Wilders Security Forums  

Go Back   Wilders Security Forums > Official ESET Support Forum > ESET Home Users Products Forum > ESET NOD32 Antivirus
  #1  
Old February 16th, 2010, 08:46 AM
Roman Rashevskiy
Former Poster
 
Join Date: Jan 2010
Location: Russia
Posts: 13
Disinfecting of Sality.

Hello!

My name is Roman Rashevskiy, I am from Russia. I use Eset Antivirus NOD32, version 4.0.474.
I have infected my computer with Sality; I want to check Eset's disinfection of this malware sample.
Eset deleted all files (including "good" files, e.g. documents, program files etc.) which were infected with Sality. I think this is not good, because Eset can delete very important user files, while other vendors can clean "good" files and cure an infected computer.


--
Best regards,
Roman Rashevskiy.

Last edited by Roman Rashevskiy : February 16th, 2010 at 08:56 AM.
  #2  
Old February 16th, 2010, 08:56 AM
nikanthpromod
Very Frequent Poster
 
Join Date: Oct 2009
Location: India
Posts: 1,368
Re: Disinfecting of Sality.

It's a polymorphic virus that targets executable files.

http://www.2-spyware.com/remove-sality.html

Once infected, it's hard to cure those viruses.
__________________
Windows 7 Home premium x64
WEBROOT Secure Anywhere Complete

  #3  
Old February 16th, 2010, 08:58 AM
nikanthpromod
Very Frequent Poster
 
Join Date: Oct 2009
Location: India
Posts: 1,368
Re: Disinfecting of Sality.

Once I was infected with Virut (a polymorphic virus).
It destroyed all my system files. My system crashed. Eset deleted those files but made my system unbootable.
__________________
Windows 7 Home premium x64
WEBROOT Secure Anywhere Complete

  #4  
Old February 16th, 2010, 08:59 AM
Marcos
Eset Moderator
 
Join Date: Nov 2002
Posts: 14,191
Re: Disinfecting of Sality.

It sounds like you infected your computer intentionally so you actually didn't lose any important data. I'd suggest submitting a couple of such files to ESET per the instructions here.

Infected files that cannot be cleaned are NEVER deleted automatically, however, the user can choose to delete them if he's sure the files are not that important or that they can be replaced with a clean copy easily. At any rate, the original files are always stored in quarantine so it's possible to revert to them at a later time, if necessary.

If the entire infected file consists only of the virus itself, it's deleted automatically.
  #5  
Old February 16th, 2010, 09:02 AM
Roman Rashevskiy
Former Poster
 
Join Date: Jan 2010
Location: Russia
Posts: 13
Re: Disinfecting of Sality.

Quote:
Originally Posted by nikanthpromod
It's a polymorphic virus that targets executable files.

http://www.2-spyware.com/remove-sality.html

Once infected, it's hard to cure those viruses.
I know what it is. I am a malware researcher.
But thank you for your help.

I want to tell you that other vendors have implemented a special cure procedure in their products, and their products don't delete users' files but cure them, i.e. delete the "body" of the virus from legitimate files (user's files, system files etc.). But Eset's products just delete the files with the virus, and that is very bad...

Last edited by Roman Rashevskiy : February 16th, 2010 at 09:11 AM.
  #6  
Old February 16th, 2010, 09:05 AM
Roman Rashevskiy
Former Poster
 
Join Date: Jan 2010
Location: Russia
Posts: 13
Re: Disinfecting of Sality.

Quote:
Originally Posted by Marcos
It sounds like you infected your computer intentionally so you actually didn't lose any important data.
Yes, you understand me.

Quote:
Originally Posted by Marcos
Infected files that cannot be cleaned are NEVER deleted automatically, however, the user can choose to delete them if he's sure the files are not that important or that they can be replaced with a clean copy easily. At any rate, the original files are always stored in quarantine so it's possible to revert to them at a later time, if necessary.
But Eset's products deleted files which can be cleaned (other products can clean these files, and these files do not consist only of the "body" of the virus).

Quote:
Originally Posted by Marcos
If the entire infected file consists only of the virus itself, it's deleted automatically.
But users' files do not consist only of the "body" of the virus; they contain some important user information.


P.S. If you do not mind, I would like to discuss this problem with you in Personal Messages or Skype.

Last edited by Roman Rashevskiy : February 16th, 2010 at 09:21 AM.
  #7  
Old February 16th, 2010, 09:09 AM
nikanthpromod
Very Frequent Poster
 
Join Date: Oct 2009
Location: India
Posts: 1,368
Re: Disinfecting of Sality.

Discuss here. That will help us too.
__________________
Windows 7 Home premium x64
WEBROOT Secure Anywhere Complete

  #8  
Old February 16th, 2010, 09:25 AM
Marcos
Eset Moderator
 
Join Date: Nov 2002
Posts: 14,191
Re: Disinfecting of Sality.

Quote:
Originally Posted by Roman Rashevskiy
But Eset's products deleted files which can be cleaned (other products can clean these files, and these files do not consist only of the "body" of the virus).

Are you saying that a backup copy of the original file was not put in quarantine before cleaning (deletion) took place?


Quote:
But users' files do not consist only of the "body" of the virus; they contain some important user information.
Are you saying that these files were deleted automatically with standard cleaning mode (default setting) and you were not prompted for an action at all?

Could you submit the files to ESET as I instructed you before so that we can take a look at them to see if they actually also contain usable code (the previously clean file) and whether cleaning of the files actually fails? Even if cleaning was not possible for whatever reason, such files should not be deleted automatically by EAV / ESS.
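The remediation policy Marcos lays out in posts #4 and #8 (keep the original in quarantine before anything is modified, delete automatically only when the whole file is the virus body, and otherwise clean or prompt rather than delete) can be modelled as a small decision routine. The Python below is an added example, not ESET's code and not a real infector or detection: the HOST_HEADER, the MARKER "signature" and the appended-body file layout are all constructed stand-ins so the policy can be exercised offline.

```python
"""Toy model of the remediation policy discussed in this thread.
Constructed example, not ESET code: the host header, the infection
marker and the file contents are all made up for illustration."""
import hashlib
from dataclasses import dataclass, field
from typing import Callable, Dict, Optional, Tuple

HOST_HEADER = b"HOST"              # stand-in for a valid executable header
MARKER = b"<<TOY-INFECTOR-BODY>>"  # stand-in for a detection signature


@dataclass
class Quarantine:
    """Keeps the original bytes of every file before it is modified."""
    entries: Dict[str, bytes] = field(default_factory=dict)

    def store(self, data: bytes) -> str:
        digest = hashlib.sha256(data).hexdigest()
        self.entries[digest] = data
        return digest

    def restore(self, digest: str) -> bytes:
        return self.entries[digest]


def detect(data: bytes) -> bool:
    """Detection: the constructed marker appears anywhere in the file."""
    return MARKER in data


def try_clean(data: bytes) -> Optional[bytes]:
    """Strip the appended body. Returns None when the bytes before the
    marker are not a recoverable host (e.g. the header was overwritten)."""
    idx = data.find(MARKER)
    host = data[:idx]
    if not host.startswith(HOST_HEADER):
        return None
    return host


def remediate(data: bytes, quarantine: Quarantine,
              prompt: Callable[[str], str]) -> Tuple[str, Optional[bytes]]:
    """Return (action, resulting file bytes, or None if the file is gone)."""
    if not detect(data):
        return ("not-infected", data)
    # Always keep the original so the action can be reverted later.
    digest = quarantine.store(data)
    if data.startswith(MARKER):
        # The file consists only of the virus body: nothing to preserve.
        return ("deleted", None)
    cleaned = try_clean(data)
    if cleaned is not None:
        return ("cleaned", cleaned)
    # Cleaning failed: never delete automatically, ask the user instead.
    if prompt(digest) == "delete":
        return ("deleted-by-user", None)
    return ("skipped", data)


def decline(digest: str) -> str:
    """A user who answers the prompt with 'skip this file'."""
    return "skip"


def run_demo() -> Dict[str, str]:
    """Run four constructed cases and return the chosen action per case."""
    quarantine = Quarantine()
    cases = {
        "clean": HOST_HEADER + b"user data",
        "appended": HOST_HEADER + b"user data" + MARKER + b"body",
        "body-only": MARKER + b"body",
        "overwritten": b"XXXX" + MARKER + b"body",
    }
    return {name: remediate(data, quarantine, decline)[0]
            for name, data in cases.items()}


if __name__ == "__main__":
    for name, action in run_demo().items():
        print(f"{name:12s} -> {action}")
```

The "overwritten" case is the one the thread is really about: a file where the original host cannot be reconstructed. Under this policy it is never deleted silently; the original is already in quarantine, the user is asked, and declining leaves the file in place for later analysis or replacement from a clean copy.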
  #9  
Old February 16th, 2010, 09:48 AM
Roman Rashevskiy
Former Poster
 
Join Date: Jan 2010
Location: Russia
Posts: 13
Re: Disinfecting of Sality.

Quote:
Originally Posted by Marcos
Are you saying that a backup copy of the original file was not put in quarantine before cleaning (deletion) took place?
No. Eset put a backup copy of the files in the Quarantine module.

Quote:
Originally Posted by Marcos
Are you saying that these files were deleted automatically with standard cleaning mode (default setting) and you were not prompted for an action at all?
On my computer I set "Advanced disinfection", and in this mode Eset deletes all files without asking me. But in standard mode Eset asks me, though I can choose only 2 options in the dialog box: Delete and "Skip this file".

Quote:
Originally Posted by Marcos
Could you submit the files to ESET as I instructed you before so that we can take a look at them to see if they actually also contain usable code (the previously clean file) and whether cleaning of the files actually fails? Even if cleaning was not possible for whatever reason, such files should not be deleted automatically by EAV / ESS.
OK, no problem.
How can I submit files?

P.S. What can you say about curing TDL3?
P.P.S. Every day I analyse a lot of malware samples which ESET's products do not detect, but submitting all these samples to ESET through the standard file submission form is very inconvenient for me. How can I submit files directly to malware analysts?
  #10  
Old February 17th, 2010, 01:34 AM
Marcos
Eset Moderator
 
Join Date: Nov 2002
Posts: 14,191
Re: Disinfecting of Sality.

Please submit a couple of files that cannot be cleaned to ESET per the instructions here with this thread's url in the subject.

As for the TDS3 rootkit, we most likely detect it as Olmarik/Kryptik. I barely see files undetected by all protection layers that ESET uses. However, if you come across one feel free to submit it for perusal.
  #11  
Old February 17th, 2010, 05:44 AM
Roman Rashevskiy
Former Poster
 
Join Date: Jan 2010
Location: Russia
Posts: 13
Re: Disinfecting of Sality.

Quote:
Originally Posted by Marcos
Please submit a couple of files that cannot be cleaned to ESET per the instructions here with this thread's url in the subject.
OK.

Quote:
Originally Posted by Marcos
As for the TDS3 rootkit, we most likely detect it as Olmarik/Kryptik. I barely see files undetected by all protection layers that ESET uses. However, if you come across one feel free to submit it for perusal.
But ESET's products can't remove these threats from the computer if the computer was infected before ESET was installed.
In my question I meant: "When will ESET's products be able to remove an active TDL3 from the computer?"

Quote:
Originally Posted by Marcos
However, if you come across one feel free to submit it for perusal.
OK.
  #12  
Old February 19th, 2010, 09:35 AM
Marcos
Eset Moderator
 
Join Date: Nov 2002
Posts: 14,191
Re: Disinfecting of Sality.

In order to keep discussion on the thread subject and to allow others to participate in the ongoing discussion about the Olmarik/TDL3 rootkit, we've split the thread and created a new one dealing with Olmarik/TDL3. Please continue discussing it here.