Update 2431 and archives

Discussion in 'NOD32 version 2 Forum' started by Kosak, Aug 1, 2007.

Thread Status:
Not open for further replies.
  1. Kosak

    Kosak Registered Member

    Joined:
    Jul 25, 2007
    Posts:
    711
    Location:
    Slovakia
    Before update 2431, which upgraded the archive module, NOD32 detected this in one .zip file: probably a variant of Win32/Small trojan. After this update NOD32 cannot test this file and writes this: unpack error.

    I tried to test the file in the .zip archive and then unzipped as .exe o_O


    Note: on 15.07.2007 NOD32 could not test this file, but on 01.08.2007 NOD32 could test it, and this update changed it back.
     
    Last edited: Aug 2, 2007
  2. Kosak

    Kosak Registered Member

    Joined:
    Jul 25, 2007
    Posts:
    711
    Location:
    Slovakia
    What do you think, where is the problem? Will ESET solve it?
     
  3. Seer

    Seer Registered Member

    Joined:
    Feb 12, 2007
    Posts:
    1,596
    Location:
    Singidunum
    Have you tried the same with 2434?
     
  4. Kosak

    Kosak Registered Member

    Joined:
    Jul 25, 2007
    Posts:
    711
    Location:
    Slovakia
    Of course
     
  5. Seer

    Seer Registered Member

    Joined:
    Feb 12, 2007
    Posts:
    1,596
    Location:
    Singidunum
    Well, I don't allow my NOD to update automatically, I prefer to do it manually. So I have noticed that there was an update for advanced heuristics in 2432. This "probably variant" is detected heuristically. Perhaps an ESET official would clear this up for us... :)
     
  6. Kosak

    Kosak Registered Member

    Joined:
    Jul 25, 2007
    Posts:
    711
    Location:
    Slovakia
    This problem isn't in the heuristic module. NOD32 cannot open and test this file in the .zip archive or extracted with the extension .exe :(
     
  7. cupez80

    cupez80 Registered Member

    Joined:
    Jun 28, 2005
    Posts:
    605
    Location:
    Surabaya Indonesia
    Have you sent the .zip file to ESET? It could be an FP.
     
  8. Kosak

    Kosak Registered Member

    Joined:
    Jul 25, 2007
    Posts:
    711
    Location:
    Slovakia
    I sent this sample to ESET on 24th July with other files. I attached results from http://www.virustotal.com/


    This sample was marked as TR/Crypt.FSPM.Gen (Avira) = Trojan.Small.APJ (BitDefender). At that time NOD32 wrote unpack error, too. It changed to heuristic detection and came back. (but I already wrote this)
     
  9. Kosak

    Kosak Registered Member

    Joined:
    Jul 25, 2007
    Posts:
    711
    Location:
    Slovakia
    Today ESET upgraded the archive module, but my problem still persists. :(
     
  10. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,374
    The archive is being looked at, please hold on.
     
  11. ugly

    ugly Registered Member

    Joined:
    Mar 21, 2005
    Posts:
    276
    Location:
    Romania
    Some time ago I sent a trojan to ESET that is still not detected.
    On VirusTotal today:

    removed attachment....Bubba

    Is this an archive problem too?
     
    Last edited by a moderator: Aug 5, 2007
  12. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,374
    It's a password protected archive, the file(s) inside are usually detected.
     
  13. ugly

    ugly Registered Member

    Joined:
    Mar 21, 2005
    Posts:
    276
    Location:
    Romania
    No, it is not password protected. o_O
    Others are detecting it without any problems. (DNSChanger)
     
  14. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,374
    These usually contain password protected archives, I'm very doubtful NOD32 would give you that message otherwise.
     
  15. ugly

    ugly Registered Member

    Joined:
    Mar 21, 2005
    Posts:
    276
    Location:
    Romania
    I get that message on VirusTotal only.
    If I scan that file with NOD32 it finds nothing.
    Anyway I'll resend that to ESET and perhaps it will finally get fixed.
     
  16. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,374
    As I said, the archive contains other password protected archives:
     

    Attached Files:

    • scan.jpg (26.8 KB)
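The situation described in the post above, an archive that itself contains password-protected archives, can be confirmed without knowing any password, because ZIP marks each encrypted member with bit 0 of its general-purpose flag. The following is an added example, not part of the original thread or of any ESET code; the function names and the sample archive are constructed for illustration, and it handles ZIP only.

```python
import io
import zipfile

ENCRYPTED = 0x1  # ZIP general-purpose flag bit 0: member data is encrypted

def walk(data, path="", depth=0, max_depth=5):
    """Return [(member_path, status)] for the ZIP in `data`, recursing into nested ZIPs."""
    results = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            name = f"{path}/{info.filename}" if path else info.filename
            if info.flag_bits & ENCRYPTED:
                results.append((name, "encrypted"))  # cannot be unpacked without the password
                continue
            body = zf.read(info)
            if zipfile.is_zipfile(io.BytesIO(body)):
                if depth >= max_depth:  # cap recursion so deep nesting cannot exhaust the scanner
                    results.append((name, "too-deep"))
                else:
                    results.extend(walk(body, name, depth + 1, max_depth))
            else:
                results.append((name, "readable"))
    return results

def make_zip(members):
    """Build an uncompressed ZIP in memory from {name: bytes}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        for name, body in members.items():
            zf.writestr(name, body)
    return buf.getvalue()

def mark_encrypted(zip_bytes):
    """Constructed sample only: set flag bit 0 in both headers of a one-member ZIP."""
    raw = bytearray(zip_bytes)
    raw[6] |= ENCRYPTED                            # local file header, flags at offset 6
    raw[raw.find(b"PK\x01\x02") + 8] |= ENCRYPTED  # central directory header, flags at offset 8
    return bytes(raw)

def demo():
    # Constructed input: outer.zip -> inner.zip -> payload.bin (flagged as encrypted)
    inner = mark_encrypted(make_zip({"payload.bin": b"constructed sample data"}))
    outer = make_zip({"readme.txt": b"constructed", "inner.zip": inner})
    return walk(outer)

if __name__ == "__main__":
    print(demo())
```

A member reported as `encrypted` is one a scanner can only judge from the outside of the container, which is the distinction the later replies in the thread turn on.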
  17. ugly

    ugly Registered Member

    Joined:
    Mar 21, 2005
    Posts:
    276
    Location:
    Romania
    Suppose you are right, I still have a very big question.
    How do others manage to scan inside those protected archives and detect that threat? o_O
     
  18. flyrfan111

    flyrfan111 Registered Member

    Joined:
    Jun 1, 2004
    Posts:
    1,224
    Either guess/know the password or brute force/dictionary it.
     
  19. ugly

    ugly Registered Member

    Joined:
    Mar 21, 2005
    Posts:
    276
    Location:
    Romania
    :eek:
    For sure nothing like that. :p
     
  20. ugly

    ugly Registered Member

    Joined:
    Mar 21, 2005
    Posts:
    276
    Location:
    Romania
    No answer o_O o_O o_O
     
  21. pykko

    pykko Registered Member

    Joined:
    Apr 27, 2005
    Posts:
    2,236
    Location:
    Romania...and walking to heaven
    They detect the whole package either by heuristics or signatures.
     
  22. Kosak

    Kosak Registered Member

    Joined:
    Jul 25, 2007
    Posts:
    711
    Location:
    Slovakia
    Last edited: Aug 6, 2007
  23. pykko

    pykko Registered Member

    Joined:
    Apr 27, 2005
    Posts:
    2,236
    Location:
    Romania...and walking to heaven
  24. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,374
    The file was patched FSG so there's nothing to fix. However, Advanced heuristics was able to emulate the code, so if it was malicious AH would have caught it.
     
  25. Kosak

    Kosak Registered Member

    Joined:
    Jul 25, 2007
    Posts:
    711
    Location:
    Slovakia
    But before this update NOD32 could test that file. I think the problem is certainly in the archive module.
     