XMON and EAV failed to detect virus!
EvilDave UK
July 15th, 2008, 12:43 PM
Email came in yesterday with an attachment, which got delivered to my mailbox. Email sat in there unread (didn't have time to open it). More than 24 hours later XMON decides it's a virus (while it was running a manual scan). Both EAV 3.0 and XMON 2.7 Real Time scans didn't pick it up.
Virus turned out to be:
UPS_INOICE_107.zip - Win32/TrojanDownloader.Small.ODR trojan - deleted
UPS_INOICE_107.zip > RAR > UPS_INOICE_107\UPS_INVOICE_107.exe - Win32/TrojanDownloader.Small.ODR trojan
What's all this about?
Bubba
July 15th, 2008, 01:11 PM
> What's all this about?

Perhaps the "24 hours later" issue is because update 3267 (http://www.eset.eu/podpora/aktualizacia-3267?lng=en) came out late in the PM last night with Win32/TrojanDownloader.Small.ODR added :-\
The UPS_INVOICE_107.exe being targeted, try using Federal Express next time :ouch:
Just kidding ;)
EvilDave UK
July 15th, 2008, 04:58 PM
But my point is shouldn't EAV have detected it anyway? ESET reckon they're better at catching in-the-wild viruses than any other provider, but they failed this time...
mickhardy
July 15th, 2008, 07:03 PM
> but they failed this time...

My users live life on the edge and our customer base includes many countries with dodgy old software and often little or no anti-virus software. As a result, we are often at the forefront of new threats. XMON deletes several thousand incoming viruses per year. XMON has missed only two new threats in the five years we've been running it. Both of these were correctly identified as suspect by my users and referred to me, and both were added to the definitions within 24 hours.
I'm more than happy with their anti-virus performance but far from impressed with ESS, which has been completely removed from our Network.
ASpace
July 16th, 2008, 06:53 AM
> But my point is shouldn't EAV have detected it anyway?

No, because they use the same techniques and threat database. They update at the same time and that is why it happened that way. Having an antivirus doesn't mean you are fully protected - you should still follow basic rules such as common sense, don't open/read/answer emails from unknown sources, etc.
EvilDave UK
July 22nd, 2008, 02:30 PM
This is similar to my last post, but again, both XMON and EAV missed a virus. Got an email yesterday mid-morning with an attachment:
"UPS_INVOICE_978172.zip"
Knew from the last similar looking attachment this was a virus. Did a manual scan from within Outlook using EAV... No virus. Copied on to desktop, scanned, no virus (1 file found in attachment according to EAV). Submitted to ESET.
More than 24 hours later I received the following email:
"22/07/2008 11:09:35 - XMON - Antivirus Monitor for MS Exchange Server Threat Alert triggered on SBSVR1: UPS_INVOICE_978172.zip > ZIP > UPS_INVOICE_978172.exe is infected with Win32/PSW.Agent.NIF trojan."
But this is too late. If every user in the company received this and opened it, they'd all have a virus by now, which both the server and client AV failed to detect. A zero-day virus, and nothing, no warning from the AV!
I scanned the ZIP file last night on VirusTotal. A number of other AV companies detected it as a trojan, others said "suspicious file". Yeah it's suspicious... EAV and XMON have the option to scan-for and remove potentially unsafe applications, adware, spyware and riskware. Surely this suspicious looking file should have fit into one of those categories?
Clearly not...
This is useless to me! 24+ hours is too long. And with damage already done, it makes the investment into ESET's AV a pointless one, especially if other AV providers knew this was a virus before ESET did.
What does ESET have to say about this?
GAN
July 22nd, 2008, 07:29 PM
This question has been asked/answered a million times before in this forum and in other forums for other AV software. I guess some people expect the AV software to be 100% bullet proof, which is not the case. Sometimes NOD32 is the first one to detect a threat and sometimes they might be the last. ESET, Symantec, Trend, Kaspersky and everyone else work hard to stop threats fast and it's not like ESET can be the first one every time. So if you find ESET to be useless because they didn't find it first, I guess you might find any AV software useless since they all might be late to stop a threat sometimes. It's not like the "potentially unsafe applications" feature never fails to find a threat.
You might consider using AV software running on the server which is from another vendor than the AV software running on the client. A lot of companies choose to do so and that will give some extra security since there are two different engines scanning the mail.
I agree that 24+ hours is not very impressive, but you cannot expect ESET to always detect any threat before any other AV software.
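The thread's two samples share one shape: an archive named like a courier invoice with an executable inside, and the signature that would have named it arrived a day late. The two-engine layering GAN suggests helps, but the control that does not wait for a signature is a content policy on the attachment itself. The following is an added example written for this thread, not ESET or XMON code: it walks an in-memory ZIP, flags executable members by extension and by PE header, refuses to deliver encrypted or opaque nested archives (the first sample was ZIP > RAR > exe) it cannot look inside, and caps how much it will inflate. The extension list, size limits and sample archives are all constructed, and the "trojan" sample is an inert byte string with a PE-style header, not malware.

```python
"""
Attachment policy filter: quarantine mail attachments that carry executable
content, with no dependence on antivirus signatures. Added example for this
thread, not ESET/XMON code; every sample and threshold below is constructed.
"""
import io
import os
import zipfile

# Extensions Windows runs on double-click (assumption: representative, not
# exhaustive; a real deployment would take the list from policy).
EXEC_EXTENSIONS = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".vbs", ".js"}

# Leading bytes of archive formats the stdlib cannot open; a nested RAR/7z
# (the thread's first sample was ZIP > RAR > exe) is quarantined unopened.
OPAQUE_ARCHIVE_MAGIC = {b"Rar!\x1a\x07": "RAR", b"7z\xbc\xaf\x27\x1c": "7z"}

MAX_MEMBER_BYTES = 50 * 1024 * 1024   # never inflate more than this per member
MAX_NESTING = 2                        # ZIP inside ZIP inside ZIP is enough


def _member_findings(label, name, data):
    """Findings for one file, judged by both its name and its content."""
    findings = []
    ext = os.path.splitext(name)[1].lower()
    if ext in EXEC_EXTENSIONS:
        findings.append(f"{label}: executable extension {ext}")
    if data[:2] == b"MZ":                 # PE image regardless of what it is called
        findings.append(f"{label}: PE header (MZ) in content")
    for magic, fmt in OPAQUE_ARCHIVE_MAGIC.items():
        if data.startswith(magic):
            findings.append(f"{label}: nested {fmt} archive, cannot inspect")
    return findings


def scan_zip(blob, label, depth=0):
    """Walk a ZIP held in memory and collect policy findings for its members."""
    if depth > MAX_NESTING:
        return [f"{label}: nested deeper than {MAX_NESTING} levels"]
    findings = []
    try:
        zf = zipfile.ZipFile(io.BytesIO(blob))
    except zipfile.BadZipFile as exc:
        return [f"{label}: malformed ZIP ({exc})"]
    with zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            path = f"{label} > ZIP > {info.filename}"
            if info.flag_bits & 0x1:      # encrypted member: no scanner can see inside
                findings.append(f"{path}: encrypted member, cannot inspect")
                continue
            if info.file_size > MAX_MEMBER_BYTES:
                findings.append(f"{path}: declared size {info.file_size} exceeds limit")
                continue
            data = zf.read(info)
            findings.extend(_member_findings(path, info.filename, data))
            if zipfile.is_zipfile(io.BytesIO(data)):
                findings.extend(scan_zip(data, path, depth + 1))
    return findings


def attachment_verdict(filename, blob):
    """Return ("quarantine", findings) or ("deliver", []) for one attachment."""
    if zipfile.is_zipfile(io.BytesIO(blob)):
        findings = scan_zip(blob, filename)
    else:
        findings = _member_findings(filename, filename, blob)
    return ("quarantine" if findings else "deliver"), findings


def build_zip(members):
    """Construct an in-memory ZIP from {name: bytes}; test data only."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in members.items():
            zf.writestr(name, data)
    return buf.getvalue()


# Constructed samples. The "trojan" is a harmless byte string with a PE-style
# header, standing in for the thread's UPS_INVOICE_978172.zip; it is not malware.
SAMPLE_TROJAN_ZIP = build_zip({"UPS_INVOICE_978172.exe": b"MZ" + b"\x00" * 64})
SAMPLE_BENIGN_ZIP = build_zip({"invoice_978172.pdf": b"%PDF-1.4\n%constructed\n"})
SAMPLE_NESTED_ZIP = build_zip(
    {"UPS_INVOICE_107.zip": build_zip({"UPS_INVOICE_107.exe": b"MZ\x90\x00"})}
)

if __name__ == "__main__":
    for name, blob in [("UPS_INVOICE_978172.zip", SAMPLE_TROJAN_ZIP),
                       ("invoice_978172.zip", SAMPLE_BENIGN_ZIP),
                       ("UPS_INVOICE_107.zip", SAMPLE_NESTED_ZIP)]:
        verdict, why = attachment_verdict(name, blob)
        print(name, "->", verdict)
        for line in why:
            print("   ", line)
```

The benign PDF archive is delivered and both invoice-style samples are quarantined with the member path spelled out in the same "ZIP > name" form XMON uses in its alert, so the helpdesk can read the reason without opening the file. Encrypted members and RAR/7z nests are quarantined unopened rather than passed through, because the content check is only as good as what it can actually inflate.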
FlyingHorse
July 22nd, 2008, 10:40 PM
> I guess some people expect the AV software to be 100% bullet proof which is not the case.

ESET Secures Record-Breaking 50th Virus Bulletin Award for Security Excellence
June 04, 2008
Detects 100 Percent of Viruses, Worms and Bots with Zero False Positives (http://www.eset.com/company/article/ESET-Secures-Record-Breaking-50th-Virus-Bulletin-Award-for-Security-Excellence/4811.php?contentID=4811)
But it is what they advertise... ;)
The Hammer
July 22nd, 2008, 11:28 PM
> ESET Secures Record-Breaking 50th Virus Bulletin Award for Security Excellence
> June 04, 2008
> Detects 100 Percent of Viruses, Worms and Bots with Zero False Positives (http://www.eset.com/company/article/ESET-Secures-Record-Breaking-50th-Virus-Bulletin-Award-for-Security-Excellence/4811.php?contentID=4811)
> But it is what they advertise... ;)

No it isn't. "ESET's antivirus products boast a success rate of over 96 percent." Read the whole press release. Don't just skim it.
FlyingHorse
July 23rd, 2008, 06:45 AM
> No it isn't. "ESET's antivirus products boast a success rate of over 96 percent." Read the whole press release. Don't just skim it.

Actually I did read the entire article. Your quote above omits a very important part of the entire sentence. "Since the inception of VB100 awards in 1998, ESET's antivirus products boast a success rate of over 96 percent..."
Also if you visit the VB100 website (http://www.virusbtn.com/vb100/about/100use.xml) you'll find this statement:
"In order to display the VB100 award a product must have been tested by Virus Bulletin and in those tests it must have demonstrated, in its default mode, 100 per cent detection of In the Wild test samples and no false positives in a selection of clean files."
GAN
July 23rd, 2008, 07:29 AM
> Actually I did read the entire article. Your quote above omits a very important part of the entire sentence. "Since the inception of VB100 awards in 1998, ESET's antivirus products boast a success rate of over 96 percent..."
> Also if you visit the VB100 website (http://www.virusbtn.com/vb100/about/100use.xml) you'll find this statement:
> "In order to display the VB100 award a product must have been tested by Virus Bulletin and in those tests it must have demonstrated, in its default mode, 100 per cent detection of In the Wild test samples and no false positives in a selection of clean files."

In any case there is a difference between 100% for the "wild test samples" and 100% in general. The wild test samples do not include every existing threat, so it's not even relevant to my statement.
Can you show me a statement from ESET where they say that NOD32 detects 100% of all existing threats? ..... Well, I didn't think so....
I think what I said in my post is pretty clear and I was not talking about the "wild test samples". There is a difference between a statement that says 100% of the wild test samples and 100% period.
FlyingHorse
July 23rd, 2008, 09:04 AM
> I think what I said in my post is pretty clear and I was not talking about the "wild test samples".

I'm sorry, but it wasn't clear to me that you were generalizing about AV software. From the OP's own statements I assumed that this discussion centered on In the Wild and Zero Day threats. My mistake.
Copyright ©2002 - 2009, Wilders Security Forums