How to scan SFX archives?

Discussion in 'NOD32 version 2 Forum' started by Morgoth, Dec 10, 2003.

Thread Status:
Not open for further replies.
  1. Morgoth

    Morgoth Guest

    OK comrades the following question is as simple as they can get:

    How do I set the on-demand scanner to scan inside SELF-EXTRACTING archives, if that's possible (and it should be according to the eset site) ?

    The scanner can scan inside "multiple-level" zip/rar files, but a "single-level" zip/rar SFX archive seems to prevent the scanner from scanning inside it.

    On the other hand, check out this link:
    http://nod32.com/products/nt.htm
    And scroll half-way down: it also says:

    [...]

    NOD32 Scanning Engine Key Features

    • The highest detection and scanning rate performance.
    • Unprecedented heuristic analysis capable of exposing DOS, Boot, Win32, macro, script and other viruses and worms in the wild.
    • Built in powerful virtual emulator enables detection of the most sophisticated polymorphic and metamorphic viruses.
    • Virus detection in compressed or protected executable files, such as Pklite, Lzexe, Diet, Exepack, CPAV, UPX, AsPack.
    • Support of many archive formats, e.g. ZIP, RAR, ARJ, LZH, LHA, including self-extracting files.
    • Detection of viruses in encrypted, password protected databases and documents.
    • Use of heuristic and algorithmic methods to clean viruses.
    • Cleaning of macro viruses and restoration of the documents to original format.
    • Recovery of the most important system areas (functions) in the event of an infection.
    • Storage of infected files in a safe format (not allowing execution) into the quarantine.
    • Search speed is maximized through associative, multilevel cache and low-level code optimizations.
    • Use of very fast single-point samples and CRCs for precise detection.
    • Use of very few system resources.
    • Disinfection/quarantining of the files automatically, on-the-fly.
    • Full support of UNICODE in Windows NT / 2000 / 2003 / XP.
    [...]


    Perhaps only a mere detail, I agree, but if it says it, then the facts should be in accordance with the list of features. So anyone could help me with the configuration...

    Awaiting feedback...
     
  2. Paul Wilders

    Paul Wilders Administrator

    Joined: Jul 1, 2001 | Posts: 12,472 | Location: The Netherlands

    Morgoth,

    As you correctly copied and pasted:

    It doesn't state all archive formats etc.

    Thus:

    ..the facts are in accordance with the list of features.

    regards.

    paul
     
  3. Morgoth

    Morgoth Guest

    ?!! If it states:

    "Support of many archive formats, e.g. ZIP, RAR, ARJ, LZH, LHA, including self-extracting files"

    then that means that it should also support "ZIP" and "RAR" in their SFX version, makes sense, right?

    Otherwise, WHAT "self-extracting" files does it support??

    I'm more curious than ever now - perhaps U could contact tech support and ask for the info, I'm still waiting to find out how to configure the scanner so it can scan these self-extracting archives...
     
  4. Morgoth

    Morgoth Guest

    Anyone? :(
     
  5. Morgoth

    Morgoth Guest

    Anyone? :mad:
     
  6. Buddel

    Buddel Guest

    Interesting question. Let's wait for a reply, Morgtoh. I would also like to know whether NOD32 scans inside SFX archives.
     
  7. Buddel

    Buddel Guest

    I'm trying to modify my last post, but I can't: Session check failure. Please try again.

    It should read "Morgoth", not "Morgtoh". Sorry. :)
     
  8. Morgoth

    Morgoth Guest

    I wuz unable 2 register, hence my having to keep adding new posts for this (VERY) important issue to stay on top of the list. :D

    As you can read in my first post (and on the eset site) the scanner is supposed to be able to read into SFX archives of the type ZIP, RAR & the others mentioned, yet it failed in my case. You can confirm this by creating a simple SFX-ZIP file with a known trojan-infected .exe within.

    This may be a bug that dates from version 2.000.6, but whatever the reason, no doubt users will expect it to be corrected swiftly. Who knows what other features (cf. my 1st post) may have become buggy with time... :doubt:
     
  9. Blackspear

    Blackspear Global Moderator

    Joined: Dec 2, 2002 | Posts: 15,115 | Location: Gold Coast, Queensland, Australia

    It may be an obvious question, but do you have Archives ticked in your scanning setup?

    Hopefully Paul will be able to guide you through this...

    Cheers :D
     

  10. Buddel

    Buddel Guest

    Thanks for the screenshots. Does the option "scan all files" mean that viruses inside SFX archives are detected, too? "All files" can mean anything. It doesn't necessarily mean that this includes SFX archives, too.
     
  11. Morgoth

    Morgoth Guest

    Negative, Blackspear

    I already tried this setting & many others, even editing registry entries (all values named 'target_sfx_enable' set to 1) - to no avail. :mad:

    Besides, 'scan all files' option comprises the .exe extension (which is also part of the default extensions), so it doesn't change anything and only has the scanner scan the .exe SFX archive itself, but not the files inside the SFX file...

    This is most probably a bug. Perhaps those in charge here would have a means of contacting Eset directly, and in the process also have them check the functionality of the other features of the scanner: again my 1st post - scanning "encrypted databases", "protected executables" (whatever that means), & so on...

    They should attend to all the bugs and remember to TEST the final 2.000.8 version before making it available next week.

    Blackspear, Buddel, or anyone else, if U guys find a way of making the SFX-scan work, let us all know :doubt:

    Awaiting feedback...
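
Post 11's point, that scanning the .exe container is not the same as scanning the files packed inside it, can be checked with the following added example (not part of the thread and not Eset's code). It covers ZIP-based SFX files only; the 64-byte stub, the marker and the member names are constructed sample data.

```python
import hashlib
import io
import zipfile

MARKER = b"CONSTRUCTED-TEST-MARKER"  # constructed stand-in for a signature


def build_sample_sfx() -> bytes:
    """Constructed sample: a 64-byte fake 'MZ' stub followed by a ZIP archive."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("readme.txt", b"harmless text\n" * 40)
        zf.writestr("payload.bin", MARKER * 40)
    return b"MZ" + b"\x00" * 62 + buf.getvalue()


def inspect_sfx(data: bytes) -> dict:
    """Return stub length and per-member hashes, or {} if no ZIP is appended."""
    if not data.startswith(b"MZ"):
        return {}
    try:
        # zipfile locates the archive from its end record, so the
        # executable stub in front of it does not get in the way.
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return {}
    with zf:
        infos = zf.infolist()
        return {
            "stub_len": min((i.header_offset for i in infos), default=0),
            "members": {i.filename: hashlib.sha256(zf.read(i)).hexdigest()
                        for i in infos},
        }


def scan(data: bytes, signature: bytes) -> dict:
    """Compare a raw scan of the container with a scan of each unpacked member."""
    hits = []
    if inspect_sfx(data):
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            hits = [n for n in zf.namelist() if signature in zf.read(n)]
    return {"raw_container_hit": signature in data, "member_hits": hits}


if __name__ == "__main__":
    sample = build_sample_sfx()
    print(inspect_sfx(sample)["stub_len"], scan(sample, MARKER))
```

Because the members are deflate-compressed, the marker is only found once each member is unpacked, which is the gap between scanning the SFX file and scanning inside it.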
     
  12. Morgoth

    Morgoth Guest

    Anyone?
     
  13. anders

    anders Eset Staff Account

    Joined: Oct 25, 2002 | Posts: 410

    Short answer is that NOD32 doesn't handle all self-extracting archives.

    Regarding encryption and protection... Some versions of Office documents had very simple protection/encryption, but didn't attempt to protect the macros, so any virus in the document could be detected, even though the document is encrypted/protected.

    Best regards,
    Anders
     
  14. Morgoth

    Morgoth Guest

    OK this I've already been told. But the question is, since on the Eset site it says (quote again):

    "Support of many archive formats, e.g. ZIP, RAR, ARJ, LZH, LHA, including self-extracting files"

    then WHAT "self-extracting" archives does it handle, if any? And how to configure Nod32 to do so? o_O
     
  15. Blackspear

    Blackspear Global Moderator

    Joined: Dec 2, 2002 | Posts: 15,115 | Location: Gold Coast, Queensland, Australia

    Any "Self-extracting File" if infected, upon activation, AMON will automatically spring into action using its default settings...

    Cheers :D
     
  16. Morgoth

    Morgoth Guest


    I know I know
    But I wasn't talking about Amon here...

    it's just that since the ON-DEMAND scanner is supposed to be able to scan inside certain archives (which it does) AND inside certain SFX archives (which it apparently can't), I'd just like to know how to configure the on-demand scanner to be able to scan inside these SFX files, and if that's not possible, to know when this bug will be corrected, because as I already pointed out it IS supposed to be able to scan inside certain SFX archives (but which archive types? RAR? ZIP?) according to the Eset site... :doubt:
     
  17. iNsuRRecTioN

    iNsuRRecTioN Registered Member

    Joined: Sep 5, 2003 | Posts: 303 | Location: Germany

    Hi,

    Morgoth, there are mistakes on the product description sites..
    For example the English and German one..
    http://www.nod32.de/products/nt.php
    and
    http://nod32.com/products/nt.htm
    On the German one there is no description for "Virus detection in compressed or protected executable files, such as Pklite, Lzexe, Diet, Exepack, CPAV, UPX, AsPack."
    and "including self-extracting files" is not in the German text.
    There is only a description like this "Unterstützt Archive wie ZIP, RAR, ARJ, LZA und LHA" without "inklusive selbst-extrahierende Dateien" or so!

    Maybe there are different versions for english, german and so on..
    Or NOD32 can't scan such files :D

    Have a look at this, old, but good information: http://home.arcor.de/scheinsicherheit/introduction.htm
    and there is a new test procedure in work, for new tests..
    another good site is http://www.rokop-security.de/ especially the following test: http://www.rokop-security.de/main/article.php?sid=632
    :p

    bye

    iNsuRRecTioN
     
  18. Morgoth

    Morgoth Guest

    OK Insurrection, danke schön for the links ;)

    However I am testing the standard English version of Nod32, and in my first post have quoted the description given on the English eset site, so my question(s) still remain unanswered:

    - How to scan inside supported SFX files (SFX-ZIP, SFX-RAR,...) ?

    - If that's not possible, and since it is SUPPOSED to be possible, then it must be a bug, so in that case WHEN will it be corrected ??

    - Have the other features (scanning inside runtime packers, etc...) also been "lost", and if so, any way to check on that o_O
     
  19. Morgoth

    Morgoth Guest

    Answers, anyone?

    From what I read in another thread, according to Buddel & Newnod, the list of features advertised on the Eset site (cf. my 1st post in the thread ;)) has not been fully implemented yet, which would explain Nod32's inability to scan inside any SFX archive, and possibly inside runtime packers as well (someone correct me if I'm wrong), not to mention other possibly missing abilities.

    Hoping this is true, and that these missing features are but temporary (otherwise they would not be on the Eset site at all, right? :mad:), would it be possible to know when all these features will be implemented? Anyone?? Plz o_O
     
  20. Buddel

    Buddel Guest

    ... would it be possible to know when all these features will be implemented? Anyone?? Plz o_O
    I would also like to know the answer, but I don't think we will get one.
     
  21. Morgoth

    Morgoth Guest

    Oooh yes we will :D
    U know what they say:

    "A faint heart never won a fair lady"...

    ... nor a fair ANSWER, in this case.

    So the only way will be to pound them with posts till they yield, BUT whilst remaining behind the line, ie. nice & polite.

    That's what I call "aggressive diplomacy" :D :D
     
  22. Buddel

    Buddel Guest

    Oooh yes we will

    Hope you are right. We won't give up. :D
     
  23. hayc59

    hayc59 Guest

    Might I Suggest This Avenue??---->
    http://www.nod32.com/about/contact.htm
    Or--->
    support@nod32.it
    :D :D :D
     
  24. Morgoth

    Morgoth Guest

    Yeah, I know about the contact addresses.

    But I'm only testing the AV.

    Would be logical to assume that a customer will be more promptly answered, as will be the guys in charge here (mods, admins) if they contact tech support... ;)
     
  25. Paul Wilders

    Paul Wilders Administrator

    Joined: Jul 1, 2001 | Posts: 12,472 | Location: The Netherlands

    Ladies and gents,

    There's no use in repeating one and the same question over and over again, as is the case in this thread.

    Be assured Eset is aware of this issue. Until Eset has news on this topic, I'm closing this thread. Eset reps can re-open this thread or start a new one on the subject as soon as there's news to report.

    regards.

    paul
     