Nod 32 Not Detecting Viruses

Discussion in 'NOD32 version 2 Forum' started by worldcitizen, Aug 4, 2004.

Thread Status:
Not open for further replies.
  1. fredra

    fredra Registered Member

    Joined:
    Jul 25, 2004
    Posts:
    366
    Am I missing something?
    I read the entire thread and it seems that the file was harmless...
    Pardon me for being confused...What was the problem with NOD not identifying a harmless file?
    I am not a NOD guru, but I fail to see your points. o_O
    Maybe I am having a blond/bald moment :'(
    Cheers :)
     
  2. J. A. Beanstalk

    J. A. Beanstalk Registered Member

    Joined:
    Sep 1, 2004
    Posts:
    37
    Actually, you are missing something. :) As you refer to a "file" rather than files. And this thread started out with WC complaining that NOD32 had missed multiple malware items, rather than just the single harmless file described in post #67. The malware below has NOT been ruled harmless:

    Sdbot.worm.gen.t virus
    W32/Gaobot.worm.gen.f
    W32/Gaobot.AAM.worm
    Backdoor.Agobot.KM

    All of the above were listed in WC's first post. I didn't include "Qhosts.apd trojan" in the list, since I'm assuming that's the same thing discussed in post #67.

    WC also states: "McAfee Stinger found and killed 2 & with Bit Defender FREE I quarantined the other 1 and rebooted and will delete it but the thing is NOD32 found absolutely nothing and this really concerns me." So this clearly confirms the thread is not just about a single file that was ruled harmless. Which was why I also used the terms "malware" and "viruses" in my post, since my post pertained to the entire thread, rather than just the trojan. :eek:
     
    Last edited: Sep 7, 2004
  3. J. A. Beanstalk

    J. A. Beanstalk Registered Member

    Joined:
    Sep 1, 2004
    Posts:
    37
    Obviously YOU didn't read the thread well at ALL!!!

    1) My post mentioned the trojan which worldcitizen reported that McAfee AVERT Stinger Version had detected: “Found the Qhosts.apd trojan !!!C:\WINDOWS\system32\drivers\etc\hosts has been repaired.” Whereas the post you refer to is about a trojan named Trj/Qhost.gen that flyrfan said Panda detected!!!

    2) But if these two trojans are in fact the same animal, then obviously you didn't read my post well at ALL!!! Because I stated “As far as this particular thread, I just finished reading it while being distracted by a million other things, but I'd like to make a few points based on my fragmented memories of it.” Which clearly constitutes an admission on my part that I may have some of my facts wrong!!!

    3) And again, IF these two trojans are in fact the same animal, WC started this thread on Aug. 4th. And flyrfan’s post is dated Aug. 13th, so up until that date, WC thought TDS had missed a trojan--yet he never held TDS 'accountable' for it. Yet you zero in on something that isn’t even relevant to the point I was making!!! And that point was the fact that he was laying all of the blame on NOD, even though he also THOUGHT the TDS program had screwed up!!!

    4) You make the blanket statement that “nothing was missed”, despite the fact this thread is about NOD failing to detect multiple malware files. In other words, you don’t specify that you’re referring solely to my statements about TDS and the trojan. Which means that you obviously didn't read the thread well at ALL, or you would have remembered the other malware WC reported that NOD missed, which the other programs DID detect!!! :p
     
  4. Detox

    Detox Retired Moderator

    Joined:
    Feb 9, 2002
    Posts:
    8,507
    Location:
    Texas, USA
    Er.. right - then clearly I missed when these files were submitted and verified, would you please direct me to that so that I may review?

    Otherwise, this is all just as "real" as all those people who pop a few words into Google and believe whatever they find as heaven-sent fact and call it "research." We wouldn't want to do that, now would we?

    Also, as we have seen, our reporter in this case practices unsafe hex - and if the worm he reportedly found was allowed onto the system, it will terminate both NOD and TDS processes.
     
  5. J. A. Beanstalk

    J. A. Beanstalk Registered Member

    Joined:
    Sep 1, 2004
    Posts:
    37
    Er.. people are sent to state prison in Texas for armed robbery based solely on the testimony of one "eyewitness", so what people say does carry a 'little' weight. As you get older you'll be better able to distinguish between fact and fiction. I believe WC's story in its entirety, due to his previous 'unsolicited testimonials' about NOD, as well as other 'things'. And the reasons he gave for being unable to provide samples are common for many people.

    Er.. Aren’t YOU doing that? You accepted flyrfan’s story in post #67 as “heaven-sent fact” without considering that it could be totally fabricated. How do you know he isn’t a well paid shill working with Eset for damage control purposes?

    Er… the fact that NOD’s protection can be ’turned off’ by a worm makes the program just as unreliable as it would be if faulty code or a corruptible system file was the problem. And as I understand it, you have to download some software in order to utilize online anti-virus scanners. But yet the worm was obviously not able to affect any of the software for the online scanners which WC used. So I guess the moral of the story is that if you’re using an anti-virus program from a company that isn’t competent enough to keep malware from disabling it, you should use online scanners every day.

    Or better yet, since you can get malware from compromised web sites regardless of whether you practice “safe hex“, just demand a refund for worthless programs that can be ‘turned off’ without your knowledge, and use online scanners exclusively. As what’s the point in having security software if you can’t tell whether it’s working, and it can be surreptitiously disabled at any time by the malware it’s supposed to detect?

    Now I’m not a computer scientist, so feel free to jump all over me for expressing my opinions. *puppy*
     
  6. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,456
    Guys,
    most Agobot and Sdbot variants are detected via Advanced heuristics, so why not take advantage of it and make your computer better protected from virus attacks? If NOD32 finds such a probable NewHeur_PE virus, just send it to sample@nod32.com and we'll add detection by name ASAP.
     
  7. J. A. Beanstalk

    J. A. Beanstalk Registered Member

    Joined:
    Sep 1, 2004
    Posts:
    37
    Marcos,

    I'd like to compliment you on your program, as I think it's very nice after reading so much about it--and I think it has a lot of potential. Although I have no connection with the software industry, I'd venture to guess that it has a market value in excess of $1 million. But the problem is that it can be surreptitiously disabled by a 13-year-old hacker with a free worm, leaving users with ZERO protection. So after you fix this massive security hole, please let me know--as I'd love to buy NOD32 when I'm able to rely on it.

    Jack
     
  8. ronjor

    ronjor Global Moderator

    Joined:
    Jul 21, 2003
    Posts:
    164,107
    Location:
    Texas
    In the event you would like to be helpful to NOD, you can send this "info" you posted to support@nod32.com and explain what you have found.
     
  9. fredra

    fredra Registered Member

    Joined:
    Jul 25, 2004
    Posts:
    366
    I will never berate you for expressing your opinions. Please continue to state your position.
    The "security hole" as you put it is a bit puzzling, as the particular 'worm', as stated in the "Detox" link, also disables Kav, Nav, Avg with others listed. So the "worm" is not selective to "Nod" only.
    IMHO if you go and buy the present highly touted "Kav" it will still be adversely affected by this specific "worm".
    The idea of a layered approach to stop it before it invades your PC (using other software) appears to be a better method.
    Cheers :)
     
  10. NOD 32 does not detect all the viruses........ RIGHT !
    For viruses "in the wild" nod32 is probably the best, but many (MANY, NOT ALL) trojan horses and worms are not detected.
    My experience:
    My Nod32 (always updated) has missed, after one year's use, at least 10 viruses (almost all trojans). I'm still using it, but I check my PC regularly with the Symantec Security Check on the Symantec site
     
  11. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,456
    No offense intended, but the new Advanced heuristics has already detected a high number of new trojans and we are continually being inundated with new samples sent from our customers. Frankly, only a very small percentage of them are false positives, so saying that NOD32 is not good at trojan detection is not true (though I must concede this statement could be considered true some time ago).
     
  12. ronjor

    ronjor Global Moderator

    Joined:
    Jul 21, 2003
    Posts:
    164,107
    Location:
    Texas
    NOD caught two trojans trying to access my system using the new version.
    It also notified me of a file in system restore.

    I love this new version.
     
  13. J. A. Beanstalk

    J. A. Beanstalk Registered Member

    Joined:
    Sep 1, 2004
    Posts:
    37
    Thanks, I appreciate that.

    Sadly, I'm all too aware of these unfortunate circumstances. But if people don't complain about it, Eset will get a thick head and think they don't have to fix the problem. As they'll figure "why bother if people are willing to accept this security flaw and buy the program anyway."

    Since they're exposing their customers to unacceptable and unnecessary risks, the best way to motivate them to change their unscrupulous policies is to expose them in forums.

    The idea is that if you prefer NOD32, you publicly inform Eset that your business and annual fees will go to the Kaspersky program, even though it has the same flaw. But if Eset fixes their security hole, that will motivate you to come back to them. And if you prefer Kaspersky, you do the same thing with them. That way, you only have to pressure one company.

    But I much prefer to have the gigantic hole in my AV software closed up. As this may prevent the occasional 'super slippery' worm from squirming through my layered defenses, and getting into my hard drive to wreck havoc. In other words, although the “layered approach” sounds comforting, the ugly reality is that nothing is absolute when it comes to computer security--as I’m sure you know. So a gaping hole in the most critical security program I have is equivalent to having an extra hole in my head. And that's something I just don't want--as with my luck, a worm would crawl through it during my next camping trip and infect my brain. :eek:
     
  14. ronjor

    ronjor Global Moderator

    Joined:
    Jul 21, 2003
    Posts:
    164,107
    Location:
    Texas
    I believe you underestimate Eset and their product.
    Send your findings to support@nod32.com.

    In the meantime, may I suggest you use whatever you feel comfortable using.

    I prefer to use an antivirus that is not worse than a virus in the way it operates on my system.
     
    Last edited: Sep 8, 2004
  15. J. A. Beanstalk

    J. A. Beanstalk Registered Member

    Joined:
    Sep 1, 2004
    Posts:
    37
    Congratulations on the continued improvement of your program--it’s looking better and better all the time. Now if you could just fix that darn security hole so prospective customers could rely on your program to work ALL of the time. You know, the hole that allows a kid to shut your million dollar program down with a free worm. Any chance that you could provide an estimated date as to when this hole will be patched??

    I realize that your competitors subject their customers to the same security flaw. But why not be the first to set an example, and thereby establish a reputation as a TRUE leader in your industry? As this would be far better than the alternative--which is the embarrassment of a competitor beating you to the fix.

    It would be a prestigious opportunity that’s lost to you forever--and probably something that your company would regret forever. Especially as the AV market heats up and becomes more competitive, since you'll need every marketing edge you can get. Remember, the $7,500 a year software programmers in India will be nipping at your heels before you know it. So NOW is the time to crank things up and establish a pace FAR ahead of the pack.

    Imagine being able to prominently advertise on your web site “The industry leader in anti-virus programs. We are the first company in our industry to patch the gaping hole that allows a 13-year-old kid to shut down your defenses with a worm.” Or something along that line. :)

    And just think of all the extra market share you’d snatch away from you’re competitors as they’re scrambling to catch up with you. The bottom line is that someone WILL fix this flaw in the near future--so why not let it be you, so you can be the industry leader instead of just part of a long line of followers?

    Also, consider how much better you'll sleep at night knowing that you're no longer forcing your customers to use the equivalent of a security guard who can have sleeping pills dropped into his water bottle while he's on his rounds.
     
  16. Detox

    Detox Retired Moderator

    Joined:
    Feb 9, 2002
    Posts:
    8,507
    Location:
    Texas, USA
    I am 26 and finishing up my MSCJ in the great state of Texas in a couple months. You are wrong - nobody is sent to prison on the testimony of one "eyewitness." Without plea bargaining, which indeed occurs most of the time, a verdict and sentence is handed down through a process which I won't try to explain here. Additionally, the next time you try to turn a conversation here personal in a manner such as this I will remove your post - we don't do the name game here.


    Because I know the guys at Eset and I know things from behind the scenes. The file was submitted and analyzed.

    Nope - the worm can only do so if it is let onto the system with NOD/TDS3/ or any other security application which can detect it disabled. None of my other applications work either when I shut them off. I'll elaborate on this for you later.

    Opinions are expressed freely here, while personal comments are not. However, corrections to opinions based on mistake are always likely to appear.

    This summarizes most of the problems some people seem to be ignoring about the problems encountered in this thread.



    Let's quote WC's very first line in his first post because that's the key:

    Now the first scan with Stinger and what it detected:
    From the McAfee site it says: "This file is dropped upon execution of the worm." <-- So, the system would have had to be previously infected and the worm executed, before the Qhosts.apd trojan could have been 'dropped' into the system and compromised the hosts file.

    And Stinger also caught the W32/Sdbot.worm.gen.t (the TFTP3468 file) and deleted that one. But it didn't catch the other file (wmmon32.exe) so the system was still infected before on-line scans could be done.

    Now the On-line McAfee scan didn't find the W32/Gaobot.worm.gen until after the Stinger tool removed the Qhosts.apd and repaired the Hosts file, otherwise WC would not have been able to get to any on-line scan because the Qhosts.apd 'alters' the Hosts file by adding urls to it redirecting to localhost (127.0.0.1) for all the antivirus sites to prevent the person from being able to get to them.)

    Once WC's hosts file was repaired by Stinger, he was able to go to one of the on-line scan sites. He chose McAfee (1st?), then Symantec's (2nd?) then Trend Micro's HouseCall (3rd?), then BitDefender (4th?)

    Now, McAfee picked up 1 file for the W32/Gaobot.worm.gen.f worm. (The name of the file isn't given, so was it deleted by McAfee's on-line scan?)

    Next we have Symantec catching the W32.HLLW.Gaobot.gen worm, which is another alias name for the W32/Gaobot.worm.gen.f (wmmon32.exe file).
    Then Trend Micro's HouseCall catches the wmmon32.exe file (no virus name was given to the file, but Trend does call this file Worm_RBOT.JZ on one of its non-English sites.)
    Then Panda Active Scan catches the W32/Gaobot.AAM.worm, which is another alias name for the W32/Gaobot.worm.gen.f (wmmon32.exe file).
    Then Bitdefender catches the Backdoor.Agobot.KM worm, which again is another alias name for the W32/Gaobot.worm.gen.f worm (wmmon32.exe file).

    I'm a bit confused here since four other anti-virus scanners are saying they all caught the exact same file as the McAfee on-line scan says it caught? They couldn't have all caught and deleted the same file at the same time. I would think once would have done it. Or was there a reason to have 4 anti-virus scanners, that were not actually running on a compromised system, detect these worms? Why would they not delete the infected file with the first on-line scan?

    Keep in mind the first sentence in WC's first post: "Lately my PC has been acting weird", and the fact that the Gaobot/Agobot/Rbot worms, once executed, do compromise the system and also the security apps on that system: firewall, anti-viruses, anti-trojans, etc., and WC did say his system was acting funny before he did a system scan with NOD.


    NOD, along with TDS-3, probably were already compromised by the worms as this is one of the destructive payloads these worms have - to prevent them from updating or working properly. WC did say that NOD's GUI was all white. That sounds like it was compromised 'before' he tried to do a scan with both NOD and TDS-3. He also said he just renewed his NOD license 2 weeks prior to posting. Did NOD's license run out and he was no longer able to update it for best protection? He could well have been infected prior to renewing his license and updating NOD while infected.

    That was posted in Post #9, on Aug 4th, so he could well have been behind in his updates at time of infection.

    As mentioned earlier, these particular worms compromise security apps, along with allowing remote access after the compromise. What's happening with NOD's GUI is a sure indication it was compromised. Port Explorer detected something because it isn't on the worms' list.

    What I am seeing here is an infected system where the worm has already executed (running) and a compromised NOD, TDS-3 and probably firewall too (maybe even remote access involved by now). Then to make matters worse, another worm, W32/Sdbot.worm.gen.t (file TFTP346), gets dropped into an already compromised system, along with Qhosts.apd, which alters the hosts file. With a compromised hosts file, antivirus, and anti-trojan, they would have had little chance to update their security programs and do a full system scan after they realized their system was 'acting funny'.

    Post #15:
    So it looks like being hit by viruses isn't something new to him, and if Nod was saying "found 5, deleted 2, or found 7, deleted 1", I'd be following up on the files that were not deleted rather than continue on surfing and risk further infection.

    (sooo many aliases, sooo many variants)
    Alias names for the W32/Gaobot.worm.gen.f worm
    Alias names for the W32/Sdbot.worm.gen.t worm


    edited to correct quote - Detox
     
    Last edited: Sep 8, 2004
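The hosts-file hijack Detox describes above (security-vendor and update domains pointed at 127.0.0.1 so the victim cannot reach on-line scanners or updates) is easy to check for by hand, and easy to script. The following is an added example, not code from the original thread or from ESET or any other vendor named here: it parses a hosts file, skips the names that legitimately resolve to loopback, and flags every other entry mapped to a loopback or unspecified address, marking those that look like security-vendor domains. The sample hosts content and the vendor keyword list are constructed for illustration.

```python
import ipaddress
import sys

# Constructed sample hosts file modelled on the Qhosts-style redirection
# discussed in the thread: vendor sites sinkholed to 127.0.0.1.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
127.0.0.1       www.nod32.com
127.0.0.1       update.symantec.com
127.0.0.1       download.mcafee.com   # appended by the trojan (constructed)
192.168.1.10    fileserver.lan
"""

# Names that are expected to resolve to loopback on a clean system.
LEGIT_LOOPBACK_NAMES = {"localhost", "localhost.localdomain", "broadcasthost"}

# Illustrative vendor keywords (assumption: extend for your own environment).
SECURITY_VENDOR_KEYWORDS = (
    "nod32", "eset", "symantec", "norton", "mcafee",
    "kaspersky", "trendmicro", "bitdefender", "panda",
)


def parse_hosts(text):
    """Return a list of (ip, hostname, line_no) tuples from hosts-file text.

    Comments (everything after '#') and blank lines are ignored, and a line
    whose first field is not a valid IP address is skipped as malformed.
    """
    entries = []
    for line_no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue  # malformed line; not a mapping
        for name in fields[1:]:
            entries.append((ip, name.lower(), line_no))
    return entries


def find_sinkholed_hosts(text):
    """Flag hostnames mapped to a loopback or unspecified (0.0.0.0 / ::) address.

    Returns a list of (hostname, ip_string, line_no, looks_like_vendor),
    in file order. Legitimate loopback names are not reported.
    """
    findings = []
    for ip, name, line_no in parse_hosts(text):
        if name in LEGIT_LOOPBACK_NAMES:
            continue
        if ip.is_loopback or ip.is_unspecified:
            vendor = any(k in name for k in SECURITY_VENDOR_KEYWORDS)
            findings.append((name, str(ip), line_no, vendor))
    return findings


def report(text):
    """Print one line per finding; return the number of findings."""
    findings = find_sinkholed_hosts(text)
    for name, ip, line_no, vendor in findings:
        tag = "SECURITY VENDOR" if vendor else "other"
        print(f"line {line_no}: {name} -> {ip} [{tag}]")
    if not findings:
        print("no sinkholed entries found")
    return len(findings)


if __name__ == "__main__":
    # Usage: python check_hosts.py [path-to-hosts-file]
    # Without an argument the constructed sample above is checked.
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8", errors="replace") as fh:
            report(fh.read())
    else:
        report(SAMPLE_HOSTS)
```

On Windows the file to pass is `C:\Windows\System32\drivers\etc\hosts`; on Unix-like systems it is `/etc/hosts`. Any entry flagged as a security vendor is a strong sign the machine was already compromised before the AV product was blamed for missing anything, which is the sequence Detox reconstructs above.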
  17. J. A. Beanstalk

    J. A. Beanstalk Registered Member

    Joined:
    Sep 1, 2004
    Posts:
    37
    How so? After all, a worm hole is a worm hole, and I've just called it like it is. With the recent research I've done, I believe they've currently got the best all around AV program--when it's enabled. But the simple reality is that they’ve got a massive security hole in their superior program that allows a kid with a worm to disable it without the user knowing it. And this inexcusable flaw simply needs to be fixed.

    You don’t think Marcos will send some of my posts to the owner? I’ve never had any luck sending suggestions by email, as they’re pretty much just ignored.

    I’m using Kaspersky on my new emachine without any problems (running XP home), any suggestions for something that would be more effective (other than NOD)? I’m just interested in the best virus protection, as I use TDS-3 for Trojan protection.
     
  18. flyrfan111

    flyrfan111 Registered Member

    Joined:
    Jun 1, 2004
    Posts:
    1,229
    In the future I would prefer you avoided such personal attacks, try to avoid demeaning people just to make your point. I am not a shill, nor do I work for or with Eset.

    Regards
     
  19. fredra

    fredra Registered Member

    Joined:
    Jul 25, 2004
    Posts:
    366
    IMHO....enough is enough
    I think Detox has done an excellent summary (thanks Detox) and it would serve no constructive purpose to continue to repeat what has already been stated.
    Opinions are one thing, but personal attacks are not needed.
    Agree to disagree, and get on with doing whatever you do.

    flyrfan, that is funny. ROTFLMAO....I don't think anyone would EVER take you for a "shill" (whatever that is) ..no personal attack, just injecting a sense of humor...LOL :D

    Cheers :)
     
    Last edited: Sep 8, 2004
  20. LowWaterMark

    LowWaterMark Administrator

    Joined:
    Aug 10, 2002
    Posts:
    18,280
    Location:
    New England
    I agree - enough is enough.

    No new information has been added to this thread since it was bumped about 32 hours ago. People are just quoting what was posted earlier in the thread, and rehashing the same points over and over again.

    The thread speaks for itself, and there is no additional technical information available because the system involved has been cleaned of the malware in question, the product uninstalled / reinstalled, and I believe ultimately swapped out for something else. So, no additional testing can be done now.

    But, like all threads here this one will remain available, and if someone posts about a similar situation in the future, then the information here may be helpful in determining some type of pattern, perhaps even leading to a root cause and ultimately product improvements which will be useful for everyone.
     