julevine

Urgent: Emsisoft Emergency Kit GUI scanner not scanning inside packed .exe's


I was using the Emsisoft Emergency Kit GUI scanner to scan inside some packed exe's (not compressed with zip or rar).

It did not scan the files inside at all.

Scanner engines need to be able to scan files inside packed exe's.

Please fix this issue as soon as you can.

Thank you

Share this post


Link to post
Share on other sites

EAM and EEK treat self-extracting archives as normal applications which means after they have been found clean for a while they are skipped due to caching. If you always want those files to be unpacked you need to disable the cache. Even if those files are skipped though there is no risk, as malware stored in archives, self-extracting or not, is rendered harmless.

Share this post


Link to post
Share on other sites

It is not unpacking installer files that are inside the installer.

Sample:

Like installer.exe, it would have other files packed inside.

The scan engine would unpack these files and scan them.

When I am scanning an installer.exe it reports only 1 file scanned.

It needs to be able to unpack files inside and scan them.

I hope you understand.

Thank you

Share this post


Link to post
Share on other sites

The scan engine always counts containers (archives, setups etc.) as a single file. So you can't determine whether a container was unpacked or not based on the scanned files count.

Share this post


Link to post
Share on other sites

I tested the scanner by scanning the Windows service pack installers for Windows XP. It seems it is not unpacking; there is no way it is unpacking all packed files in 1 sec.

I scanned other large files and got the same result regardless of packer type and whether it is a signed installer or not.

Share this post


Link to post
Share on other sites

I'm confused about your previous reply. Do you mean it will only unpack packed files under 64Mb, or will it only scan files under 64MB?

How do I prove it is unpacking files inside?

I tested all kinds of installers, even installers that are under 64MB; they scan way too fast, it seems no unpacking is taking place.

I need to know if the scanner unpacks files packed with most types of file packers that files are packed with, like UPX and the others.

Share this post


Link to post
Share on other sites

There is no easy way to test it. Scan times alone can be quite deceiving. I scanned a few malicious setups on my test system and the malware within those setups was detected just fine. I don't recommend a normal user doing the same though. That being said, even if the setup content isn't scanned, all files will be scanned during the actual installation by the File Guard.

 

Here is a scan log of one of my test runs:

Emsisoft Emergency Kit - Version 3.0
Last update: 1/12/2013 11:26:45 PM

Scan settings:

Scan type: Custom Scan
Objects: C:\Users\Administrator\Downloads

Detect Riskware: On
Scan archives: On
ADS Scan: Off
File extension filter: Off
Advanced caching: On
Direct disk access: Off

Scan start:	1/12/2013 11:30:00 PM

C:\Users\Administrator\Downloads\example2.exe -> (NSIS o) -> lzma_nsis0001 	detected: Application.TrojanSimulator (B)
C:\Users\Administrator\Downloads\TrojanSimulator.zip -> TrojanSimulator.exe 	detected: Application.TrojanSimulator (B)
C:\Users\Administrator\Downloads\TrojanSimulator.zip -> TSServ.exe 	detected: Application.TrojanSimulator (B)

Scanned	1587
Found	3

Scan end:	1/12/2013 11:30:17 PM
Scan time:	0:00:17

 

You can easily see that the TrojanSimulator test malware was found both in the ZIP archive as well as the NSIS setup.

Share this post


Link to post
Share on other sites
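As an added example (not part of the thread and not Emsisoft code), this Python snippet parses a report in the format of the scan log above and lists the containers that the log itself proves were unpacked, meaning a detection was reported on a member inside them. The function names are hypothetical and the embedded sample is constructed from the posted log with whitespace normalised; a container with no detections leaves no trace in this format, so absence from the result proves nothing.

```python
import re

# Constructed from the scan log in the post above (whitespace normalised).
SAMPLE_LOG = r"""
Scan archives: On
Advanced caching: On

C:\Users\Administrator\Downloads\example2.exe -> (NSIS o) -> lzma_nsis0001  detected: Application.TrojanSimulator (B)
C:\Users\Administrator\Downloads\TrojanSimulator.zip -> TrojanSimulator.exe  detected: Application.TrojanSimulator (B)
C:\Users\Administrator\Downloads\TrojanSimulator.zip -> TSServ.exe  detected: Application.TrojanSimulator (B)

Scanned 1587
Found 3
"""

DETECTION = re.compile(r"^(?P<chain>\S.*?)\s+detected:\s+(?P<name>.+)$")
SETTING = re.compile(r"^(?P<key>[A-Za-z ]+):\s+(?P<value>On|Off)$")
COUNTER = re.compile(r"^(?P<key>Scanned|Found)\s+(?P<value>\d+)$")

def parse_scan_log(text):
    """Split a report into On/Off settings, counters and detection records."""
    report = {"settings": {}, "counters": {}, "detections": []}
    for line in map(str.strip, text.splitlines()):
        if m := DETECTION.match(line):
            # "outer -> inner -> innermost": the first item is the file on disk.
            outer, *members = [p.strip() for p in m["chain"].split(" -> ")]
            report["detections"].append({"file": outer, "members": members, "name": m["name"]})
        elif m := SETTING.match(line):
            report["settings"][m["key"]] = m["value"]
        elif m := COUNTER.match(line):
            report["counters"][m["key"]] = int(m["value"])
    return report

def unpacked_containers(report):
    """Containers the log proves were opened: a member inside them was flagged."""
    opened = {}
    for det in report["detections"]:
        if det["members"]:
            opened.setdefault(det["file"], []).append(" -> ".join(det["members"]))
    return opened

def review(report):
    """Notes on settings and counters that affect how the result should be read."""
    notes = []
    if report["settings"].get("Scan archives") != "On":
        notes.append("Scan archives is not On: container contents were not requested")
    if report["settings"].get("Advanced caching") == "On":
        notes.append("Advanced caching is On: containers cached as clean may be skipped")
    if report["counters"].get("Found") != len(report["detections"]):
        notes.append("Found counter does not match the number of detection lines")
    return notes
```
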

I'm very concerned about the scanner file size limit.

With the current file limit of 64Mb it is very likely the scanner will miss large files that could be infected.

Here is an example with Emsisoft Emergency Kit:

Someone scans their computer and thinks all their files are clean, and later opens a file on their computer that is larger than 64MB and is infected with a known threat; then they will become infected.

To prevent this you need to have the scanner scan all file sizes.

Scanner engines should scan all file sizes because you never know if large files are infected.

Hope you resolve this issue.

Thank you

Share this post


Link to post
Share on other sites

Sorry, but that won't happen. The Emsisoft Emergency Kit is designed to remove an active infection from a system. It is not intended to prevent a system from being infected in the first place. That is what Emsisoft Anti-Malware is for.

Share this post


Link to post
Share on other sites

I know the scanner is for cleaning infected systems,

but if the source of the infection is in a file bigger than 64MB, then the scanner will not scan it,

so the system will get reinfected when that file is opened again.

Isn't the point of the scanner to remove all infected files regardless of size?

The scanner should scan all files of any size to remove all infected files.

Share this post


Link to post
Share on other sites

so the system will get reinfected when that file is opened again

Again, the Emsisoft Emergency Kit is not intended to prevent infections. No matter whether they are new or old infections. The only more or less reliable way to prevent infections is to use software in real time.

Share this post


Link to post
Share on other sites
...

but if the source of the infection is in a file bigger than 64MB, then the scanner will not scan it

...

Do you actually have an archive of some sort that is greater than 64MB which contains an infected file?

Share this post


Link to post
Share on other sites

I scan a lot of installer files and other files that are bigger than 64MB and need to know they're not infected.

Question: why do the scan engines have a file size limit?

Please explain the reason.

Share this post


Link to post
Share on other sites

There is roughly 1.2 GB of memory a 32 bit process on a 32 bit system can consume. We allow a user to scan up to 16 files at the same time. That means each scan thread can consume only up to 75 MB of RAM without risking out of memory issues.

Even if there wasn't such a limit, no scanner knows all setup and archive formats. So you will not get around using a proper real time scanner anyways.

Share this post


Link to post
Share on other sites

I'm confused.

If I understand, the more processors I have installed, the more files get scanned at the same time.

Is it the number of processors in the system that limits the max file size to be scanned,

or is it from max threads?

Did you guys just put a file size limit in the scanner?

There should never be a max file size scan limit if the system can handle it.

Please explain as simply as possible.

Share this post


Link to post
Share on other sites

is it the number of processors in the system that limits the max file size to be scanned

No. The amount of available virtual memory for 32bit processes is the limiting factor.

 

there should never be a max file size limit if the system can handle it

Most scanners have one, whether they admit it or not.

Share this post


Link to post
Share on other sites
