Why is the NOD32 Virus Definitions support so scrappy?

I have recently ditched Nortons in favour of NOD32 which appears to be a considerably superior product in many regards, but then I find it is missing the basic housekeeping and support capability that is absolutely essential to this style of product. Am I missing something blindingly obvious? The problem unfolds like this:

1) Ask eset about some virus reports that turned up on a scan of my pc but weren't in the database. Their answer was "ask Australia" (where I am).

2) Ask Oz - the very polite answer is look in the database again and then look again again then come here, so now I'm here.

3) Searches here tell me nothing constructive about my problem, fair enough you get that!

This is the essence of the email chain that defines the problem, can anybody here give me a couple of pointers about what to do, thank you:

Vince: I am a little puzzled why the threats database seems to be so incomplete. a scan shows up threats like Win32/AdInstaller, Win32/TrojanDownloader.Small.EDB and Win32/Bifrose.NAM, and some I click don't have a page (like Win32/TrojanDownloader.Small.ZL). Yet a search shows them up as released threats. Surely any threat in the definitions update should be in the threats encyclopoaedia, even if it is just to say not documented yet - I don't know why these wouldn't come from the same master database?

~ Snip ~ Private email correspondence removed for a second time ~ Blackspear.

(Vince: and so it is, but it doesn't answer the q!)

 

Hi VinceS, welcome to Wilders.

Private email correspondence can not be posted.

Please refrain from doing so in the future.

Blackspear.

 

No, only important definitions are written about and only when and where time permits.

ESET's main function is to protect the computers of their customers, where possible they will also try educate them after this.

Cheers

 

Streuth Blackspear, I got a post error and re-posted, I am not trying to cause a problem - I didn't know what was going on (and frankly still don't). I would also note that everything in the so-called "private email" is solidly in the public domain, nor was there anything untoward or embarrassing in the content, just a non-answer. Possibly this means that the true question is not going to be able to be answered huh?

On the off chance that somebody else can give a more helpful response I shall put back the clipped but necessary support details I originally provided to ask the q hopefully without causing further annoyance:

Each of Win32/AdInstaller, Win32/TrojanDownloader.Small.EDB and Win32/Bifrose.NAM showed up in the scan results and I was trying to find out what they might mean. These must have been in my system for a while. The first one is in the current update to Nero and I am suspecting it is OK. The others showed up in .exe files that I KNOW I have run, but I was not requested to take any other action than delete the specific files. There were a bunch of reports in the scan log of password locked files and other inaccessible ones that obviously weren't checked, maybe they are bits of a virus - I certainly don't make a habit of password protecting files and doubt if I have put any there apart from issued .pdfs which is not what was being complained about.

I have been noticing some odd PC performance issues and used a battery of things like CCleaner, TUT, OutlookSpy, NOD32 trial (since I am sick to death of the rubbish that is Nortons) and some other things I don't remember at this moment. I uninstalled my somewhat out of date Norton and put NOD32 on as a trial thinking I will convert to that - but unless I get much more helpful info I will not be proceeding beyond the trial, which is a pity as the minimalist impact aspect of NOD32 is quite attractive - but it must work for a regular pleb like ME, not just some anti-virus expert type! However I have never clicked on a link / attachment in an email where I am not absolutely sure of the sender and I have pretty good housekeeping set up on this single user xp sp2 pc.

So, can I get real info for my current virus reports or not? What about in the future? Thanks.

 

So maybe that means there is nothing to worry about? I am not looking for education per sé, but appropriate actions that follow on from the discovery of a threat. At the moment I could hardly say that I am comfortable that an appropriate response has been implemented.

I still have issues with the PC, very plainly they could be none virus related, and indeed are likely to be. But I just want a secure reliable anti virus package operating - and when I do a bunch of my friends will likely take the same action as that's how it is. All I know for sure is it ain't Nortons!

 

Still digesting all of what you have written but will at least provide an FAQ link concerning the [4] Locked Files portion of your log.

From the Nod32 Forum FAQ:

Bubba

 

It depends upon what actions you have taken when NOD32 has detected the threat.

I would suggest a run through THIS THREAD and then a rescan of your system twice with the On Demand Scanner.

Let us know how you go...

Cheers

 

Just posting some feedback while it is fresh in my mind, I have not yet completed the allotted tasks but am doing it precisely as requested - have only got through one scan at present - will reboot soon and run again later. Comments are:

1) For a reason/s I do not currently understand I had 345 entries in the screen which needed them to be changed from compatible to efficient. That is 23 pages at 15 lines each and it took a long time to get through them all. I think this needs a "select all" type of option. Perish the thought that I will find some valid reason for this and have to go and change a lot of them back...? The file listings were mostly quite bizarre formats and I could see no good reason for most of them to exist, but I'll worry about that later too!

2) The procedure given basically says to go do a command line scan, which works of course but it is not clear and would seem to be not desirable to take this approach in the longer term, when it SEEMS that the control panel settings version is doing the same thing, possibly the command line run is using the control panel settings? I am not clear on this and would have to go read a fair bit more to "get it". Considering how brilliantly clear the rest of the instructions are it may not be much of an edit to explain this bit. I do doubt that the implied reason that the only reason you would use the control panel version is if multiple users exist and they might be of a mind to just shut a scan down for their own convenience. But like I said, I remain a little confused about this bit.

3) The Clean then delete with quarantine ticked in both scenarios has the undesirable outcome that you don't know what really happened when looking at files in quarantine. Are these ones that genuinely may be new variants that should be submitted to Eset, or would that just be burying them in so much more unnecessary crap since this is just a copy and the cleaned version persists. The confusion is added to by my understanding that often the word "cleaned" and "deleted" are interchangeable, so the lack of a new cleaned file does not really mean that there was any doubt by eset as to the correct action.

Obviously this is all off topic, but if these comments are of any use you will know what to do with them.

 

In answer to:

1. I have never seen 345 items in that list, ever. I have 34 items.

2. The Scheduled scan is designed like the rest of the Tutorial to automate the process, in this instance it is to run a "scheduled scan" at a set period, that being once a week.

The silent scan is designed for those in a multi-user environment where a visible scan might be turned off. A silent scan can not be stopped.

3. NOD32 will attempt to clean an infection, if it is unable to it will delete it. In either scenario the infection will be backed up to quarantine as a measure of safety for a period of 30 days, after which it will be discarded.

Cheers

 

Gents, I guess one of the key things that goes on in the world is that with understanding is the opportunity for improvement. I do not have the benefit of significant understanding in this area, consequently frustration is a close ally. However, I do get to stumble around in the real world and find stuff that is relevant, here is that enlightenment such as it is:

Question to Nero:
NOD32 reports the downloaded trial file is infected with the Win32/AdInstaller application and then deletes the file, therefore I can't use it!

~removed private e-mail per same reasons given above here....Bubba~

Well, it was certainly complete and informative, and sounds reasonable - you guys can decide about the substance but it seems NOD32 is still happy to reject it so I don't know about how good their communication is with the anti-virus developing community. And of course I still don't know what a variant of Win32/AdInstaller is anyway, not that this is so important really - but I should definitely be able to run safe software without having it whisked away to quarantine!

On the matter of the 345 entries, this is real. There are several things going on here, only one of which I now understand, however I still believe my original comment is highly valid. Despite totally uninstalling and then removing Nortons residuals I have found that the last 14 screens of these (ie ~210 entries) are a long alphmeric starting with yF5NxN9Q... then LUCOMS~1.EXE. These are apparently what you get when you don't renew your Nortons licence and Live Update continually tries to update itself daily, it looks like I didn't bother doing anything about keeping my virus protection up to date for 6 months or so eh? I would have to suspect it would not be uncommon for future NOD customers to rock up in this condition, you guys should expect and understand the implications of it.

Looking through the remaining 130 entries I see there is seemingly a lot of duplication or close to duplication. I can't sort this window or copy it to paste and thereby make it easier to diagnose / inform, except by making a bunch of screen dump .jpg's anyway. I can see software referenced in the list that I have long since (or even recently) uninstalled. Neither CCleaner or TUT have enabled me to fix these things - and I don't understand what the line items really mean anyway.

An example of the "why is it so" kind is that iexplore.exe is listed as a program run by about 20 different user agents, many of which I don't recognise but sound cocher. And on this PC I only use IE6! Just to rattle off the first handful of iexplore.exe agents they are contype; ISUA 4.50/wa; Microsoft-CryptoAPI/5.131.2600.2180; Mozilla/4.0; NSPlayer/(3 different version No's); OWAMIMECTL/1.0; QuickTimeWinInet;SCAgent; Shockwave Flash

Finally I have got my HP all-in-one printer working how it should, this is about nothing except HP's lousy software integration, much like Nortons after Pete let go of the reins after making all those neat little things like DS, SI, LP and whatever. But there are still little things broken around the edges of this PC and better things to do in life than bang yer head against fixing them if they ain't truly broke huh?

I think it is great to encourage, support and buy excellent products. It is great that NOD32 is really on the ball in the actual protection of the PC game, that is really important and is a solid basis from which customers will tolerate a little of the rough-around-the-edges stuff. However the world is full of people who expect more than is reasonable, until this sort of stuff hangs together better you will probably not see the success that I suspect you guys actually deserve! The bit about making the core piece work well is no small feat, but it needs the peripheral stuff to be a bit less cludgy. Sorry, I know how easy it is to complain, this is meant to be more about useful feedback than a good ol' whinge.

 

Hello VinceS,

Concerning the Private email correspondence removed from your latest post....Please see this post by a site owner in regards to the posting of Private email correspondence as it relates to our policy on such removals.

Please take a look at the below recent thread in regards to Nero and it's Ask toolbar.

This thread---> False positive Toolbar.exe ??

Regards,
Bubba

 

OK, Blue Zanetti has kindly taken a moment to privately explain what the go is with "private email". The reasoning is obvious when it is explained - which is much better than my previous (and private) interpretations of such auto-removal behaviour. Really, pasting is just being lazy, there is no drama summarizing and anon-amizing when there is a possibility (rather than necessarily the fact) of an unintended problem for an involuntary participant.

I have also come in the intervening period to realize that the response I got from Nero was a bald faced lie! So, I guess the individual was a bit vulnerable there. I went on to defeat the quarantining and run the thing anyway - and it wanted to install the Ask toolbar along with some other less obvious junk all of which I rejected.

Obviously the NOD quarantine delete of the setup file was purely related to the included Ask toolbar which is bound to have advertorial inclusions. However, the guts of what Nero had to say about this was "As part of the development of Nero 7, we are using innovative methods to display pictures and videos. Some of these methods were used for the first time in version 7.7.5.1 and adapted to Windows Vista.

As these methods were previously unknown to antivirus software manufacturers, this resulted in a virus warning being displayed in some antivirus software during the installation of Nero 7.7.5.1.

In the meantime, these methods have been examined by some manufacturers, have been classified as harmless, and the relevant updates of the virus definitions have been carried out. Once the antivirus software has been updated, virus warnings should no longer appear during the installation of Nero 7.7.5.1.

Warnings in spyware and malware which appeared while initially installing Nero should also no longer appear after updating the relevant software (e.g. Adaware, Spybot Search & Destroy)."

OK, I hope that is posted in an OK way. It shows that Nero may have successfully bludgeoned a couple of the popular ones into submission but not all have accepted their line re Ask. But I sure don't see where their answer has anything to do with the problem, I do believe I shall enquire further about that little porky!

However, there is the substance at the NOD side of it re what to do with this sort of thing, undoubtedly debated at length elsewhere here. Personally I would rather have a warning about this sort of stuff, but I'm not so nieve as to assume there wouldn't be a heck of a lot of tricky issues handling that correctly and reliably in protection oriented software. But the end result of not providing intelligent direction to an unknowing / uncertain user is that they either deprive themselves of the use of the software or they take a chance as I did that any problems can be headed off during installation or at worst Restored from - there are merits and traps to both arguments obviously!