NOD32 scanning archives with AMON !?

Discussion in 'NOD32 version 2 Forum' started by RejZoR, Nov 26, 2005.

Thread Status:
Not open for further replies.
  1. RejZoR

    RejZoR Lurker

    Funny thing I am noticing all the time is that AMON detects things inside ZIP archives. How's that possible? Here are the steps to reproduce it:

    I drag that file from desktop into my Virus Storage folder (which is completely excluded from AMON).
    http://img395.imageshack.us/img395/3460/step14zf.jpg

    This is what I get the very same moment I release the mouse button.
    http://img395.imageshack.us/img395/8740/step29pd.jpg

    Now it's clear that NOD32 scanned that ZIP file with AMON. How come we can't enable archive scanning for AMON while NOD32 does that without our knowledge? Bug or a feature? Honestly I'd prefer an option that would allow us to scan archives in realtime using AMON. If it's a bug, try to fix it.

    If you need this exact Sober.U sample you can get it in Malware Research under UNA or avast! subsection (I guess Mike could sniff it out ;) ). I can also mail it on your request though...
     
  2. Brian N

    Brian N Registered Member

    blabla.zip.com ?
     
  3. RejZoR

    RejZoR Lurker

    No it's a ZIP archive with file inside, not a renamed executable.
     
  4. vlk

    vlk AV Expert

    Most likely the ZIP compression "method" in this case is store, i.e. no compression. I.e. the virus string is still there. :p

    Many "ZIPped" viruses are in fact just stored (because the virus then doesn't have to contain compression code).
     
  5. RejZoR

    RejZoR Lurker

    What about CAB archives? Happens many times that AMON triggers when I use Windows Search and it passes over excluded! Virus Storage folder.
     
  6. Marcos

    Marcos Eset Staff Account

    I assume we picked a signature both from the zip and unzipped files, that's why AMON detected it in the zip archive (which was actually treated as a normal file and not as an archive).
     
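An added illustration of the point vlk and Marcos make above (example code, not code from the thread or from ESET): with ZIP method "store" the member's bytes sit uncompressed inside the container, so a monitor that treats the archive as a plain file still matches a byte signature, while a deflated member only shows up to an archive-aware scan. The signature string and the member name are constructed placeholders, not real detection data.

```python
import io
import zipfile

# Constructed marker standing in for a byte signature; it matches no real malware.
SIGNATURE = b"CONSTRUCTED-SIGNATURE-PLACEHOLDER-0001"


def build_archive(method: int, member_name: str = "sample.exe") -> bytes:
    """Return the raw bytes of a one-member ZIP written with the given method."""
    # A fake PE-like body: header stub, padding, the marker, more padding.
    payload = b"MZ" + b"\x00" * 64 + SIGNATURE + b"\x00" * 64
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", compression=method) as zf:
        zf.writestr(member_name, payload)
    return buf.getvalue()


def flat_scan(data: bytes) -> bool:
    """Model a real-time monitor that scans the container as a flat byte stream."""
    return SIGNATURE in data


def archive_scan(data: bytes) -> bool:
    """Model an archive-aware scanner that unpacks each member before matching."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return any(SIGNATURE in zf.read(info) for info in zf.infolist())


def compare_methods() -> dict:
    """Map each ZIP method name to (flat_scan_hit, archive_scan_hit)."""
    results = {}
    for name, method in (("stored", zipfile.ZIP_STORED),
                         ("deflated", zipfile.ZIP_DEFLATED)):
        data = build_archive(method)
        results[name] = (flat_scan(data), archive_scan(data))
    return results


if __name__ == "__main__":
    for name, (flat_hit, archive_hit) in compare_methods().items():
        print(f"{name:>8}: flat scan hit={flat_hit}, archive scan hit={archive_hit}")
```

The stored archive is caught by both scans; the deflated one is caught only by the archive-aware scan, which is why a real-time monitor without archive support can still fire on some ZIP files but not others.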