NOD packer and archive support?

Discussion in 'NOD32 version 2 Forum' started by azumi21, Mar 20, 2006.

Thread Status:
Not open for further replies.
  1. azumi21

    azumi21 Registered Member

    Joined:
    Aug 16, 2004
    Posts:
    129
    How many packers does the current version of NOD support?
    Will this improve in new version 3?

    Also, the same question on archives.

    Thanks in advance.
     
  2. pykko

    pykko Registered Member

    Joined:
    Apr 27, 2005
    Posts:
    2,236
    Location:
    Romania...and walking to heaven
  3. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,374
    Heh, you are referring to a 1-year-old test. AH uses a generic unpacker which they didn't mention!
     
  4. CyberMew

    CyberMew Registered Member

    Joined:
    Apr 17, 2005
    Posts:
    128
    Does NOD32 support PPMd and bzip2 compression? Winzip 10 has this feature and it scares me that NOD32 tells me it's an unknown compression format.
     
  5. azumi21

    azumi21 Registered Member

    Joined:
    Aug 16, 2004
    Posts:
    129
    Does the NOD AH generic unpacker now support, or will it support, these packers/crypters and the plethora of other/newer ones?

    NOD32 2.12.4 - May 2005 (the old test)

    "missed 23/30 tested"

    "armprotector, cexe, codesrypt, lamecrypt, mew11, mslrh, nfo, noodlecrypt, packman, pe-crypt, pecompact2, ped, pelocknt, perkypt4, pepack, peshield, pespin, pex, upack, vgcrypt, wwpack32, yodacrypt, yodaprotect."

    http://avtest.mycity.co.yu/fajlovi/uporedna_tabela_en.html
     
  6. kjempen

    kjempen Registered Member

    Joined:
    May 6, 2004
    Posts:
    379
    Maybe not so important (since archives themselves aren't really any threat), but even if the test is a bit old, 7z and ACE archive support is still missing in NOD.
     
  7. pykko

    pykko Registered Member

    Joined:
    Apr 27, 2005
    Posts:
    2,236
    Location:
    Romania...and walking to heaven
    Of course you have AH with generic unpacker but that doesn't solve everything. I have some files packed and NOD can't unpack them.

    And about .ACE archive support: this is a very common archive type, and 7z is also starting to be. Can't you update the archive support module to solve this issue? :)
     
  8. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,374
    Yes, we will do so in the future. Or you want us to postpone the development of v3? :)
     
  9. pykko

    pykko Registered Member

    Joined:
    Apr 27, 2005
    Posts:
    2,236
    Location:
    Romania...and walking to heaven
    no, no....I just want some screen-shots :D :p
     
  10. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,374
    It's not up to me, I've seen it only once anyway.
     
  11. Firecat

    Firecat Registered Member

    Joined:
    Jan 2, 2005
    Posts:
    7,927
    Location:
    The land of no identity :D
    From CSA, NOD32 Authorised Partner (http://www.nod32-av.com):

    I don't think this is a complete list, however, as many more packers should be supported via the generic unpack engine.

    You can also see this page for a test from CheckVir about NOD32's archive support (Jan. 2006):

    http://www.checkvir.com/index.php?CN=30.3.46.7&CIE=0

    However, NOD32 seems not to support self-extracting ZIP or ACE files.
     
  12. rothko

    rothko Registered Member

    Joined:
    Jan 12, 2005
    Posts:
    579
    Location:
    UK
    NOD32 does detect threats in self-extracting ZIP files as far as I can see, though not if they are password protected...
     
  13. azumi21

    azumi21 Registered Member

    Joined:
    Aug 16, 2004
    Posts:
    129
    Thank you Firecat =)


     
  14. CyberMew

    CyberMew Registered Member

    Joined:
    Apr 17, 2005
    Posts:
    128
    Er.. what about the 2 kinds of compression by Winzip 10?
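To see which entries in an archive a scanner could actually look inside, here is an added example (not from the thread or from ESET) that walks a ZIP's central directory and reports each entry's compression method and encryption flag; it covers CyberMew's PPMd/bzip2 question and rothko's password-protected case. The set of methods the scanner is assumed to unpack is an illustration, not NOD32's real list.

```python
import io
import zipfile

# Compression method numbers from the PKWARE APPNOTE; an entry using a
# method the scanner has no unpacker for cannot be inspected.
METHOD_NAMES = {0: "stored", 8: "deflate", 9: "deflate64",
                12: "bzip2", 14: "lzma", 98: "ppmd"}
# Assumption for the example: the scanner only unpacks stored and deflate.
SCANNER_UNPACKS = {0, 8}
ENCRYPTED_FLAG = 0x1  # general-purpose bit 0: entry is password protected


def audit_zip(data: bytes) -> list:
    """Per entry: method name, encryption flag, and whether the scanner can look inside."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            method = info.compress_type
            encrypted = bool(info.flag_bits & ENCRYPTED_FLAG)
            findings.append({
                "name": info.filename,
                "method": METHOD_NAMES.get(method, "unknown(%d)" % method),
                "encrypted": encrypted,
                "inspectable": method in SCANNER_UNPACKS and not encrypted,
            })
    return findings


def uninspectable(data: bytes) -> list:
    """Names of entries the scanner would have to treat as opaque."""
    return [f["name"] for f in audit_zip(data) if not f["inspectable"]]


def build_sample() -> bytes:
    """Constructed archive: stored, deflate and bzip2 entries, plus one whose
    encryption flag is forced on in the central directory to mimic a
    password-protected entry (the data itself is not encrypted)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("readme.txt", b"plain text " * 50, compress_type=zipfile.ZIP_STORED)
        zf.writestr("tool.exe", b"MZ" + b"\x90" * 400, compress_type=zipfile.ZIP_DEFLATED)
        zf.writestr("data.bin", b"payload " * 100, compress_type=zipfile.ZIP_BZIP2)
        zf.writestr("secret.txt", b"locked " * 20, compress_type=zipfile.ZIP_DEFLATED)
        zf.getinfo("secret.txt").flag_bits |= ENCRYPTED_FLAG
    return buf.getvalue()


if __name__ == "__main__":
    for f in audit_zip(build_sample()):
        print(f)
```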
     
  15. RejZoR

    RejZoR Registered Member

    Joined:
    May 31, 2004
    Posts:
    6,426
    WinZIP is just "rebranded" crap with a few useless compressions.
    If you want powerful compression you go with PAQ/RAR/LZMA (7-zip -> 7z); if you want compatibility you go with standard ZIP (Deflate). That stupid Deflate64 is mostly useless: just a bit better compression than standard Deflate and 64-bit extension support (longer filenames, over 2GB support etc).
    If you want all-round archiving you use RAR or LZMA (7z).
    PPMd is also supported in 7-zip and is much better than the one in WinZip 10.
    Not to mention 7-zip is free and WinZip 10 is not.
    A bit off-topic though...
     
  16. IcePanther

    IcePanther Registered Member

    Joined:
    May 28, 2005
    Posts:
    308
    Location:
    (nearby) Paris, France
    My opinion is: these packed files, if malware (and also if legit, but that's not really the topic), must be extracted / unpacked / decrypted before they can be run.

    If any antivirus catches the malware on unpacking before it runs, then the computer is protected, regardless of the number of unpackers it supports. That is for real time protection.

    Now I agree that for on-demand scanning it can be useful to support more formats, just for, say, enhanced security purposes, and to check you don't send an infected file to someone, for example.
     
  17. RejZoR

    RejZoR Registered Member

    Joined:
    May 31, 2004
    Posts:
    6,426
    That doesn't apply for runtime packers though and these are the most important.
     
  18. IcePanther

    IcePanther Registered Member

    Joined:
    May 28, 2005
    Posts:
    308
    Location:
    (nearby) Paris, France
    Hi

    I may not know what exactly a runtime packer is, but I understand it as compressed code that's uncompressed at runtime (when it is called / needed) by another part of the code, so it's hidden until the file unpacks it when running...

    I agree that in this particular case, supporting more packers (or having a generic detection method) would be a good thing, or allowing code to load *in memory (necessarily unpacked to be run)* and then scanning/cleaning the memory before allowing the code to run. But this would be another thing, and would probably slow down the computer.
     
  19. Brian N

    Brian N Registered Member

    Joined:
    Jul 7, 2005
    Posts:
    2,148
    Location:
    Denmark
    Correct. Loads into memory when extracted and run. UPX is the most common runtime packer currently.
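As an added example (not from the thread or from ESET) of why runtime packers matter to a scanner: a packed section looks like compressed data, so signatures for the original code cannot match until it is unpacked. The script below walks a PE section table and flags images whose section names or byte entropy suggest a runtime packer; the section-name list, the entropy threshold and the toy PE builder are assumptions for illustration.

```python
import math
import random
import struct

# Section names left behind by common runtime packers (UPX is the usual case).
PACKER_SECTION_NAMES = {b"UPX0", b"UPX1", b"UPX2", b".aspack", b".petite"}


def shannon_entropy(data: bytes) -> float:
    """Bits per byte; compressed or encrypted data sits close to 8.0."""
    if not data:
        return 0.0
    n = len(data)
    counts = [data.count(bytes([b])) for b in range(256)]
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def pe_sections(image: bytes):
    """Yield (name, raw bytes) for each entry in the PE section table."""
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    nsec = struct.unpack_from("<H", image, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", image, e_lfanew + 20)[0]
    off = e_lfanew + 24 + opt_size            # section table follows the optional header
    for _ in range(nsec):
        name, _vsz, _va, rawsz, rawptr = struct.unpack_from("<8sIIII", image, off)
        yield name.rstrip(b"\0"), image[rawptr:rawptr + rawsz]
        off += 40


def looks_runtime_packed(image: bytes, threshold: float = 7.0) -> bool:
    """True if a section name or a section's entropy suggests a runtime packer."""
    return any(name in PACKER_SECTION_NAMES or shannon_entropy(raw) > threshold
               for name, raw in pe_sections(image))


def build_sample(section_name: bytes, payload: bytes) -> bytes:
    """Constructed toy PE: DOS header, COFF header with no optional header, one section."""
    e_lfanew = 0x40
    payload_off = e_lfanew + 24 + 40          # after the single 40-byte section entry
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0, 0)
    sec = struct.pack("<8sIIII", section_name, len(payload), 0x1000,
                      len(payload), payload_off) + b"\0" * 16
    return dos + coff + sec + payload


def pseudo_packed_payload(n: int = 4096) -> bytes:
    """Stand-in for compressed code: seeded pseudo-random bytes (near 8 bits/byte)."""
    return random.Random(7).randbytes(n)
```

Real packed binaries often keep a small low-entropy stub section beside the packed one, which is why the check is per section rather than over the whole file.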
     
  20. IcePanther

    IcePanther Registered Member

    Joined:
    May 28, 2005
    Posts:
    308
    Location:
    (nearby) Paris, France
    Okay ^^ Thanks for the info, I had seen this UPX name numerous times when runtime packers were mentioned indeed, I'll see on their site for more info and I'll test it on some software of my own to see for myself...
     
  21. Brian N

    Brian N Registered Member

    Joined:
    Jul 7, 2005
    Posts:
    2,148
    Location:
    Denmark
  22. NOD32 user

    NOD32 user Registered Member

    Joined:
    Jan 23, 2005
    Posts:
    1,766
    Location:
    Australia
    Agreed
     