What does sequence:novirus:Packed/NSPack mean?


solcroft
02-11-2007, 03:57 PM
Very often I see this reported as the name of malware that my files are infected by. I'm especially curious as to what the "novirus" part means. Thanks in advance for answers.

Support
02-11-2007, 08:29 PM
Solcroft

Thank you for your report.

I have escalated this report to the Technical Support team.

They will respond to your query soon.

Kind regards,

Nicholas
PC Tools Support Services

PC-Pete
02-12-2007, 04:29 AM
I think 'novirusPacked/NSPack' is the name PCTAV gives to code that it suspects is related to a particular family of backdoor/trojans, e.g. Ewido/AVG Antispyware might call it 'Hupigon'.

Pete :cool:

solcroft
02-12-2007, 05:28 AM
Hrm. I suppose that's possible, but the part that makes me curious is that NSPack is the name of a "packing" format used to compress and encrypt executable files. PCTAV reports this string by other names as well; the ones I can recall off the top of my head right now include Packed/Upack and Packed/NSAnti.

The reason I'm curious about this is that I'd like to understand what PCTAV means when it flags files as infected by this malware - whether it's triggering its heuristics on a packed file, or simply marking a packed file as somehow corrupt or unusable, or something else. I could then have an easier time sorting out the malware undetected by PCTAV that I intend to submit to PC Tools, so they could in turn have an easier time analyzing them.

Inf0Byt3
02-12-2007, 10:43 AM
AFAIK this is not an infection! It is a simple executable packed with an exe protector/compressor. For example download FSG and use it on an executable. After that scan it and you'll see that PCTools reports it as Novirus.FSG or something like that. This is because the engine does not have unpacking support for runtime-compressed files like UPX, Petite, FSG, Mew and others.

;) Note for the developers ;)
This should be added; it would improve the detection rate dramatically!!!
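
As an added illustration (not code from this thread, from PC Tools, or from any real scanner), here is the kind of check an engine without an unpacker is reduced to: recognising the packer from the PE section names it leaves behind and emitting a "Packed/..." label, without ever seeing the compressed code. The section-name table and the minimal PE builder are constructed for this example; real engines use far larger signature sets and also inspect the entry-point stub.

```python
import struct
from typing import List, Optional

# Constructed fingerprint table: section names that common run-time compressors
# leave in the PE section table. Illustrative only, not a complete database.
PACKER_SECTION_NAMES = {
    "UPX0": "UPX", "UPX1": "UPX", "UPX2": "UPX",
    ".nsp0": "NSPack", ".nsp1": "NSPack", ".nsp2": "NSPack",
    ".petite": "Petite",
}

def pe_section_names(data: bytes) -> List[str]:
    """Parse the PE headers and return the section names; ValueError if not a PE."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]        # offset of "PE\0\0"
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4                                        # COFF file header
    num_sections = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]    # SizeOfOptionalHeader
    table = coff + 20 + opt_size                               # section table start
    names = []
    for i in range(num_sections):
        raw = data[table + 40 * i: table + 40 * i + 8]         # 40-byte entries, 8-byte name
        if len(raw) < 8:
            raise ValueError("truncated section table")
        names.append(raw.split(b"\0", 1)[0].decode("ascii", "replace"))
    return names

def identify_packer(data: bytes) -> Optional[str]:
    """Return a 'Packed/<packer>' label if a known packer section is present, else None.

    Note what this does NOT do: it never inspects the payload, so the label says
    only 'this file is packed', not 'this file is malicious'."""
    for name in pe_section_names(data):
        if name in PACKER_SECTION_NAMES:
            return "Packed/" + PACKER_SECTION_NAMES[name]
    return None

def build_pe(section_names: List[str]) -> bytes:
    """Construct a headers-only PE32 skeleton with the given section names (test input)."""
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)      # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, len(section_names), 0, 0, 0, 224, 0x0102)
    optional = struct.pack("<H", 0x10B) + b"\0" * 222          # 224-byte PE32 optional header
    sections = b"".join(n.encode().ljust(8, b"\0") + b"\0" * 32 for n in section_names)
    return dos + b"PE\0\0" + coff + optional + sections

if __name__ == "__main__":
    for names in (["UPX0", "UPX1", ".rsrc"], [".nsp0", ".nsp1", ".nsp2"], [".text", ".data"]):
        print(names, "->", identify_packer(build_pe(names)))
```

Run against a file you have packed yourself and a clean build of the same program: the label changes while the underlying code does not, which is exactly the ambiguity the thread is asking about.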

solcroft
02-12-2007, 11:10 AM
Ah, damn.

Are you sure PCTAV flags UPX executables as well? Because if it does, and if it performs the judiciously indiscriminate flagging that you describe, this is very bad news for PCTAV...

Inf0Byt3
02-13-2007, 09:36 AM
Well, I tested this with all UPX versions I could download and it seems PCTAV scans the file as-is if it's runtime compressed. Some other packers (like morphine for instance) are a bit harder to uncompress and may contain scrambling/encryption, so it's a bit hard to write a depacker for each version. I guess that's why PCTAV flags them as potential threats. However, the UPX compressed files are not flagged as containing the 'no-virus sequence', so I guess they are scanned as normal exes.

Sorry for talking before testing with the UPX packer.