New virus but Nod don't find it.

[guilijan]

I've done a full online scan with Kaspersky and it found in C:\archivos de programa\ESET\Cache\FND0.NFI a virus, Trojan-Proxy.win32.Horst.bl
After it I do a scan in http://virusscan.jotti.org/
and
Dr. Web found Trojan.Spambot
F-Prot found W32/Methodbod.gen
BitDefender found Trojan.Proxy.Horst.Q
Kaspersky found Trojan-Proxy.Win32.Horst.bl

Look where the file is.

I've send the file to Eset but no answer yet.

[Blackspear]

Hi guilijan, welcome to Wilders.

This Trojan is detected by NOD32 as Win32/TrojanProxy.Horst.BF

Please check your settings against those found in this thread and run a further scan.

Cheers

[Bubba]

Quote:

Originally Posted by guilijan

it found in C:\archivos de programa\ESET\Cache\FND0.NFI

false positive from KAV ?

http://www.wilderssecurity.com/showt...989#post772989

Quote:

Originally Posted by Marcos

It's definitely a false positive from KAV, nqi files only contain information about files stored in NOD32's quarantine

[Blackspear]

Quote:

Originally Posted by Bubba

false positive from KAV ?

http://www.wilderssecurity.com/showt...989#post772989

Nice catch Bubba

Cheers

[guilijan]

Hi thank for your answer, but Nod don't find it.
I do a scan with it and don't find.
Then after kaspersky scan and when it found it, i do a file scan with http://virusscan.jotti.org/ an it says Nod dont found nothing, as I know but say that Kav, DrWeb, F-Prot and Bit Defender found a trojan.
So I do a new file sacan with Nod (1.1647) and again don't found nothing.
I send the file to Eset but no answer yet so I don't know what to do with the file.

False positive from Kav?
And F-Prot
And DrWeb
And BitDefender

[Bubba]

Quote:

Originally Posted by guilijan

Hi thank for your answer, but Nod don't find it.

What is there for Nod to find since it is already in Nod's cache from a previous Nod find

[guilijan]

Bubba sorry but I don't undestand you.
Have I a trojan or not?
And most important, what to do with it?

Oh I remember that same days ago I used Kav 6.0.300, the last version.
So I set it not to start with WXP and install Nod to see how it works, and it found in Windows System this trojan (as I can remember it was smss.exe or something like that) Of course I delete it with nod an unistall Kav and now I'm using Nod.
So can it be that that file in cache are taht what I scan and delete?

[Bubba]

Quote:

Originally Posted by guilijan

Bubba sorry but I don't undestand you.
Have I a trojan or not?
And most important, what to do with it?

I suggest you visit the link I placed in my first post above and read the posts by Marcos concerning this where he states it is a False positive and also posts what you can do with it.

[Blackspear]

Quote:

Originally Posted by guilijan

Have I a trojan or not?

No you do NOT have a trojan at all.

Quote:

Originally Posted by guilijan

And most important, what to do with it?

Nothing, there is nothing wrong with that file, see the link Bubba posted.

Cheers

[guilijan]

Thanks for your advice.
I will dete it.
Sorry guys but I speak spanish and ther are some words that I don't know to say in english.

[Blackspear]

Quote:

Originally Posted by guilijan

Thanks for your advice.
I will dete it.
Sorry guys but I speak spanish and ther are some words that I don't know to say in english.

No worries.

Cheers

[ragnarok]

Quote:

Originally Posted by guilijan

Thanks for your advice.
I will dete it.
Sorry guys but I speak spanish and ther are some words that I don't know to say in english.

este tipo de archivos son, tal y como se señala en el vinculo dado por mr. bubba, informativos sobre virus/trojanos/etc que nod32 ha previamente neutralizado, asi es que no hay nada que hacer ahi, son falsos positivos para los demas antivirus que los detectan, (lo puedes revisar en tu vinculo de virusscan jotti, ya han sido reportados como tal).

[Marcos]

NQI files only contain information about files detected by NOD32 that are stored in NOD32's quarantine.

If an AV detects them, it's a serious FALSE POSITIVE as it does not contain anything malicious, just information about a particular file.

NOD32 detects all variants of TP.Horst by ThreatSense without update.

I'd suggest you check files at Virus Total (www.virustotal.com) which gives 100% correct results. Sometimes files uploaded to Jotti's scanner are shown as undetected though they actually are.

[Schouw]

Both in this thread and in the thread that is referred to the reports talk about NFI files, not NQI files Marcos.

NFI files are xored(encrypted) (malware)samples from nod's quarantine which KAV is able to unpack.

So, those detections from KAV are definitely not false positives.

[pykko]

Quote:

Originally Posted by guilijan

Thanks for your advice.
I will dete it.
Sorry guys but I speak spanish and ther are some words that I don't know to say in english.

your NOD32 previously detected this Trojan and put it into quarantine as a NFI file. No worries. You could leave it there or delete it. NOD32 protects you anyway against it.

[NOD32 user]

Quote:

Originally Posted by Schouw

Both in this thread and in the thread that is referred to the reports talk about NFI files, not NQI files Marcos.

NFI files are xored(encrypted) (malware)samples from nod's quarantine which KAV is able to unpack.

So, those detections from KAV are definitely not false positives.

Any detection of a NFI or NQI file from the NOD32 quarantine is a false positive.

If you do not want theses files kept in the NOD32 quarantine you are free to delete them.

A detection of an encrypted un-executable file is a serious false positive.

Cheers

[Schouw]

Quote:

Originally Posted by NOD32 user

Any detection of a NFI or NQI file from the NOD32 quarantine is a false positive.

Of course not. NQI yes, but not NFI. NFI files are simply encrypted versions of files.

Quote:

A detection of an encrypted un-executable file is a serious false positive.

But when you decrypt it, it's executable.
So it's not a false positive.

test.nfi packed PE-Crypt.XorPE
test.nfi infected Trojan-Proxy.Win32.Horst.bl

Perhaps it's time that someone gives me an AV expert tag.

[NOD32 user]

Quote:

Originally Posted by Schouw

Of course not. NQI yes, but not NFI. NFI files are simply encrypted versions of files.

But when you decrypt it, it's executable.
So it's not a false positive.

test.nfi packed PE-Crypt.XorPE
test.nfi infected Trojan-Proxy.Win32.Horst.bl

Perhaps it's time that someone gives me an AV expert tag.

Of course it's executable when it's decrypted - but it's not is it.

[steve1955]

Quote:

Originally Posted by Schouw

Perhaps it's time that someone gives me an AV expert tag.

I have often wondered how people "get" that tag:-do you have to ask for it? lol

[Blackcat]

Schouw is an AV expert, he works for Kaspersky

[Inspector Clouseau]

As long as the file is XOR'ed this particular file is not executable via CreateProcess, ShellExecute API or whatever. However, i do partly agree with Schouw that it's not really a completely false positive. Reason is being that a lot of droppers using such XOR'ed files, meaning they carry a XOR'ed file (malicious) at the end of their own file (or somewhere else "inside"), dropping it, decrypting it with the correct XOR key and executing it. Now since XOR'ing is a wellknown (older) XRay method and because it goes reasonable faster than bruteforcing other algorithms (such as combined ROR/ROL/NEG/SUB/ADD/XOR etc) some of the vendors have included it into "generic file processing". We did this too for example, the reason is stated a few lines before. I mean a simple XOR encryption is one of the oldest (and easiest) tricks to hide maleware. Basically XOR'ing is enough to prevent execution by accident in quarantine, but it is not a reason to claim that other av vendors having "false positives" on it.

[NOD32 user]

Quote:

Originally Posted by Inspector Clouseau

As long as the file is XOR'ed this particular file is not executable via CreateProcess, ShellExecute API or whatever. However, i do partly agree with Schouw that it's not really a completely false positive. Reason is being that a lot of droppers using such XOR'ed files, meaning they carry a XOR'ed file (malicious) at the end of their own file (or somewhere else "inside"), dropping it, decrypting it with the correct XOR key and executing it. Now since XOR'ing is a wellknown (older) XRay method and because it goes reasonable faster than bruteforcing other algorithms (such as combined ROR/ROL/NEG/SUB/ADD/XOR etc) some of the vendors have included it into "generic file processing". We did this too for example, the reason is stated a few lines before. I mean a simple XOR encryption is one of the oldest (and easiest) tricks to hide maleware. Basically XOR'ing is enough to prevent execution by accident in quarantine, but it is not a reason to claim that other av vendors having "false positives" on it.

Thanks for the clarification Inspector. I'll take that on-board.

Would it be better then to say 'unnecessary positive' since detecting files encrypted and quarantined by an AV serves no real purpose in threat protection?
Obviously if an AV checks for an XOR result it can not be expected to take notice of if a file is in a quarantine folder or not since this would result in a security hole, but surely not every file is XOR-ed and the result re-tested....?

My point is that it's confusing for people - note the original posters confusion and hence the reason this thread was started was because a file that in it's present benign state was detected as a threat, causing that user to become worried they may have had an active threat on their PC which in this instance was clearly not the case.

[Bubba]

Quote:

Originally Posted by Inspector Clouseau

Basically XOR'ing is enough to prevent execution by accident in quarantine, but it is not a reason to claim that other av vendors having "false positives" on it.

Ok....let's set aside the use of the word False positive....what should the thread starter get out of all this as it relates to Nod support ?

That NFI or NQI files contained in Nod's quarantine are prevented from execution and to be aware that from time to time other AV's will report malware found in Nod's cache after they have been unpacked by other AV's during a scan

[guilijan]

Hi I'm again.
i Think (in my poor english) that Nod and Kav are the best antivirus, at least for home users.
I've used Kav for a long time but when I try Nod to see how it works (two o three weeks ago) it find a virus in Windows-System as I say before, smss or something like that.
Of course I send that file to Kav and it answear to me in about five minutes saying that it was a virus (I don't remember the name but trojan horse x x x x x)
Then I decide to unistall Kav and go ahead with Nod.
But when I did the Kav online scan that make this thread, Kav find a virus as I said.
So I' become to be crazy.
Thanks to people that answer to my post I feel good again.
Perhaps Nod must answer more quickly, because I send the file to Nod and today no answear, and I think they will never answear to me.
That is a point to Kav.
Tahnk to all who discus this problem.

You can see my questions in kav forum about my first problem
http://forum.kaspersky.com/index.php...opic=16080&hl=

[Firecat]

Quote:

Perhaps Nod must answer more quickly, because I send the file to Nod and today no answear, and I think they will never answear to me.

This has already been discussed earlier; Eset does not answer any emails regarding virus samples. If the sample is malware; it will be detected on priority basis.

Anyway, I agree with Inspector Clouseau on this, its not really a false positive or false negative IMO.