
StraitShoot
Who Loves Ya Baby? - Theo Kojak
Premium Member
join:2003-02-08
Clinton, MA

NAV 2004 Improvements and changes...?

I just thought it might be a good idea to start a thread that DEFINITELY (no speculations, please!)...that tells from people who know WHAT new improvements, changes, and added features are going to NAV 2004... I'm sure many of us (including me) would like to know...
Tablet
Premium Member
join:2003-01-15
Czech

said by StraitShoot:
I just thought it might be a good idea to start a thread that DEFINITELY (no speculations, please!)...that tells from people who know WHAT new improvements, changes, and added features are going to NAV 2004... I'm sure many of us (including me) would like to know...
These are things I found when using it for a while. It certainly can unpack rar, zip, upx and aspack. It unpacks even archives compressed multiple times. I haven't tried any other packing formats.

agent00
join:2003-07-03

agent00 to StraitShoot
Member

NAV 2004 can't unpack UPX and ASPack.
Who the hell is telling this? It does detect some samples because of prepacking, but not because it can unpack them.
Schouw
Premium Member
join:2003-05-29
Netherlands

1 recommendation

Then explain to us how NAV 2004 can find double packed aspack samples while NAV 2003 can not.

off-topic: have you ever made a post on this forum that's not out to bash NAV?

Next to that: it is _BETA_, so they might still have trouble with their packers.
KAV may support the most packers, but their unpackers are most certainly not bugfree.

Some of us seem to have proven that NAV 2004 has unpackers. Try to prove us wrong, instead of just shouting that we are wrong.

nitemare
join:2000-05-11
Klamath Falls, OR

nitemare to StraitShoot
Member

So then it's an issue of defs and not unpackers?

agent00
join:2003-07-03

agent00 to StraitShoot
Member

TheSpyunpacked.zip
7,220 bytes

First, I have the newest version (Screenshot 1 - n1.jpg)

2nd, it does detect it uncompressed (Screenshot 2 - n4.jpg)

3rd, I pack it via UPX 1.24 (Screenshot 3 - n3.jpg)

and it is undetected.

Just try it out; I attach the original unpacked sample.
Schouw
Premium Member
join:2003-05-29
Netherlands

1 recommendation

NAV detects unpacked sample
McAfee detects unpacked sample.
RAV detects unpacked sample

NAV doesn't detect packed sample.
McAfee doesn't detect packed sample.
RAV doesn't detect packed sample

Take the unpacked version, pack it, unpack it again.
No AV but KAV can detect it.

Like I said before, this is _one_ sample.
I made the same mistake once, because McAfee could detect some Armadillo packed samples, while it has not got full Armadillo support.

Use at least 10 files before you make a conclusion.

Allnew
MVM
join:2003-02-01
Denmark- EU.

Allnew to StraitShoot

Good idea for a topic Strait S.
BTW. Was it in september the 2004 version was due for release??
Tablet
Premium Member
join:2003-01-15
Czech

Has anyone noticed anything else apart from unpacker support? I still haven't found any samples that are detected as joke or adware, for example. Don't keep it to yourself please, let us know.

_anvil
@t-dialin.net

_anvil to StraitShoot
Anon

@Tablet
"I unpacked it again and NAV also didn't detect it."

This _can_ happen, because files which are first packed and then unpacked again aren't exactly the same anymore - of course, it is bad if an AV can't detect these packed-unpacked malware files... (but there are several AV, which have probs with that, not only NAV!)

@Schouw
"McAfee doesn't detect the packed sample as well."

I can't reproduce this... which version of UPX and which options did you use?

Qumahlin
Never Enough Time
MVM
join:2001-10-05
united state

Qumahlin to StraitShoot

Um, using Norton 2003... it detected all of those while packed except for the very first one labeled UPX1.24.
Other than UPX1.24.zip, the rest were detected right away... Reminder, this is using 2003... not 2004.

agent00
join:2003-07-03

agent00 to StraitShoot
Member

It does detect it because all other files are unpacked except upx124.zip
Tuulilapsi
Kenosis
join:2002-07-29
Finland

Tuulilapsi to StraitShoot
Member

Wouldn't it be a mite easier to just ask the NAV guys if their new toy has unpackers?
Schouw
Premium Member
join:2003-05-29
Netherlands

Schouw to StraitShoot

I used 1.90, standard options.
But with the latest file I tested 1.90 and 1.24 and now McAfee detects both.

With the wrong samples I meant, how come that all AVs don't detect the packed sample except KAV?

The latest file goes undetected by NAV2004 when packed, so it seems you are right.

_anvil
@t-dialin.net

_anvil to StraitShoot
Anon


Good opportunity for F-Secure users to see how the F-Prot and KAV engines "work together":
Scan this "Trojan.Win32.Dickler" with F-Secure - it detects "a destructive program" (F-Prot's generic name) - F-Prot is obviously the 'primary' engine to scan a file.

Then pack it with UPX and scan again - now it is detected by real name: this is the KAV-engine, which can unpack, while F-Prot cannot - so no surprise, yet.

Then unpack the file again (with "upx -d") and scan it. Well, again it is the KAV engine, which detects the nasty... what does this tell us about F-Prot's signature quality?

jdong
Eat A Beaver, Save A Tree.
Premium Member
join:2002-07-09
Rochester, MI

LOL, Anvil, I was trying to get the AVP engine to scan before F-Prot...

The guys @ support told me that it's impossible, but they did like the idea and forwarded it to their development team...

Perhaps something to look forward to in FSAV 5.42...

Name Game
Premium Member
join:2002-07-07
Grand Rapids, MI

Name Game to Anon

said by agent00:
said by Schouw:
The latest file goes undetected by NAV2004 when packed, so it seems you are right.
Oh yeah ?
BTW next toy attached

Can that NAV Beta also scan images?
Tablet
Premium Member
join:2003-01-15
Czech

1 recommendation

said by Name Game:
Can that NAV Beta also scan images?
This feature has not yet been implemented. But due to increased users' concern it shall be included in the next LiveUpdate.
Schouw
Premium Member
join:2003-05-29
Netherlands

1 recommendation

Schouw to Anon

quote:
Oh yeah ?
BTW next toy attached
NAV only detects the unpacked sample, after packing and unpacking it misses it as before.
McAfee detects all three samples.

Guess there is no UPX support, I only tested aspack support very briefly and that seems present.
But then again, why would they add aspack if they don't add upx support?

jdong
Eat A Beaver, Save A Tree.
Premium Member
join:2002-07-09
Rochester, MI

Well, let's just hope that it means the Symantec guys plan on adding other packer support via LiveUpdate in the near future... :-\

Anav
Sarcastic Llama? Naw, Just Acerbic
Premium Member
join:2001-07-16
Dartmouth, NS

Isn't that the whole point of this exercise, to raise the standards and our protection by all the associated apps!!
Tablet
Premium Member
join:2003-01-15
Czech

Tablet to Schouw

said by Schouw:
Guess there is no UPX support, I only tested aspack support very briefly and that seems present.
But then again, why would they add aspack if they don't add upx support?
I have quite a few samples I packed with UPX that are detected by NAV. Look above, it shows NAV detecting a virus inside packed file. Note what it says when I click on the sample in the list.
[text was edited by author 2003-07-08 13:39:47]
Schouw
Premium Member
join:2003-05-29
Netherlands

Well, look at jdong's test.
NAV even detects upx-aspack-upx compressed files, without an unpacker..
If NAV2k4 can see what kind of sig it is (sig for upx sample, sig for aspack sample etc.), then it could display a message like this without having an unpacker.

Must say it's strange, because when I scan an uncompressed sample it says: scanned 1 file.
scanning compressed sample: scanned 2 files.
It could be unpacker bugginess, it could be crappy signatures.

It all is very vague, maybe it's better to wait for Symantec to come with a statement. Or wait till 2004 is out of beta.
Tablet
Premium Member
join:2003-01-15
Czech

I do not know if this can help, but with two samples I get this interesting behaviour by NAV 2004:

i.e. this Mapson.Worm sample is UPX packed and NAV detects two viruses of the same name. One for the packed virus and one for the unpacked. This is understandable for me. But now comes the interesting part. When I further Aspack the file, NAV detects 10 viruses of same name - see above..
First detection comes from the packed file, the second comes from content of the packed file, the third comes from the content of the content of the packed file and so on.. the tenth detection is reported to be 9 levels inside the archive.

If you have any suggestions as to why it could behave like this, please share them with me.

Thanks
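The following Python script is an added example and is not code from this thread or from any product discussed in it; its toy packer, sample file and signatures are all constructed for illustration. It models the behaviours the thread is reasoning about: Schouw's pack-then-unpack test together with _anvil's point that a packed-then-unpacked file is no longer byte-identical (so a whole-file hash signature misses it while a content signature still fires), agent00's "prepacking" explanation (a signature on the packed file itself needs no unpacker), and Tablet's observation that a recursively unpacking scanner reports one detection per nesting level, down to nine levels.

```python
import hashlib
import zlib

# --- Constructed toy packer (stands in for UPX/ASPack; not their format) -----
MAGIC = b"TOYP"
XOR_KEY = 0x5A


def pack(data: bytes) -> bytes:
    """Compress and lightly encode the file, as a runtime packer would."""
    body = bytes(b ^ XOR_KEY for b in zlib.compress(data))
    return MAGIC + body


def is_packed(data: bytes) -> bool:
    return data.startswith(MAGIC)


def unpack(data: bytes) -> bytes:
    """Reverse pack(). As with 'upx -d', the result need not be byte-identical
    to what was packed: this toy unpacker zeroes the 8-byte timestamp field
    (offsets 2..10) of the constructed executable header when it reaches one."""
    body = bytes(b ^ XOR_KEY for b in data[len(MAGIC):])
    original = zlib.decompress(body)
    if original.startswith(b"MZ"):
        original = original[:2] + b"\x00" * 8 + original[10:]
    return original


# --- Constructed sample and signatures ---------------------------------------
MARKER = b"<<toy-worm-marker>>"
SAMPLE = (
    b"MZ"                          # constructed executable magic
    + bytes(range(0x11, 0x19))     # 8-byte "timestamp" field (non-zero)
    + b"\x90" * 32                 # filler
    + MARKER                       # bytes the content signature keys on
    + b"\x00" * 8
)

# Content signature: a byte pattern inside the unpacked body.
PATTERN_SIGS = [("Toy.Worm", MARKER)]

# Whole-file hash signatures: the original, plus a "prepacked" entry for the
# packed form (the kind of entry that lets a scanner flag a packed sample
# without having any unpacker at all).
HASH_SIGS = {
    hashlib.sha256(SAMPLE).hexdigest(): "Toy.Worm",
    hashlib.sha256(pack(SAMPLE)).hexdigest(): "Toy.Worm",
}


def scan(data: bytes, depth: int = 0, max_depth: int = 16) -> list:
    """Return (name, nesting depth, signature kind) for every hit, descending
    through packer layers until max_depth so a deeply nested or malformed blob
    cannot make the scanner recurse (and decompress) without bound."""
    hits = []
    digest = hashlib.sha256(data).hexdigest()
    if digest in HASH_SIGS:
        hits.append((HASH_SIGS[digest], depth, "hash"))
    for name, pattern in PATTERN_SIGS:
        if pattern in data:
            hits.append((name, depth, "pattern"))
    if is_packed(data) and depth < max_depth:
        hits.extend(scan(unpack(data), depth + 1, max_depth))
    return hits


def pack_times(data: bytes, n: int) -> bytes:
    """Apply the toy packer n times, like Tablet's UPX-then-ASPack nesting."""
    for _ in range(n):
        data = pack(data)
    return data


if __name__ == "__main__":
    print("original:         ", scan(SAMPLE))
    print("packed once:      ", scan(pack(SAMPLE)))
    print("packed, unpacked: ", scan(unpack(pack(SAMPLE))))
    print("packed nine times:", scan(pack_times(SAMPLE, 9)))
    print("packed 20 times:  ", scan(pack_times(SAMPLE, 20)))
```

Scanning the packed sample yields two hits of the same name: the prepacked hash entry at depth 0 and the content signature at depth 1, which is the "two viruses of the same name" pattern Tablet describes. Scanning the packed-then-unpacked file yields only the content hit, because the reconstructed file no longer hashes to the original, which is _anvil's point about why an exact signature can miss it. With nine layers the deepest hit is reported at depth 9, and the `max_depth` cap means a 20-layer file is not fully descended by default, so the cap is a trade-off between thoroughness and resistance to nesting bombs.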

Randy Bell
Premium Member
join:2002-02-24
Santa Clara, CA

said by Tablet:
If you have any suggestions why could it behave like this, please share it with me.
What is displayed when you click on those ten samples, as you did in your previous post?

jdong
Eat A Beaver, Save A Tree.
Premium Member
join:2002-07-09
Rochester, MI

jdong to StraitShoot

Is it just me, or did this and 3 other topics go offline/online a few minutes ago...?

Does anyone care to post a screenshot of the Auto-Protect config options? Is prompt an option yet? That's something I really want.
Tablet
Premium Member
join:2003-01-15
Czech

Tablet to Randy Bell

A picture is worth a thousand words.
From top to bottom the detections are deeper and deeper into the archive. The last one I took a screenshot of is 9 levels deep, as if the file was packed nine times.

Bobb5
Premium Member
join:2001-02-16
Kent, WA

Bobb5 to StraitShoot

said by StraitShoot:
I just thought it might be a good idea to start a thread that DEFINITELY (no speculations, please!)...that tells from people who know WHAT new improvements, changes, and added features are going to NAV 2004... I'm sure many of us (including me) would like to know...
Great idea for a thread! I've wanted to know what, if any, changes there are. I decided it wasn't worth installing the Beta, not for 30 days, so this thread will be great.

StraitShoot
Who Loves Ya Baby? - Theo Kojak
Premium Member
join:2003-02-08
Clinton, MA


1 recommendation

said by Bobb5:
Great idea for a thread! I've wanted to know what, if any, changes there are. I decided it wasn't worth installing the Beta, not for 30 days, so this thread will be great.

I come out with the good ones, eh? LOL...

Actually, I posted this because I wanted to find out what NAV's up to lately. I see NAV is REALLY getting strong in unpackers now! Great for them! Also, another purpose of my thread is to have a centralized location for NAV beta and related improvements. There has been too much "Thread Hijacking" lately..LOL..

[text was edited by author 2003-07-08 18:29:34]