How NOD32 deals with an .exe file with a shell added by a cracked copy of VMProtect

Discussion in 'ESET NOD32 Antivirus' started by ooVoo, Aug 2, 2012.

Thread Status:
Not open for further replies.
  1. ooVoo

    ooVoo Registered Member

    Joined: Aug 2, 2012
    Posts: 67
    Location: CHINA

    Well, as far as I know, lots of people think the effect is the same when adding protection to an .exe file, whether with a licensed VMProtect or a cracked copy.
    But recently I got a case showing that a secure and clean executable file is dangerous, and the reason is that this .exe file was protected by a cracked VMProtect.
    So I wonder how NOD32 analyzes such a file, and can a licensed VMProtect and a cracked VMProtect really have the same effect?
     
  2. ooVoo

    ooVoo Registered Member

    In addition, how could the software detect that the VMProtect is a cracked copy, since in my test many antivirus programs do not report this sample?
     
  3. Marcos

    Marcos Eset Staff Account

    Joined: Nov 22, 2002
    Posts: 14,374

    If you think the file is detected in error, submit it to the ESET Malware Lab as per the instructions here.
     
  4. ooVoo

    ooVoo Registered Member

    Already sent. :)
     
  5. Marcos

    Marcos Eset Staff Account

    Unfortunately, I couldn't find any recent submission with a VMProtect detection. However, I was assured that those detections are not false positives if detected as a Trojan.
     
  6. ooVoo

    ooVoo Registered Member

    Marcos, previously the sample was sent by zhu.....ng@version-2.com.cn, so I think you have already got it. I resent it to samples#eset.com.

    Edit: email address obfuscated to secure personal data.
     
    Last edited by a moderator: Aug 8, 2012