NOD does not remove parent malware?

Using latest beta.
I want to ask when I run a malware exe file, NOD detects trojans etc dropped by this exe during install and deletes/ stops them but it does not do anything with the actual parent. That,s strange - treating the child processes but leaving the parent!
I hope I was able to explain.

 

So you're saying that if you save a worm received by Outlook, for instance, to the disk, NOD32 should delete the parent file msimn.exe

What you're saying is that the dropper is not detected which can only be resolved by adding a signature for the dropper. However, the point is that the file dropped is picked up by NOD32 as the dropper can vary. You should take into account that there are many installation package creators that can be used to cloak the threat.

 

I am not expert but just to give an example,I tirned off AMON, then I put installer package( exe) file of WinFixer on Desktop, turned on AMON again and run exe file, winfixer tries to install and NOD detects the malware and deletes/ quaratines it, however original exe installer remains there.
I expected it to delete the installer too.

 

Why should NOD do that? It's no malware - it just installs it...

Adding detection to those file would make the detection routines more complex and would maybe consume more performance. But as long as you're protected against the 'real' thread, where's the point in doing that?

 

I am not an expert but i saw AVs doing this, so I asked. Ur statement "it is no malware" doesn,t make a point ATM.

 

In any case, AMON will not automatically delete an already existing file, but it can be different for newly created and modified files.

Cheers

 

I would think that many installers are basically the same (written\use the same methods) regardless of what it is installing. Sense the installer itself is actually harmless, regardless of its` package, that would be the reason Nod ignores it. I am not saying it is right or wrong, just the way Nod coded the program. Just my .02

 

And I think it does. There's a slight difference between an executable code installing mybe some other executable code (maybe malware) and the executable code itself (the malware).

Only because other vendors decide to look unecessarily deeper into the installer doesn't automatically mean you're safer.

 

I can agree that the installer itself is harmless, and building a definition to allow NOD32 to find it would be counter-productive since the same installer may be used by other legitimate programs.

However, I would have to disagree with you in that if the payload/package that the installer is trying to install is harmful, I think NOD32 should be able to detect it...