland
    I have an archive that causes nod32 v.3.0.556.0 on Vista 64 to crash ... the "ekrn.exe" shuts down on every scanning attempt ... and it locks down the computer then ... I put that archive into the quarantine for submitting, but I am not sure if this is the best way to inform eset about this bug. What shall I do?

    The online scan at http://virusscan.jotti.org/ says:

    Packers detected:
    PE_PATCH, TELOCK, PECOMPACT

    jotti results removed per Policy.
     
    Last edited by a moderator: Dec 9, 2007
  2. krokodil_bb

    krokodil_bb Registered Member

    Joined:
    Oct 13, 2007
    Posts:
    86
    Location:
    BB
    1. In the nod settings, disable all real-time, email & web protection.
    2. Now try to scan the files which cause problems.
    3. If it does not crash now, then it is this bug and you must wait for a fixed release from eset.
    4. If it is the same, send the file to eset support.
     
    Last edited: Dec 9, 2007
  3. b00ze

    No, the behaviour is different from yours ... when I disable the realtime-protection and scan the file manually, nod32 crashes ... all the time ... I found out that it's caused by a tiny .exe file within the archive and not by the archive itself. I'm still not sure how to handle it. It's not malware, or a virus. Shall I send it to eset via email, or upload it somewhere (so that someone can confirm it)?
     
  4. krokodil_bb

    scan_ok.png
    On w2k it scanned ok,
    my version is 3.0.566 and Archive support module: 1065 (20071109).
    Did you try scanning it with all protection disabled? (not only real-time)
     
  5. b00ze

    Same versions here. But as I mentioned before, on Vista 64 Bit.

    Yes I did. And when I start an "on demand"-scan of that file, the service ("C:\Program Files\ESET\ESET NOD32 Antivirus\x86\ekrn.exe") crashes and after a short while, I'll get a full lockup here.
     
  6. b00ze

    Ok, I have some news:

    I found out that it has something to do with the Data Execution Prevention (DEP). It's enabled by default for ALL programs here. And this causes NOD32 to crash while checking the "PE_PATCH, TELOCK, PECOMPACT"-packed exe-file. When I set the DEP to "only for Programs and Services needed by Windows", the scan of the file runs fine ... but I bet there is a silent Buffer-Overflow too. This should really be fixed. It looks like an unsafe/buggy decrunch-algorithm.

    Feel free to check it out on your own:

    Link removed. No links allowed to malware or possible malware or direct downloads to unknown files on the forums.
     
    Last edited by a moderator: Dec 9, 2007
  7. swami

    swami Registered Member

    Joined:
    Mar 24, 2006
    Posts:
    167
    Do you have the right version, as you said before that you are using 64-bit Vista?
     
  8. b00ze

    What right version do you mean? I use "ESET NOD32 3.0 Antivirus for Win XP/Vista (64-bit)" in combination with Vista Ultimate 64. The file is called "eav_nt64_enu.msi". That should fit.
     
  9. b00ze

    Sorry for bumping, but I made a small movie (4mb) about this strange behaviour, recorded in a vmware installation. It's reproducible ... the eset support says: "we are unable to reproduce this..." argh! :-(

    http://www.bundeskanzleramt.mynetcologne.de/movie.mp4
     