StraitShoot (Who Loves Ya Baby? - Theo Kojak) Premium Member join:2003-02-08 Clinton, MA
NAV 2004 Improvements and changes...?
I just thought it might be a good idea to start a thread that DEFINITELY (no speculations, please!)... that tells from people who know WHAT new improvements, changes, and added features are going to NAV 2004... I'm sure many of us (including me) would like to know...
Tablet Premium Member join:2003-01-15 Czech
2003-Jul-8 9:22 am
said by StraitShoot: I just thought it might be a good idea to start a thread that DEFINITELY (no speculations, please!)... that tells from people who know WHAT new improvements, changes, and added features are going to NAV 2004... I'm sure many of us (including me) would like to know...
These are things I found when using it for a while. It certainly can unpack rar, zip, upx and aspack. It unpacks even archives compressed multiple times. I haven't tried any other packing formats.

to StraitShoot
NAV 2004 can't unpack UPX and ASPack. Who the hell is telling this? It does detect some samples because of prepacking, but not because it can unpack it.
Schouw Premium Member join:2003-05-29 Netherlands
1 recommendation
2003-Jul-8 9:33 am
Then explain to us how NAV 2004 can find double packed aspack samples while NAV 2003 can not.
off-topic: have you ever made a post on this forum that's not out to bash NAV?
Next to that: it is _BETA_, so they might still have trouble with their packers. KAV may support the most packers, but their unpackers are most certainly not bug-free.
Some of us seem to have proven that NAV 2004 has unpackers. Try to prove us wrong, instead of just shouting that we are wrong.
nitemare join:2000-05-11 Klamath Falls, OR
to StraitShoot
So then it's an issue of defs and not unpackers?
to StraitShoot
First, I have the newest version (Screenshot 1 - n1.jpg). 2nd, it does detect it uncompressed (Screenshot 2 - n4.jpg). 3rd, I pack it via UPX 1.24 (Screenshot 3 - n3.jpg) and it is undetected. Just try it out, I attach the original unpacked sample.
Schouw Premium Member join:2003-05-29 Netherlands
1 recommendation
2003-Jul-8 10:51 am
NAV detects unpacked sample. McAfee detects unpacked sample. RAV detects unpacked sample.
NAV doesn't detect packed sample. McAfee doesn't detect packed sample. RAV doesn't detect packed sample.
Take the unpacked version, pack it, unpack it again. No AV but KAV can detect it.
Like I said before, this is _one_ sample. I made the same mistake once, because McAfee could detect some Armadillo packed samples, while it has not got full Armadillo support.
Use at least 10 files before you make a conclusion.
Allnew MVM join:2003-02-01 Denmark - EU.
to StraitShoot
Good idea for a topic Strait S. BTW, was it in September the 2004 version was due for release??
Tablet Premium Member join:2003-01-15 Czech
2003-Jul-8 11:55 am
Has anyone noticed anything else apart from unpacker support? I still haven't found any samples that are detected as joke or adware, for example. Don't keep it to yourself please, let us know.
to StraitShoot
@Tablet "I unpacked it again and NAV also didn't detect it."
This _can_ happen, because files which are first packed and then unpacked again aren't exactly the same anymore - of course, it is bad if an AV can't detect these packed-unpacked malware files... (but there are several AVs which have probs with that, not only NAV!)
@Schouw "McAfee doesn't detect the packed sample as well."
I can't reproduce this... which version of UPX and which options did you use?
Qumahlin (Never Enough Time) MVM join:2001-10-05 United States
to StraitShoot
Um, using Norton 2003... it detected all of those while packed except for the very first one labeled UPX1.24. Other than UPX1.24.zip, the rest were detected right away... Reminder, this is using 2003... not 2004.
to StraitShoot
It does detect it because all other files are unpacked except upx124.zip.
to StraitShoot
Wouldn't it be a mite easier to just ask the NAV guys if their new toy has unpackers?
Schouw Premium Member join:2003-05-29 Netherlands
to StraitShoot
I used 1.90, standard options. But with the latest file I tested 1.90 and 1.24 and now McAfee detects both.
With the wrong samples I meant, how come that all AVs don't detect the packed sample except KAV?
The latest file goes undetected by NAV2004 when packed, so it seems you are right.
to StraitShoot
Good opportunity for F-Secure users to see how F-Prot and KAV engines "work together": scan this "Trojan.Win32.Dickler" with F-Secure - it detects "a destructive program" (F-Prot's generic name) - F-Prot is obviously the 'primary' engine to scan a file. Then pack it with UPX and scan again - now it is detected by real name: this is the KAV engine, which can unpack, while F-Prot cannot - so no surprise, yet. Then unpack the file again (with "upx -d") and scan it. Well, again it is the KAV engine which detects the nasty... what does this tell us about F-Prot's signature quality?
jdong (Eat A Beaver, Save A Tree.) Premium Member join:2002-07-09 Rochester, MI
2003-Jul-8 1:16 pm
LOL, Anvil, I was trying to get the AVP engine to scan before F-Prot...
The guys @ support told me that it's impossible, but they did like the idea and forwarded it to their development team...
Perhaps something to look forward to in FSAV 5.42...
Name Game Premium Member join:2002-07-07 Grand Rapids, MI
to Anon
Tablet Premium Member join:2003-01-15 Czech
1 recommendation
2003-Jul-8 1:19 pm
said by Name Game: Can that NAV Beta also scan Images
This feature has not yet been implemented. But due to increased users' concern it shall be included in the next LiveUpdate.
Schouw Premium Member join:2003-05-29 Netherlands
1 recommendation
to Anon
quote: Oh yeah? BTW next toy attached
NAV only detects the unpacked sample; after packing and unpacking it misses it as before. McAfee detects all three samples. Guess there is no UPX support. I only tested ASPack support very briefly and that seems present. But then again, why would they add aspack if they don't add upx support?
jdong (Eat A Beaver, Save A Tree.) Premium Member join:2002-07-09 Rochester, MI
2003-Jul-8 1:30 pm
Well, let's just hope that it means the Symantec guys plan on adding other packer support via LiveUpdate in the near future... :-\
Anav (Sarcastic Llama? Naw, Just Acerbic) Premium Member join:2001-07-16 Dartmouth, NS
2003-Jul-8 1:35 pm
Isn't that the whole point of this exercise, to raise the standards and our protection by all the associated apps!!
Tablet Premium Member join:2003-01-15 Czech
to Schouw
said by Schouw: Guess there is no UPX support. I only tested ASPack support very briefly and that seems present. But then again, why would they add aspack if they don't add upx support?
I have quite a few samples I packed with UPX that are detected by NAV. Look above, it shows NAV detecting a virus inside a packed file. Note what it says when I click on the sample in the list. [text was edited by author 2003-07-08 13:39:47]
Schouw Premium Member join:2003-05-29 Netherlands
2003-Jul-8 1:48 pm
Well, look at jdong's test. NAV even detects upx-aspack-upx compressed files, without an unpacker... If NAV2k4 can see what kind of sig it is (sig for upx sample, sig for aspack sample etc.), then it could display a message like this without having an unpacker.
Must say it's strange, because when I scan an uncompressed sample it says: scanned 1 file. Scanning the compressed sample: scanned 2 files. It could be unpacker bugginess, it could be crappy signatures.
It all is very vague, maybe it's better to wait for Symantec to come with a statement. Or wait till 2004 is out of beta.
Tablet Premium Member join:2003-01-15 Czech
2003-Jul-8 2:03 pm
I do not know if this can help, but with two samples I get this interesting behaviour from NAV 2004: i.e. this Mapson.Worm sample is UPX packed and NAV detects two viruses of the same name, one for the packed virus and one for the unpacked. This is understandable for me. But now comes the interesting part. When I further ASPack the file, NAV detects 10 viruses of the same name - see above. The first detection comes from the packed file, the second comes from the content of the packed file, the third comes from the content of the content of the packed file and so on... the tenth detection is reported to be 9 levels inside the archive. If you have any suggestions why it could behave like this, please share them with me. Thanks
Randy Bell Premium Member join:2002-02-24 Santa Clara, CA
said by Tablet: If you have any suggestions why it could behave like this, please share them with me.
What is displayed when you click on those ten samples, as you did in your previous post?
jdong (Eat A Beaver, Save A Tree.) Premium Member join:2002-07-09 Rochester, MI
to StraitShoot
Is it just me, or did this and 3 other topics go offline/online a few minutes ago...?
Does anyone care to post a screenshot of the Auto-Protect config options? Is prompt an option yet? That's something I really want.
Tablet Premium Member join:2003-01-15 Czech
to Randy Bell
A picture is worth a thousand words. From top to bottom the detections are deeper and deeper into the archive. The last one I took a screenshot of is 9 levels deep, as if the file was packed nine times.
Bobb5 Premium Member join:2001-02-16 Kent, WA
to StraitShoot
said by StraitShoot: I just thought it might be a good idea to start a thread that DEFINITELY (no speculations, please!)... that tells from people who know WHAT new improvements, changes, and added features are going to NAV 2004... I'm sure many of us (including me) would like to know...
Great idea for a thread! I've wanted to know what, if any, changes there are. I decided it wasn't worth installing the Beta, not for 30 days, so this thread will be great.
StraitShoot (Who Loves Ya Baby? - Theo Kojak) Premium Member join:2003-02-08 Clinton, MA
1 recommendation
said by Bobb5: Great idea for a thread! I've wanted to know what, if any, changes there are. I decided it wasn't worth installing the Beta, not for 30 days, so this thread will be great.
I come out with the good ones, eh? LOL... Actually, I posted this because I wanted to find out what NAV's up to lately. I see NAV is REALLY getting strong in unpackers now! Great for them! Also, another purpose of my thread is to have a centralized location for NAV beta and related improvements. There has been too much "Thread Hijacking" lately.. LOL.. [text was edited by author 2003-07-08 18:29:34]