Any reason why NOD32 scan missed a Trojan?

Is there why the trial version of NOD32 apparently missed trojans in two files DFRSRV.EXE (Trojan.Small) and WinXPA32.DLL (Trijan.Agent.qt) even when a scan was done in safe mode as well as realtime mode? The trial software is installed on a friend's computer who was having problems with it. The infections were found with Ewido malware scanner. In order to ensure that the C: drive was clear the friend restored a backup of the partition back to it.

 

If I were you, I would send those files to Eset for further analyse.

 

Well they are currently in Ewido's quartine area and I can not restore them other than to their original locations which I would like to avoid since it was a hassle cleaning the computer out.

 

Have worked your way through Blackspears extra settings for NOD32 thread (it's a sticky at the top of the list) to max out all your scan settings?

 

We'll need to get those files for analysis, otherwise we cannot check them and add detection, if necessary. Bear in mind that no AV detects 100% of all threats and there are tons of others detected by NOD32 that are missed by other AVs.

 

I have now for that machine. I have other friends who are also using NOD32 does that mean I should do the same with their installs of the product? How safe are those settings for the normal user who may have one or two computers on a LAN? Is NOD's quarantine area like other virus scanning software in that a false positive file can be restored at a later date?

 

Do I send the files to samples@eset.com ? Does one ever receive any reply back regarding sample files sent to that address?

 

Never

 

If you submit a sample to samples[at]eset.com, it will be added as quickly as the risk level it poses. Replies are received only in the case of large enterprise clients (on demand).

 

The default settings are certainly adequate, however (and correct me please if I am wrong) they are designed to provide a high default level of compatability for all the different environments NOD32 may be installed in. I do ordinarily recommend to use the settings from Blackspears guide as those settings provide the highest available level of protection and automation. The only time I would not is if they cause some kind of conflict on your machine, or if you have some other specific requirement that those settings would not be compatable with. In either case, issues with Blackspears settings are generally very few and very far between.
HTH

Cheers

 

Also I'd add that it's not recommended to enable Potentially dangerous applications in network environment where tools for remote administration are used.

When you enable the "Automatically deny download of infected files" option in the IMON - HTTP setup, it is strongly recommended to set the browser you use to Higher efficiency mode due to different ways of how browsers handle download of files.

 

Thank you Marcos - I learn every day from your posts.

Cheers

 

The network environment you are referring to does not refer to a small WinXP/Win2k LAN that an end user would have in their home environment?

So the quarantine that NOD32 has implemented is not like that used by other virus scanners on the market where a problem/suspicious file is placed/removed from the O/S?

 

Hope so.....

 

No, this does not apply to a small Home LAN setup.

NOD32 quarantine *does* work like other AV quarantine systems, I'm not sure which info here made you think that?

 

size doesn't matter. Potentially dangerous applications in network environment may cause conflict if tools for remote administration are used.

 

Post #23 of BlackSpear settings has the following:

"NOTE: Quarantine ONLY makes a secure copy of the Virus or Trojan found so it
can be sent to Eset for further analysis, it does NOT isolate the Virus or
Trojan."
--------------------
Just talked to my friend and they are now using BlackSpear's settings and had initiated their weekly scan job on their computer via the Schedule menu and selecting "Run Now" option. The scan status still shows SCANNING even though there is no scan window open or other evidence that in fact NOD32 is indeed still scanning! In other words the job terminated without any error window! When they initiated another scan using the same method NOD32 showed the following in the event log:

Time Module Event User
4/17/2006 12:29:08 PM NOD32 An alert has been generated. See the on-demand scanner Log for details. NT AUTHORITY\SYSTEM

----------------------

When they looked through the quarantine and through the NOD32 Scanner Logs the only item that is around this time is the log showing the startup of the first on demand job but it shows no list of files whatsoever that were scanned or where unable to be opened. It is almost as if NOD32 never did anything. They looked through the XP System logs and there is nothing there showing any errors whatsover!

They are doing another scan and will see if this one terminates like the first one did.

Needless to say they are not too impressed with my recommendation of NOD32.

Their computer is an Win2k SP4 (fully updated ) w 512MB RAM on a P///-600.

 

From the Help File:

I saw that other info in BlackSpear's stuff but took it as a mistake.

 

I need confirmation from someone representing ESET. Why else does NOD32 have a SCAN ONLY button and SCAN and CLEAN buttons on the NOD32 On Demand Screen?

 

If you are asking why there are 2 buttons, I must say that it's essential for my work and I could not live with just one button. I'm quite positive that there are lots of other people who like the way it is.

 

I also like it that way - I don't care to "exclude" files myself; I simply prefer to see them detected every time. Generally speaking, the ones I have are RATs that a small network of friends around the world use to control our servers. Mostly the use is for me to start a different game server on a machine in a friend's house in Nederlands while he is at work and other such scenarios including the reverse. It really is nice to have an idle friend's machine hosting to save your own bandwidth ;-)

Long story short, I like to see them detected on a regular scan but obviously not automatically cleaned. Should I find something elsewhere, I can then go to the directory in which the threat is located and scan to clean it on a more "local" level.

 

Well went over to my friend's place last night and as soon as I tried to restore two of the infected files from Ewido's quarantine so that they could be sent to Eset, NOD32 flashed up a warning that they were infected with TrojanDownloader.Zlob.LP.Trojan and Win32/TrojanDownloader.Small.CML trojan!

The only thing that has changed was the BlackSpear's settings were used. However that should not be the reason why NOD32 never caught these two infected files when they were sitting out on my friend's hard drive. A scan in Windows Safe mode as well as Normal mode (before Ewido was run) found neither of the above two infections!

 

hi,

TrojanDownloader.Zlob.LP.Trojan was added in NOD32 - v.1.1493 (20060417)
AND
Win32/TrojanDownloader.Small.CML was added in NOD32 - v.1.1492 (20060416)

lee

 

Well, I could not find that exact variant of Zlob, but here are actual scan results of another TD Zlob:

AntiVir 6.34.0.24 04.18.2006 no virus found
Avast 4.6.695.0 04.18.2006 no virus found
AVG 386 04.18.2006 no virus found
Avira 6.34.0.56 04.18.2006 no virus found
BitDefender 7.2 04.18.2006 no virus found
CAT-QuickHeal 8.00 04.18.2006 (Suspicious) - DNAScan
ClamAV devel-20060202 04.18.2006 no virus found
DrWeb 4.33 04.18.2006 Trojan.Popuper
eTrust-InoculateIT 23.71.132 04.18.2006 no virus found
eTrust-Vet 12.4.2165 04.18.2006 no virus found
Ewido 3.5 04.18.2006 no virus found
Fortinet 2.71.0.0 04.18.2006 suspicious
F-Prot 3.16c 04.18.2006 no virus found
Ikarus 0.2.59.0 04.18.2006 no virus found
Kaspersky 4.0.2.24 04.18.2006 Trojan-Downloader.Win32.Zlob.lq
McAfee 4742 04.17.2006 no virus found
NOD32v2 1.1494 04.18.2006 Win32/TrojanDownloader.Zlob.NAV
Norman 5.90.15 04.18.2006 W32/Malware
Panda 9.0.0.4 04.17.2006 Suspicious file
Sophos 4.04.0 04.18.2006 no virus found
Symantec 8.0 04.18.2006 no virus found
TheHacker 5.9.7.130 04.16.2006 no virus found
UNA 1.83 04.17.2006 no virus found
VBA32 3.10.5 04.18.2006 Trojan.Win32.TrojanDownloader.Zlob.NAV

 

So are you saying that my friend just had the misfortune of getting two infected files on his computer before NOD32 release signatures for them? By the way here is the exact wording of the threats:

a variant of Win32/TrojanDownloader.Zlob.LP trojan
Win32/TrojanDownloader.Small.CML trojan