NOD32 2.12.1 not scanning in self extracting archive ?

Discussion in 'NOD32 version 2 Forum' started by Sisko, Aug 30, 2004.

Thread Status:
Not open for further replies.
  1. Sisko

    Sisko Registered Member

    Joined:
    Jan 16, 2003
    Posts:
    42
    Is something wrong with my configuration ?
    I scan a folder with 3 files inside :
    eicar.com : the eicar test file
    eicar.exe : A self-extracting RAR archive with eicar.com inside (WinRar 3.40 Beta 5)
    eicar_com.exe : A self-extracting RAR archive with eicar_com.zip inside (WinRar 3.40 Beta 5)

    The result log is :
    date: 30.8.2004 time: 11:14:22
    Scanned disks, directories and files: D:\Eicar\
    D:\Eicar\eicar.com - Eicar test file
    D:\Eicar\eicar.exe »UPX v12_m2 - is OK
    D:\Eicar\eicar_com.exe »UPX v12_m2 - is OK
    number of scanned files: 3
    number of viruses found: 1
    time of completion: 11:14:22 total scanning time: 0 sec (00:00:00)

    See attached image for setup screen in nod32 scanner

    NOD32 Antivirus System information
    Virus signature database version: 1.852 (20040828)
    Dated: samedi 28 août 2004
    Virus signature database build: 4786

    Information on other scanner support parts
    Advanced heuristics module version: 1.009 (20040817)
    Advanced heuristics module build: 1058
    Internet filter version: 1.002 (20040708)
    Internet filter build: 1013
    Archive support module version: 1.019 (20040823)
    Archive support module build version: 1099

    Information on installed components
    NOD32 For Windows NT/2000/XP/2003 - Base
    Version: 2.12.1
    NOD32 For Windows NT/2000/XP/2003 - Internet support
    Version: 2.12.1
    NOD32 for Windows NT/2000/XP/2003 - Standard component
    Version: 2.12.1

    Operating system information
    Platform: Windows XP
    Version: 5.1.2600 Service Pack 2
    Version of common control components: 5.82.2900
    RAM: 768 MB
    Processor: Intel(R) Pentium(R) 4 CPU 1.80GHz (1794 MHz)
     


  2. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,374
    Sisko, please have a look at our website: http://www.nod32.com/products/nt.htm:

    Virus detection in compressed or protected executable files, such as UPX, AsPack, FSG, Petite, Neolite, ExeStealth, yoda's Crypter, PECompact, Pklite, Lzexe, Diet, Exepack, CPAV.

    Support of many archive formats, e.g. ZIP, RAR, ARJ, LZH, LHA, CAB, CHM, TAR, GZIP
     
  3. Sisko

    Sisko Registered Member

    Joined:
    Jan 16, 2003
    Posts:
    42
    Thanks for your answer Marcos.

    I am not sure about what you want to tell me with your answer.

    Do you mean that NOD32 does not scan inside self extracting archive ?
     
  4. Blackspear

    Blackspear Global Moderator

    Joined:
    Dec 2, 2002
    Posts:
    15,115
    Location:
    Gold Coast, Queensland, Australia
    Sisko is asking why the following files are shown as OK?

    Scanned disks, directories and files: D:\Eicar\
    D:\Eicar\eicar.com - Eicar test file
    D:\Eicar\eicar.exe »UPX v12_m2 - is OK
    D:\Eicar\eicar_com.exe »UPX v12_m2 - is OK
    number of scanned files: 3
    number of viruses found: 1

    and number of viruses found is "1"

    Cheers :D
     
  5. Big D1

    Big D1 Registered Member

    Joined:
    Aug 20, 2004
    Posts:
    68
    IMON catches all three of those files before they are even downloaded. I just checked, and IMON caught all of them, and I was able to terminate the connection which is excellent.
     
  6. Blackspear

    Blackspear Global Moderator

    Joined:
    Dec 2, 2002
    Posts:
    15,115
    Location:
    Gold Coast, Queensland, Australia
    I found the same, just wondering if Sisko already had the files downloaded prior to the new Beta or Release.

    Cheers :D
     
  7. Sisko

    Sisko Registered Member

    Joined:
    Jan 16, 2003
    Posts:
    42
    I made these files myself from the eicar original files.
    IMON does not detect these two created files.

    IMON seems to act like the on demand scanner : It does not scan inside self extracting archive.
     
  8. Pete_x

    Pete_x Guest

    I made a text file with the EICAR test string and AMON detected it (didn't with the beta), and just went to the EICAR website and IMON detected them all as well.

    I guess when you made the files you changed something so the string doesn't work, maybe... Download the files from eicar.org with IMON turned off, then scan them.
     
  9. blahblah

    blahblah Registered Member

    Joined:
    Aug 26, 2004
    Posts:
    11
    Read his post again... his eicar file (uncompressed) was detected, but NOD32 doesn't detect it when he put that exact same file in an archive, which NOD32 should pick up as well.
     
  10. Pete_x

    Pete_x Guest

    I just did the same thing as Sisko and got the same results.

    Put the string in a txt file, then put that in an exe archive via WinRAR, and NOD32 doesn't detect the EICAR test file.

    Once the file is extracted it was detected and deleted.

    If this was a real virus, could it infect a system from within the exe archive or would you have to extract it first?
     
  11. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,374
    SFX archives are not supported now - please see the list of supported archives I posted above.

    However, AMON would catch the files upon extraction so there's no way you could get infected by running a SFX archive.
     
  12. Sisko

    Sisko Registered Member

    Joined:
    Jan 16, 2003
    Posts:
    42
    An on-demand scan should scan inside archives, self-extracting or not.
    Arguing that a virus will be detected by the on-access scan (AMON) means that the on-demand scan is useless and there is no need for it, even for non-self-extracting archives.

    I am really disappointed that in so many years that feature is not implemented.
    I am also waiting for support of Exchange Server in Outlook 2003.
     
  13. fredra

    fredra Registered Member

    Joined:
    Jul 25, 2004
    Posts:
    366
    HI
    Doing a "scan" or a "clean" I get a lot of these.
    This file is NOT password protected. o_O
    C:\Program Files\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask »ZIP »arrow1.bmp - error - the file is password-protected

    Furthermore, if you right click on a folder which has "zip" files and choose NOD, it never checks inside the "zip" file. If you right click on the "zip" file it then checks, but never checks all the files, only if there is an .exe inside the zip file, then it will check that one file, not any other extension. :(

    Cheers :)
     
  14. profhsg

    profhsg Registered Member

    Joined:
    May 18, 2004
    Posts:
    145
    I have the same experience for files in Adaware. As for the 2d paragraph, my experience is completely different. I just scanned (from Explorer) the file strange_country_filter.zip which is a filter for use with the Spamihilator antispam program (a bit of an aside, it's a really great program and it's free). The archive has 5 files in it, none of which are exe files (3 txt. files, one dll and one html file). I scanned the archive with NOD32 and it reported that five files had been scanned and no viruses found. I also downloaded the two eicar zip files from eicar.org (yes, I turned off HTTP scanning so I could do it). After download I again scanned with NOD32 through Windows Explorer and the NOD32 dutifully reported that each archive had one infected file.
     
    Last edited: Aug 31, 2004
  15. fredra

    fredra Registered Member

    Joined:
    Jul 25, 2004
    Posts:
    366
    Hi profhsg
    Thanks for your reply.
    The first commonality we will just agree on...lol
    The second one...it works for you so it has to be something to do with my settings. I will check and verify my settings again.
    Your input is appreciated.
    Cheers :)
     
  16. Phil_S

    Phil_S Registered Member

    Joined:
    Nov 13, 2003
    Posts:
    152
    Location:
    UK
    Have you ticked the Scan all Files option in the Extensions list under the NOD32 setup tab? If not, NOD will only scan those files with extensions matching those in the list.
     
  17. sard

    sard Registered Member

    Joined:
    Apr 18, 2004
    Posts:
    175
    Location:
    UK
    I have to agree. The on demand scanner and IMON are both providing a false sense of security if they can be bypassed by non passworded self-extracting archives.

    The only minor advantage of IMON seems to be it scans normal archives whereas AMON doesn't until you access their contents.

    There seems to be plenty of scope for malware to remain dormant on your PC until it's executed, AMON will then detect it so I suppose you remain protected.

    Are there too many proprietary self extracting formats for ESET to bother supporting them all?
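
Added example, not part of the original thread and not ESET's code: the scan log above shows the scanner identifying the UPX-packed stub of each SFX file and reporting it clean without looking at the archive behind it. The sketch below shows the extra check an on-demand scanner or triage script needs, assuming the archive is appended after the last PE section (the overlay); `build_sample` produces constructed input, and all function names are illustrative.

```python
import struct

# Magic bytes of archive formats commonly appended to SFX stubs.
ARCHIVE_MAGICS = {
    b"Rar!\x1a\x07\x00": "RAR (1.5-4.x)",
    b"Rar!\x1a\x07\x01\x00": "RAR5",
    b"PK\x03\x04": "ZIP",
    b"7z\xbc\xaf\x27\x1c": "7z",
}

def overlay_offset(data):
    """Offset where the PE's section data ends, or None if not a PE file."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    (pe,) = struct.unpack_from("<I", data, 0x3C)        # e_lfanew
    if pe + 24 > len(data) or data[pe:pe + 4] != b"PE\0\0":
        return None
    (nsec,) = struct.unpack_from("<H", data, pe + 6)    # NumberOfSections
    (optsz,) = struct.unpack_from("<H", data, pe + 20)  # SizeOfOptionalHeader
    table = pe + 24 + optsz
    end = table + 40 * nsec
    if end > len(data):
        return None
    for i in range(nsec):
        # SizeOfRawData and PointerToRawData of section i
        size, ptr = struct.unpack_from("<II", data, table + 40 * i + 16)
        end = max(end, ptr + size)
    return min(end, len(data))

def find_embedded_archives(data):
    """List (offset, format) for archive signatures found in the overlay."""
    start = overlay_offset(data)
    if start is None:
        return []
    hits = []
    for magic, kind in ARCHIVE_MAGICS.items():
        pos = data.find(magic, start)
        while pos != -1:
            hits.append((pos, kind))
            pos = data.find(magic, pos + 1)
    return sorted(hits)

def build_sample(overlay):
    """Constructed input: minimal PE headers, one 16-byte section, then overlay."""
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0, 0x102)
    sect = b".text\0\0\0" + struct.pack("<IIII", 0x10, 0x1000, 0x10, 0x80) + b"\0" * 16
    return dos + coff + sect + b"\x90" * 0x10 + overlay
```

A hit is only a cue to hand the bytes from that offset to the matching archive unpacker and scan what comes out; a signature match alone does not prove a valid archive.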
     