file type feature

Discussion in 'ESET NOD32 Antivirus' started by catalinm, Jul 29, 2009.

Thread Status:
Not open for further replies.
  1. catalinm

    catalinm Registered Member

    Joined:
    Jul 29, 2009
    Posts:
    4
    I've made a little test with ESET NOD32 ANTIVIRUS 3.0.669.0

    I made an ISO image containing a few infected files. The files were put into archives. Then I ran a complete scan on this ISO file. Everything went nice and easy. Viruses were found and cleaned.
    Then I came up with an idea. I changed the extension of the ISO file, using the extension .dss (randomly chosen).
    When I ran a scan on the .dss file, no viruses were found. It seems that NOD32 doesn't know how to use the 'file type' attribute and recognize various file types and scan according to the file type. Same problem with ESET File Security for Linux.
    Any idea how to deal with this? Or any idea when a future implementation will resolve this issue?

    Regards,
    Catalin
     
  2. Rmuffler

    Rmuffler Former Eset Moderator

    Joined:
    Jun 26, 2008
    Posts:
    995
    Location:
    San Diego, CA USA
    Hello catalinm,

    Can you run the test again using version 4.0.437.0?

    Thank you,
    Richard
     
  3. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,374
    The ISO format does not use a header like other file types do. We'd need to read a lot of data in order to determine that it's an iso file which would significantly slow down scanning. Since it's a compressed format, these are not dangerous unless extracted to the disk (at which point they would be detected). Also I'm not sure if tools for handling ISO files would open them with the iso extension renamed. Maybe they would, but bear in mind that, unlike AV scanners, the speed of reading does not matter to such tools.
     
  4. catalinm

    catalinm Registered Member

    Joined:
    Jul 29, 2009
    Posts:
    4
    In Linux, ISO files and other formats are easily recognized by the "file" command, which uses file definitions to recognize file types (you can take a look at the "file-4.x" package, which has file definitions in /usr/share/file/magic, /usr/share/misc/magic, /usr/share/magic.mime).

    37633 string CD001 ISO 9660 CD-ROM filesystem data (raw 2352 byte sectors)

    For the Windows platform, where on-access scanning is active, your opinion is correct. The file must be renamed for opening with the suitable program. In Linux, where real access scanning is not necessary and could generate a lot of problems (dazuko is not officially supported in RHEL and SLES), this feature for detecting the type of files and scanning accordingly is very useful. Other products like Kaspersky don't have this kind of issue.

    Anyway, using the latest versions as Rmuffler suggested (4.0.437.0 for NOD32 AV for Windows and ESET File Security for Linux 3.0.15), I reached the same results (no virus found in the renamed file).

    I've extended the range of my tests and tried to do the same with a regular .zip archive. Changing the extension of the file, this time I wasn't able to trick the antivirus software. The scanning engine detected that it was a zip archive and scanned it accordingly.
     
  5. stackz

    stackz Registered Member

    Joined:
    Dec 27, 2007
    Posts:
    619
    Location:
    Sydney Australia
    CD001 always seems to be found at 0x8001 for .iso files (at least all the .iso files on my PC).
    I'm not suggesting though that this would be practical to test for.
     
    Last edited: Aug 3, 2009
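The content-based check discussed in posts #4 and #5, as an added example (this is not ESET's code and not code from any poster in the thread). It applies the libmagic rule quoted above: "CD001" at offset 32769 (0x8001, the start of the volume descriptor area after 16 sectors of 2048 bytes) or at offset 37633 (the same descriptor in a raw 2352-byte-sector image), and for comparison the ZIP local file header "PK\x03\x04" at offset 0, which is why a renamed .zip is still recognized. The sample "images" are constructed in memory and contain nothing but those signature bytes; the `.dss` name is the one used in the thread, and `sniff_type`, `extension_agrees` and the constructed-data helpers are names chosen for this example.

```python
"""Content-based file type sniffing, independent of the file extension.

Added example, not ESET code. Offsets and descriptions are the libmagic
entries quoted in the thread; the sample data below is constructed.
"""
import io
import os
import zipfile

# (offset, signature, description) taken from the magic file entries quoted above
ISO_SIGNATURES = (
    (32769, b"CD001", "ISO 9660 CD-ROM filesystem data"),
    (37633, b"CD001", "ISO 9660 CD-ROM filesystem data (raw 2352 byte sectors)"),
)
ZIP_SIGNATURE = (0, b"PK\x03\x04", "Zip archive data")


def _matches(fobj, offset, signature):
    """Seek straight to the offset and compare only len(signature) bytes.
    A file shorter than the offset simply yields b"" and does not match."""
    fobj.seek(offset)
    return fobj.read(len(signature)) == signature


def sniff_type(fobj):
    """Return a description of the content type, or None if unrecognised.
    fobj is any seekable binary file object."""
    for offset, signature, description in ISO_SIGNATURES + (ZIP_SIGNATURE,):
        if _matches(fobj, offset, signature):
            return description
    return None


def sniff_bytes(data):
    """Convenience wrapper: sniff an in-memory byte string."""
    return sniff_type(io.BytesIO(data))


def extension_agrees(filename, data):
    """Compare what the extension claims with what the content says.
    Returns (detected_description_or_None, agrees)."""
    detected = sniff_bytes(data)
    ext = os.path.splitext(filename)[1].lower()
    expected = {".iso": "ISO 9660", ".zip": "Zip"}.get(ext)
    agrees = detected is not None and expected is not None and detected.startswith(expected)
    return detected, agrees


# --- constructed sample data (not real files from the thread) ---
def make_iso_like(sector_size=2048):
    """Bytes that carry only the primary volume descriptor identifier where an
    ISO 9660 image keeps it: 16 system-area sectors, then the descriptor type
    byte (1) followed by "CD001". With 2048-byte sectors "CD001" lands at
    32769; with 2352-byte sectors it lands at 37633, matching the magic rules."""
    descriptor_at = 16 * sector_size
    buf = bytearray(descriptor_at + 2048)
    buf[descriptor_at] = 1
    buf[descriptor_at + 1:descriptor_at + 6] = b"CD001"
    return bytes(buf)


def make_zip_like():
    """A real (tiny) ZIP archive built in memory; its first bytes are PK\x03\x04."""
    out = io.BytesIO()
    with zipfile.ZipFile(out, "w") as zf:
        zf.writestr("sample.txt", "constructed placeholder content")
    return out.getvalue()


if __name__ == "__main__":
    samples = (
        ("disc.dss", make_iso_like()),          # renamed ISO, as in the thread
        ("disc.iso", make_iso_like()),          # extension and content agree
        ("raw.bin", make_iso_like(2352)),       # raw-sector image, renamed
        ("archive.dat", make_zip_like()),       # renamed ZIP
        ("empty.iso", b"\0" * 100),             # claims ISO, is nothing
    )
    for name, data in samples:
        print(f"{name:12} -> {extension_agrees(name, data)}")
```

The check seeks to the offset and reads five bytes, so the cost is one positioned read per candidate signature rather than a sequential read of the first 32 KB; whether that is cheap enough for an on-access scanner is a separate engineering question, but for an on-demand or Linux file-server scan it is the same test the `file` command performs. The `extension_agrees` mismatch (content says ISO, name says .dss) is the condition a scanner would use to decide to unpack the file anyway.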