Other AVs unpacking NOD32 quarantine files?

Discussion in 'NOD32 version 2 Forum' started by RejZoR, Sep 3, 2005.

Thread Status:
Not open for further replies.
  1. RejZoR

    RejZoR Registered Member

    Joined:
    May 31, 2004
    Posts:
    6,426
    I was wondering why the hell other AVs like BitDefender and Kaspersky are unpacking NOD32 quarantine files? It's just stupid. Is this allowed at all or not?
    BD even detects it as Quarantine PE packer.
     
  2. webyourbusiness

    webyourbusiness Registered Member

    Joined:
    Nov 16, 2004
    Posts:
    2,640
    Location:
    Throughout the USA and Canada
    They would almost have to check these files - otherwise it would become a virus writer's hiding strategy - name your files as if they have been detected and rendered safe by another AV solution... how would you work round that?
     
  3. RejZoR

    RejZoR Registered Member

    Joined:
    May 31, 2004
    Posts:
    6,426
    But that's IMHO not the way to "steal" quarantined samples from some other AV.
    Not to mention the mess it makes when you run two AVs (one primary and second one as backup). I tried BD9 and NOD32 this way and BD was constantly "stealing" NOD32 quarantined samples.
     
  4. Firecat

    Firecat Registered Member

    Joined:
    Jan 2, 2005
    Posts:
    7,927
    Location:
    The land of no identity :D
    If the quarantined files are encrypted, then would other AVs still detect those files? o_O
     
  5. Brian N

    Brian N Registered Member

    Joined:
    Jul 7, 2005
    Posts:
    2,148
    Location:
    Denmark
    That's what I was thinking too, they shouldn't be able to access those files if they are encrypted.
    Very strange indeed.
     
  6. nyone

    nyone Guest

    Encryption/packing - it's all been used by viruses too... if a "competitor" finds ANY type of packed or encrypted file, it MUST investigate to the best of its ability - or it risks letting past a packed virus - which ironically, is EXACTLY what a quarantine file is...

    Now wouldn't it be interesting to have a virus that targets quarantine files, unpacks them into protected memory, alters them, and re-releases them with different characteristics... oh what fun!
     
  7. Firecat

    Firecat Registered Member

    Joined:
    Jan 2, 2005
    Posts:
    7,927
    Location:
    The land of no identity :D
    But the meanings of an encrypted file and a packed file are different.....:doubt:

    As such, the word 'reversible' is the key here, but wouldn't companies use encryption that can only be decrypted by them? o_O
     
  8. rdsu

    rdsu Registered Member

    Joined:
    Jun 28, 2003
    Posts:
    4,456
    I think that the files aren't encrypted...

    It seems that BitDefender, F-Prot, Kaspersky scan the quarantine files of NOD32...
     
  9. Firecat

    Firecat Registered Member

    Joined:
    Jan 2, 2005
    Posts:
    7,927
    Location:
    The land of no identity :D
    Add encryption of quarantine files to NOD32 future changes list! :D
     
  10. webyourbusiness

    webyourbusiness Registered Member

    Joined:
    Nov 16, 2004
    Posts:
    2,640
    Location:
    Throughout the USA and Canada
  11. MichelB

    MichelB Guest

    Looks like they are 1-byte encrypted, by looking in a hex editor. This is not a problem, why would it be? Some other AV doesn't "steal" any sample, it would not need it... if it didn't know what the virus is then no detection? ;-)
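
Why a 1-byte scheme does not hide a file from another scanner, as an added example that is not part of the original post or any vendor's code. It assumes the "1byte encrypted" observation means a single-byte XOR over the whole file; the key 0xA5 and the stub PE file are constructed for illustration.

```python
import struct

def xor_bytes(data: bytes, key: int) -> bytes:
    """Apply a single-byte XOR (encoding and decoding are the same operation)."""
    return bytes(b ^ key for b in data)

def looks_like_pe(buf: bytes) -> bool:
    """Check the DOS 'MZ' magic and the 'PE\\0\\0' signature that e_lfanew points to."""
    if len(buf) < 0x40 or buf[:2] != b"MZ":
        return False
    (e_lfanew,) = struct.unpack_from("<I", buf, 0x3C)
    # An out-of-range offset yields an empty slice, so the comparison fails safely.
    return buf[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"

def recover_single_byte_key(blob: bytes):
    """Try all 256 keys, as a scanner's unpacker would; return the key or None."""
    for key in range(256):
        # Cheap pre-filter: decode only the 64-byte DOS header first.
        if xor_bytes(blob[:2], key) != b"MZ":
            continue
        if looks_like_pe(xor_bytes(blob, key)):
            return key
    return None

def make_sample_pe() -> bytes:
    """Constructed stub: a DOS header whose e_lfanew points at a PE signature."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)
    return bytes(dos) + b"PE\x00\x00" + b"\x00" * 20

SAMPLE = make_sample_pe()
CONSTRUCTED_KEY = 0xA5                      # assumption, not NOD32's real key
QUARANTINED = xor_bytes(SAMPLE, CONSTRUCTED_KEY)

if __name__ == "__main__":
    key = recover_single_byte_key(QUARANTINED)
    print("encoded file looks like PE:", looks_like_pe(QUARANTINED))
    print("recovered key:", hex(key))
    print("decoded file looks like PE:", looks_like_pe(xor_bytes(QUARANTINED, key)))
```

With only 256 possible keys and a known file signature to test against, the original file is recovered without knowing anything about the product that wrote it, which is why a second scanner can still see and flag the contents.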
     
  12. mrtwolman

    mrtwolman Eset Staff Account

    Joined:
    Dec 5, 2002
    Posts:
    613
    IMHO public key crypto would be a bit overkill :D
     