How to handle threats that are not cleaned or quarantined?

NOD32 4.2 BUSINESS EDITION: web protection encountered threat "SWF/Exploit.Agent.EA trojan" and reported action of "connection terminated - quarantined". User saw fake AV window while browsing Internet using IE8. Restarted PC but still got the fake AV screen...

I then had customer restart PC and then I ran an in-depth scan from ERAC (with nobody logged on to the infected PC). Scan came back clean.

Next I remoted into PC and used AutoRuns tool and found a RUNONCE registry link to a suspicious executable file (which I did submit to ESET). A bit later I ran an on-demand scan on this file and it now is detected as "a variant of Win32/Kryptik.ACQS trojan”. But again, it was not cleaned or quarantined. A definition update had just occurred prior to this on-demand scan, which explains why the file was now detected as a threat. Did my suspicious file submission really get processed that fast?

So ESET detected some form of web threat, but apparently does not fully protect the computer What are we supposed to do when a threat is detected, but not cleaned/quarantined? I checked the list of manual removal tools on ESET's site but saw no mention of "kryptik".

Suggestion to ESET: why not provide some form of guidance to us admins back at the ERAC console as to how we are supposed to handle cases like this? Maybe link us to a KB article, or manual removal tool for the specific threat. The way it is now, we will have to call ESET - which wastes both of our times and monies...

 

What happened was that the computer got infected with a threat not recognized at the point of infection. After the signature database updated to a version which had detection for the threat added, the threat should have been detected and removed by the startup scan.
Unfortunately, you didn't enclose the complete record from the on-demand scanner log. If there was an error cleaning/quarantining the file, it must have been logged. Another possibility is that the on-demand scan was run in "scan-only" mode so threat was only reported but not clean. Hovewer, as I have already written, the threat was supposed to be cleaned during a startup scan after update without the need to run an on-demand scan. It'd be interesting to see the Threat log from the computer in question, maybe some detections or errors logged were logged there.

 

I am not sure I understand you Marcos, as the threat was recognized at the time of infection (the web protection module detected it as SWF/Exploit.Agent.EA trojan):

Here is the threat log for the time of initial infection:
Column Name Value
Threat Id Threat 390
Client Name Office1-new
Computer Name Office1-new
MAC Address 6c626d4bec1d
Primary Server Win2k8-vm1
Date Received 2012-03-15 14:00:20
Date Occurred 2012-03-15 13:58:27
Level Warning
Scanner HTTP filter
Object file
Name http://91.200.176.24/content/field.swf
Threat SWF/Exploit.Agent.EA trojan
Action connection terminated - quarantined
User SJS\Witczak_C
Information Threat was detected upon access to web by the application: C:\Program Files\Internet Explorer\iexplore.exe.
Details Ready
[/1]

Here is the 1st In-depth scan log (which I initiated from ERAC):
Log
Scan Log
Version of virus signature database: 6969 (20120315)
Date: 3/15/2012 Time: 2:51:14 PM
Scanned disks, folders and files: Operating memory;C:\Boot sector:\Boot sector;C:\:\
Operating memory » C:\Program Files\RealVNC\VNC4\WinVNC4.exe » ZIP » - archive damaged
C:\hiberfil.sys - error opening [4]
C:\pagefile.sys - error opening [4]
C:\compaq\ISOs\HP Restore Plus! for HP Pro 3000 Microtower PC.ISO » ISO » readme.txt » MBOX - is OK (internal scanning not performed)
C:\compaq\ISOs\Vision Diagnostics.ISO » ISO » HP_MEMORY_TEST.ISO » ISO » CWSDPMIX.ZIP » ZIP » doc/cwsdpmi/cwsdpmi.doc » CWS » file.swf - archive damaged - the file could not be extracted.
C:\compaq\ISOs\Vision Diagnostics.ISO » ISO » HP_MEMORY_TEST.ISO » ISO » CWSDPMIX.ZIP » ZIP » doc/cwsdpmi/cwsparam.doc » CWS » file.swf - archive damaged - the file could not be extracted.
C:\Program Files\RealVNC\VNC4\winvnc4.exe » ZIP » - archive damaged
C:\Temp\Office2\IE5\EN\IENT_S1.CAB » CAB » IENT_1.CAB » CAB » MSHTMLED.DLL - next archive volume not found
C:\Temp\Office2\IE5\EN\IE_S1.CAB » CAB » IE_1.CAB » CAB » SHDOCVW.DLL - next archive volume not found
Number of scanned objects: 782946
Number of threats found: 0
Time of completion: 3:22:21 PM Total scanning time: 1867 sec (00:31:07)

Notes:
[4] Object cannot be opened. It may be in use by another application or operating system.


Here is the log from an On-demand scan of the suspicious file, AFTER the definitions had updated to 6970:

Log
Scan Log
Version of virus signature database: 6970 (20120315)
Date: 3/15/2012 Time: 4:04:26 PM
Scanned disks, folders and files: C:\Documents and Settings\Witczak_C\Local Settings\Application Data\dtwbbsn.exe
C:\Documents and Settings\Witczak_C\Local Settings\Application Data\dtwbbsn.exe - a variant of Win32/Kryptik.ACQS trojan
Number of scanned objects: 1
Number of threats found: 1
Number of cleaned objects: 0
Time of completion: 4:04:26 PM Total scanning time: 0 sec (00:00:00)


And here is a threat log that shows NOD32 finally deleting the file (I tried to rename the file, hoping it would cause NOD32 to scan it):
Column Name Value
Threat Id Threat 392
Client Name Office1-new
Computer Name Office1-new
MAC Address 6c626d4bec1d
Primary Server Win2k8-vm1
Date Received 2012-03-15 17:11:34
Date Occurred 2012-03-15 17:09:42
Level Warning
Scanner Real-time file system protection
Object file
Name C:\Documents and Settings\Witczak_C\Local Settings\Application Data\dtwbbsn.exe(INFECTED)
Threat a variant of Win32/Kryptik.ACQS trojan
Action cleaned by deleting - quarantined
User SJS\administrator
Information Event occurred on a file modified by the application: C:\windows\explorer.exe.
Details Ready


My thought is that this web-based malware downloaded and executed the suspicious exe file. NOD32 says it terminated the connection to that web site, but not until *after* a malicious file was downloaded and run. That does not seem like very good protection

So, back to my original question: what are we supposed to do when a threat is detected, but NOD32 is unable to clean or quarantine it? No suggestions are offered by the ERAC console, leaving users without any clue as to what to do...

If there are other logs that you want to see, please give me precise directions as to how/where I can get these logs. Remember - I am a newbie to this software...

 

Definitely it was not the malware that was detected because of this message:
Action connection terminated - quarantined
That means ESET blocked this particular piece of malware at the network level before it could make it to the computer disk or memory. I assume there must have been other malware or exploit that downloaded the rogue app.

This shouldn't happen at all and this was not such a case either.

In the on-demand scanner log, there was no mention of an error while cleaning or quarantining the file:
C:\Documents and Settings\Witczak_C\Local Settings\Application Data\dtwbbsn.exe - a variant of Win32/Kryptik.ACQS trojan

This indicates that the scan was not run in "cleaning mode". If you right-click a client and select New task -> On-demand scan (cleaning enabled), the "Scan without cleaning" check box will be unticked so any threat found will be removed.

As I mentioned before, it'd be of interest to see all recent threat log records. Check if there are some with something like "Startup scanner" listed in the Scanner column. If the threat was actually active and registered in the system, the startup scan must have detected and removed it automatically after the update. If there's no mention of the startup scanner in the Threat log, I assume the threat was either not active on the computer or startup scan tasks are not run for some reason (e.g. most likely they were disabled).

 

Hmmm, I think it is too coincidental that the web protection module (sort of) caught a threat, and then some other piece of malware infected the PC. No, it is very likely that the two incidents are very related. The date/time stamp of the malicious .exe file matches the date/time stamp of the threat that the web filter (sort of) blocked.

Again, I am new to your product, so you'd have to give me precise instructions on whatever other logs you want to see.

I can tell you when I executed the In-depth scan that I chose CLEANING ENABLED. Why don't these logs state whether cleaning was enabled or not? It tells us the definitions version, so why not tell us other important settings like cleaning enabled/disabled?