NOD does not remove parent malware?

Discussion in 'ESET NOD32 v3 Beta Forum' started by aigle, Nov 1, 2006.

Thread Status:
Not open for further replies.
  1. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    Using latest beta.
    I want to ask: when I run a malware exe file, NOD detects the trojans etc. dropped by this exe during install and deletes/stops them, but it does not do anything with the actual parent. That's strange - treating the child processes but leaving the parent!
    I hope I was able to explain.
     
  2. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,374
    So you're saying that if you save a worm received by Outlook, for instance, to the disk, NOD32 should delete the parent file msimn.exe :eek:

    What you're saying is that the dropper is not detected which can only be resolved by adding a signature for the dropper. However, the point is that the file dropped is picked up by NOD32 as the dropper can vary. You should take into account that there are many installation package creators that can be used to cloak the threat.
     
  3. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    I am not an expert, but just to give an example: I turned off AMON, then I put the installer package (exe) file of WinFixer on the Desktop, turned on AMON again and ran the exe file. WinFixer tries to install and NOD detects the malware and deletes/quarantines it; however, the original exe installer remains there.
    I expected it to delete the installer too.
     
  4. Adramalech

    Adramalech Registered Member

    Joined:
    Apr 17, 2005
    Posts:
    79
    Why should NOD do that? It's no malware - it just installs it...

    Adding detection to those files would make the detection routines more complex and would maybe consume more performance. But as long as you're protected against the 'real' threat, where's the point in doing that?
     
  5. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    I am not an expert, but I saw AVs doing this, so I asked. Your statement "it is no malware" doesn't make a point ATM.
     
  6. NOD32 user

    NOD32 user Registered Member

    Joined:
    Jan 23, 2005
    Posts:
    1,766
    Location:
    Australia
    In any case, AMON will not automatically delete an already existing file, but it can be different for newly created and modified files.

    Cheers :)
     
  7. ThunderZ

    ThunderZ Registered Member

    Joined:
    May 1, 2006
    Posts:
    2,459
    Location:
    North central Ohio, U.S.A.
    I would think that many installers are basically the same (written/use the same methods) regardless of what they are installing. Since the installer itself is actually harmless, regardless of its package, that would be the reason Nod ignores it. I am not saying it is right or wrong, just the way Nod coded the program. Just my .02 :D
     
  8. Adramalech

    Adramalech Registered Member

    Joined:
    Apr 17, 2005
    Posts:
    79
    And I think it does. There's a slight difference between executable code installing maybe some other executable code (maybe malware) and the executable code itself (the malware).

    Only because other vendors decide to look unnecessarily deeper into the installer doesn't automatically mean you're safer.
     
  9. Elrendhel

    Elrendhel Registered Member

    Joined:
    Oct 25, 2006
    Posts:
    27
    I can agree that the installer itself is harmless, and building a definition to allow NOD32 to find it would be counter-productive since the same installer may be used by other legitimate programs.

    However, I would have to disagree with you in that if the payload/package that the installer is trying to install is harmful, I think NOD32 should be able to detect it...
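As an added illustration of the two positions in this thread (not code from ESET or from anyone posting here): a detection on a dropped file can be traced back through file-write telemetry to the process image that wrote it, which is the "parent" aigle wants handled, while the trace must stop at trusted software that merely saved a file on the user's behalf, which is Marcos's msimn.exe objection. The process ids, paths and the trusted-prefix list are constructed assumptions.

```python
from dataclasses import dataclass

@dataclass
class ProcessInfo:
    pid: int
    image: str  # on-disk path of the executable backing this process

@dataclass
class FileWrite:
    pid: int   # process that created or modified the file
    path: str  # the file that was written

# Constructed sample telemetry (assumed; not real product logs).
PROCESSES = [
    ProcessInfo(300, r"C:\Program Files\Outlook Express\msimn.exe"),
    ProcessInfo(400, r"C:\Program Files\Internet Explorer\iexplore.exe"),
    ProcessInfo(2048, r"C:\Users\user\Desktop\setup.exe"),
]
WRITES = [
    FileWrite(300, r"C:\Users\user\Desktop\worm.exe"),   # mail client saved an attachment
    FileWrite(400, r"C:\Users\user\Desktop\setup.exe"),  # browser downloaded the installer
    FileWrite(2048, r"C:\Users\user\AppData\Local\Temp\payload.exe"),  # installer dropped a file
]

# Images under these prefixes are OS or vendor software that wrote a file on the
# user's behalf (the msimn.exe case above); they are never treated as droppers.
TRUSTED_PREFIXES = ("c:\\windows\\", "c:\\program files\\")

def is_trusted(image: str) -> bool:
    return image.lower().startswith(TRUSTED_PREFIXES)

def dropper_chain(detected_path: str, processes: list, writes: list, max_depth: int = 8) -> list:
    """Walk write provenance back from a detected file: the image that wrote it, the
    image that wrote that image, and so on. Returns the untrusted images (candidate
    droppers) in order, stopping at a trusted image or an unknown writer."""
    by_pid = {p.pid: p for p in processes}
    writer_of = {w.path.lower(): w.pid for w in writes}
    chain, current = [], detected_path.lower()
    for _ in range(max_depth):  # bounded so a self-rewriting image cannot loop forever
        pid = writer_of.get(current)
        if pid is None or pid not in by_pid:
            break
        image = by_pid[pid].image
        if is_trusted(image):
            break
        chain.append(image)
        current = image.lower()
    return chain
```

On the sample data, payload.exe traces back to the untrusted setup.exe (a candidate for quarantine or review) and stops at the browser that downloaded it, while worm.exe yields an empty chain because its writer was the mail client.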
     