NOD32 Quarantine... good?

Discussion in 'NOD32 version 2 Forum' started by OPETH, Nov 22, 2005.

Thread Status:
Not open for further replies.
  1. OPETH

    OPETH Guest

    What about NOD32 quarantine? I've heard that it is not good, and that some viruses may be reactivated inside NOD32's quarantine... is it true? Or is NOD32 quarantine as good as McAfee's and other AVs' quarantine?
     
  2. RejZoR

    RejZoR Registered Member

    Joined:
    May 31, 2004
    Posts:
    6,426
    It wouldn't be quarantine if you could execute files in it? Quarantine is quarantine. Doesn't make a difference if it comes from ESET, McAfee or Kaspersky. They all work the same way.
     
  3. OPETH

    OPETH Guest

    McAfee renames the file, putting a ".vir" extension on the infected file... does NOD32 do this?
     
  4. zashita

    zashita Registered Member

    Joined:
    May 17, 2005
    Posts:
    309
    NOD32 splits it into 2 files with extensions .NQI and .NQF, and it is not only an extension change ...
    I renamed a file in my quarantine folder (original extension) and ran a scan ... nothing detected.
    I restored the file and ran a scan ... and a threat was detected.

    Then it is not only an extension change.
    It is safer like this ;)
     
  5. DonKid

    DonKid Registered Member

    Joined:
    Jun 27, 2004
    Posts:
    566
    Location:
    São Paulo, Brazil
    KAV can read the quarantine folder and can say what kind of file it is.
     
  6. OPETH

    OPETH Guest

    I don't really know how NOD32 quarantine works... I tried to execute the file in quarantine (EICAR test file), Windows asked me in which program I want to execute the file, so I chose WordPad and the file opened!! Is there any problem? With McAfee Enterprise, I couldn't even click on the quarantined file...

    http://img400.imageshack.us/img400/5659/desknod2vz.jpg
     
  7. DonKid

    DonKid Registered Member

    Joined:
    Jun 27, 2004
    Posts:
    566
    Location:
    São Paulo, Brazil
    All that I know is that those files are encrypted.
     
  8. pc-support

    pc-support Registered Member

    Joined:
    Mar 10, 2005
    Posts:
    285
    Location:
    Edinburgh, UK
    Of course the file opened. Using notepad you can open almost any file...

    As you can see from your screen shot the file is NOT the eicar test virus... This is:

    X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*



    Ooh look, I'm now classed as a regular poster. Whoo hoo!!! :D
     
  9. RejZoR

    RejZoR Registered Member

    Joined:
    May 31, 2004
    Posts:
    6,426
    First of all you CANNOT execute it from Quarantine from inside NOD32 Control Center. Second, does that string look like the EICAR string? I don't think so...
    That's because it's encrypted and thus useless as a file.
     
  10. OPETH

    OPETH Guest

    So NOD32 quarantine is as good as McAfee's quarantine? I've read somewhere (I think PC Magazine) that McAfee was the best in quarantine...
     
  11. RejZoR

    RejZoR Registered Member

    Joined:
    May 31, 2004
    Posts:
    6,426
    What difference does it make? It's quarantine like any other. They all work the same. But I found those that just change the extension to .vir to be less effective, because files tend to get detected over and over again when you use the option that scans all files regardless of extension. McAfee and AntiVir are among those...
     
  12. rumpstah

    rumpstah Registered Member

    Joined:
    Mar 19, 2003
    Posts:
    486
    Even if one takes the .NQF file and renames it to the original name, it will not execute (file is encoded). The Quarantine module does allow for proper decoding of the file using the Restore and/or Restore to functions. Programs that tag the file(s) with the .NQF extension as an infection are doing so incorrectly (false positive).

    For example:
     


  13. OPETH

    OPETH Guest

    So there is not any kind of vulnerability in NOD32's quarantine?
     
  14. Manager

    Manager Registered Member

    Joined:
    Nov 22, 2005
    Posts:
    2
    The best quarantine is that of McAfee products. Quarantine is important when the antivirus detects a virus, because that is the moment when the app isolates the infected extension.
    NOD's quarantine is moderate, with some mistakes and failures!
     
  15. OPETH

    OPETH Guest

    What kind of mistakes? Marcos and Happy Bytes should comment in this Thread...
     
  16. Manager

    Manager Registered Member

    Joined:
    Nov 22, 2005
    Posts:
    2
    An Albanian hacker (Justmt) announced that NOD32 may have some vulnerability in the quarantine with a specific infected extension when the antivirus was submitted to an experiment in the laboratory!
     
  17. rumpstah

    rumpstah Registered Member

    Joined:
    Mar 19, 2003
    Posts:
    486
    Hi Manager:

    Since the NOD32 quarantine encrypts files and does not "simply" rename them with a "specific infected extension" (i.e. badfile.exe.vir)... How about pointing readers to the article or thread.

     
  18. OPETH

    OPETH Guest

    Manager does not have an article... this vulnerability does not exist...
     
  19. RejZoR

    RejZoR Registered Member

    Joined:
    May 31, 2004
    Posts:
    6,426
    Omg, people are incredible. They make up all sorts of weird things about quarantine.
    It's just QUARANTINE. What vulnerability, what complications!?!?!? It's there and it works. I wonder how you can say McAfee's one is better than NOD32's? Based on what? Then I can say avast!'s one is even better. Quarantine just stores files in a safe state so you can't execute them by mistake. But if you tend to do all that to execute it, the resident scanner would pick it up again anyway. If you go even further and disable AMON (the resident part), well, then it's solely your fault about getting infected. So please, PLEASE stop complicating :rolleyes: You can't expect some high grade 4096bit encryption just to store infected files :rolleyes:
     
  20. rumpstah

    rumpstah Registered Member

    Joined:
    Mar 19, 2003
    Posts:
    486
    That was the point. ;)
     
  21. mrtwolman

    mrtwolman Eset Staff Account

    Joined:
    Dec 5, 2002
    Posts:
    613
    Using public key cryptography just to prevent others from scanning your quarantine could be a bit overkill :D
    On the other hand "they" have some experience in code-breaking :cool:
     
  22. gue_st

    gue_st Guest

    For sure, Kaspersky AV doesn't tag any file with .NQF extension as infection.
     
  23. POS

    POS Guest

    @gue_st

    Yes it does... I've done an online scan with Kaspersky and it detected the files in NOD32's quarantine as some trojans
     
  24. Brian N

    Brian N Registered Member

    Joined:
    Jul 7, 2005
    Posts:
    2,148
    Location:
    Denmark
    Currently KAV and 2 other AVs can scan the files that NOD has in quarantine (last time I checked anyways).
     
  25. gue_st

    gue_st Guest

    I encrypted two viruses, changed extension to .NQF and KAV online scanner does not detect them as infected.
    Probably, you just need to encrypt better...
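
The contrast drawn in posts 11 and 12 above (a rename-only quarantine is re-detected by a scan that ignores extensions, while an encoded one is not detected until it is restored), as an added example that is not part of the original thread and not any vendor's code. The single-byte XOR, the `.body`/`.info` file names and the signature are assumptions made for illustration; the real .NQF/.NQI format is not described on this page.

```python
from pathlib import Path
import tempfile

# Constructed stand-in for a detection signature; harmless text, not a real sample.
SIGNATURE = b"CONSTRUCTED-TEST-SIGNATURE-0001"
XOR_KEY = 0x5A  # assumption: a toy encoding standing in for the real, undocumented one


def detected(path: Path) -> bool:
    """A scanner set to scan all files regardless of extension: content match only."""
    return SIGNATURE in path.read_bytes()


def quarantine_rename(sample: Path) -> Path:
    """Rename-only style: identical bytes, '.vir' appended to the name."""
    return sample.rename(sample.with_name(sample.name + ".vir"))


def quarantine_encode(sample: Path) -> Path:
    """Encoded style: transformed body plus a sidecar holding the original path."""
    body = sample.with_name(sample.name + ".body")
    body.write_bytes(bytes(b ^ XOR_KEY for b in sample.read_bytes()))
    body.with_suffix(".info").write_text(str(sample))
    sample.unlink()
    return body


def restore(body: Path) -> Path:
    """Decode the body back to the path recorded in the sidecar."""
    original = Path(body.with_suffix(".info").read_text())
    original.write_bytes(bytes(b ^ XOR_KEY for b in body.read_bytes()))
    return original


def demo() -> dict:
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        for name in ("a.bin", "b.bin"):
            (root / name).write_bytes(b"header" + SIGNATURE + b"trailer")
        renamed = quarantine_rename(root / "a.bin")
        body = quarantine_encode(root / "b.bin")
        out = {"rename_only": detected(renamed), "encoded": detected(body)}
        back = body.rename(root / "b.bin")  # original name, still encoded bytes
        out["encoded_renamed_back"] = detected(back)
        out["restored"] = detected(restore(back.rename(body)))
        return out

if __name__ == "__main__":
    print(demo())
```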
     