New virus but NOD doesn't find it.

Discussion in 'NOD32 version 2 Forum' started by guilijan, Jul 6, 2006.

Thread Status:
Not open for further replies.
  1. guilijan

    guilijan Registered Member

    Joined:
    Jun 25, 2006
    Posts:
    206
    Point to Kaspersky then.
     
    Last edited by a moderator: Jul 8, 2006
  2. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,456
    At any rate, detecting these xored files may give a false impression that NOD32 missed them though it's not true.
     
  3. Stefan Kurtzhals

    Stefan Kurtzhals AV Expert

    Joined:
    Sep 30, 2003
    Posts:
    702
    BTW, decryption of such XORed PE-EXE files will be added to AntiVir's engine as well, as there were quite a few malware samples recently that use this (droppers).

    Bitdefender also decrypts them on-the-fly.

    As for detecting such samples, all antivirus programs are reporting malware in archives such as ZIPs as well. So it's merely malware in a container, nothing new.
     
  4. NOD32 user

    NOD32 user Registered Member

    Joined:
    Jan 23, 2005
    Posts:
    1,766
    Location:
    Australia
    - in this case the benign encrypted storage of malware some choose to add detection for, but isn't the real threat still only the software that decrypts and causes it to execute, not the un-executable lump of data that does nothing on its own?

    Protecting against real threats is a good thing, but is there an application that lets XORed files be accessed directly like we all can do with an archive?

    What I'm wondering is, are all files having the resultant of XOR tested or just a select few?
     
    Last edited: Jul 9, 2006
  5. FirePost

    FirePost Registered Member

    Joined:
    Jul 29, 2005
    Posts:
    213
    It would seem a simple matter to change to a better encryption method. That prevents detection for already found viruses and would remove the chance of malware doing the same. Yes. I realize unpacked quarantine files would be redetected and placed back, but that is a vicious cycle of unpack -> quarantine -> unpack.
    No confusion to the user when another AV comes along and refinds the virus.
     
  6. Defenestration

    Defenestration Registered Member

    Joined:
    Jul 17, 2004
    Posts:
    1,108
    This is most definitely not a FP, as Schouw has said. Just as AVs will detect malware within a ZIP archive, they also detect malware packed by other means. Some AVs, like KAV, just have more comprehensive unpacking abilities.

    The fact that the file cannot be run/executed is irrelevant with regards to the on-demand scanner. It's the real-time scanner that needs to concern itself with whether a file can be run/executed.

    Most AVs have an option to disable unpacking of files during a scan.
     
  7. NOD32 user

    NOD32 user Registered Member

    Joined:
    Jan 23, 2005
    Posts:
    1,766
    Location:
    Australia
    Sure.
    I've got no problem with AVs notifying of a container's contents (taken on board further information to that which I originally had available) - even though IMPO for NOD32 Quarantine files (or any AV quarantine files so long as they are stored benignly) there is no useful purpose served for the end user to have them identified as a potential threat. If checking for an XOR-ed result of an NFI* file, why not prepend or append the threat name with 'Probably NOD32 Quarantine File' - it would sure reduce the confusion that is caused by other products reporting them...just a thought.

    Kind of reminds me of the customer who had his PC infected with 'cookies'....


    *sorry - NQF
     
    Last edited: Jul 10, 2006
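    To make concrete what Stefan describes above (an engine recognising a XORed PE-EXE and scanning its decoded contents, the same way it scans inside a ZIP) and what NOD32 user asks for (labelling such a hit as a container rather than a live threat), here is a small added example. It is not ESET's, AntiVir's or any vendor's code, and it assumes a single-byte XOR key, which the thread never specifies; the key is recovered from the expected "MZ" magic and confirmed against the DOS stub text. The sample "PE" blobs and the signature table are constructed for the demo and are not real malware or real signatures.

```python
"""Added example: recognise a single-byte-XOR container around an MZ-headed
file, decode it, and report any signature hit as found *inside a container*.
Not vendor code; the single-byte key is an assumption for the demo."""

# Text every PE's DOS stub carries; used to confirm a recovered key.
DOS_STUB = b"This program cannot be run in DOS mode."

# Constructed signature table for the demo: byte pattern -> detection name.
SIGNATURES = {b"DEMO-MALWARE-MARKER": "Demo.Marker"}


def build_sample_pe(body: bytes) -> bytes:
    """Construct a minimal MZ-headed blob for the demo (not a runnable PE)."""
    dos_header = b"MZ" + b"\x90" * 62           # 64-byte header, rest padded
    return dos_header + DOS_STUB + b"\x00" * 16 + body


def xor_decode(buf: bytes, key: int) -> bytes:
    """Apply a single-byte XOR; the same call encodes and decodes."""
    return bytes(b ^ key for b in buf)


def recover_xor_key(buf: bytes):
    """Return the single-byte XOR key that turns buf into an MZ-headed file,
    or None. A plain PE yields key 0. Both magic bytes and the DOS stub text
    are checked so a chance 'M' in the first byte is not mistaken for a key."""
    if len(buf) < 2:
        return None
    key = buf[0] ^ ord("M")
    if buf[1] ^ key != ord("Z"):
        return None
    head = xor_decode(buf[:1024], key)           # stub sits near the start
    return key if DOS_STUB in head else None


def scan(buf: bytes):
    """Return a list of detection strings for buf.

    The raw bytes are scanned first. If buf also decodes to an MZ file under
    a non-zero key, the decoded bytes are scanned too, and any hit there is
    labelled as being inside an XOR container, so a user sees that the file
    itself is inert storage rather than a live executable."""
    hits = [name for pattern, name in SIGNATURES.items() if pattern in buf]
    key = recover_xor_key(buf)
    if key:                                      # None or 0 -> no container
        inner = xor_decode(buf, key)
        for pattern, name in SIGNATURES.items():
            if pattern in inner:
                hits.append(f"{name} (in XOR container, key=0x{key:02x})")
    return hits


# Constructed inputs: a plain "infected" blob, the same blob stored XORed
# with a constructed key 0x5A (as a quarantine store might), and a clean one.
SAMPLE_PLAIN = build_sample_pe(b"DEMO-MALWARE-MARKER")
SAMPLE_QUARANTINED = xor_decode(SAMPLE_PLAIN, 0x5A)
SAMPLE_CLEAN = xor_decode(build_sample_pe(b"hello world"), 0x5A)

if __name__ == "__main__":
    for label, sample in (("plain", SAMPLE_PLAIN),
                          ("quarantined", SAMPLE_QUARANTINED),
                          ("clean container", SAMPLE_CLEAN)):
        print(f"{label:16s} -> {scan(sample)}")
```

    The raw XORed bytes never match a signature on their own, which is why an engine that does not unwrap the container reports nothing while one that does reports a hit; the label in the second case is the part that stops the hit looking like the other product missed it.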
  8. SSK

    SSK Registered Member

    Joined:
    Nov 28, 2004
    Posts:
    976
    Location:
    Amsterdam
    Let's turn it around and simply say that ESET could use another way of encrypting their quarantined files, instead of expecting other AVs to use potentially dangerous exclusion methods of the quarantine store... :D
     
  9. NOD32 user

    NOD32 user Registered Member

    Joined:
    Jan 23, 2005
    Posts:
    1,766
    Location:
    Australia
    It's been the NQF way for a long time now - any method of storing could be decrypted.

    Who expects other AVs to use a potentially dangerous exclusion method?

    Cheers :)
     