Nod32 & zip

Discussion in 'NOD32 version 2 Forum' started by Niklas Lundgren, Mar 8, 2004.

Thread Status:
Not open for further replies.
  1. I read today that KAV has developed a system for their AV to scan a zip-file for a password then use the password to scan inside protected .zip files.

    For example the virus "Bagle.J". Is Eset/Nod32 doing something similar? Otherwise that's a pretty big gap.

    Regards

    /Niklas
     
  2. puff-m-d

    puff-m-d Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    4,451
    Location:
    North Carolina, USA
    Would you please post the link where you read this information?

    Regards,
    Kent
     
  3. http://www.theregister.co.uk/content/55/36049.html
     
  4. puff-m-d

    puff-m-d Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    4,451
    Location:
    North Carolina, USA
    Thanks for the link ;) ... It was an interesting article.

    Regards,
    Kent
     
  5. sir_carew

    sir_carew Registered Member

    Joined:
    Sep 2, 2003
    Posts:
    884
    Location:
    Santiago, Chile
    Yes, NOD had a similar system too. NOD's system doesn't need to read the body of the message to find the password and scan the file; KAV needs that :)
    NOD was one of the first to implement such a system.
     
    Sounds great! No need to worry then. :) I'll just keep on using this great AV!

    Thx!
     
  7. steve1955

    steve1955 Registered Member

    Joined:
    Feb 7, 2004
    Posts:
    1,384
    Location:
    Sunny(in my dreams)Manchester,England
    Sir_carew, am I right in thinking that you are saying NOD can scan inside this current batch of emailed password-protected zip files without needing the message body?
    If that is correct it should be capable of scanning inside any password-protected zip file! I don't want to rain on NOD's capabilities, but it can't. Try this: download eicar.com_zip, place it in a folder, zip that folder and password-protect it, then try and scan it. NOD cannot (KAV cannot either, but as KAV gets the password for the zip from the message body this is expected).
    Steve
     
  8. sir_carew

    sir_carew Registered Member

    Joined:
    Sep 2, 2003
    Posts:
    884
    Location:
    Santiago, Chile
    I know that NOD doesn't need the body because a Spanish page, by AV experts, explains that. It's only for worms that use that type of spread. I have an original password-protected file (Bagle) and NOD can detect it without the body. Obviously if you password-protect them, no AV will detect that. Indeed KAV uses heuristic detection for those password-protected zips that don't have a body with the password, but if you protect a simple zip file, KAV's heuristic will not alert you. I've tested that with an original zip that I have.
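The approach argued over in posts 1 and 8 (harvest the password from the mail body, open the archive with it, scan what is inside, and otherwise at least flag that the attachment is encrypted), written out as an added example; this is not code from the thread or from either vendor. Everything in it is constructed for the example: the ZipCrypto archive builder, the MAIL_BODY text, the inner file name and the SIGNATURE marker that stands in for a real detection signature.

```python
import io
import re
import struct
import zipfile
import zlib

KEYS0 = (0x12345678, 0x23456789, 0x34567890)  # PKWARE ZipCrypto initial key state
SIGNATURE = b"CONSTRUCTED-SAMPLE-MARKER"      # constructed stand-in for a real signature
MAIL_BODY = "See the attachment. The archive is password protected.\nPassword: 12345"

def _update(keys, byte):  # one step of the traditional PKWARE (ZipCrypto) key schedule
    k0 = ~zlib.crc32(bytes([byte]), ~keys[0] & 0xFFFFFFFF) & 0xFFFFFFFF
    k1 = ((keys[1] + (k0 & 0xFF)) * 134775813 + 1) & 0xFFFFFFFF
    k2 = ~zlib.crc32(bytes([k1 >> 24]), ~keys[2] & 0xFFFFFFFF) & 0xFFFFFFFF
    return (k0, k1, k2)

def build_protected_zip(name, data, password):
    """Constructed sample: one stored entry, ZipCrypto-encrypted, flag bit 0 set."""
    crc, keys, body = zlib.crc32(data), KEYS0, bytearray()
    for b in password:
        keys = _update(keys, b)
    for p in bytes(11) + bytes([crc >> 24]) + data:  # 12-byte prefix, last byte = CRC>>24
        t = keys[2] | 2
        body.append(p ^ (((t * (t ^ 1)) >> 8) & 0xFF))
        keys = _update(keys, p)
    hdr = (1, 0, 0, 0x3068, crc, len(body), len(data), len(name), 0)  # flags=1: encrypted
    local = b"PK\x03\x04" + struct.pack("<HHHHHIIIHH", 20, *hdr) + name
    central = b"PK\x01\x02" + struct.pack("<HHHHHHIIIHHHHHII", 20, 20, *hdr, 0, 0, 0, 0, 0) + name
    eocd = b"PK\x05\x06" + struct.pack("<HHHHIIH", 0, 0, 1, 1, len(central), len(local) + len(body), 0)
    return local + bytes(body) + central + eocd

def encrypted_entries(zip_bytes):  # entries with general-purpose flag bit 0 (encrypted) set
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        return [i.filename for i in zf.infolist() if i.flag_bits & 1]

def candidate_passwords(body):  # harvest 'password: xxx' / 'password is xxx' from the body
    return re.findall(r"password(?:\s+is)?\s*[:=]?\s*([A-Za-z0-9]{3,16})", body, re.I)

def scan_protected_attachment(zip_bytes, body):  # -> (password that worked, infected entries)
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for pwd in candidate_passwords(body):
            try:
                hits = [n for n in zf.namelist() if SIGNATURE in zf.read(n, pwd=pwd.encode())]
            except (RuntimeError, zipfile.BadZipFile):  # wrong candidate, try the next one
                continue
            return pwd, hits
    return None, []

SAMPLE_ZIP = build_protected_zip(b"sample.exe", b"constructed attachment " + SIGNATURE, b"12345")
```

The harvester deliberately over-matches (it also picks up "protected" from "password protected"), which is why the scanner tries every candidate and treats a bad-password error as "next one"; with no hint in the body it can only report that the entry is encrypted, which is the gap steve1955 describes.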
     
  9. steve1955

    steve1955 Registered Member

    Joined:
    Feb 7, 2004
    Posts:
    1,384
    Location:
    Sunny(in my dreams)Manchester,England
    Are you saying it just applies to this particular worm? If so it is not of much use, because what's to stop other viruses/worms/trojans etc. being sent the same way? An AV either protects against this form of delivery or it doesn't, and after all (as Eset are quick to point out) a virus inside a zip file is harmless as long as it is not accessed, and remains harmless if accessed as long as the AV employed intercepts it.
    Steve
     
  10. radicalb21

    radicalb21 Registered Member

    Joined:
    Jun 6, 2003
    Posts:
    164
    Location:
    USA
    You may want to check out this link and it may answer some questions. Here is that link:

    http://www.wilderssecurity.com/showthread.php?t=10337
     
  11. Got a "Bagle.J" password protected yesterday. Went right through Nod32. Guess Eset/Nod32 need to come up with a solution. :doubt:
     
  12. bugaj

    bugaj Guest

    Good to know, that NOD32 is able to detect file inside zip ;)
     
    Yeah, but it doesn't help when a zip file is password protected. Then Nod32 can't do anything.
     
  14. Lars

    Lars Guest

    Scanning inside archives for viruses is an unnecessary waste of resources.
     
  15. dos

    dos Registered Member

    Joined:
    Oct 17, 2003
    Posts:
    43
    NOD32 can't do anything? It went right through NOD32? Bah, complete rubbish. Any zip file that is password protected is harmless. If you were to unzip the file, and/or try to do anything with the contents of it, then NOD32 would stop it. This scanning of password protected zip files is just a gimmick to hog resources.
     
  16. steve1955

    steve1955 Registered Member

    Joined:
    Feb 7, 2004
    Posts:
    1,384
    Location:
    Sunny(in my dreams)Manchester,England
    Dos: I suppose next you'll be saying "the ability to defend against most trojans is a resource-hogging gimmick".
    Steve
     
  17. dos

    dos Registered Member

    Joined:
    Oct 17, 2003
    Posts:
    43
    Why do you suppose that?
     
  18. steve1955

    steve1955 Registered Member

    Joined:
    Feb 7, 2004
    Posts:
    1,384
    Location:
    Sunny(in my dreams)Manchester,England
    Because judging by your last reply it would appear that if another AV does things that NOD doesn't, or does things differently to NOD, you consider it a gimmick. We all have to realise that NOD is better in some ways than some (most) other AVs, but some may be better in some ways than NOD.
    I would myself prefer NOD to act the way KAV does in respect to these zip files (just for the "feeling" of extra security) and to be as strong in respect to trojans; if I was using KAV no doubt I would want it to be as light on resources and as fast as NOD, but these are the priorities of the developers, and no way can a different set of priorities be considered "gimmicks".
    If we can all stop taking a blinkered view of other AVs' strengths and criticising them for the sake of criticising them, we may be more successful at getting some of the good points of other AVs incorporated into NOD; then it would be the best, full stop. But if we do slag off these strengths then Eset are never going to incorporate features that most of us give them the impression we don't want.
     
  19. dos

    dos Registered Member

    Joined:
    Oct 17, 2003
    Posts:
    43
    Then you have judged wrong. How can you compare identifying a harmless secured virus inside a file to not detecting trojans at all? That is just idiotic to be honest. My response was to someone who appeared to be under the impression he was any less secure using NOD32 than if using KAV with password protected zip file scanning. The file inside a password protected zip file is harmless until unzipped, upon which NOD32 will alert the user that the file is infected. What is the real advantage of being able to scan inside password protected zip files received via e-mail?
     
  20. Niklas

    Niklas Guest

    How "harmless" is it if one of my 50 "not so computer talented" users gets a virus before Nod32 updates? They might even get the idea to test if it is a virus and shut down Nod32.

    Never underestimate the power of the stupid user. If Nod could scan the zip file before the mail hits the box then I would feel safe. Not from the virus but from the user. Get what I mean?
     
  21. Cold

    Cold Registered Member

    Joined:
    Jan 19, 2004
    Posts:
    4
    I agree with you 100%. As the saying goes, "there is no patch for stupidity", and this applies to many of the users that I manage systems for. And with the latest outbreaks this weekend of the Bagle variant now rar'ing as well as zip'ing, this is something that must be addressed. I'm seeing the other major AV clients dealing with this... why does NOD32 just dismiss it?
     
  22. JimIT

    JimIT Registered Member

    Joined:
    Jan 22, 2003
    Posts:
    1,035
    Location:
    Denton, Texas
    What does that have to do with whether the file is zipped or not? If the pattern files aren't up to date, whether the file is scanned while zipped or unzipped is a moot point.

    Not if NOD32 is configured correctly.

    No I don't.

    If the zip file gets to the desktop, and is somehow opened, and the pattern files are up to date, (just like any other AV) NOD32 will either delete the file, or block access to it.

    Real-world example: One of my "not so talented" users comes in with a USB thumb drive containing SubSeven in a zip file. He plugs it in and moves the file to the desktop. He clicks on the zip file to install it. The real-time monitor of our AV smashes it, and moves it to quarantine, and he is denied access.

    Did the zip file ever get scanned? No.

    I talk to him sternly. End of story. ;)
     
  23. mrtwolman

    mrtwolman Eset Staff Account

    Joined:
    Dec 5, 2002
    Posts:
    613
    Exactly. Anyway, I wonder how many idiots are around who will:

    1. unzip password protected file
    2. execute it
    :cool:
     
  24. ragamix

    ragamix Registered Member

    Joined:
    Jun 23, 2003
    Posts:
    17
    Location:
    Bratislava, Slovak republic
    I'm afraid there will be/are many of those "not so talented" users that would, as you have mentioned:
    1. unzip password protected file
    2. execute it

    Sorry but this is not even a virus but an IQ test ;)

    -edit-
    BTW NOD32 detects the new Win32/Bagle.M virus using advanced heuristics. For those who don't know, this is another virus that comes in a password-protected archive. This time the password needed to unzip the file is not in plain text but in the form of a bitmap(!)
     
  25. JimIT

    JimIT Registered Member

    Joined:
    Jan 22, 2003
    Posts:
    1,035
    Location:
    Denton, Texas
    :D

    Sure, but the point is that whether or not the zip is password protected, as soon as the "innards" are exposed, the AV's RTM will hammer it.

    ;)
     