nod32 use PE-CRYPT.XORPE

Today download a malware that nod said maybe a variant of downloader and add to quarantine, i submit the file from C:\Program Files\ESET\infected, this is the result
File: PYB3AYCA.NQF
Packers detected: PE-CRYPT.XORPE
Scanner results
Dr.Web
Found Trojan.DownLoader.10891

Kaspersky Anti-Virus
Found Packed.Win32.Tibs

NOD32
Found nothing

If some one use this packer, nod32 can't detect it? I know it is normal not to detect the file added to the quarantine, but the scaner can't find it anymore.

 

It gets encrypted when it's quarantined, and why should NOD32 detect its own quarantined files? That are encrypted and not executable?

 

As a related question, does this also apply to independently XORed files?

I mean, suppose I take a malware-infected file and encrypt it with this XORPE and place it in any random directory (except the folder where NOD is installed), will NOD32 still detect the malware in this XORPE encrypted file?

 

I just find a way that nod32 used itself to aviod detection. No matter where you put it, the scaner can't find. I think only dr.web can find it correctly, it is a trojan downloader.

 

In it's xored state the quarantine item is not executable. NOD32 would detected it upon decryption. More importantly, if a malware was to try and decrypt the NOD32 xored files then it would be more imortant IMHO for this decrypting malware to be detected since it is the real threat, not the benign quarantine item.

Cheers

 

If it is non-executable up to the time of decryption, then why do some AV scanners do automatic decryption of this type of files? I don't see the need considering that the malware will be detected anyway on decryption.

 

Exactly
Although I have heard what I believe to be some valid arguments for it, I still just seems unnecessary to me.
I wish that at least when they do detect it they would mention it as 'a (possible) NOD32 quarantine item' - but this is nothing to do with NOD32

Cheers