nod32 detection

Discussion in 'NOD32 version 2 Forum' started by pj320, May 21, 2004.

Thread Status:
Not open for further replies.
  1. pj320

    pj320 Registered Member

    Joined:
    May 12, 2004
    Posts:
    21
    Hello!

    Hey guys, can you give some confirmation here on whether NOD32 can scan a virus that uses a different approach? I'm quoting this from another forum where some discussion was going on about NOD32 and antiviruses that can scan something like this.

    --->About NOD32 not being able to scan inside archives, it may not have problems with typical ones like RAR and ZIP whose contents (such as applications) are usually decompressed to disk before being executed. However, there are some self-extracting archives that are “packed” in such a way that when decompressed, they load directly into system memory so in essence, potentially infected files are executed immediately. I believe this poses a serious threat for NOD32 and other anti-virus programs that have the same problem.

    --->Of course there won't be problems with typical self-extracting archives like ZIP and RAR but I was talking about the other kinds of self-extracting archives (like LZW or ICE, I think) that decompress to memory directly without writing to disk and we all know that once an application loads into memory, it's as good as executed.

    Please help! I'd like to know and confirm it before I give the necessary answer in this discussion.

    Thanks!
     
  2. Arin

    Arin Registered Member

    Joined:
    May 1, 2004
    Posts:
    997
    Location:
    India
    Those programs are called packers, which pack a program. Common packers are UPX, ASPack, FSG, etc. NOD32 unpacks them and scans them before the packed files get loaded into memory, so you need not worry. In fact, NOD32's unpacking support is second only to Kaspersky's.
     
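As an added example (not ESET code and not from the original thread), here is a small Python script that does the first thing an on-access scanner must do before it can hand a file to an unpacker: recognise that a PE on disk is packed at all. It parses the DOS header, PE signature, COFF header and section table, then flags the two tells that packers such as UPX and ASPack leave behind: known section names, and a high-entropy section sitting next to an empty section that is reserved in memory as the unpack destination. The section-name list, the 7.0-bits-per-byte entropy threshold and the synthetic PE images are assumptions constructed for this example; they are not ESET's signatures or thresholds.

```python
"""Heuristic 'is this PE packed?' check. Added example only, not ESET code."""
import math
import struct

# Section names used by two of the packers named in the thread. Illustrative
# list for this example, not an exhaustive or vendor-derived signature set.
PACKER_SECTION_NAMES = {
    b"UPX0", b"UPX1", b"UPX2",   # UPX
    b".aspack", b".adata",       # ASPack
}
HIGH_ENTROPY = 7.0  # bits/byte (assumed threshold); compressed data sits near 8.0


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: 0.0 for empty or constant data, 8.0 maximum."""
    if not data:
        return 0.0
    n = len(data)
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def parse_sections(pe: bytes) -> list:
    """Walk DOS header -> PE signature -> COFF header -> section table and
    return one dict per section with the entropy of its on-disk bytes."""
    if pe[:2] != b"MZ":
        raise ValueError("not a DOS/PE image (missing MZ)")
    (e_lfanew,) = struct.unpack_from("<I", pe, 0x3C)
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    (num_sections,) = struct.unpack_from("<H", pe, coff + 2)
    (opt_hdr_size,) = struct.unpack_from("<H", pe, coff + 16)
    table = coff + 20 + opt_hdr_size          # section table follows the optional header
    sections = []
    for i in range(num_sections):
        off = table + 40 * i                  # IMAGE_SECTION_HEADER is 40 bytes
        name = pe[off:off + 8].rstrip(b"\0")
        virt_size, _virt_addr, raw_size, raw_ptr = struct.unpack_from("<IIII", pe, off + 8)
        raw = pe[raw_ptr:raw_ptr + raw_size] if raw_size else b""
        sections.append({
            "name": name,
            "virtual_size": virt_size,
            "raw_size": raw_size,
            "entropy": shannon_entropy(raw),
        })
    return sections


def packer_indicators(pe: bytes) -> list:
    """Return human-readable reasons the image looks packed ([] if none)."""
    reasons = []
    for s in parse_sections(pe):
        n = s["name"].decode("latin-1")
        if s["name"] in PACKER_SECTION_NAMES:
            reasons.append(f"{n}: known packer section name")
        if s["raw_size"] and s["entropy"] >= HIGH_ENTROPY:
            reasons.append(f"{n}: entropy {s['entropy']:.2f} bits/byte (compressed/encrypted payload)")
        if s["raw_size"] == 0 and s["virtual_size"] > 0:
            reasons.append(f"{n}: no data on disk but {s['virtual_size']:#x} bytes reserved in memory (unpack destination)")
    return reasons


def build_pe(sections) -> bytes:
    """Assemble a minimal synthetic PE from (name, raw_bytes, virtual_size) triples.
    Constructed fixture only: no optional header, no entry point, will not run;
    it exists to exercise the parser above."""
    hdr_len = 64 + 4 + 20 + 40 * len(sections)
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 64)                     # e_lfanew = 64
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 0, 0x102)  # i386, no optional header
    table, payload, raw_ptr, virt = b"", b"", hdr_len, 0x1000
    for name, raw, vsize in sections:
        table += name.ljust(8, b"\0") + struct.pack(
            "<IIIIIIHHI", vsize, virt, len(raw), raw_ptr if raw else 0, 0, 0, 0, 0, 0x60000020)
        raw_ptr += len(raw)
        virt += max(vsize, len(raw), 0x1000)
        payload += raw
    return dos + b"PE\0\0" + coff + table + payload


# Constructed samples: the packed one mimics a UPX layout (empty UPX0 as unpack
# target, uniform-byte UPX1 as the compressed payload); the clean one does not.
PACKED_SAMPLE = build_pe([
    (b"UPX0", b"", 0x8000),
    (b"UPX1", bytes(range(256)) * 8, 0x800),
    (b".rsrc", b"\0" * 64, 0x40),
])
CLEAN_SAMPLE = build_pe([
    (b".text", b"\x55\x8b\xec" + b"\x90" * 253, 0x100),
    (b".data", b"hello, world\0" * 20, 0x104),
])

if __name__ == "__main__":
    for label, img in (("packed", PACKED_SAMPLE), ("clean", CLEAN_SAMPLE)):
        print(label, packer_indicators(img) or ["no packer indicators"])
```

Note what this does and does not answer: it only tells you that a file on disk is worth running through an unpacker, which is the step the thread says the on-access monitor was skipping for UPX/ASPack at the time. It says nothing about whether the unpacked payload is malicious, and nothing about code that exists only in memory, which is why the later posts ask for Advanced Heuristics in the on-access monitor rather than in the on-demand scanner. Real scanners pair a check like this with a generic unpacker or emulator; name and entropy alone are easy for a packer author to disguise.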
  3. sir_carew

    sir_carew Registered Member

    Joined:
    Sep 2, 2003
    Posts:
    884
    Location:
    Santiago, Chile
    Currently, the AMON (on-access) monitor doesn't scan files packed with utilities like UPX, ASPack, etc. However, AMON detects ITW packed malware.
    When you use Advanced Heuristics, NOD uses a generic unpacker, so it's able to unpack files that are packed with new utilities never known before.

     
  4. Kobra

    Kobra Registered Member

    Joined:
    May 11, 2004
    Posts:
    129
    They really need to work on this, I think. I love how BitDefender and AVK, in my tests, found compressed/archived trojans/viruses WITHOUT even clicking on the archive.

    To me, that's a better thing, and I wish they'd do that with NOD32. Or at the very least, have an option for it.
     
  5. Mele20

    Mele20 Former Poster

    Joined:
    Apr 29, 2002
    Posts:
    2,495
    Location:
    Hilo, Hawaii
    But what about the self-extracting archives that decompress to memory directly, not writing to disk? You can't use Adv heuristics because these are not written to disk. So, I agree this is a real worry.

    I don't know what you are talking about when you claim adv heuristics will unpack and scan. How? They are not written to disk, so how would I use command-line adv heuristics to scan them? Please don't tell me I have to use IMON. I don't use IMON and I expect Eset to understand that a lot of us don't want IMON. We want AMON to have proper powers.
     
  6. Kobra

    Kobra Registered Member

    Joined:
    May 11, 2004
    Posts:
    129
    Agreed... AMON is sorely lacking in NOD32. IMON is lacking too, but I feel AMON should be a priority for the product at this point; it seems like it's falling behind the curve.
     
  7. pj320

    pj320 Registered Member

    Joined:
    May 12, 2004
    Posts:
    21
    Reading from your posts, it seems that this poses a threat for NOD users, right? This means that I'm not 100% secure for now and might be needing a backup AV which could do this.
     
  8. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,374
    As I have already written in one of the threads, we are going to implement support for AH in AMON. It is likely that it will be introduced with program components 2.000.10.
     
  9. Mele20

    Mele20 Former Poster

    Joined:
    Apr 29, 2002
    Posts:
    2,495
    Location:
    Hilo, Hawaii
    That soon huh? Wow! That is great!!!!!!
     
  10. Arin

    Arin Registered Member

    Joined:
    May 1, 2004
    Posts:
    997
    Location:
    India
    Thank you, Sir Carew, for pointing out my mistake.
     