Wilders Security Forums  

  #1  
Old January 9th, 2003, 01:13 PM
Straight Shooter
 
Posts: n/a
Default Nod32 did not detect this...Why not?



On a whim, I decided to test-drive Avast and RAV, because the email scanner in the NOD beta kept crashing on me whenever I would get an email virus.. Now here's the clincher.. When I downloaded Avast, I ran a scan.. Of course, I uninstalled every other AV, including NOD32. Avast found Win32.Huang in the system restore folder..

I Uninstalled Avast, and reinstalled NOD32 (NOT the Beta) .. NOD did not find it. Then uninstalled NOD and reinstalled Avast. It found it again..

Why won't NOD find this?

Here is a screenshot...
  #2  
Old January 9th, 2003, 02:41 PM
anders anders is offline
Eset Moderator
 
Join Date: Oct 2002
Posts: 410
Default Re:Nod32 did not detect this...Why not?

Should be no problems detecting the file (if extensions are correct for example).

Please send a copy of that file to me at anders @ eurosecure.com. Could also be a false positive by Avast.

Best regards,
Anders
EuroSecure
__________________
Best regards,
Anders
nod32 antivirus
  #3  
Old January 9th, 2003, 03:15 PM
Straight Shooter
 
Posts: n/a
Default Re:Nod32 did not detect this...Why not?

Chalk up another victory for NOD32!

I think it is a false positive.. I moved the "infected files" and they don't seem to be a virus.. You would know better. I am sending them to you with the heading, thanks from Straight Shooter.

2 of the files have been renamed simply by adding ".vir" at the end..

the other one is in original condition..

I have a feeling that "infected" file is from Panda antivirus.. I tested that too..

Although the regular version of NOD is fine, the beta version really crashes my Outlook Express when I get infected email.. I am in a "slight panic mode", and went around checking other av's.. just in case NOD VER 2 is something I can't use..

FYI
Win XP with latest Service pack 1
512 ram
Athlon Processor

Thank you for your time. I appreciate it..
  #4  
Old January 11th, 2003, 10:34 AM
anders anders is offline
Eset Moderator
 
Join Date: Oct 2002
Posts: 410
Default Re:Nod32 did not detect this...Why not?

Hi.

Sorry about forgetting to post here..

The files you sent are clean, so it's a false positive from Avast.

Regards,
Anders
EuroSecure
__________________
Best regards,
Anders
nod32 antivirus
  #5  
Old January 11th, 2003, 11:15 AM
Straight Shooter
 
Posts: n/a
Default Re:Nod32 did not detect this...Why not?

Thanks. I thought it was too. I appreciate your "analysis"..

  #6  
Old January 11th, 2003, 01:14 PM
vlk vlk is offline
AV Expert
 
Join Date: Dec 2002
Posts: 515
Default Re:Nod32 did not detect this...Why not?

Hi, I'm from Alwil Software (the producer of avast!) and would like to explain this issue.

If you're seeing this on a Panda antivirus file (actually, a virus definition file), it is because the file really contains the virus string. I don't understand how Panda can have some of the strings unencrypted - but we are aware of this "problem"

Thanks


  #7  
Old January 11th, 2003, 03:15 PM
Technodrome Technodrome is offline
Global Moderator
 
Join Date: Feb 2002
Location: New York
Posts: 2,140
Default Re:Nod32 did not detect this...Why not?

It’s not only avast! that detects this panda file as a virus, I've seen other AVs doing so....


Technodrome
__________________
Classic Trance Hit: PPK - Resurrection
  #8  
Old January 11th, 2003, 03:25 PM
Gladiator
 
Posts: n/a
Default Re:Nod32 did not detect this...Why not?

LOL yes I can confirm this
  #9  
Old January 11th, 2003, 03:33 PM
sk sk is offline
Frequent Poster
 
Join Date: Nov 2002
Posts: 241
Default Re:Nod32 did not detect this...Why not?

That damned Panda file wreaked havoc on my system until I finally figured out it was a false positive. Fortunately, I found it out one step short of a total reinstall!

sk
__________________
Pay VERY CAREFUL ATTENTION to the man behind the curtain!
  #10  
Old January 11th, 2003, 05:59 PM
Straight Shooter
 
Posts: n/a
Default Re:Nod32 did not detect this...Why not?

Everyday, you learn a little more...

Well. I did the following on my computer before that virus (or whatever it was) showed up...

I uninstalled NOD32 ..
I then installed the Panda Antivirus 7.0
Hated it, and took it out.. (Too slow, other issues I don't care to write about. Never got an answer from Panda's tech support over email)..

Then I downloaded Avast..

To be honest, I liked it. It ran pretty fast, easy, and light.. No firewall with it, which I REALLY liked...

Then came the false positives, or true positives according to the Avast developer...

So, I sent them the samples by sending them a viral report and have still yet to hear from anyone at Avast..

Then I came here, got an answer in an hour from Jan.
If what I am reading about that Panda file string being a virus, then NOD32 should have detected it, right?

No harsh judgements or anything like that, I am simply trying to get the best for my needs..

I think it should.. That now goes to what the definition of a virus is...

So, if the Alwil Avast developer is still reading this, let me ask you, do you have a forum? How would I get a question asked?

A viral string, to me, is the same as the virus.. Or, it is better to be safe than sorry...

Irregardless, that Panda messed up my computer pretty bad.. I think I will wind up Fdisking and reinstalling...
Oh, well...


  #11  
Old January 11th, 2003, 06:11 PM
Gladiator
 
Posts: n/a
Default Re:Nod32 did not detect this...Why not?

Well you can detect viruses with different scan strings.
This means NOD can search for other bytes and detect this Kuang.
There is no unique scan string for a virus/backdoor.

Michael
  #12  
Old January 11th, 2003, 06:17 PM
Straight Shooter
 
Posts: n/a
Default Re:Nod32 did not detect this...Why not?

Right Michael, to be honest.. I already had your answer in mind.. What the Avast guy is saying, if I am interpreting him correctly, is that Panda is actually using the Kuang string or a part of it itself to detect that virus.. Is that ethical? Or is NOD correct because their system approaches it in a different way and then it doesn't report it as a virus because it is in fact, a false positive...?
  #13  
Old January 11th, 2003, 08:15 PM
Gladiator
 
Posts: n/a
Default Re:Nod32 did not detect this...Why not?

I had some problems too - because Panda is not encrypting the scan strings

The same will happen with MSSAV (Microsoft AV) under MS-DOS - there also nothing is encrypted - pure virus signs

Michael
  #14  
Old January 11th, 2003, 09:13 PM
Paul Wilders Paul Wilders is offline
Administrator
 
Join Date: Jul 2001
Location: The Netherlands
Posts: 12,461
Default Re:Nod32 did not detect this...Why not?

Shooter,

Quote:
Or is NOD correct...

In the end: yes.

regards,

paul
__________________
01110010 01100101 01100111 01100001 01110010 01100100 01110011 00100000 01110000 01100001 01110101 01101100
  #15  
Old January 11th, 2003, 09:37 PM
Straight Shooter
 
Posts: n/a
Default Re:Nod32 did not detect this...Why not?

Thank you...
  #16  
Old January 13th, 2003, 05:16 AM
anders anders is offline
Eset Moderator
 
Join Date: Oct 2002
Posts: 410
Default Re:Nod32 did not detect this...Why not?

In my opinion, this should definitely NOT be detected.

It's not a virus, it's not malware or anything, so it shouldn't be flagged as one.

Detecting it would be producing a false positive.

Of course it's not wise to have any "such things" unencrypted (or even un-obfuscated ;P) but it's still not good to detect it.

It's stated here, and it has happened many times before... detecting a false positive could also cost you time/money/data.

The use of non-malware in ZDNet/CNet (and other tests) has, as you ought to know by now, been highly criticized.

Best regards,
Anders
EuroSecure
__________________
Best regards,
Anders
nod32 antivirus
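
Added example, not part of any post in this thread and not code from Alwil, Panda or Eset: a toy string scanner showing why a definition file that stores its scan strings unencrypted is flagged by another scanner, and why XOR-obfuscating the stored strings avoids that without weakening detection. The byte patterns, the `TOYDEFS1` file layout and the XOR key are all constructed for illustration.

```python
# Constructed sample data: these byte patterns are made up and do not come
# from any real malware or any real antivirus product.
SIGNATURES = {"Demo.Sample.A": b"\x13\x37DEMO-PATTERN-A\xca\xfe",
              "Demo.Sample.B": b"\xde\xadDEMO-PATTERN-B\xbe\xef"}
XOR_KEY = 0x5A  # hypothetical single-byte key: obfuscation, not secrecy


def xor(data: bytes, key: int = XOR_KEY) -> bytes:
    return bytes(b ^ key for b in data)


def build_definitions(sigs: dict, obfuscate: bool) -> bytes:
    """Serialize a toy definition file: name, NUL, 2-byte length, pattern."""
    out = bytearray(b"TOYDEFS1")
    for name, pattern in sigs.items():
        stored = xor(pattern) if obfuscate else pattern
        out += name.encode() + b"\x00" + len(stored).to_bytes(2, "big") + stored
    return bytes(out)


def load_definitions(blob: bytes, obfuscated: bool) -> dict:
    """Parse the toy format back into usable in-memory scan strings."""
    sigs, pos = {}, 8  # skip the 8-byte magic
    while pos < len(blob):
        end = blob.index(b"\x00", pos)
        length = int.from_bytes(blob[end + 1:end + 3], "big")
        stored = blob[end + 3:end + 3 + length]
        sigs[blob[pos:end].decode()] = xor(stored) if obfuscated else stored
        pos = end + 3 + length
    return sigs


def scan(data: bytes, sigs: dict) -> list:
    """Naive string scanner: report every signature found anywhere in data."""
    return sorted(name for name, pattern in sigs.items() if pattern in data)


def demo() -> dict:
    plain = build_definitions(SIGNATURES, obfuscate=False)
    hidden = build_definitions(SIGNATURES, obfuscate=True)
    # A second vendor's scanner that happens to use the same scan string.
    other_scanner = {"Demo.Sample.A": SIGNATURES["Demo.Sample.A"]}
    sample = b"MZ-constructed-header" + SIGNATURES["Demo.Sample.A"] + b"tail"
    return {
        "plain_defs": scan(plain, other_scanner),        # false positive
        "obfuscated_defs": scan(hidden, other_scanner),  # nothing reported
        "real_sample": scan(sample, load_definitions(hidden, True)),
    }


if __name__ == "__main__":
    print(demo())
```
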