#1
and what's worse, some of them are listed in the NOD32 virus database, for example Win32/TrojanDownloader.Agent.FK.

NOD32 v25.51.8 + MS AntiSpyware are active, up-to-date and MAX configured (for NOD32, same as BlackSpear recommends). This is what happened:

- added HDD from my customer with intention to disinfect it and backup data
- scanned with NOD32 whole disk and it found 155 infected files
- scanned it w/MS Anti... and it found couple more trojans and spyware

Then, as I found out that disk is/was full of viruses, I decided that it was great opportunity to test NOD32's reliability. So I've run Online BitDefender scan - and guess what - it found 8 more real viruses/trojans - not some 3rd grade malware!

I'll continue to use for myself and to recommend to others NOD32, so this is not some kind of act of rage or bad advertising but more of a move to try to help Eset developers improve NOD32. So I'm not going to make any fast conclusions, but I'll wait for reactions from experienced members of this forum.
#2
How many samples of those detected by NOD32 were actually detected by BitDefender? Also, I noticed there are some joke programs in the log. I suggest to refrain from creating another flame that one AV is better than another and vice-versa. It's a matter of fact that no AV will detect all 100% of malware in the world.
#3
As an added sidenote... you should disable System Restore on infected XP systems before attempting to clean.
__________________
Guinness for Strength!
#4
I wonder how many NOD would have found if BitDefender had been run first?
Probably a lot more than 6
#5
Quote:
As I said, scanned disk is secondary and it had Win9x on it. Believe me, I do that on every XP machine I service. My rig is, for years now, clear of any kind of malware, except if I intentionally let it get inside (for testing purposes).
#6
Quote:
And why wouldn't even those 6-8 viruses and 20-30 files they infiltrated be cleaned by NOD? My intention was to, possibly, help in improving NOD's detection... nothing more.
#7
Please keep any flame type comments out of this thread, no matter which product they are directed at. Any further such comments will be removed. As Marcos already stated, NO AV is perfect ...

Let's keep on the topic, detection and disinfection/removal and any failures to do so in this instance.

Regards;
Steve
#8
Quote:
As I said before, I have no intentions of flaming anything or anybody. It's true that it's not perfect, BUT why not try to improve it? Is this thread unwanted?
#9
|
||||
|
||||
|
Quote:
Good to hear Quote:
Be assured all security softwares are doing their upmost to improve. Quote:
As long as it stays on topic, civilized: not at all. In case trolling etc. happens: we'll - say - "interfere" regards, paul |
|
#10
|
|||
|
|||
|
Quote:
My intent wasn't to discourage you in any way. You haven't done anything wrong. ![]() and Yes, everyone is always interested in product improvement. ![]() Regards; Steve |
|
#11
tnx Paul Wilders and dog.
#12
I guess it is unfortunate that those files were deleted, since now there is no way to submit them to Eset for analysis. Well, let me rephrase that. Unfortunate from the point of view of analyzing these files and getting some sort of verdict on them (broken virus files? something that needs to be added to NOD32's definitions?). Fortunate from the point of view of getting them off the computer!
#13
Quote:
That's my thought too. Too bad.
#14
|
||||
|
||||
|
Quote:
Bolded by me: that's a pitty indeed. Thus, we'll never know, will we? Let's move on and keep away from turning this thread into a "comparison" thread. We do have a separate forum for that: "other antiviruses" regards, paul |
|
#15
|
|||
|
|||
|
Quote:
BitDefender scan was done AFTER NOD32 scanned/cleaned that whole drive. so it found what first didn't. and what it found doesnt seem like unimportant malware. this one for example (found by BD in file mibxub.dll):: http://www.viruslist.com/en/viruses/...?virusid=66410 or one found in winsync.exe and mc104[1].exe (as shown in scan log) http://www.sophos.com/virusinfo/anal...jmancsyna.html i don't know, there is a chance that all theese were broken, but...who knows. there were no bad sectors, i did chkdsk and there were no file structure or any other errors, NAV was installed but we all know how NAV is efficient ... so i'm not sure WHY would theese files become "broken"? it probably happens sometime, but when and why?i'm confused about what to think right now. and it's time for bed hehe. but i will apreciate constructive answers ![]() |
|
#16
|
||||
|
||||
|
Quote:
That has been and still is the issue, since there's no way anymore to verify all this. For that reason there simply isn't an answer to "constructive answers". No samples left > no way to verify. It's as simple as that. Instead of guessing in the dark - since in the end that's all we can do - sleep well . There's novalid answer to questions in this particular case anymore. We'll have to live with that. regards. paul |
|
#17
|
|||
|
|||
|
Quote:
well maybe there is light in the dark hehe ie some files were sent to Eset for analasys as shown in pic. Threat Sense must be very helpful in this kind of situations. if only there was file size info in that BD scanlog, maybe i could connect those A00819xx (they are still in quarantine also) with winsync.exe, mc104[1].exe and other files in BD log so i would be happy that those b*stards were delivered to right adress ![]() |
|
#18
|
||||
|
||||
|
Quote:
Threat Sense is indeed a very useful feature. The files in question will be analyzed for sure Quote:
Well, that's water under the bridge, isn't it? Eset will act if necessary - and that's all there's to it. No more guessing in the dark - it's of no use in any way. Sleep well .regards, paul |
|
#19
|
|||
|
|||
|
Quote:
You wouldn't be able to match files by sizes either, windows compresses the files in the System restore folders, windows also renamed them, Nod doesn't generate random numbers when it quarantines files. Nod changes the extension, not the file name. |
|
#20
|
||||
|
||||
|
Quote:
Cheers ![]()
__________________
"Illegitimis non carborundum"
translation: "Don't let the bastards grind you down" U.S. General Joseph W. "Vinegar Joe" Stilwell (1883-1946) Two Photographers |
|
#21
|
|||
|
|||
|
Quote:
in this case, however, it's not the whole system that was infected(it's my main work/home rig) but just that hd that I added to clean it, backup data and repartition it for clean XP install. those viruses didn't infect my system because NOD32 AMON is running all the time. |
|
#22
|
|||
|
|||
|
Hi k!b¤
I find this a interesting thread... and it reminds me of an evaluation/test report I read in a computer magazine recently (but I cant find it anymore). It looked for the best possible combination AV / Trojan scanners. For freeware AVG/Ms AS came out first, for paid versions Nod32 / Ewido came out first. Both categories together Nod32+Ewido was clearly the winner. It would be intersting if someone could redo these tests and see if conclusions of the article (I cannot find anymore) were right. Ciao Itsme Last edited by Itsme : January 18th, 2006 at 06:05 PM. |
|
#23
|
|||
|
|||
|
NOD and Eset are the same product, not a combination.
#24
|
|||
|
|||
|
Quote:
well, you know what - since they were in quarantine, I could have restored them to some location and stop AMON from deleting(or getting back to quarantine) them again. and then compare size. what nod32 is doing is (i suppose) exactly extracting them from Restore compressed files and then storing them in it's quarantine format. BUT much bigger question is:: is majority(at least) of potential/unknown viral files AT ALL DETECTED by Advanced Heuristics? Here enters ThreatSense storry. AFAIK It's efficiency is DIRECTLY dependant of Advanced Heuristics's 'intelligence' in recognising unknown threats. so, let's say in this perticular case, could it be that some of threats in that drive were not detected, and as a consecvence, didn't get to Eset Threat Sense 'inbox' ? (it's too too bad that I configured that BD online scanner to delete files if it can't disinfect dhem )my question is: HOW MUCH is Eset relying on ThreatSense (and Advanced Heuristics 'sixth sense' ) lately in searching/finding new threats (and including them in threat/virus Signature database?tnx for answers. |
|
#25
|
|||
|
|||
|
Eset's Threatsense helps dramatically, I think the majority of users now submit AH detections because it is easier, right click and hit submit, you don't have to create an email, look for the address if you don't know it, attach the file, compress it and password protect it, the process alone used to discourage people, now they are getting much more files submitted which helps in a few ways, it helps identify true malware and get a definition added and helps with false positives in getting them analyzed as to why AH is picking up on them and fixing it so users put up with less false positives. I would reverse your suggestion and say AH's intelligence comes from Threatsense, it allows Eset to fine tune AH to better detect malware while reducing fasle positives. in the last week or so there were 2 updates to AH, those could have come from analyzing files submitted from users.
Yes you could have restored the files but the way sys restore works it would have been difficult to track down which files were the problem, you could have set NOD to report only and rescanned, that would have found them, sys restore compresses and renames all files in a sequential numerical format, so the name of the file in the System Volume Information folder has absolutely nothing to do with it's original name. It has more to do with when it was placed into the folder than the name of the file. |