#1
Where to submit? I have searched eset – there is no such service.
Below is KOS log:

KASPERSKY ONLINE SCANNER REPORT
Thursday, June 21, 2007 12:32:42 PM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.83.0
Kaspersky Anti-Virus database last update: 21/06/2007
Kaspersky Anti-Virus database records: 328408

C:\WINDOWS\system32\drivers\etc\service.exe Infected: Trojan.Win32.Agent.amg skipped
C:\WINDOWS\system32\drivers\etc\svchost.exe Infected: Backdoor.Win32.Iroffer.af skipped
C:\WINDOWS\system32\exec2.exe/data.rar/service.exe Infected: Trojan.Win32.Agent.amg skipped
C:\WINDOWS\system32\exec2.exe/data.rar/svchost.exe Infected: Backdoor.Win32.Iroffer.af skipped
C:\WINDOWS\system32\exec2.exe/data.rar Infected: Backdoor.Win32.Iroffer.af skipped
C:\WINDOWS\system32\exec2.exe RarSFX: infected - 3 skipped
#2
Send it here: samples [AT] eset.com
__________________
Where there is a need, there is a way!
---------------------------------------------------
My security apps: Avira AntiVir Premium * Comodo Firewall PRO * SUPER AntiSpyware * Firefox with Adblock and NoScript
#3
In addition to what Pykko wrote, you'd better also include a link to this thread. Files you need to submit are:
C:\WINDOWS\system32\exec2.exe
C:\WINDOWS\system32\drivers\etc\svchost.exe
C:\WINDOWS\system32\drivers\etc\service.exe
#4
Thanks. Sent. That is if ISP will not filter them out.
#5
Send the files to samples@eset.com, archive the samples with rar or zip and password protect the file with the password 'infected' (without the quotes).
#6
Just one note re. the topic name; I don't understand why it reads "2342 does not detect common trojans". What is common? Because I could give tons of examples where other famous AVs miss "common" malware. Please understand that what is common for you may not be common for the others and every AV misses some malware.
#7
May I suggest this thread be made a sticky. I also had a trojan and Nod scanner requested to send a sample. I clicked "yes" and waited and waited and.....
Nothing.
__________________
AvastV4, PrevXfree, b9, MailWasherPro, ZoneAlarmPro, CCleaner, SpyReveal, AdShield.
#8
@manOFpeace
NOD32 offered you to send a sample, then it was previously detected -> you remained protected, why would you want to add definition for something that was already detected by heuristics... If you mean email answer, ESET Lab doesn't answer submissions. Perhaps this should be made sticky: Because I could give tons of examples where other famous AVs miss "common" malware
#9
NOD32 does not advise you to submit a sample unless it's caught by heuristics. If it's actually malicious usually no further action will be taken. If you think it's a false positive, it's better to email it to samples[at]eset.com with "FP" in the subject and enclose as much information about it as possible (e.g. the url of the program that triggered an alert, etc)
#10
Quote:
I don't know the particular situation manOFpeace was in, but I think if an AV has a signature it can usually clean an infection much better than just with heuristic detections, i.e. remove all traces and registry entries whereas the heuristic just detects the particular suspicious file it is flagging.
Londonbeat
#11
Quote:
True, but how can you catch zero day malware without heuristics or other pro-active detection? It is better to find and delete the trojan right away, rather than have it undetected until signatures are released. If NOD saves your credit card numbers, you won't be worried about a few registry entries. In my opinion anyway. Just my 0.02.
__________________
Last edited by Duality : Today, at 6.50 PM. Reason: Added extra sarcasm
#12
Quote:
I agree, I'm not criticising heuristics, just pointing out that not adding a signature because it is already detected by heuristics could have some disadvantages, but from reading previous posts here Eset do usually add a signature for submitted heuristic detections, especially if it's widely spreading.
Londonbeat
#13
I know a vendor that can help you with all this.
__________________
Kaspersky
#14
Quote:
Yes I totally agree with that. Any AV company that uses heuristics in its products should add a generic signature for detections flagged and subsequently submitted by the heuristics engine. As such I would certainly hope that Eset think the same way. Considering that Threatsense does submit heuristically detected threats automatically, I would think that this is the case. On hindsight it appears I mis-interpreted your post. Apologies
__________________
Last edited by Duality : Today, at 6.50 PM. Reason: Added extra sarcasm
#15
Quote:
#16
Quote:
Next week, you must be kidding. Tomorrow he'll change the vendor and the song again
#17
Quote:
Edit ~ Virus Total log removed; please read THIS POST ~ Blackspear.
Last edited by Blackspear : June 22nd, 2007 at 03:27 AM.
#19
Quote:
This is true only for file infectors when submitting infected files helps us create a cleaning algorithm.
#20
Quote:
Well, it's quite unbelievable that you'd find 21 threats on your or your fellow's computer. Always bear in mind that signatures are picked up on a per-need basis and samples from collectors are treated with lower priority (unless they are of a higher importance), first we need to serve our clients and not deal with obscure samples from vx sites, etc.
#21
Quote:
True, very true. Same here.
__________________
My Pictures Meet me on facebook!
#22
Quote:
#23
I can see a pattern emerging here... My 0.02:
Marcos and other Eset moderators on this forum have gone to great lengths, over time, to explain their signature addition methods. It is explained quite clearly that Eset will not just add "any old rubbish" to their signature database. NOD32 is about great detection, combined with great performance. Performance would hit rock-bottom if Eset added every single sample to their database. If Eset didn't produce a great AV, they wouldn't be in business. Full stop. With companies like Kaspersky and Avira in the market, competition is cut-throat. Yet Eset stay afloat. With a great reputation for performance; as well as detection. Eset add their signatures the way they decide to. If you don't like it, use a different AV. It's as simple as that. This is not an attack directed at anyone who has posted in this thread, or in this forum - regarding Eset's sample submission policy. I just think that it goes beyond "flogging a dead horse".
__________________
Last edited by Duality : Today, at 6.50 PM. Reason: Added extra sarcasm
#24
Quote:
__________________
Where there is a need, there is a way!
---------------------------------------------------
My security apps: Avira AntiVir Premium * Comodo Firewall PRO * SUPER AntiSpyware * Firefox with Adblock and NoScript
#25
Having worked with computers since 1968, I can say that NOD32 is one of the most effective software programs I have used. In addition, it is also the best AV program I have used in my company's computers.
Although I recently started posting in this forum, I have read the threads for years. There is a pattern here, and it has to do (in my opinion) with competitors of ESET posting various topics that all get back to something NOD32 is doing wrong. While one can never be certain of the psychological motives involved, I can see the financial motivation to attempt to discredit NOD32 by any means possible. Many if not most of the critical threads posted here are absurd. After reading a new topic, I often find myself - say what? The comments above me are basically if you don't like NOD32, use some other software. I could not agree more. If any user does not like what ESET provides and the way they provide it, simply use something else. But don't use this forum for unfounded assertions and cheap shots.