Eset Virus Radar Online

[Benvan45]

My firewall keeps blocking ip: 82.208.27.26. I've looked up the ip and it seems to be a page named: Eset Virus Radar Online.

Is this normal for Eset to keep on hitting me with this? Has anyone else noticed this and maybe someone can explain to me what this is?

This is the info on that site:

Basic information about the project

The project "Virus radar on-line" serves for monitoring and statistic analysis of computer infiltrations spread via electronic mail.

The project is made by antivirus company Eset spol. s r. o., which is the leader in the field of antivirus systems and is providing the NOD32 antivirus system for a complex antivirus protection for corporate and home users as well.

The main project partner is Seznam.cz.

I use Nod32 2.50.16.

Thanks for the info in advance.

Greetings,

Putin

[SSK]

It could have a link to the new function in NOD32 2.5, that sends statistical info about NOD running on your computer.

Take a look at: NOD32 control center -> NOD32 sytem setup -> setup -> ThreatSense.NET -> Advanced settings -> statistics.

[Benvan45]

Quote:

Originally Posted by SSK

It could have a link to the new function in NOD32 2.5, that sends statistical info about NOD running on your computer.

Take a look at: NOD32 control center -> NOD32 sytem setup -> setup -> ThreatSense.NET -> Advanced settings -> statistics.

The ThreatSense section (if enabled), submits information to Eset and I cannot find any information there about any incoming information.

Putin

[Marcos]

The aforementioned VirusRadar has absolutely nothing to do with the ThreatSense.Net Early Warning System. VirusRadar only monitors incoming emails at a Czech ISP.
Note that upon opening Eset's website, a figure with the actual results is downloaded from virusradar's website.

[SSK]

Marcos, I stand corrected...

[Benvan45]

Quote:

Originally Posted by Marcos

The aforementioned VirusRadar has absolutely nothing to do with the ThreatSense.Net Early Warning System. VirusRadar only monitors incoming emails at a Czech ISP.
Note that upon opening Eset's website, a figure with the actual results is downloaded from virusradar's website.

But can you explain to me why and how my firewall detects this...... What is this Radar doing at my computer?

Putin

[LowWaterMark]

Actually, if you could provide more details from your firewall log, it'd help a lot. Just saying the IP address that was blocked doesn't help much. Was it inbound attempts from that address, or was it outbound connections from your PC to the Eset site? Also, what program was making the connection, one of the NOD32 modules or your browser? Ports used, would help, too.

Now what Marcos was saying is that the image with the virus radar info display on the main Eset home page comes from the server at the IP you mentioned. When I go to the nod32 home page, I also see my browser connecting out to www.virus-radar.com to pull the image down. So it is my browser touching that IP address to complete the page, nothing more.

Quote:

Originally Posted by LowWaterMark

When I go to the nod32 home page, I also see my browser connecting out to www.virus-radar.com to pull the image down. So it is my browser touching that IP address to complete the page, nothing more.

Almost a six pack beer... ALMOST

[Benvan45]

Quote:

Originally Posted by LowWaterMark

Actually, if you could provide more details from your firewall log, it'd help a lot. Just saying the IP address that was blocked doesn't help much. Was it inbound attempts from that address, or was it outbound connections from your PC to the Eset site? Also, what program was making the connection, one of the NOD32 modules or your browser? Ports used, would help, too.

Now what Marcos was saying is that the image with the virus radar info display on the main Eset home page comes from the server at the IP you mentioned. When I go to the nod32 home page, I also see my browser connecting out to www.virus-radar.com to pull the image down. So it is my browser touching that IP address to complete the page, nothing more.

I have been trying to get the log copied, but won't work!!!
The attempts were inbound, protocol was TCP and there was no application logged. Port was: 1289. Remote port: 80.
All I know, I was not visiting the Nod homepage at the moment of blocking.

[LowWaterMark]

Quote:

Originally Posted by putin

I have been trying to get the log copied, but won't work!!!
The attempts were inbound, protocol was TCP and there was no application logged. Port was: 1289. Remote port: 80.
All I know, I was not visiting the Nod homepage at the moment of blocking.

Remote port being 80/tcp definitely means it was webserver related traffic. It could have been delayed responses from a previous connection that were finally completing, but it's hard to say without more information.

[Benvan45]

Quote:

Originally Posted by LowWaterMark

Remote port being 80/tcp definitely means it was webserver related traffic. It could have been delayed responses from a previous connection that were finally completing, but it's hard to say without more information.

Thanks for the info, but as I understand, it is not really something to worry about? I just thought it to be a bit weird, to get this kind of alerts from Nod, that's all.

Putin

[NOD32 user]

It could just be spoofed traffic.
Seperately to that, I'd be interested to hear what firewall it is that you're using - just for interest sake.

[Benvan45]

Quote:

Originally Posted by NOD32 user

It could just be spoofed traffic.
Seperately to that, I'd be interested to hear what firewall it is that you're using - just for interest sake.

I'm using PrivateFirewall4.0 from Privacyware. http://www.privacyware.com/

Putin

[Primrose]

Quote:

Originally Posted by putin

I'm using PrivateFirewall4.0 from Privacyware. http://www.privacyware.com/

Putin

I thought so.. which specific version and is it the trial version ? and do you have any logs from that firewall and what feature do you have enabled ?
http://www.privacyware.com/PF_support.html

and

Tutorial and Features

http://www.privacyware.com/pf_tutorials.html#


http://www.privacyware.com/personal_..._features.html

[Primrose]

Also allow me please this electronic translations..and the last thing you want to do is stop any process this new NOD is doing to help you protect you PC and Sytems.

**********************

Subject: VSantivirus no. 1740 Year 9, Tuesday 12 of April of 2005
Date: Tuesday, 12 of April, 2005 09:33:44 (-0300)
Author: VSAntivirus.com <vsantivirus @...........com>



VSantivirus no. 1740 Year 9, Tuesday 12 of April
of 2005 _____________________________________________________________
the daily bulletin of VSANTIVIRUS - http://www.vsantivirus.com
VIDEO SOFT
(Maldonado, Uruguay) - http://www.videosoft.net.uy
_____________________________________________________________
1 - Win32/Mytob does not deceive Virus-Radar 2 - W32/Mytob.AL.
One propagates by email, it uses 3 LSASS - W32/Mytob.AK.
One propagates by email, it uses 4 LSASS - W32/Mytob.AJ.
One propagates by email, it uses 5 LSASS - W32/Mytob.AI.
One propagates by email, it uses 6 LSASS - W32/Mytob.AH.
One propagates by email, it uses 7 LSASS - W32/Mytob.AG.
One propagates by email, it uses 8 LSASS - W32/Mytob.AF.
One propagates by email, it uses 9 LSASS - W32/Mytob.AE.
One propagates by email, it uses 10 LSASS - W32/Mytob.
Generic description (versions H to A)
_____________________________________________________________ 1 -
Win32/Mytob does not deceive Virus-Radar
_____________________________________________________________

http://www.vsantivirus.com/12-04-05.htm

Win32/Mytob does not deceive Virus-Radar
By VSAntivirus



The beauty of an proactive system like the one of Virus-Radar (www.virusradar.com), is that it can discover new virus, from the first time that they are seen. Using the heuristic outpost of the awarded antivirus NOD32, Virus Radar it is designed for "listening to the messages" that can warn to us when a new virus scatters itself (and of course, of that form it helps to prevent them). The recent and progressive capture of the family of Mytob worms, (at the moment almost 40 variants), is a great example of the effectiveness of the heuristic one of NOD32. Some of these variants, that very few systems antivirus detect without being updated, began to propagate of very fast form, and in the case of the Mytob.D, had a significant propagation to see image: http://www.vsantivirus.com/12-04-05.htm the worms of the Mytob family is a typical case of malwares created by imitadores (calls "Copy-cats"), to a large extent based on the source code of the Mydoom, a very predominant virus during the 2004. Hardly something is modified to them and small differences are added to them, but its high frequency of appearance, combined with slight variations of its code, is sufficient to deceive many detectors. Releasing a great amount of versions in fast succession, which only allows that each one propagates by a short space of time, the detection based on companies (data bases), little gets to be effective. When a company antivirus has released a new company/signature, the next variant is already being scattered. That way the fact that already a detection available for a previous variant exists, is not important for the author. This can seem a strange strategy, but it is an increasing tendency in the criminal operation of malicious software, specially used to create true networks of machines zombis that can be used for the Spam shipment. This type of worm of short life, if it is successful can jeopardize to many systems of very fast form, scattering itself at very high speed. The infected machines can be used (although single it is by few hours), for infames intentions, and then the cycle will be repeated with a new variant. A similar technique was recently used, when multiple versions of the family of the Bagle (that did not have any code to propagate by itself) were sent like Spam, in fast succession. Again the effectiveness of the companies of the antivirus was almost null. When the troyanos could be detected, the Spam was executed again, and the next variant was released. This tendency only emphasizes the necessity of truely proactive technologies, such as the Heuristic Outpost of NOD32. The time window to obtain a protection is very small, and the very high vulnerability. And of the increasing action of criminals who write and propagate his quickly malwares, this situation every time takes control worse for those who authentic proactive technologies do not use. Video Soft, creative company of the VSAntivirus site, represents in Uruguay antivirus NOD32
(registered tradename of ESET). More information: http://www.nod32.com.uy/


Source:
http://www.pcmag-mideast.com


* Related: Current Threats - Last 24 Hour Analysis

http://www.virusradar.com/stat_01_cu...x_all_enu.html

you can read the rest here in Spanish

http://listas.vsantivirus.com/lista/...e/781/msg/790/

[Benvan45]

Quote:

Originally Posted by Primrose

Also allow me please this electronic translations..and the last thing you want to do is stop any process this new NOD is doing to help you protect you PC and Sytems.

**********************

Subject: VSantivirus no. 1740 Year 9, Tuesday 12 of April of 2005
Date: Tuesday, 12 of April, 2005 09:33:44 (-0300)
Author: VSAntivirus.com <vsantivirus @...........com>



VSantivirus no. 1740 Year 9, Tuesday 12 of April
of 2005 _____________________________________________________________
the daily bulletin of VSANTIVIRUS - http://www.vsantivirus.com
VIDEO SOFT
(Maldonado, Uruguay) - http://www.videosoft.net.uy
_____________________________________________________________
1 - Win32/Mytob does not deceive Virus-Radar 2 - W32/Mytob.AL.
One propagates by email, it uses 3 LSASS - W32/Mytob.AK.
One propagates by email, it uses 4 LSASS - W32/Mytob.AJ.
One propagates by email, it uses 5 LSASS - W32/Mytob.AI.
One propagates by email, it uses 6 LSASS - W32/Mytob.AH.
One propagates by email, it uses 7 LSASS - W32/Mytob.AG.
One propagates by email, it uses 8 LSASS - W32/Mytob.AF.
One propagates by email, it uses 9 LSASS - W32/Mytob.AE.
One propagates by email, it uses 10 LSASS - W32/Mytob.
Generic description (versions H to A)
_____________________________________________________________ 1 -
Win32/Mytob does not deceive Virus-Radar
_____________________________________________________________

http://www.vsantivirus.com/12-04-05.htm

Win32/Mytob does not deceive Virus-Radar
By VSAntivirus



The beauty of an proactive system like the one of Virus-Radar (www.virusradar.com), is that it can discover new virus, from the first time that they are seen. Using the heuristic outpost of the awarded antivirus NOD32, Virus Radar it is designed for "listening to the messages" that can warn to us when a new virus scatters itself (and of course, of that form it helps to prevent them). The recent and progressive capture of the family of Mytob worms, (at the moment almost 40 variants), is a great example of the effectiveness of the heuristic one of NOD32. Some of these variants, that very few systems antivirus detect without being updated, began to propagate of very fast form, and in the case of the Mytob.D, had a significant propagation to see image: http://www.vsantivirus.com/12-04-05.htm the worms of the Mytob family is a typical case of malwares created by imitadores (calls "Copy-cats"), to a large extent based on the source code of the Mydoom, a very predominant virus during the 2004. Hardly something is modified to them and small differences are added to them, but its high frequency of appearance, combined with slight variations of its code, is sufficient to deceive many detectors. Releasing a great amount of versions in fast succession, which only allows that each one propagates by a short space of time, the detection based on companies (data bases), little gets to be effective. When a company antivirus has released a new company/signature, the next variant is already being scattered. That way the fact that already a detection available for a previous variant exists, is not important for the author. This can seem a strange strategy, but it is an increasing tendency in the criminal operation of malicious software, specially used to create true networks of machines zombis that can be used for the Spam shipment. This type of worm of short life, if it is successful can jeopardize to many systems of very fast form, scattering itself at very high speed. The infected machines can be used (although single it is by few hours), for infames intentions, and then the cycle will be repeated with a new variant. A similar technique was recently used, when multiple versions of the family of the Bagle (that did not have any code to propagate by itself) were sent like Spam, in fast succession. Again the effectiveness of the companies of the antivirus was almost null. When the troyanos could be detected, the Spam was executed again, and the next variant was released. This tendency only emphasizes the necessity of truely proactive technologies, such as the Heuristic Outpost of NOD32. The time window to obtain a protection is very small, and the very high vulnerability. And of the increasing action of criminals who write and propagate his quickly malwares, this situation every time takes control worse for those who authentic proactive technologies do not use. Video Soft, creative company of the VSAntivirus site, represents in Uruguay antivirus NOD32
(registered tradename of ESET). More information: http://www.nod32.com.uy/


Source:
http://www.pcmag-mideast.com


* Related: Current Threats - Last 24 Hour Analysis

http://www.virusradar.com/stat_01_cu...x_all_enu.html

you can read the rest here in Spanish

http://listas.vsantivirus.com/lista/...e/781/msg/790/

Great story, but I can't do anything with this at all. All I asked in this topic, is about an ip that keeps on blocking that Virus Radar section from Nod. I just wanted to know if this is a normal action......that's all.
This firewall showed these inbound attempts anf I'm just curious. I've not seen these attempt with other firewalls, so maybe this firewall show too much or the others show too little. I'm not an expert in these matters and just wanted to know.

Thanks for the information.

Putin

[Benvan45]

Quote:

Originally Posted by Primrose

I thought so.. which specific version and is it the trial version ? and do you have any logs from that firewall and what feature do you have enabled ?
http://www.privacyware.com/PF_support.html

and

Tutorial and Features

http://www.privacyware.com/pf_tutorials.html#


http://www.privacyware.com/personal_..._features.html

Why do yo state here: " I thought so...." is this a specific matter of this firewall? I use the full version and configured nothing, except for a few programs I allowed permanently.
I also have been trying to copy the logs, but couldn't get this done.!!!!

Putin

[webyourbusiness]

Quote:

Originally Posted by LowWaterMark

Now what Marcos was saying is that the image with the virus radar info display on the main Eset home page comes from the server at the IP you mentioned. When I go to the nod32 home page, I also see my browser connecting out to www.virus-radar.com to pull the image down. So it is my browser touching that IP address to complete the page, nothing more.

I think you're heading down the right track, but actually, on the Eset home page is an IFRAME - this IFRAME calls in an HTML document from virus radar, which then contains the call to the image for the virus-radar realtime graph displayed on the eset home page.

The HTML document on the virus-radar site obviously calls some side of server side include, which generates the image in real-time, from the stats currently available on the virus-radar database.

regards

Greg

[Primrose]

Quote:

Originally Posted by putin

Why do yo state here: " I thought so...." is this a specific matter of this firewall? I use the full version and configured nothing, except for a few programs I allowed permanently.
I also have been trying to copy the logs, but couldn't get this done.!!!!

Putin

They have two different full versions of 4.0 which one do you have ?

http://www.privacyware.com/products.html

And I placed the links above for the toutorial on the firewall..wondering if you have ever set it up ?

[Primrose]

Also then to help you..this is the link to the manual and guide

http://privacyware.com/PF_UserGuide/

on the left side of the page click on the + sign next to the words Privatefirewall Main Features

You will then see something called Firewall LOG in the tree.

Click on that ..then in the right side of the screen..it will tell you all you need to know about LOGS for that firewall

[Benvan45]

Quote:

Originally Posted by Primrose

They have two different full versions of 4.0 which one do you have ?

http://www.privacyware.com/products.html

And I placed the links above for the toutorial on the firewall..wondering if you have ever set it up ?

I have the firewall without the Spyware program. I also read the tutorial......but I find it all difficult! I configured the firewall through the wizard and accepted the rules as they were made and I presume that's ok for a newby.
I'm also behind a router, so I'm quite secure, I think.

Thanks again for all the information.

Greetings,

Putin

[Primrose]

Quote:

Originally Posted by putin

I have the firewall without the Spyware program. I also read the tutorial......but I find it all difficult! I configured the firewall through the wizard and accepted the rules as they were made and I presume that's ok for a newby.
I'm also behind a router, so I'm quite secure, I think.

Thanks again for all the information.

Greetings,

Putin

Yup i think you are doing just great with that firewall..and now you know in the future that this thread has additional links for you to find out more about your firewall when you want to begin to configure it for your special needs.

The more you use it..the better you will understand what it is doing..