Have fun with NOD32

Discussion in 'NOD32 version 2 Forum' started by ErikAlbert, Aug 25, 2007.

Thread Status:
Not open for further replies.
  1. ErikAlbert

    ErikAlbert Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    9,455
    Harmless exercise for NOD32-fans

    1. Open Notepad and write this line: DEL C:\*.* /F /S /Q
    2. Save this file under a name of your choice.
    3. Open NOD32 and do a deep scan.
    4. Watch NOD32's behavior.
     
  2. flyrfan111

    flyrfan111 Registered Member

    Joined:
    Jun 1, 2004
    Posts:
    1,224
    Nothing here.
     
  3. ErikAlbert

    ErikAlbert Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    9,455
    Try this : DEL /F /S /Q C:\*.*

    A file scan is enough.
     
  4. The Hammer

    The Hammer Registered Member

    Joined:
    May 12, 2005
    Posts:
    5,619
    Location:
    Toronto Canada
    I'll try it when I get home. I'm at work now. The funny thing is to see you fooling around with anything other than a frozen snapshot.:D
     
  5. ErikAlbert

    ErikAlbert Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    9,455
    LOL. Yes try it please at home, because the original command is like this :
    DEL C:\*.* /F /S /Q but that doesn't seem to work.
    With the other one, I had more success.
    Well it doesn't matter, just try it. LOL.

    PS: this was a pure accidental discovery.
    This is a very destructive DOS command and I use this to test Immediate System Recovery software, some kind of torture test.

    PS2: I consider NOD32 not user-friendly: very confusing GUI. It doesn't speak for itself.
     
  6. flyrfan111

    flyrfan111 Registered Member

    Joined:
    Jun 1, 2004
    Posts:
    1,224
    Then NOD should detect this? Even as a text file?
     
  7. ErikAlbert

    ErikAlbert Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    9,455
    So you tried the second one and it didn't work?
     
  8. flyrfan111

    flyrfan111 Registered Member

    Joined:
    Jun 1, 2004
    Posts:
    1,224
    It worked, and I uploaded the file to Jotti's and only NOD detected it.
     
  9. ErikAlbert

    ErikAlbert Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    9,455
    OK. Sorry for the confusion, but I'm confused myself. I just don't understand why I stored this command in the wrong order in my notepad-file.
    I'm getting too old for this work.

    I consider this a false positive, because this is an ordinary text line in a notepad-file (.txt) that is considered a trojan by NOD32. That is unacceptable, because ordinary text lines are innocent.
     
    Last edited: Aug 26, 2007
  10. ASpace

    ASpace Guest

    This is heuristic detection, probably a variant of ... .
    In a batch file this string might not be so innocent :D
     
  11. lucas1985

    lucas1985 Retired Moderator

    Joined:
    Nov 9, 2006
    Posts:
    4,047
    Location:
    France, May 1968
    This is being addressed in v3. IMO, NOD32 v2 is user-friendly, just it isn't noob-proof like NIS 2007 for instance.
    I've not tried this "test" but I don't consider this detection as a FP. This command in a BAT file (again, a text file) would mess a disk.
     
  12. ErikAlbert

    ErikAlbert Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    9,455
    Hard to tell and certainly for an AV scanner, DEL is a legitimate DOS command and can be used anywhere.
    If you consider this as a trojan, no programmer can use this command anymore in his program and that is absurd.
    Most good things can also be used in a bad way.
     
  13. ErikAlbert

    ErikAlbert Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    9,455
    I hope you are not a programmer, because each program with a DEL-command will be considered as a trojan.
     
  14. flyrfan111

    flyrfan111 Registered Member

    Joined:
    Jun 1, 2004
    Posts:
    1,224
    But it isn't just the DEL command that is being detected, the entire string is what is being detected, and a normal programmer wouldn't be deleting an entire drive in such a fashion.
     
  15. lucas1985

    lucas1985 Retired Moderator

    Joined:
    Nov 9, 2006
    Posts:
    4,047
    Location:
    France, May 1968
    I'm not a programmer :D
    It isn't the DEL command alone. It's the command and the parameters. However, don't forget that:
    - It's a heuristic detection. Heuristics cause more FPs than signatures, including in NOD32 (known for its low FP count)
    - The Trojan description isn't accurate. Script/DOS virus might be a more appropriate description.
    - It could be a bug in the filetype detection routine. COM files are hard to detect, because they don't have a specific string.
     
  16. ErikAlbert

    ErikAlbert Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    9,455
    The file is a notepad-file with the extension .TXT, any line in that file is innocent, even when it has commands, accidental or intentionally.
    NOD32 considered a simple txt-file as a trojan, so it's a false positive. No question about it.
     
  17. lucas1985

    lucas1985 Retired Moderator

    Joined:
    Nov 9, 2006
    Posts:
    4,047
    Location:
    France, May 1968
  18. NOD32 user

    NOD32 user Registered Member

    Joined:
    Jan 23, 2005
    Posts:
    1,766
    Location:
    Australia
    Hi ErikAlbert,

    If you no longer wish to detect potentially malicious string combinations in any .txt files, just use the default list of file extensions to scan instead of scan all files.

    Cheers :)
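    Added example for the two points made above (post 15: it is the command plus its parameters that trips the heuristic, not DEL alone; post 18: the "default extensions" list decides whether a .txt file is looked at at all). This is an editor's illustration in Python, not NOD32's code: the rule, the detection name and the extension list are assumptions standing in for whatever ESET actually ships, and the sample files are constructed here. The rule accepts the switches in any order, so both spellings of the line from this thread match.

```python
"""Toy content heuristic for the destructive DEL line discussed in the thread.

Added illustration, not NOD32's code. The rule, the detection name and the
default-extension list are assumptions standing in for the real product's.
"""
import re
from typing import NamedTuple, Optional

# Assumed stand-in for an AV product's "default extensions" list; NOD32's
# real list is not reproduced here.
DEFAULT_EXTENSIONS = {".bat", ".cmd", ".com", ".exe", ".pif", ".scr", ".vbs"}

# Heuristic: a DEL/ERASE on one line together with the /F, /S and /Q switches
# (in any order, which is why both spellings in the thread match) and a
# drive-root wildcard such as C:\*.*. Each lookahead is confined to one line
# because '.' does not cross newlines.
DESTRUCTIVE_DEL = re.compile(
    r"^(?=.*\b(?:del|erase)\b)"              # the command itself
    r"(?=.*\s/f\b)(?=.*\s/s\b)(?=.*\s/q\b)"  # force, recurse, quiet
    r"(?=.*\b[a-z]:\\\*\.\*)",               # whole-drive wildcard target
    re.IGNORECASE | re.MULTILINE,
)
DETECTION_NAME = "Heuristic:Win32/DestructiveDEL"  # assumed name, not NOD32's


class Verdict(NamedTuple):
    name: str
    scanned: bool             # False when the extension filter skipped the file
    detection: Optional[str]  # detection name, or None when clean
    line: Optional[int]       # 1-based line that triggered the rule


def find_destructive_del(content: str) -> Optional[int]:
    """Return the 1-based line number of the first matching line, or None."""
    m = DESTRUCTIVE_DEL.search(content)
    if m is None:
        return None
    return content.count("\n", 0, m.start()) + 1


def scan_files(files: dict, scan_all_files: bool) -> list:
    """Scan each (name -> content) entry, mimicking the 'default extensions' knob.

    scan_all_files=True  ~ 'scan all files' (the setting that flagged the .txt)
    scan_all_files=False ~ default extension list (the workaround from post 18)
    """
    verdicts = []
    for name, content in files.items():
        ext = name[name.rfind("."):].lower() if "." in name else ""
        if not scan_all_files and ext not in DEFAULT_EXTENSIONS:
            verdicts.append(Verdict(name, False, None, None))
            continue
        hit = find_destructive_del(content)
        verdicts.append(Verdict(name, True, DETECTION_NAME if hit else None, hit))
    return verdicts


# Constructed sample files (not files from the thread).
SAMPLES = {
    "post-draft.txt": "Draft of a Wilders post:\nDEL C:\\*.* /F /S /Q\n",  # the .txt case
    "wipe.bat": "@echo off\nDEL /F /S /Q C:\\*.*\n",                      # same line, runnable
    "readme.txt": "To delete one file use: DEL old.log\n",                 # plain DEL, benign
    "cleanup.cmd": "del /q %TEMP%\\*.tmp\n",                               # no /F /S, no drive root
}

if __name__ == "__main__":
    for mode in (True, False):
        print(f"scan_all_files={mode}")
        for v in scan_files(SAMPLES, scan_all_files=mode):
            tail = f" (line {v.line})" if v.line else ""
            print(f"  {v.name:16} scanned={v.scanned!s:5} {v.detection or 'clean'}{tail}")
```

    Run stand-alone it prints both passes. With "scan all files" the .txt draft and the .bat get the same verdict, because a content heuristic sees only bytes, not whether anything will ever execute them; the plain "DEL old.log" and the narrower "del /q" line stay clean, which is the command-plus-parameters point. With the default extension list the .txt is never opened, so the verdict disappears, but so would any detection in a .txt that is later renamed to .bat; that is the trade-off behind the "you can't exclude too many extensions" remark.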
     
  19. ErikAlbert

    ErikAlbert Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    9,455
    That is probably a good workaround, but I haven't used scanners for several months. I was just curious if NOD32 could find any infection on my computer.
    I do the same with other scanners : I download the trial, install it, run it one time and uninstall it immediately afterwards.

    It was purely accidental that NOD32 found this notepad-file, because that DEL-command was written in a notepad-file which I used to prepare a post at Wilders, but it was funny. It's certainly not a problem on my computer.
    My boot-to-restore can't have false positives.

    On the other hand, you can't exclude too many extensions either.
    I wonder what NOD32 would do, in case it finds that DEL-command as "text" in a MS WORD .doc-file.
    You can't exclude doc-files in NOD32, because they can contain malicious programs.
     
    Last edited: Aug 26, 2007
  20. lucas1985

    lucas1985 Retired Moderator

    Joined:
    Nov 9, 2006
    Posts:
    4,047
    Location:
    France, May 1968
    It depends on how NOD32 parses/examines DOC files. They can be very complex.
    Right. Word documents may carry macro viruses and exploit code.
     