NOD32's unpacking engine?

Discussion in 'NOD32 version 2 Forum' started by Kobra, May 23, 2004.

Thread Status:
Not open for further replies.
  1. Kobra

    Kobra Registered Member

    Joined:
    May 11, 2004
    Posts:
    129
    What kind of unpacking engine does NOD32 have, or does it have any at all?

    Curious, it's missing repacked baddies for me.
     
  2. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,374
    Virus detection in compressed or protected executable files, such as Pklite, Lzexe, Diet, Exepack, CPAV, UPX, AsPack, FSG, Petite, Neolite.

    Support of many archive formats, e.g. ZIP, RAR, ARJ, LZH, LHA
     
  3. Arin

    Arin Registered Member

    Joined:
    May 1, 2004
    Posts:
    997
    Location:
    India
    Dear Kobra, if you name the baddies and the run-time packers used to pack them, it'll surely enlighten us. If you are testing or in a real-life situation, please explain in detail so that we'll all learn a little and, who knows, might be able to shed a little light. As far as I know NOD32 didn't have problems with packers. It even detected the version of the packer used to compress the files.

    Oh, by the way Marcos, CPAV is Central Point Antivirus, which adds a checksum to every file it scans. If there is a packer by that name, please let us know. No offense meant, I just want to know.
     
  4. Kobra

    Kobra Registered Member

    Joined:
    May 11, 2004
    Posts:
    129
    I'm working with a repacked Trojan that seems to have several different rebased baddies inside it. Here are my results so far.

    So far:

    NOD32: Missed (including /AH command line option for Advanced Heuristics)
    BitDefender: Missed
    BOClean: Missed
    TDS3: Missed
    Ewido: Missed
    Trojan Remover: Missed
    Trend Online: Missed
    Panda Full Edition: Missed
    Antivir(H+Bdev): Missed (Including their new deep heuristic engine)
    Symantec Corporate: Missed (yes, super heuristics were ON)
    PCcillin(trend): Missed
    e-Trust: Missed

    Dr.Web: Found
    F-Secure: Found
    McAfee: Found
    KAV5: Found (note, their online scan MISSED, but installed product got)
    KAV4.5: Found

    I sent the sample packed/rebased file over to NOD32, BOClean, BitDefender and some others already. So far, only Kevin at BOClean has replied, and issued new updates to cover it; there were several rebased/hacked baddies hiding inside that nothing else picked up either! Only the 4 progs above managed to pick everything up so far.
     
  5. Arin

    Arin Registered Member

    Joined:
    May 1, 2004
    Posts:
    997
    Location:
    India
    What about the versions of those AV products? All those were updated up to which date? How many trojans do you have in that collection? Can you give out the KAV and McAfee namings of those "baddies"? Thank you.
     
  6. Kobra

    Kobra Registered Member

    Joined:
    May 11, 2004
    Posts:
    129
    All the latest versions. The bundle part of the trojan was picked up by 4 of the products as various things such as:

    MultiDropper-FD
    Win32:Trojan-gen. {UPX!}
    Trojan horse Dropper.ExeBundle.AC
    Trojan.Muldrop.660
    TrojanDropper.Win32.ExeBund

    However, inside this packed bundle, with the dropper, are several new "Mystery Meats", as the BOClean folks called it when they dissected it. I'm assuming this to mean rebased/hacked, based on what they told me.
     
  7. nil

    nil Guest

    What about ace, cab, tar, tar.gz? I did some tests with the EICAR txt file and noticed that NOD32 doesn't detect the EICAR test virus within those formats.

    Can we expect support for ace, cab, tar, tar.gz in future versions? I think it isn't less important than other formats.

    Regards
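The test nil describes (the EICAR test file inside different archive formats) is easy to reproduce, and it is worth building the archives yourself so you know exactly what the scanner was given. The script below is an added example, not code from the thread or from ESET: it assembles the EICAR test string into ZIP, TAR, TAR.GZ and a nested ZIP-in-TAR.GZ entirely in memory, reads each archive back to prove the harness itself is sound, and optionally writes the set to a directory for an on-demand scan. The file names, the `eicar.com` member name and the nesting depth are assumptions of this example; ACE and CAB are not produced because the Python standard library cannot write them.

```python
"""Build EICAR test archives to check a scanner's archive and nesting support."""
import gzip
import io
import os
import tarfile
import zipfile

# The EICAR string is the industry-standard, harmless detection test (it is not
# malware).  It is split into two literals so a scanner that hashes this script
# at rest does not quarantine the source file itself.
EICAR = "X5O!P%@AP[4\\PZX54(P^)7CC)7}$" + "EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"


def make_zip(member: str, data: bytes) -> bytes:
    """Return a deflate-compressed ZIP archive holding one member."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(member, data)
    return buf.getvalue()


def make_tar(member: str, data: bytes, gz: bool = False) -> bytes:
    """Return a TAR (optionally gzip-compressed) archive holding one member."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz" if gz else "w") as tf:
        info = tarfile.TarInfo(member)
        info.size = len(data)
        tf.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def build_test_set() -> dict:
    """Map of archive file name -> archive bytes, all wrapping eicar.com.

    The nested entry checks recursion: the scanner must open a ZIP, find a
    TAR.GZ inside it, decompress that and then unpack the TAR to reach EICAR.
    """
    payload = EICAR.encode("ascii")
    tgz = make_tar("eicar.com", payload, gz=True)
    return {
        "eicar.zip": make_zip("eicar.com", payload),
        "eicar.tar": make_tar("eicar.com", payload),
        "eicar.tar.gz": tgz,
        "nested.zip": make_zip("eicar.tar.gz", tgz),
    }


def extract_innermost(name: str, blob: bytes) -> bytes:
    """Unpack by extension until a non-archive member is reached.

    This is the harness's own self-check: if we cannot get EICAR back out of
    an archive, a scanner miss on that archive tells us nothing.
    """
    if name.endswith(".zip"):
        with zipfile.ZipFile(io.BytesIO(blob)) as zf:
            inner = zf.namelist()[0]
            return extract_innermost(inner, zf.read(inner))
    if name.endswith(".tar.gz"):
        blob = gzip.decompress(blob)
        name = name[: -len(".gz")]
    if name.endswith(".tar"):
        with tarfile.open(fileobj=io.BytesIO(blob), mode="r:") as tf:
            member = tf.getmembers()[0]
            return extract_innermost(member.name, tf.extractfile(member).read())
    return blob


def write_test_set(directory: str) -> list:
    """Write every archive to `directory` (assumed writable) and return the paths.

    Point the scanner's on-demand scan at this directory afterwards; any
    archive it does not flag is one whose format (or nesting depth) it does
    not open.
    """
    os.makedirs(directory, exist_ok=True)
    paths = []
    for name, blob in build_test_set().items():
        path = os.path.join(directory, name)
        with open(path, "wb") as fh:
            fh.write(blob)
        paths.append(path)
    return paths


if __name__ == "__main__":
    for name, blob in build_test_set().items():
        ok = extract_innermost(name, blob) == EICAR.encode("ascii")
        print(f"{name:14s} {len(blob):5d} bytes  self-check {'OK' if ok else 'FAILED'}")
```

Run the self-check first; only when every archive reads back as EICAR does a scanner miss mean anything. Expect the on-access monitor (AMON in the thread) to catch the file at the moment you extract it even when the on-demand scanner ignores the archive, which is the point DiGi makes in the next post.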
     
  8. DiGi

    DiGi Registered Member

    Joined:
    Jul 24, 2003
    Posts:
    114
    Location:
    in the middle of nowhere
    CAB will be supported, I don't know about others... But AMON will catch infected files on unpacking...
     
  9. sir_carew

    sir_carew Registered Member

    Joined:
    Sep 2, 2003
    Posts:
    884
    Location:
    Santiago, Chile
    AH uses a generic unpacker, so AH can analyze other formats than the ones above, and can also analyze some packed files that are packed with a new utility never seen before.
     