Scan and detect virus in Archive with real time scanner

Discussion in 'ESET NOD32 Antivirus' started by DavidNL, May 20, 2008.

Thread Status:
Not open for further replies.
  1. DavidNL

    DavidNL Registered Member

    Joined:
    May 20, 2008
    Posts:
    9
    Hi,

    If I download a zip or rar file containing a virus to my desktop (for example http://www.eicar.org/download/eicar_com.zip), NOD32 will not automatically scan and detect this virus.
    It will only detect the virus when I extract the archive.


    I would like to configure NOD32 so it will automatically scan and detect viruses in archive files as soon as they get created/written to disk (even if they never get extracted).

    I'm aware of the fact that this will have a negative impact on performance.

    How can I accomplish this?

    I'm using ESET NOD32 Antivirus Business Edition 3.0.650.0

    Thanks in advance for any help.
     
  2. Capp

    Capp Registered Member

    Joined:
    Oct 16, 2004
    Posts:
    2,125
    Location:
    United States
    Hello and welcome to Wilders!

    Open your Advanced Setup.

    On the left hand side, expand "Antivirus and Antispyware"
    Click on "Real-time file system protection"

    I have included a screenshot of how mine is configured, and mine detects the eicar link you provided.

    Also, click the button titled "Setup" at the top, after "ThreatSense Engine Parameters". Click through the options in here and make sure everything is configured the way you want.

    HTH :)
     

  3. DavidNL

    DavidNL Registered Member

    Joined:
    May 20, 2008
    Posts:
    9
    Hi,

    Thanks for the quick reply.

    I have enabled all the settings in the section you mentioned, but NOD still doesn't recognise a virus inside a zip file.

    I should add this info:
    When I download http://www.eicar.org/download/eicar_com.zip with Internet Explorer, NOD does correctly pick it up. This is the HTTP scan, I suppose.

    But if I copy this zip file from a USB stick to my desktop, NOD does not detect it.

    So this is my problem: the real-time scanner does not seem to scan inside archives.
     

  4. Capp

    Capp Registered Member

    Joined:
    Oct 16, 2004
    Posts:
    2,125
    Location:
    United States
    Ok, I see what you are saying.

    The reason NOD is jumping all over it when you copy it is that, when you copy it in .zip format from one location to the other, it is not actually an active threat. It can't actually do anything while it is zipped.

    Try this: unzip the eicar.com file from within the zip file and see if NOD catches it.

    I just tested this. I downloaded the zip file to my desktop. I then copied it around to different folders and drives without it being detected. But as soon as I extracted the file from the .zip file, NOD32 deleted it.

    NOD32 is designed to catch files on creation if they are an active threat. If a file sitting on your computer is not an actual threat (i.e. a .zip file), NOD will only take the necessary action when the file becomes a threat (i.e. when you extract the files).

    Let me know if it catches it upon unzipping :)
     
  5. dannyboy

    dannyboy Registered Member

    Joined:
    Jul 21, 2005
    Posts:
    113
    Location:
    UK
    This is normal behaviour: the real-time scanner will not scan inside archives (however, the on-demand scanner does. Try right-clicking the zip file and scanning it with NOD32 to see this).

    As Capp says, the contents of the archive will only be scanned in real time if you attempt to extract them, which is the important thing.
     
  6. DavidNL

    DavidNL Registered Member

    Joined:
    May 20, 2008
    Posts:
    9
    @Capp
    Yes, if I extract the zip file the virus is detected correctly. But this doesn't solve my problem, I'm afraid, because the files I want to scan never get extracted.

    Isn't there any way to make the real-time scanner scan inside archives?
    I can't imagine it's not possible.

    The reason I want this is that I want to run NOD32 on a Windows FTP box, and I need to scan all files when they get uploaded, including files in archives, before they get downloaded by any customers.


    Regards,
    D.
     
  7. Capp

    Capp Registered Member

    Joined:
    Oct 16, 2004
    Posts:
    2,125
    Location:
    United States
    Try this.

    Go back to the Advanced Setup.

    Click on 'Web Access Protection' and then click on HTTP.
    In the text box with "80, 8080, 3128" listed, add a comma and port 21 (FTP), so it would look like "80, 8080, 3128, 21".

    This will make the HTTP scanner look at port 21 while doing its scans.
    Then it will function as if you were downloading the files.
     
  8. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,374
    The real-time scanner only scans inside self-extracting archives. Archives are not scanned, as it is a time-consuming operation and it might take minutes to access archives. Executable files would be detected upon extraction.
     
  9. edwin3333

    edwin3333 Registered Member

    Joined:
    Aug 29, 2007
    Posts:
    244
    My concern with this statement is that it may not always be true. (Though I admit I may be wrong.)

    When we were with CA, we also did not scan archive files with the real-time scanner. Then an archive came into our network which was corrupt. CA did not scan it because it was corrupt. The archive was crafted a certain way: a buffer overflow executed the virus directly into memory.

    We turned on real-time scanning of archive files then. But that really didn't help either, because CA said the archive was corrupt and just didn't scan it.

    At first they added a pattern which detected this virus based off something in the file (pattern match). Then they updated their archive-handling code to catch the variants. Over the years more buffer overflows and underruns became known, and more viruses, and more updates to arclib.dll. You'd think they would have scanned the entire DLL for the same problem elsewhere, but they never did.

    Is this not a threat with NOD32 *not* scanning these types of files?

    http://secunia.com/advisories/12878/
    http://secunia.com/advisories/10874/
    http://secunia.com/advisories/25570/
    http://secunia.com/advisories/12877/ * While it says it's not critical, it is in cases where the exploit buffer overflows and executes in memory.
    http://secunia.com/advisories/26155/


    Other similar cases:
    http://secunia.com/advisories/14084/
    http://secunia.com/advisories/26038/
    http://secunia.com/advisories/24187/
    Secunia has a ton of them.

    I ask because in NOD 2.7 I had EVERYTHING enabled. With 3.0 I have had to use the recommended settings of not scanning archives nor executable archives, due to the enormous amount of resources 3.0 requires to do this. This leaves me wondering if the problems I had with CA and these settings will resurface as another 0-day virus that hits me.
     
  10. DavidNL

    DavidNL Registered Member

    Joined:
    May 20, 2008
    Posts:
    9
    Hi Capp,

    Nice try, but unfortunately it didn't work. I also entered all the FTP ports I use for FTP transfer (PASV port range), but still NOD doesn't detect the virus in the archive :'(
     
  11. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,374
    If you actually download files via HTTP (not HTTPS), the web access protection will scan even inside archives. FTP is not supported.
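Since neither the real-time scanner nor the web access protection covers the FTP upload case DavidNL describes, the practical route is the one dannyboy points at: inspect each upload on demand, and do the archive walking yourself so that nothing reaches customers before its contents were looked at. The script below is an added example, not code from this thread or from ESET. It uses Python's standard zipfile module, "detects" only the EICAR test string so it runs offline (a real deployment would hand every extracted member to the on-demand scanner instead), and builds its own constructed sample uploads in memory. It also handles the two failure modes raised in the thread: an archive that is corrupt or otherwise cannot be fully inspected is rejected rather than passed through as clean (edwin3333's CA story), and nesting depth and decompression ratio are capped so a scan cannot take minutes or blow up memory (Marcos's objection). The size limits and verdict labels are my own choices.

```python
"""Added example: an upload-directory scan hook that inspects inside archives.
Not from the thread and not ESET code. Detection is only the EICAR test
string so that the script runs offline; in production each member would be
passed to a real on-demand scanner instead of a byte-pattern match."""
import io
import zipfile
import zlib

# EICAR test string, assembled from two halves so this source file is not itself flagged.
EICAR = b"X5O!P%@AP[4\\PZX54(P^)7CC)7}$" + b"EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"

MAX_DEPTH = 2                        # archive-in-archive levels allowed before rejecting (assumed limit)
MAX_MEMBER_BYTES = 8 * 1024 * 1024   # decompressed size cap per member (assumed limit)
MAX_RATIO = 200                      # decompressed:compressed ratio above which a member is refused

ZIP_MAGIC = (b"PK\x03\x04", b"PK\x05\x06", b"PK\x07\x08")


def looks_like_zip(data):
    """Signature check that does not depend on the archive parsing cleanly."""
    return data[:4] in ZIP_MAGIC


def scan_bytes(data, name, depth=0):
    """Return a list of (path, verdict). Anything that cannot be fully
    inspected is REJECTed; it is never allowed to fall through as 'clean'."""
    if not looks_like_zip(data):
        return [(name, "DETECT: EICAR test file" if EICAR in data else "clean")]
    if depth >= MAX_DEPTH:
        return [(name, "REJECT: archive nested too deep")]
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        # Corrupt or deliberately malformed: the scanner could not see inside,
        # so the file is refused instead of being treated as harmless.
        return [(name, "REJECT: zip signature but archive unparseable")]
    findings = []
    with zf:
        for info in zf.infolist():
            member = f"{name}/{info.filename}"
            if info.is_dir():
                continue
            ratio = info.file_size / max(info.compress_size, 1)
            if info.file_size > MAX_MEMBER_BYTES or ratio > MAX_RATIO:
                findings.append((member, "REJECT: oversize or bomb-like member"))
                continue
            try:
                payload = zf.read(info)
            except (zipfile.BadZipFile, zlib.error, RuntimeError, NotImplementedError):
                # bad CRC, broken deflate stream, encrypted member, unsupported method
                findings.append((member, "REJECT: member unreadable"))
                continue
            findings.extend(scan_bytes(payload, member, depth + 1))
    return findings or [(name, "clean")]


def verdict(findings):
    """Collapse per-member results into a single decision for the upload."""
    verdicts = [v for _, v in findings]
    if any(v.startswith("DETECT") for v in verdicts):
        return "DETECT"
    if any(v.startswith("REJECT") for v in verdicts):
        return "REJECT"
    return "CLEAN"


def build_zip(members, compression=zipfile.ZIP_DEFLATED):
    """Build a constructed sample archive in memory; members is {filename: bytes}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", compression) as zf:
        for fname, content in members.items():
            zf.writestr(fname, content)
    return buf.getvalue()


def sample_uploads():
    """Constructed inputs standing in for files landing in the FTP upload directory."""
    eicar_zip = build_zip({"eicar.com": EICAR})
    return {
        "readme.txt": b"nothing to see here\n",
        "eicar.com": EICAR,
        "eicar_com.zip": eicar_zip,                                  # archive, one level
        "eicarcom2.zip": build_zip({"eicar_com.zip": eicar_zip}),    # archive inside archive
        "deep.zip": build_zip({"mid.zip": build_zip({"eicar_com.zip": eicar_zip})}),
        "truncated.zip": eicar_zip[:-12],                            # end-of-central-directory cut off
        "bomb.zip": build_zip({"zeros.bin": b"\0" * (1 << 20)}),     # 1 MiB of zeros, huge ratio
    }


def scan_uploads(uploads):
    """Map each upload name to its overall verdict."""
    return {fname: verdict(scan_bytes(data, fname)) for fname, data in uploads.items()}


if __name__ == "__main__":
    for fname, result in scan_uploads(sample_uploads()).items():
        print(f"{fname:16s} {result}")
```

The point of the signature check before parsing is the one edwin3333 raises: an archive that is corrupt is the case you most want to stop, so "it has a zip header but the parser gave up" must map to a rejection, not to "nothing to scan". On the server, a REJECT would move the file out of the customer-visible tree the same way a DETECT does; only a CLEAN verdict should release it.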
     