Question for ESET

Discussion in 'ESET NOD32 Antivirus' started by wrathchild, Jun 24, 2008.

Thread Status:
Not open for further replies.
  1. wrathchild

    wrathchild Registered Member

    Joined:
    Feb 7, 2008
    Posts:
    170
    Location:
    Neoplantesis
    I've downloaded the archive with the Anti-Malware Testfile from the EICAR site over SSL, and because of that the Web scanner didn't catch the Anti-Malware Testfile in that archive.

    Now, because the Real-time module doesn't scan archives, I can easily attach that file to an email and send it without detection, because Email protection doesn't scan outgoing emails (I'm not talking about the module for Microsoft Outlook... I use TheBat).

    Btw... when I try to download that archive via HTTP everything is ok, because the Web module scans archives and can detect the Anti-Malware Testfile in that archive.

    My question is, how do you ESET guys look at this scenario? Is this the way an AV should work?
     
    Last edited: Jun 24, 2008
  2. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,374
    Let's assume we are able to scan inside archives using the real-time scanner and that POP3s / SMTP is scanned. If you receive email via a secured connection (POP3s), I assume you'll get it from a Gmail account where you received some malware. Since it's usually spread in password-protected archives with the password listed in attached images as a captcha, it would be skipped by both the email and real-time scanners. In your example you say that you won't extract the archive, but send it immediately. My question is, what antivirus would intercept the threat in such a case?
     
  3. wrathchild

    wrathchild Registered Member

    Sending an email with that archive was only for testing how NOD32 works.
    The real question is why the virus (test file) in that archive is on my HD?!... even with NOD32 active.
    I don't want that archive with viruses on my HD... that's the reason why I use AV software, or have I missed something?
    If you're able to scan archives in Real-time protection, why not implement it?
     
  4. Marcos

    Marcos Eset Staff Account

    For the same reason why advanced heuristics and runtime packers are not enabled by default on access. Scanning archives in real time would be much more time consuming; just imagine scanning an archive with a couple of files (let's assume 5), each of which would take 5 seconds for advanced heuristics to emulate. In this case, ekrn would utilize the CPU for 25 secs, during which you could hardly do anything (unless you have a multiple-core CPU). Needless to say, scanning archives in real time is completely unnecessary, unlike scanning runtime-packed files.
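    The two points made in this thread, the detection gap from post 1 (a flat scan of a downloaded archive sees nothing, while unpacking its members does) and the cost argument from post 4 (every member unpacked is another object the engine has to scan), as an added Python example. This is not code from the thread, from ESET or from any product; it uses a constructed marker string in place of the EICAR test file and counts scanned objects in place of real per-file emulation time. The `flat_scan` and `deep_scan` names and the depth cap are assumptions for the illustration.

```python
import io
import zipfile

# Constructed marker standing in for a test-file signature such as EICAR's
# (assumption: a real engine matches against its signature database here).
TEST_SIGNATURE = b"CONSTRUCTED-TEST-MARKER-NOT-A-REAL-VIRUS"
ZIP_ENCRYPTED_FLAG = 0x1  # general-purpose bit 0 in the zip member header


def build_sample_archive():
    """Constructed sample: a zip containing a second zip that holds the marker."""
    # Zero padding makes deflate actually compress the member, so the marker
    # bytes are not stored verbatim in the archive; that is what a flat scan
    # of the downloaded file never gets to see.
    payload = TEST_SIGNATURE + b"\x00" * 4096
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("readme.txt", "harmless text")
        zf.writestr("testfile.com", payload)
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("notes.txt", "also harmless")
        zf.writestr("inner.zip", inner.getvalue())
    return outer.getvalue()


def scan_object(name, data, scan_archives, max_depth=4, _depth=0, stats=None):
    """Scan one object; descend into zip members only when scan_archives is set.

    Returns (findings, stats). Each finding is (path, verdict). stats counts
    how many objects the signature match ran over, which is the extra work a
    real-time scanner takes on when it unpacks archives.
    """
    if stats is None:
        stats = {"objects_scanned": 0}
    stats["objects_scanned"] += 1
    findings = []
    if TEST_SIGNATURE in data:
        findings.append((name, "test-signature"))
    if scan_archives and _depth < max_depth and zipfile.is_zipfile(io.BytesIO(data)):
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for member in zf.infolist():
                if member.is_dir():
                    continue
                path = f"{name}/{member.filename}"
                if member.flag_bits & ZIP_ENCRYPTED_FLAG:
                    # Password-protected content cannot be inspected; report it
                    # instead of silently treating it as clean.
                    findings.append((path, "unscannable-encrypted"))
                    continue
                nested, _ = scan_object(path, zf.read(member), True,
                                        max_depth, _depth + 1, stats)
                findings.extend(nested)
    return findings, stats


def flat_scan(data):
    """The real-time behaviour described in the thread: the file is scanned as-is."""
    return scan_object("download.zip", data, scan_archives=False)


def deep_scan(data):
    """The web-scanner behaviour: archive members are unpacked and scanned too."""
    return scan_object("download.zip", data, scan_archives=True)


if __name__ == "__main__":
    sample = build_sample_archive()
    for label, scan in (("flat", flat_scan), ("deep", deep_scan)):
        findings, stats = scan(sample)
        print(label, findings, stats)
```

    Running it shows the flat scan touching one object and reporting nothing, while the deep scan touches five objects (the download, two top-level members, and the two members of the nested zip) before it reaches the marker. That five-to-one ratio is the cost argument from post 4 in miniature; a real engine would also need size limits alongside the depth cap so that deeply nested or highly compressible archives cannot tie up the scanner, and the `unscannable-encrypted` verdict is the defender's answer to the password-protected case: surface it rather than pass it as clean.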
     
  5. wrathchild

    wrathchild Registered Member

    Same scenario, but now with Avira on my primary machine.
    The archive is intercepted by the Guard module (real-time protection... and I didn't notice any slowdown because of the archive scanning). With the Guard module disabled the mail can't be sent, because the Mail module catches it (even if I use TheBat).

    Marcos, can we expect that you'll implement support for other email clients in future versions?
     
  6. Marcos

    Marcos Eset Staff Account

    Try sending actual malware, i.e. a password-protected file with the password shown in an attached image file, like the current worms do it. Let's speak about the reality and not about some theory ;)
     
  7. wrathchild

    wrathchild Registered Member

    Heh... but in this case the reality is that I've downloaded an archive with the Anti-Malware test file and sent it via email without interception from NOD32 ;)
     