Wilders Security Forums  

#1  October 29th, 2010, 01:28 PM
vtol (Frequent Poster; Join Date: Apr 2010; Location: just around the next corner; Posts: 774)
variant of J2ME/TrojanSMS.Konov.L trojan not captured through http scanning

the urls might need to be blocked too. submitted to Eset for analysis through the built-in submitter. on-demand scan detects it but does not move it into quarantine.

link distributed via ICQ

variant of J2ME/TrojanSMS.Konov.L trojan

/sokrati.ru/1h4p referred to /z5.gryzi.org/1737/*.jar

bypasses FF redirection protection, noScript may save you from a drive-by infection

Last edited by vtol : October 29th, 2010 at 02:10 PM.
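The sample in this thread is a J2ME MIDlet JAR of a TrojanSMS family, and a JAR is just a ZIP archive. The following is an added triage helper, not code from the thread or from ESET: it unpacks a MIDlet JAR, parses META-INF/MANIFEST.MF (folding the continuation lines the manifest format allows), and reports whether the MIDlet declares SMS permissions and which classes reference the wireless messaging API. The JAR it inspects is constructed in memory with placeholder class bodies so the script runs offline.

```python
import io
import zipfile

# MIDP 2.0 permission names that let a MIDlet send SMS (premium-rate abuse
# is what a TrojanSMS family is about).
SMS_PERMISSIONS = {
    "javax.microedition.io.Connector.sms",
    "javax.wireless.messaging.sms.send",
}
# Class files that use the messaging API carry this string in their constant pool.
SMS_API_MARKER = b"javax/wireless/messaging/MessageConnection"

# Constructed sample manifest (not from any real sample). Note the
# continuation line starting with a space, which the manifest format permits.
MANIFEST = (
    "Manifest-Version: 1.0\r\n"
    "MIDlet-Name: FreeGame\r\n"
    "MIDlet-Vendor: unknown\r\n"
    "MIDlet-Version: 1.0\r\n"
    "MIDlet-1: FreeGame, /icon.png, Game\r\n"
    "MicroEdition-Profile: MIDP-2.0\r\n"
    "MicroEdition-Configuration: CLDC-1.1\r\n"
    "MIDlet-Permissions: javax.microedition.io.Connector.sms,\r\n"
    " javax.wireless.messaging.sms.send\r\n"
)


def parse_manifest(text):
    """Parse a JAR manifest into a dict, folding ' '-prefixed continuation lines."""
    attrs, last = {}, None
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith(" ") and last:
            attrs[last] += line[1:]          # continuation of the previous attribute
            continue
        key, _, value = line.partition(":")
        last = key.strip()
        attrs[last] = value.strip()
    return attrs


def triage_midlet(jar_bytes):
    """Return the MIDlet name and a list of SMS-related findings for a JAR."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        manifest = parse_manifest(jar.read("META-INF/MANIFEST.MF").decode("utf-8", "replace"))
        declared = {p.strip() for p in manifest.get("MIDlet-Permissions", "").split(",") if p.strip()}
        sms_perms = sorted(declared & SMS_PERMISSIONS)
        if sms_perms:
            findings.append("declares SMS permissions: " + ", ".join(sms_perms))
        for name in jar.namelist():                 # scan every class for the API reference
            if name.endswith(".class") and SMS_API_MARKER in jar.read(name):
                findings.append(name + " references the wireless messaging API")
    return {"midlet": manifest.get("MIDlet-Name"), "findings": findings}


def build_sample_jar():
    """Build the constructed demo JAR; class bodies are placeholders, not real bytecode."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        jar.writestr("META-INF/MANIFEST.MF", MANIFEST)
        jar.writestr("Game.class", b"\xca\xfe\xba\xbe" + SMS_API_MARKER + b"\x00")
        jar.writestr("Util.class", b"\xca\xfe\xba\xbe" + b"java/lang/Object" + b"\x00")
    return buf.getvalue()
```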
#2  October 29th, 2010, 02:14 PM
Marcos (Eset Moderator; Join Date: Nov 2002; Posts: 14,192)
Re: variant of J2ME/TrojanSMS.Konov.L trojan not captured through http scanning

Please make sure you didn't run a scan without cleaning. Jar files are archives so you must be offered action selection after a scan completes. ICQ doesn't communicate via http, hence the web scanner didn't detect it in the first place.
#3  October 29th, 2010, 02:21 PM
vtol (Frequent Poster; Join Date: Apr 2010; Location: just around the next corner; Posts: 774)
Re: variant of J2ME/TrojanSMS.Konov.L trojan not captured through http scanning

put the link from ICQ into sandboxed FF 4 with javascript off, then downloaded the file into sandboxed location and ran on demand scan. during the download in FF NOD did not detect it.

that is what the on demand scan ended with, no offer to clean or quarantine or anything...

[Attached screenshot: 29-10-2010 20-25-16.jpg]

just realized that FF was excluded from http scanning due to the incompatibility between NOD https scanner and FF. Repeated the same with Safari and NOD caught the bugger during the download... ...my bad. On the other hand users of FF who would have excluded the browser from http scanning for the same reason would be unprotected then. there should be an option to exclude https scanning only if an application is incompatible with NOD and not to have to exclude such application entirely from protocol filtering

Last edited by vtol : October 29th, 2010 at 02:56 PM.
#4  October 29th, 2010, 02:38 PM
Marcos (Eset Moderator; Join Date: Nov 2002; Posts: 14,192)
Re: variant of J2ME/TrojanSMS.Konov.L trojan not captured through http scanning

If you ran the scan from within the context menu, make sure you selected "Clean with ESET NOD32 Antivirus" and not "Scan with ESET NOD32 Antivirus".

If you ran a custom scan from within the main program panel, make sure the "Scan without cleaning" check box is unticked before clicking the Scan button.
#5  October 29th, 2010, 02:55 PM
vtol (Frequent Poster; Join Date: Apr 2010; Location: just around the next corner; Posts: 774)
Re: variant of J2ME/TrojanSMS.Konov.L trojan not captured through http scanning

from the context menu, it is either A or B, and I chose A with the result shown above but no offer to clean or quarantine

[Attached screenshot: 29-10-2010 20-50-24.jpg]
#6  October 30th, 2010, 03:09 AM
toxinon12345 (Very Frequent Poster; Join Date: Sep 2010; Location: Managua, Nicaragua; Posts: 1,134)
Re: variant of J2ME/TrojanSMS.Konov.L trojan not captured through http scanning

The first option (A) is for diagnostic purposes
The other option (B) is for cleaning

Use B
#7  October 30th, 2010, 05:28 AM
vtol (Frequent Poster; Join Date: Apr 2010; Location: just around the next corner; Posts: 774)
Re: variant of J2ME/TrojanSMS.Konov.L trojan not captured through http scanning

that is obvious. the logic of an AV is supposedly to offer clean/quarantine when detecting something malicious like that during a manually invoked scan
#8  October 30th, 2010, 06:23 AM
Marcos (Eset Moderator; Join Date: Nov 2002; Posts: 14,192)
Re: variant of J2ME/TrojanSMS.Konov.L trojan not captured through http scanning

Not everyone wants to remove found threats automatically during a scan. For this purpose, there are two options - "Scan with ESET..." serves to scan files without carrying out any action while "Clean files" enables cleaning/removing during a scan. The context menu can be customized so you can reverse the order of the options or completely remove some if you mind.
#9  October 30th, 2010, 06:43 AM
vtol (Frequent Poster; Join Date: Apr 2010; Location: just around the next corner; Posts: 774)
Re: variant of J2ME/TrojanSMS.Konov.L trojan not captured through http scanning

Quote:
Originally Posted by Marcos
Not everyone wants to remove found threats automatically during a scan.
did not mention that, it is more like popping up a window offering a choice when threats are recognized during a manual scan - options to clean or quarantine or ignore once or white-list permanently plus submit for analysis. that would easily serve those who do not wish to clean or quarantine as well as those wanting to get rid of a bugger.

how much code is that to achieve, will it bloat NOD or make it incompatible or reduce functionality? probably not, as most of it is coded into NOD already related to ThreatSense.

as it stands right now, user has to close the scan window, go back to explorer, right click again to pop up that menu, which easily could result in a left click and thus execution of a file, and choose one from B.

afaik most of the other mainstream AV do offer a choice when detecting a threat during a manual scan, asking the user how the AV is supposed to handle the threat.
#10  October 30th, 2010, 06:54 AM
Marcos (Eset Moderator; Join Date: Nov 2002; Posts: 14,192)
Re: variant of J2ME/TrojanSMS.Konov.L trojan not captured through http scanning

You can achieve that by editing the context menu scan profile and setting the cleaning level to none. At the end of a scan you will be prompted to select an action for each of the detected files.
#11  October 30th, 2010, 07:24 AM
vtol (Frequent Poster; Join Date: Apr 2010; Location: just around the next corner; Posts: 774)
Re: variant of J2ME/TrojanSMS.Konov.L trojan not captured through http scanning

good to know that it is there, just extremely hard to find and to know what is actually achieved by each preset profile as the NOD help does not offer much insight.

Quote:
Originally Posted by NOD Help
Scan profiles
The preferred computer scan parameters can be saved to profiles. The advantage of creating scan profiles is that they can be used regularly for scanning in the future. We recommend that you create as many profiles (with various scan targets, scan methods and other parameters) as the user regularly uses.

To create a new profile that can be used repeatedly for future scans, navigate to Advanced setup (F5) > On-demand computer scan. Click the Profiles... button on the right to display the list of existing scan profiles and the option to create a new one. The following ThreatSense engine parameters setup describe each parameter of the scan setup. This will help you create a scan profile to fit your needs.

Example:
Suppose that you want to create your own scan profile and the configuration assigned to the profile “Smart Scan” is partially suitable. But you don’t want to scan runtime packers or potentially unsafe applications and you also want to apply strict cleaning. From the Configuration profiles window, click the Add button and then select the "Smart Scan" profile from the copy settings from the profile drop-down menu. Then adjust the remaining parameters to meet your requirements.

what are the differences between the 3 preset profiles context menu scan, in-depth scan and smart scan? I doubt that there is any with regard to what the user is presented upon the detection of a threat from a manual scan, the profiles differ only in targets and scan methods, which can be altered to the user's liking. however for the user notification/intervention the cleaning level seems to be relevant. in each profile there is the same choice of 3 cleaning levels, all of them stating 'may be displayed' - so who is to decide whether it may or may not?

[Attached screenshot: 30-10-2010 13-45-07.png]

and in this case the cleaning level was set to 1 (slider in the middle), which, as far as was said, should have attempted an automatic clean or delete, but it did not - just did nothing - Note for Marcos - could be a bug in the exe/dll DEV builds

Last edited by vtol : October 30th, 2010 at 08:21 AM.
#12  November 1st, 2010, 07:41 AM
Marcos (Eset Moderator; Join Date: Nov 2002; Posts: 14,192)
Re: variant of J2ME/TrojanSMS.Konov.L trojan not captured through http scanning

Quote:
Originally Posted by vtol
what are the differences between the 3 preset profiles context menu scan, in-depth scan and smart scan?
Context menu scan - a scan run via the right-click context menu. There are two options in the context menu related to scanning by default: "Scan with %ProductName%" and "Advanced options -> Clean files". While the former merely triggers a scan without taking any action if malware is found, the latter triggers cleaning according to the cleaning mode set for the context menu profile.
The order of the scan / clean option as well as their appearance in the context menu can be customized in the main setup -> User interface -> Context menu.
As for the problem with not getting a prompt window when cleaning the archive in question after selecting "Clean files" from the context menu, I'm yet to reproduce it with the module on the pre-release servers which is responsible for deciding about actions on infected files.

In-depth scan - a scan of all drives with all settings enabled. The settings can be altered but not saved to retain the purpose of that profile.

Smart scan - a scan of all drives with settings pre-defined by the vendor or later altered by the user.

As for various cleaning levels, "None cleaning" means that the user will be prompted for an action at the end of a scan if threats are found. "Standard cleaning" (the middle slider position) cleans/deletes files automatically unless they fulfill certain conditions when the program cannot decide itself if it's safe to delete a file (e.g. if it's a system file infected with a virus or an archive containing clean files besides an infected file). "Strict cleaning" should delete archives also containing clean files without prompting the user.

Last edited by Marcos : November 1st, 2010 at 07:47 AM.
#13  November 1st, 2010, 12:06 PM
tipo (Frequent Poster; Join Date: Dec 2008; Location: romania; Posts: 403)
Re: variant of J2ME/TrojanSMS.Konov.L trojan not captured through http scanning

Quote:
Originally Posted by vtol
the urls might need to be blocked too. submitted to Eset for analysis through build-in submitter. on demand scan detects it but does not move it into quarantine.

link distributed via ICQ

variant of J2ME/TrojanSMS.Konov.L trojan

/sokrati.ru/1h4p referred to /z5.gryzi.org/1737/*.jar

bypasses FF redirection protection, noScript may save you from a drive-by infection
that's why you should think of a different approach in your PC security....
__________________
switching from one AV to another very often
Rollback RX
On demand: HitMan Pro
#14  November 1st, 2010, 12:57 PM
vtol (Frequent Poster; Join Date: Apr 2010; Location: just around the next corner; Posts: 774)
Re: variant of J2ME/TrojanSMS.Konov.L trojan not captured through http scanning

your point being after reading the entire thread?