NOD32 scanning archives with AMON !?

Discussion in 'NOD32 version 2 Forum' started by RejZoR, Nov 26, 2005.

Thread Status:
Not open for further replies.
  1. RejZoR

    RejZoR Registered Member

    Joined:
    May 31, 2004
    Posts:
    6,426
    Funny thing I am noticing all the time is that AMON detects things inside ZIP archives. How's that possible? Here are the steps to reproduce it:

    I drag that file from desktop into my Virus Storage folder (which is completely excluded from AMON).
    http://img395.imageshack.us/img395/3460/step14zf.jpg

    This is what I get the very same moment I release the mouse button.
    http://img395.imageshack.us/img395/8740/step29pd.jpg

    Now it's clear that NOD32 scanned that ZIP file with AMON. How come we can't enable archive scanning for AMON while NOD32 does that without our knowledge? Bug or a feature? Honestly, I'd prefer an option that would allow us to scan archives in realtime using AMON. If it's a bug, try to fix it.

    If you need this exact Sober.U sample you can get it in Malware Research under the UNA or avast! subsection (I guess Mike could sniff it out ;) ). I can also mail it on your request though...
     
  2. Brian N

    Brian N Registered Member

    Joined:
    Jul 7, 2005
    Posts:
    2,148
    Location:
    Denmark
    blabla.zip.com ?
     
  3. RejZoR

    RejZoR Registered Member

    Joined:
    May 31, 2004
    Posts:
    6,426
    No it's a ZIP archive with file inside, not a renamed executable.
     
  4. vlk

    vlk AV Expert

    Joined:
    Dec 26, 2002
    Posts:
    618
    Most likely the ZIP compression "method" in this case is store, i.e. no compression, so the virus string is still there. :p

    Many "ZIPped" viruses are in fact just stored (because the virus then doesn't have to contain compression code).
     
  5. RejZoR

    RejZoR Registered Member

    Joined:
    May 31, 2004
    Posts:
    6,426
    What about CAB archives? It happens many times that AMON triggers when I use Windows Search and it passes over the excluded (!) Virus Storage folder.
     
  6. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,374
    I assume we picked a signature from both the zipped and unzipped files; that's why AMON detected it in the zip archive (which was actually treated as a normal file and not as an archive).
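The point vlk and Marcos make above (a "stored" ZIP leaves the member's bytes verbatim inside the container, so a scanner that treats the .zip as a plain file still matches a byte signature, while a deflated entry only matches once the archive is actually unpacked) can be checked directly. The script below is an added illustration, not code from the thread or from ESET; the "signature" and the payload are constructed marker strings, not malware, and `flat_scan`/`archive_scan` are hypothetical models of a file-level monitor versus an archive-aware scanner.

```python
import io
import zipfile

# Constructed stand-in for a scanner signature: a harmless marker string that a
# byte-pattern scanner (like AMON in the thread) would match on. Not real malware.
SIGNATURE = b"CONSTRUCTED-TEST-SIGNATURE-0x7f3a"
# Constructed payload: the marker surrounded by highly compressible filler so that
# deflate really does transform the bytes around and inside the pattern.
PAYLOAD = b"A" * 512 + SIGNATURE + b"B" * 512


def build_zip(payload: bytes, method: int) -> bytes:
    """Return the raw bytes of a one-entry ZIP written with the given method."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", compression=method) as zf:
        zf.writestr("sample.bin", payload)
    return buf.getvalue()


def flat_scan(data: bytes, signature: bytes = SIGNATURE) -> bool:
    """Hypothetical file-level scan: byte-pattern match on the raw file, no archive
    parsing at all. This models a real-time monitor treating the .zip as a plain file."""
    return signature in data


def archive_scan(data: bytes, signature: bytes = SIGNATURE) -> bool:
    """Hypothetical archive-aware scan: open the container and match against each
    member's decompressed bytes."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return any(signature in zf.read(info) for info in zf.infolist())


def compare() -> dict:
    """Scan the same payload packed with 'store' and with 'deflate' both ways."""
    stored = build_zip(PAYLOAD, zipfile.ZIP_STORED)
    deflated = build_zip(PAYLOAD, zipfile.ZIP_DEFLATED)
    return {
        "stored_flat": flat_scan(stored),            # True: bytes sit verbatim in the zip
        "stored_archive": archive_scan(stored),      # True
        "deflated_flat": flat_scan(deflated),        # False: deflate scrambles the pattern
        "deflated_archive": archive_scan(deflated),  # True: only visible after unpacking
    }


if __name__ == "__main__":
    for name, hit in compare().items():
        print(f"{name:17s} -> {'DETECTED' if hit else 'clean'}")
```

The `stored_flat` hit is exactly what the screenshots in the first post show: no archive scanning was needed because the container never hid the bytes. The same reasoning applies to any other container (the CAB case asked about above) whenever a member is stored uncompressed.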
     