NOD32 has the worst track record ever
jaseinatl
April 6th, 2008, 01:41 PM
I run several small networks in the Atlanta area. When I found NOD32, the version was 2.7 and it allowed great administrative options while professing to be the best antivirus software; capable of finding virii in the wild!
I fell in love and purchased/installed it on all of my networks. Everything has been going along fine until recently.
I have been infected with the most ridiculous and pathetic virus you could ever come across. This is while running NOD32 with the maximum protection settings.
The virus is simple: It's a simple rootkit that rewrites your system time and somehow tells your BIOS to change its date. The date in question is 12/31/99 (just seconds before the year 2000, I am guessing--real funny).
The problem is that with a server that is running demo software while waiting for the licensed disks to show up in the mail, it invalidates the install and is irreversible. This virus locks down my network and requires a full install of the server and a lot of work on every workstation.
NOD32 has not been able to detect it. NOD32 has not ever removed it. NOD32 does not even talk about the virus on their website (which every other virus software does). When I asked for help the first time it happened and I lost my server, they couldn't find my licensing information. I had to get the Office Admin (who had purchased the software) to look the information up and by the time I was able to identify my licensing information, it was too late. Not much help. The second and third times I requested help, I got the same run around and even though I faxed them my printed licenses once, they still couldn't find it.
What's worse is that if you try to update the virus database (which is immediately marked out of date because of the date change), you are told that it is up to date. It checks the version number to determine if you have the latest version, but it checks the date last synced to determine if it's up to date. So I have this throbbing red NOD32 reminder of their gross incompetence infecting my system tray at all times.
I am sure that my absolute disappointment in NOD32 is more the result of having not only loved the software blindly, but also of having promoted it wildly to anyone who asked coupled with the fact that it has repeatedly let me down and been unavailable to provide support. I am uninstalling NOD32 on all of my workstations on every network and I am contacting the Virus Bulletin that they so proudly claim "able to detect viruses in the wild".
jase
shadek
April 6th, 2008, 05:11 PM
The support of ESET isn't really known to take care of the customers, sadly. Personally I find their product NOD32 quite capable of disinfecting the viruses I come across on sketchy websites.
Anyhow, it's sad to read about your experience. Let's hope ESET read this and improve their product in the future.
goran_larsson
April 7th, 2008, 02:50 AM
Lots of other stuff will fail to function on systems with skewed clocks, stuff like Windows Update etc. Will you post or send a hate e-mail to them as well?
/Göran
LowWaterMark
April 7th, 2008, 03:53 AM
{QUOTE-> The virus is simple: It's a simple rootkit that rewrites your system time and somehow tells your BIOS to change its date. The date in question is 12/31/99 (just seconds before the year 2000, I am guessing--real funny). <-QUOTE}
How did you fix the problem back in November, when you last posted about it, or, are you still fighting that exact same infection all this time?
http://www.wilderssecurity.com/showthread.php?t=190097
http://www.wilderssecurity.com/showthread.php?t=190096
Edwin024
April 7th, 2008, 03:59 AM
Dear LWM,
Nice digging up of older material. But isn't it true that it's a shame that Eset has done nothing (so it seems) to include a solution to this rootkit in their products?
LowWaterMark
April 7th, 2008, 04:01 AM
It may well be that they did nothing, or, that the user did not follow up with Marcos as requested at that time. Or, that he has been fighting the exact problem since Nov. We really need more information here if we are to advise him, not just a statement that "NOD32 has the worst track record ever". Or, is there not a support question here?
qpok
April 7th, 2008, 04:03 AM
I am a little baffled (or worried) with the ever-decreasing signature detection rate of NOD32. http://virusinfo.info/index.php?page=testseng That record isn't too convincing :|
solcroft
April 7th, 2008, 04:31 AM
{QUOTE-> We really need more information here if we are to advise him, not just a statement that "NOD32 has the worst track record ever". <-QUOTE}
There is nothing "we" can do to advise him. That power and responsibility rests solely with ESET, who made a promise of virus protection to him, and received his money for that promise.
{QUOTE-> Or, is there not a support question here? <-QUOTE}
I don't think so. But truth be told, I think it's a lost cause posting support questions about undetected samples anymore. Every now and then a user gets the token response of "send samples to blah@blah.com and we'll look into it", but ESET's general attitude towards such issues is clear: deal with it, or take your money elsewhere.
EASTER
April 7th, 2008, 04:44 AM
As an earlier poster mentioned, NOD32 is proven fairly good at disinfecting let's say some viruses, at least it's proven that much for me as a single workstation.
But it's definitely no consolation for a network chain of PCs that seem to have all been inhabited at once by what may very well be some new strain which has evaded detection and thus crippled the entire group.
I would be equally at odds with its chairman or lead sales rep and approach them in some fashion with expectation of compensation for loss, that is if it's included in the agreement, which I venture likely is not.
ESET at the very least should show some responsibility for its customers some way in light of even new undetected risks that have proven to evade their security completely, and in this case it seems, disabled an entire network no matter the count.
Let us know what if any response you receive from them because difficult as it might be, there has to come a point where these AV's have got to do more than just rely on signature matching algorithms, and especially where concerns networked computer systems.
LowWaterMark
April 7th, 2008, 04:57 AM
{QUOTE-> But truth be told, I think it's a lost cause posting support questions about undetected samples anymore. Every now and then a user gets the token response of "send samples to blah@blah.com and we'll look into it", but ESET's general attitude towards such issues is clear: deal with it, or take your money elsewhere. <-QUOTE}
I'll agree with you completely if you qualify the statement just a bit. Eset unabashedly states that they don't just add undetected samples that people happen to find. Their position is clear on this and hasn't changed in all the years they've been here. It's their whole philosophy for what they consider real world threats versus collected samples. However, any time a person has posted that they have a live infection on their machine, Eset has always jumped on it, helped the person clean it and when it was over, that infection source is detected.
solcroft
April 7th, 2008, 05:09 AM
{QUOTE-> I'll agree with you completely if you qualify the statement just a bit. Eset unabashedly states that they don't just add undetected samples that people happen to find. Their position is clear on this and hasn't changed in all the years they've been here. It's their whole philosophy for what they consider real world threats versus collected samples. However, any time a person has posted that they have a live infection on their machine, Eset has always jumped on it, helped the person clean it and when it was over, that infection source is detected. <-QUOTE}
They're welcome to their position, of course - they're a company, and they have a philosophy to follow. Unfortunately, it is due to this position that people need to contact their support for help when their machines get infected thanks to ESET's excellent philosophy. It's almost as if people who buy NOD32 are buying a service to clean up their computers when they become infected, rather than a product which prevents those infections in the first place. Only when a user gets hit by a trojan and perhaps has their bank details and other confidential data stolen does ESET consider that trojan to be a real-world threat.
But like I said, I guess they're welcome to their position. :wacko:
LowWaterMark
April 7th, 2008, 05:15 AM
I don't know that they are dramatically different in that part of it than any other AV company. There is always the first person infected by something new or undetected, which ultimately leads to a submission that gets added and then the rest of that product's customers are protected.
solcroft
April 7th, 2008, 05:24 AM
{QUOTE-> I don't know that they are dramatically different in that part of it than any other AV company. There is always the first person infected by something new or undetected, which ultimately leads to a submission that gets added and then the rest of that product's customers are protected. <-QUOTE}
The dramatically different part is ESET's usual attitude of "uhm, yeah, whatever ::)" in response to new samples. At least, they're the only vendor I know of with that attitude and flaunt it in such an in-your-face manner. And of course, we know what happens next. I daresay the OP is a fine example.
Marcos
April 8th, 2008, 01:35 AM
It's been stated numerous times in various forums that no AV is perfect and what one detects the other may miss and vice-versa. If you come across an undetected suspicious file, send it in a rar/zip archive protected with the password "infected" to samples[at]eset.com. The visitors of this forum can also include a url to the appropriate post for easier identification.
solcroft
April 8th, 2008, 02:13 AM
{QUOTE-> It's been stated numerous times in various forums that no AV is perfect and what one detects the other may miss and vice-versa. If you come across an undetected suspicious file, send it in a rar/zip archive protected with the password "infected" to samples[at]eset.com. The visitors of this forum can also include a url to the appropriate post for easier identification. <-QUOTE}
Marcos,
During my period of using NOD32 I've run into four separate instances where I'd have been infected were it not for other measures taken (Group Policy + SRP + NTFS access permissions). I've submitted those samples via the right-click menu. Detection has yet to be added till this day, and I imagine that those real-world samples are left free to infect other NOD32 users, who will then get to hear the typical spiel from ESET support. :thumbd:
No antivirus product is perfect, but the fact remains that different vendors go to varying lengths to ensure that their customers remain safe from infection. And when a vendor unabashedly drags its feet in adding detection signatures, the typical excuse suddenly sounds a lot more hollow than usual.
Marcos
April 8th, 2008, 05:02 AM
Suspicious files must be submitted by email to samples[at]eset.com. There are hundreds of already detected, corrupted, or apparently clean files submitted via the internal submission system so your samples might get lost if you submit them that way.
solcroft
April 8th, 2008, 05:41 AM
Well, I hope the internal submission system isn't built in there for the sole purpose of being ignored.
I don't get one or two files every week or so. It's more like around ten per day. And since I'm not an ESET employee who gets paid for doing it, nor do I enjoy logging into my email account ten times a day, I use the quick and easy right-click method.
At any rate, I personally think I've done as much as I should. It's up to ESET's prerogative whether to take it up from there.
Stijnson
April 8th, 2008, 05:45 AM
{QUOTE-> Well, I hope the internal submission system isn't built in there for the sole purpose of being ignored.
I don't get one or two files every week or so. It's more like around ten per day. And since I'm not an ESET employee who gets paid for doing it, nor do I enjoy logging into my email account ten times a day, I use the quick and easy right-click method.
At any rate, I personally think I've done as much as I should. It's up to ESET's prerogative whether to take it up from there. <-QUOTE}
A bit off-topic, but how do you get 10 infected files a day? Or do you go 'hunting' for them? ;D
solcroft
April 8th, 2008, 05:56 AM
I go hunting.
webyourbusiness
April 8th, 2008, 10:26 AM
{QUOTE-> Suspicious files must be submitted by email to samples[at]eset.com. There are hundreds of already detected, corrupted, or apparently clean files submitted via the internal submission system so your samples might get lost if you submit them that way. <-QUOTE}
It seems of little value to have the internal submission if anything sent via it has little or no chance of being evaluated compared to the manual system.
Woody777
April 8th, 2008, 10:49 AM
I hope an Eset employee will take a special interest in this problem & fix his system. It is of no value to rehash the problems with Eset in the past; all anyone can do is move forward.
ffreedom01
April 8th, 2008, 04:24 PM
Threads like this one are very troubling. I recently trialed NOD32 v3 and it ran very light with no issues. However, searching this forum I found quite a few NOD32 users who had been infected or had support issues or both. There are so many good AV alternatives these days that it just seemed best to try something else. I know NOD32 has many loyal supporters and does well in many AV tests, but poor customer support is a show stopper in my book.
BlueZannetti
April 8th, 2008, 09:08 PM
{QUOTE-> I hope an Eset employee will take a special interest in this problem & fix his system. It is of no value to rehash the problems with Eset in the past; all anyone can do is move forward. <-QUOTE}
Some aspects of this thread are puzzling to me. For example, as noted in links provided above, in November of 2007 the original poster stated that:
{QUOTE-> I have read so many virus reports that I am about to explode. Could someone please help me to plot the best path out of this mess:
About two weeks ago I started having services randomly fail on my SBS2003. Then about 5 days ago I noticed the server was restarting itself randomly.
Next I started receiving errors that my server didn't have any idle time and that was potentially hazardous.
Next, I get all kinds of messages: I need to install Chinese Language Pack for page to view properly--out of nowhere. Plus the server is trying to load a series of webpages that I keep telling it to block. Also, it changed the system time (in my bios as well) to read December 31, 1999. I can reset it, but then either the year will be reset to 2000 or the month, AM sometimes, PM sometimes, all of it sometimes.
Plus, when I startup I get the message 0SVCHOST: 03-NOV-07 is not a valid date and Task Manager is disabled.
Nod32 recognizes SYSMON.exe and supposedly deletes it. But it is not only still there, it keeps getting worse. There is also another file OS something that NOD32 finds, deletes but is still there. In all, I have 40 different events that NOD32 thinks it is handling and still nothing. It has infected all of my PCs and I am desperate for help. <-QUOTE}
{QUOTE-> My users don't have many special needs. They basically use Office 2003, Outlook, Adobe Acrobat and that's about it. I could create a master image (with the NOD32 client installed) and replicate using ACRONIS Snap Deploy.
I have installed a clean image on one PC but when I connect the infected drives, even with NOD32 running, it is just a matter of time before I find the same infection on the new drive. How do I get to the data off the infected drives without re-infecting my new drives?
I thought by isolating each PC and installing a clean image, I could control the virus, but alas I cannot. <-QUOTE}
{QUOTE-> Okay, this is rich!
I removed Infected Drive A from one workstation.
I replaced Infected Drive B in another workstation with a shiny new 500 Gb Clean Drive
On the 500 Gb Clean Drive, I partitioned the drive using Windows XP install Disk and installed Windows XPSP2.
On the 500 Gb Clean Drive, I installed NOD32 and scanned the 500 Gb Clean Drive for viruses---it was clean.
I applied all necessary updates for Windows XPSP2 on the 500 Gb Clean Drive
Next I installed the Infected Drive A as a second drive.
When Windows was completely loaded, I ran NOD32 in Application mode and scanned Infected Drive A to find about 5 virii.
I deleted all of the infected files and opened an Explorer window to "My Computer"
I clicked on Infected Drive A and was given the option to pick which application I should launch and/or associate with that action (doubleclicking a hard drive icon).
Nod32 Springs into action with a big red Virus Alert! Deletes the file and everything seems fine.
I reboot
On a hunch, I open an Explorer window to My Computer and double click a different drive. Same response. Same Virus (SOS).
I remove the Infected Drive A drive and sure enough I still have the SOS virus...only now it's on my 500 Gb Clean Drive.
What is up? I didn't even open an explorer window to the infected drive....
How is this virus getting around?
Please help? <-QUOTE}
and the thread dies over the course of about 24 hours. The second thread mentioned by LowWaterMark was contemporaneous, with similar information, and a similar conclusion. Fast forward five full months and the basic problem description is extremely similar to the original issue down to the clock reset.
On the face of it, this sounds like either an ongoing 5 month old issue or a repeat occurrence. If it's the latter, it would seem as though there is a structural network security and/or OS configuration issue that would seem to be at least addressable via clean installs and locked down LUAs on all user machines (if required). That's just one way to tackle it, there are others. If it's the former, I can't imagine the lack of thread activity here in the intervening period to tell you the truth.
As someone who did offer a bit of advice in the original threads, I would have hoped that the original discussion was not ended prior to an actual resolution of the problem. Any exit from those threads was not due to a lack of support from the community. As I noted at the outset, I must admit that the evolution of the entire situation is rather puzzling to me.
Blue
trjam
April 8th, 2008, 09:26 PM
I am a firm believer in evaluating all the testing sites and reports before rendering my thoughts on a product. And the one thing I do know is Eset is not an unachiever. If you say it has the worst track record, then submit proof from an unbiased testing site. I have yet to find a test that supports your claim. Really gets under my skin, threads like this.>:(
Eset is one of the best AVs on the market. You may want to look at your end for the issues.
solcroft
April 8th, 2008, 10:18 PM
{QUOTE-> I am a firm believer in evaluating all the testing sites and reports before rendering my thoughts on a product. And the one thing I do know is Eset is not an unachiever. If you say it has the worst track record, then submit proof from an unbiased testing site. I have yet to find a test that supports your claim. Really gets under my skin, threads like this.>:(
Eset is one of the best AVs on the market. You may want to look at your end for the issues. <-QUOTE}
ESET ranks along the upper-tier products, but truth be told, it's completely undeserving of the accolades that it and its users heap on it. There's really nothing to distinguish it from its serious competitors, and it's just an also-ran when placed alongside them.
Worst track record... no, far from it. I'd rather call it "overhyped" instead.
Copyright ©2002 - 2009, Wilders Security Forums