Other AVs unpackin NOD32 quarantine files?

Discussion in 'NOD32 version 2 Forum' started by RejZoR, Sep 3, 2005.

Thread Status:
Not open for further replies.
  1. RejZoR

    RejZoR Lurker

    Joined:
    May 31, 2004
    Posts:
    6,426
    I was wondering why the hell are other AVs like BitDefender and Kaspersky unpacking NOD32 quarantine files? It's just stupid. Is this allowed at all or not?
    BD even detects it as Quarantine PE packer.
     
    RejZoR, Sep 3, 2005
    #1
  2. webyourbusiness

    webyourbusiness Registered Member

    Joined:
    Nov 16, 2004
    Posts:
    2,662
    Location:
    Throughout the USA and Canada
    they would almost have to check these file - otherwise it would become a virus writer's hiding strategy - name your files as if they have been detected and rendered safe by another AV solution... how would you work round that?
     
    webyourbusiness, Sep 3, 2005
    #2
  3. RejZoR

    RejZoR Lurker

    Joined:
    May 31, 2004
    Posts:
    6,426
    But thats imho not they way to "steal" quarantined samples from some other AV.
    Not to mention the mess it makes when you run two AVs (one primary and second one as backup). I tried BD9 and NOD32 this way and BD was constantly "stealing" NOD32 quarantined samples.
     
    RejZoR, Sep 3, 2005
    #3
  4. Firecat

    Firecat Registered Member

    Joined:
    Jan 2, 2005
    Posts:
    8,251
    Location:
    The land of no identity :D
    If the quarantined files are encrypted, then would other AVs still detect those files? o_O
     
    Firecat, Sep 3, 2005
    #4
  5. Brian N

    Brian N Registered Member

    Joined:
    Jul 7, 2005
    Posts:
    2,174
    Location:
    Denmark
    That's what I was thinking too, they shouldn't be able to access those file if they are encrypted.
    Very strange indeed.
     
    Brian N, Sep 3, 2005
    #5
  6. nyone

    nyone Guest

    encryption/packing - it's all been used by viruses too... if a "competitor" finds ANY type of packed or encrypted file, it MUST investigate to the best of it's abiltity - or it risks letting past a packed virus - which ironically, is EXACTLY what a quarantine file is...

    now wouldn't it be interesting to have a virus that targets quarantine files, unpacks them into protected memory, alters them, and re-releases them with different characteristics... oh what fun!
     
    nyone, Sep 3, 2005
    #6
  7. Firecat

    Firecat Registered Member

    Joined:
    Jan 2, 2005
    Posts:
    8,251
    Location:
    The land of no identity :D
    But the meanings of an encrypted file and a packed file are different.....:doubt:

    As such, the word 'reversible' is the key here, but wouldn't companies use encryption that can only be decrypted by them? o_O
     
    Firecat, Sep 3, 2005
    #7
  8. rdsu

    rdsu Registered Member

    Joined:
    Jun 28, 2003
    Posts:
    4,537
    I think that the files aren't encrypted...

    It seems that BitDefender, F-Prot, Kaspersky scan the quarantine files of NOD32...
     
    rdsu, Sep 3, 2005
    #8
  9. Firecat

    Firecat Registered Member

    Joined:
    Jan 2, 2005
    Posts:
    8,251
    Location:
    The land of no identity :D
    Add encryption of quarantine files to NOD32 future changes list! :D
     
    Firecat, Sep 3, 2005
    #9
  10. webyourbusiness

    webyourbusiness Registered Member

    Joined:
    Nov 16, 2004
    Posts:
    2,662
    Location:
    Throughout the USA and Canada
    webyourbusiness, Sep 4, 2005
    #10
  11. MichelB

    MichelB Guest

    Looks like they are 1byte encrypted, by looking in a hex editor. This is not a problem, why would it be ? Some other AV doesn't "steal" any sample, it would not need it.. if it didnt know what the virus is then no detection ? ;-)
     
    MichelB, Sep 4, 2005
    #11
  12. mrtwolman

    mrtwolman Eset Staff Account

    Joined:
    Dec 5, 2002
    Posts:
    613
    IMHO public key crypto would be a bit overkill :D
     
    mrtwolman, Sep 6, 2005
    #12
Thread Status:
Not open for further replies.
  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.
    Accept Learn More...