File size limit?

Discussion in 'ESET NOD32 Antivirus' started by Zyrtec, Jan 25, 2010.

Thread Status:
Not open for further replies.
  1. Zyrtec

    Zyrtec Registered Member

    Joined:
    Mar 4, 2008
    Posts:
    534
    Location:
    USA
    Hi,

    Is there a limit for file transfer when you send .rar archives to samples@eset.com?

    I've been sending malware samples to ESET on a regular basis since about 3 weeks ago so they can be added to NOD32 signatures. I've been doing so without any problems by using Firefox in a Sandbox. I'm currently running NOD32 v.4.0.474 on Windows Vista Business SP-2.

    Today, I sent about 14 pieces of malware not hit by NOD32 with signatures 4805. They were sent in a .rar archive with the password: infected. My Hotmail account allows me to send files up to 10.0MB. The .rar archive I sent was about 7.3MB (under the Hotmail limit) in size, but I got my e-mail bounced back from nod.sk letting me know that the file couldn't be delivered because it exceeded the ESET allowed size.

    Confident that the file had been received by ESET (before getting the bounced e-mail), I shredded the .rar archive and deleted the e-mail (emptied deleted folder as well) so it's now unrecoverable.

    I don't want to go through the hassle of hunting down those samples again to send them to ESET and I will not.

    That's why I'm asking again if there is a limit for the size of the malware files you can send to ESET for analysis?

    Thank you

    Carlos
     
  2. siljaline

    siljaline Former Poster

    Joined:
    Jun 29, 2003
    Posts:
    6,619
  3. Triple Helix

    Triple Helix Webroot Product Advisor

    Joined:
    Nov 20, 2004
    Posts:
    12,011
    Location:
    Ontario, Canada
    Most other vendors you can send 20MB files, as my ISP will allow me to do so via Outlook! I know I can send files that big to Prevx!

    HTH,

    TH
     
  4. siljaline

    siljaline Former Poster

    Joined:
    Jun 29, 2003
    Posts:
    6,619
    The OP might be limited in the file size he can send via Hotmail, Triple Helix.
    If this is the case, the OP would have to find another method to submit a large archive to ESET.
     
  5. Triple Helix

    Triple Helix Webroot Product Advisor

    Joined:
    Nov 20, 2004
    Posts:
    12,011
    Location:
    Ontario, Canada
    That's true, he could use http://www.rapidshare.com or some other file upload service and send the link to ESET!

    Cheers,

    TH
     
    Last edited: Jan 26, 2010
  6. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,374
    I'd strongly recommend sending samples in separate archives containing similar threats.
     
  7. Zyrtec

    Zyrtec Registered Member

    Joined:
    Mar 4, 2008
    Posts:
    534
    Location:
    USA
    Nope...wrong assumption

    Hotmail is not the problem here because the .rar archive I sent to ESET was under the limit allowed by Hotmail [ The .rar archive was 7.3MB and the limit for file transfers imposed by Hotmail is 10.0MB ]. In the past I have even sent to them archives bigger than 8MB.

    Furthermore, the e-mail rejecting the files wasn't sent by Hotmail but by nod.sk which I assume is ESET Slovakia branch.

    If they don't want any more files they better e-mail letting me know it. I just do this as a favor to ESET and many users like you and me since NOD32 doesn't detect 100% of everything nor other anti-virus on the market do.

    Most of the files I sent to them are Fake AV variants and Trojan Horses that actually happen to be the worst offenders when it comes to PC infections.

    Regards,

    Carlos
     
  8. Triple Helix

    Triple Helix Webroot Product Advisor

    Joined:
    Nov 20, 2004
    Posts:
    12,011
    Location:
    Ontario, Canada
    I send to samples@eset.com all the time, but I use Outlook without problems. I use WinRAR and password protect it with infected and then send them!

    Is that the way you send them, password protected?

    TH
     
  9. Zyrtec

    Zyrtec Registered Member

    Joined:
    Mar 4, 2008
    Posts:
    534
    Location:
    USA
    Yes. I know the drill and that's the way I've been sending malware samples to them for three weeks in a row without any problems until today.

    I also have a paid version of WinRAR 3.91 installed on my computer and I send the .rar archives password protected so this is not new to me.

    Anyway. I'll try with some different samples when I get the time.

    Thanks

    Carlos
     
  10. Triple Helix

    Triple Helix Webroot Product Advisor

    Joined:
    Nov 20, 2004
    Posts:
    12,011
    Location:
    Ontario, Canada
    You could try samples@eset.sk; most of the replies I get from them are from this address!

    TH
     
  11. red_jack

    red_jack Registered Member

    Joined:
    Aug 11, 2005
    Posts:
    56
    There must be a file size limit there also. My emails are kicked back also. I got a 21MB file that claims to be a Setup Factory 8 run time installer for a tweak program but it's not. It won't compact down under 20.6MB. I tracked down what the program is supposed to be but the sums don't match. The real trial setup extracts like a normal installer does. This does not unpack like an installer would; instead it copies itself to the temp, pops up a prompt about ok to compressing itself? 100% CPU (killed process), then a file called notepad.exe in the temp showed up with identical bytes as the installer but slightly different size. Byte compare says identical, MD5 says it's not o_O. Maybe byte compare may have excluded a 1Kb overlay. Too big to upload to VirusTotal, Jotti, Sunbelt, etc. Too big to send to ESET from the ESET console, too big to send to ESET email. Dr. Web online scan accepts it but says it's clean. KAV offline scan tool says it's clean. Sent it to a friend with Avast, says it's clean. Don't think it was my mail system blocking the size or it should have not sent to my friend for testing. Oh, ESET 4 Business with today's updates says it's clean also.
    Comes up as VB5 - PCode with small overlay. Contains CRC32, MD5 and DES crypto sigs. Tried an older VB Decompiler on it; it breaks it down to readable VB commands but the res/ref text looks like random text as in hash bytes. Resource entries in the PE sequence named 6661 to 6662439.
    Doesn't appear to have injected itself into the system, not seeing anything new loading up and external scan of the HD says clean... No way to send it to ESET for testing though.
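
The "byte compare says identical, MD5 says it's not" observation in the post above, as an added example that is not part of the thread: it locates where a PE file's section data ends and compares two images separately over that region and over the whole file. The function names and the `build_sample` helper are hypothetical, and the two PE-like images are constructed inline.

```python
import hashlib
import struct

def pe_overlay_offset(data: bytes) -> int:
    """Offset where the last section's raw data ends; bytes past it are overlay.
    Simplified: ignores a certificate table, which also lives past the sections."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ image")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature missing")
    (n_sections,) = struct.unpack_from("<H", data, e_lfanew + 6)
    (opt_size,) = struct.unpack_from("<H", data, e_lfanew + 20)
    table = e_lfanew + 24 + opt_size              # first section header
    end = table + 40 * n_sections                 # headers count as mapped data
    for i in range(n_sections):
        # SizeOfRawData and PointerToRawData sit at +16 and +20 in each header
        raw_size, raw_ptr = struct.unpack_from("<II", data, table + 40 * i + 16)
        if raw_size:
            end = max(end, raw_ptr + raw_size)
    return min(end, len(data))

def compare_images(a: bytes, b: bytes) -> dict:
    """Compare section data and whole-file hashes independently."""
    end_a, end_b = pe_overlay_offset(a), pe_overlay_offset(b)
    return {
        "sections_equal": a[:end_a] == b[:end_b],
        "overlay_sizes": (len(a) - end_a, len(b) - end_b),
        "md5_equal": hashlib.md5(a).digest() == hashlib.md5(b).digest(),
    }

def build_sample(overlay: bytes) -> bytes:
    """Constructed PE-like image: 512 bytes of headers, one 512-byte section, overlay."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 64)           # e_lfanew = 64
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0, 0x102)
    sect = struct.pack("<8sIIIIIIHHI", b".text", 512, 0x1000, 512, 512,
                       0, 0, 0, 0, 0x60000020)
    headers = (dos + b"PE\0\0" + coff + sect).ljust(512, b"\0")
    return headers + b"\x90" * 512 + overlay

if __name__ == "__main__":
    original = build_sample(b"")
    padded = build_sample(b"\0" * 1024)           # same code, 1 KB appended
    print(compare_images(original, padded))
```

A compare that stops at the end of the section data reports the two files as equal, while any whole-file hash differs because it also covers the appended bytes.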
     
  12. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,374
    You can upload the file to a file sharing service and submit just a link to it.
     
  13. red_jack

    red_jack Registered Member

    Joined:
    Aug 11, 2005
    Posts:
    56
    thanks
    submitted. file hosted on own server.
     
  14. red_jack

    red_jack Registered Member

    Joined:
    Aug 11, 2005
    Posts:
    56
    update - file positive win32 vb.otl by eset.sk
    hope eset addresses their submit files policy. this file was padded to the size of the true installer, it was not injected to the original setup exe. the normal home user that buys av software under the install it and forget it mentality is not going to have a clue on uploading a file off site for testing. even if eset av flagged it as suspicious it can not upload it because the file size is exceeded even for uploading through its own client. after seeing how many av companies could/would not scan this file due to the size, i would expect to see more infected files padded to exceed this limit in the future.
    further exploring into this file, it was able to execute and hide itself. dumped into sandbox, files were created attacking the rpc and injecting itself hidden on the drive and the process list.
    regards - jack
     