Nod has some issues

During a virus trial that we have been running Nod32 is consistantly failing to find viruses. These are not eicar viruses, these are real live virii. Currently we send 15 at a time and Nod is catching 8. We are using the command line scanner. I have tried their web site looking for a human to get in touch with but I can't seem to find the number to talk to a human.

If any of you have any ideas why it is missing so many virii and it scores so high in virus testing. It catches the eicar strains but is failing on real ones.

All return codes are either a 0 or 1. Does anyone know if Nod has any other return codes? The whole thing has me looking pretty bad as I touted Nod32.

Here is the call to the cl scanner.
SCANFILE C:\progra~1\eset\NOD32.exe /selfcheck- /sound- /quit+ /scanboot- /scanmbr- /arch+ /all
VIRUSCODE 1
VIRUSCODE 13

 

These are for Sales. Tech support just has a contact form.

 

How do you know they are real viruses? Are you positive the files aren't actually corrupted? Are they real executable files which do malicious actions? Have you sent them to samples@eset.com for Eset's engineers to have a look at them?

 

They are live viruses. AVG, Symantec and F-Prot catch all of them but Nod32 fails almost half of the time. I would tell you the names of the virii but, I don't want people to exploit it.

 

You might also try http://www.virustotal.com/flash/index_en.html
to check your results plus http://virusscan.jotti.org/ and post screen captures.

 

This command line scan above is not using all the NOD32 parameters (/pack+ for runtime packers is very essential). Why not use the On-Demand Scanner with all options checked?

Here is a brief overview of the settings one can use.

/clean = gives option to remove upon detection of infection
/ah = Scan with Advanced Heuristics
/all = Scan all files regardless of their extension
/subdir+ = Scan sub-directories
/heur+ = Enable heuristic analysis
/scanfile+ = Enable scanning of the files
/scroll+ = Enable scrolling
/arch+ = Enable archives (ZIP, ARJ and RAR) scanning
/pack+ = Enable internal runtime packer files scanning
/mapi- = Disable Outlook Error Message
/pattern+ = Enable testing using virus signatures/patterns
/scanboot+ = Enable boot sectors scanning
/scanmbr+ = Enable MBS scanning
/heurdeep = Set deep heuristic sensitivity
/log+ = Enable Log file generation
/prompt = Prompt user for action upon detection
/program = Potentially dangerous application scanning

 

Try NOD32 with advanced heuristic enabled. Just add /ah

 

Also don't forget about the /program parameter which enables detection of spyware/adware/dialers/keyloggers and other potentially dangerous applications

 

I will try the additional parameters. The only caveat is NOD was supposed to be kind to the CPU, it is not showing up as such on a dual 2.6 Intel test box. It's hitting the cpu hard and using very little ram. I guess that makes sense because I am only using the CL scanner. But, I noted the Advanced Heuristics take more cpu (obviously) - this being the case, I think it's going to peg the CPUs at 100% ( it's getting ALOT of emails). This is an email server running Imail and Declude. The AV CL switch's come from Declude AV set-up page. I let one of the Declude guys TS into the box and look over what we were doing to see if I had something set up wrong. He was really surprised by Nod failing but, did not see anything wrong with our testing.

What concerns me is that there may be something in the viruses themselves that makes them ignored by NOD32. I.E. it doesn't see them as a threat for some reason that is logical. But why does F-Prot see them as Viruses...

Stan999 - your link looks real promising. I will ask that the virii be uploaded to this box and see what happens. Unfortunately like most of you who are Sys Admins, we are really busy, so this virii trial is sort of "do it as you get time" kind of thing. I have to create the written report tomorrow - the test bed will get wiped Monday, as next week we are evaluating some different software. Never enough time to do things the way I want to do them.

 

This is thanks to Stan999 for the link to http://virusscan.jotti.org/

There were a total of 15 live viruses uploaded. Kaspersky caught 13, F-Prot 12, here is the list.

Service load: 0%

100%

File: main.mbx
Status: INFECTED/MALWARE
Packers detected: CRYPTCOM

AntiVir Diamond #3, VGEN/6.0, Jerusalem-USA, Albania-429, Albania-506, MPC #1a, Ice #2, Clonewar-923 (A), Adolph #3, BadBoy #1,Badguy-B, Pirate #2, VGEN/28.0 (1.91 seconds taken)

Avast Albania (3.00 seconds taken)

AVG Antivirus No viruses found (0.40 seconds taken)

BitDefender PS-MPC.0433.DZ.Gen, Diamond.1173, Jerusalem.1808.AT, Albania.429, Albania.506.A, PS-MPC.0576.AN.Gen, ARCV.571, Clonewar.923.A, Chameleon.1993, Bad_Boy.1000.A, Trivial.079.Gen, Burger.609.A, PS-MPC.0535.BY.Gen (1.09 seconds taken)

ClamAV VGEN.6.0 (0.62 seconds taken)

Dr.Web VirusConstructor.based, Diamond.David, Jerusalem.based, Albania.429, Albania.506, XRCV.571, CloneWar.924, V2Px.V2P6.1993,
BadBoy.Rainbow.1000, Milan.BadGuy.208, Burger.609 (1.07 seconds taken)

F-Prot Antivirus PS-MPC.432, corrupted or intended, Jerusalem.1808.CE, Albania.429, Albania.506.A, PS-MPC.546 (generic) - Dropper, ARCV.571, Clonewar.923.A, Milan.208.A, Burger.609.A, PS-MPC.535 - Dropper, Bad_Boy.1000.A (0.37 seconds taken)

Fortinet Anti-Pascal_II.fam (0.44 seconds taken)

Kaspersky Anti-Virus Virus.DOS.PS-MPC-based, Virus.DOS.Murphy.David, Virus.DOS.Jerusalem.b, Virus.DOS.Albania.429, Virus.DOS.Albania.506.a, Virus.DOS.ARCV.571, Virus.DOS.Companion.923, Virus.DOS.Chameleon.1993, Virus.DOS.BadBoy.1000.a, Virus.DOS.Badguy.208, Virus.DOS.Burger-based, Virus.DOS.PS-MPC.Bamestra.535, Virus.DOS.BadBoy.1000.b (2.72 seconds taken)

mks_vir No viruses found (0.72 seconds taken)

NOD32 No viruses found (1.38 seconds taken)

Norman Virus Control No viruses found (0.76 seconds taken)

Looks like we have a lot of pudding.

 

Isn't it a special kind of a mailbox?

 

Hi, I’d like to ask you a few questions to clarify some details;

1. How are you performing the tests?

2. Do you know what you are doing?

3. Are you testing the whole virii file or just the signatures?

4. How do you know the virus samples you have are not corrupt?

5. Where did you obtain the samples?

I ask these questions as in a previous thread of yours, you ask for assistance to find virus samples and also how to test only the signatures of the virii file not the whole executable that would be delivered in a "In the wild" situation".
(Link to threads mentioned above 1. 2.

The testing of Antivirus scanners using "In the wild" virus samples is best left to experts, firstly you need actual current "In the wild samples", that have not been cleaned/deleted by a previous Antivirus, A sterile PC with exactly the same settings for every test run. If you merely load and delete the samples one after the other you will get errors in your test.

The basic fact that you did not have Nod32 set to scan with full settings renders your results useless, amateur testing like this, especially when you post the results as definitive can mislead and misinform people.

 

yes, you are right, it's a unix mailbox format. also used by eudora and pegasus mail.

 

Those are some really old DOS viruses from around 1989 and the 1990's.
They mainly infect COM files in a DOS environment and don't really pose a current threat.

IMHO, I personally wouldn't use results from that test file you have to influence a decision on which AV provides good protection from current day infections and zero-day threats.

 

First of All, thanks for Stan999 for the link.

I tried to solve my problem in this thread:

https://www.wilderssecurity.com/showthread.php?t=68013

So, I sent my file and got this answer:

File: cartaovirtual
INFECTED/MALWARE
Packers detected:
UPX

AntiVir
No viruses found (1.19 seconds taken)
Avast
No viruses found (4.53 seconds taken)
AVG Antivirus
No viruses found (1.15 seconds taken)
BitDefender
No viruses found (1.47 seconds taken)
ClamAV
No viruses found (1.89 seconds taken)
Dr.Web
No viruses found (2.41 seconds taken)
F-Prot Antivirus
No viruses found (0.23 seconds taken)
Fortinet
No viruses found (1.22 seconds taken)
Kaspersky Anti-Virus
Trojan.Win32.VB.ta (1.90 seconds taken)
mks_vir
No viruses found (0.27 seconds taken)
NOD32
No viruses found (0.54 seconds taken)
Norman Virus Control
No viruses found (0.67 seconds taken)

Well, I´ve sent this file yesterday to Eset and Kaspersky, and unfortunately I didn´t get any answer yet.

Best Regards,

DonKid.

 

That’s what I was thinking Stan, I like Nod. But that is a random pulling of about 500 or so live Windows viruses I have on a linux machine. If because some of them are old does that mean they shouldn't be caught? I wondered if Nod doesn't catch them because they are not considered a threat anymore. If so why do the other AV's catch them if they are unimportant? I will try another round of different Virii. I think your on the right track.

Sweetie,I don't understand your childish attacks. Please read all the posts and you will see that I have live virus pool and I am sending them as attachments to a test bed email server running an Imail interface and sending the emails to be scanned using the command line scanner functions of the AV. This is a project. I am a network admin. I really don't care if I stepped on your toes because you are affiliated with NOD or think you know what you are doing. I just want a product that catches the viruses, has the lowest cpu usage and that works from a command line. I’m not picking on your pet av. The test viruses are caught by several well-known AV and not caught by Nod32. Why? I posted the results. You see it fails. My testing obviously concurs with Jotti's site. I have had a third party review my testing procedures and agree I was doing it right. Ranting like a teenager doesn't explain the discrepancy.

I thought this was a professional site for people who do IT for a living.

 

Hi variable125,
I wonder if you have already submitted those files to Eset. Without doing so, it's impossible for people from Eset to tell why they weren't picked up by NOD32. Also I can assure you NOD32 detects a huge bunch of old DOS virii.

 

Edit; removed my post.

 

Marcos, we sent the original 15 and 9 newer W32 virii that are listed below to Eset. Hopefully, we will hear something back. Perhaps they monitor the threads here.

Stan999, in keeping with your line of thinking about the virii being old, we sent a new round of W32 viruses through the test bed and to the Jotti web site. The results are listed below. Again, these are not eicar signatures but live viruses.

Service load: 0% 100%

File: main.mbx
Status: INFECTED/MALWARE
Packers detected: None

AntiVir WIN/CERE1482, W32/Idele.2560.DR, W32/Lames.4096.A, W95/Millenium, W32/Cabinfector.1, W32/Volcano.Dr, WIN/ZOMBIE (0.42 seconds taken)

Avast No viruses found (1.53 seconds taken)

AVG Antivirus No viruses found (0.40 seconds taken)

BitDefender Win32.Cerebrus.1482, Win32.Idele.2108.Dr, Win32.Lames.4096, Win98.Milen.3205, Win32.CabInfector, Win32.Vulcano, Win32.Intended.Zombie (0.59 seconds taken)

ClamAV CERE1482 (0.59 seconds taken)

Dr.Web Win32.Cerebrus.1482, Win32.Idele.2108, Win32.Deviator.4096, Win32.Benny.3205, Win32.Prizzy.4096, Win32.Benny.6416, modification of Win95.Zombie.4600 (0.96 seconds taken)

F-Prot Antivirus W32/Cerebrus.1482, W32/Idele.2108, W32/Lameness.4096, W32/Milennium.3205, W32/Cabinf.A, W32/Vulcano.A, W32/Zombie.4576 (12.27 seconds taken)

Fortinet No viruses found (1.09 seconds taken)

Kaspersky Anti-Virus Virus.Win32.Cerebrus.1482, Virus.Win32.Idele.2108, Virus.Win32.Lames.4096, Virus.Win32.Levi.3205, Virus.Win32.CabInfector, Virus.Win32.Vulcano, Virus.Win32.Zombie (3.46 seconds taken)

mks_vir No viruses found (0.79 seconds taken)

NOD32 No viruses found (1.49 seconds taken)

Norman Virus Control No viruses found (0.75 seconds taken)


Interesting aside.. Testing AVG with these 9 resulted in many getting through. Once in the mail box however and using a manual scan, AVG found most of them. So this lead us to believe it could be a switching issue with the CL scanning. So far this has held to be true for Nod 32 as well. The obvious deduction from this is that a crucial switch is not set. We have tried all those suggested. The /pack+ actually crashed the test box Looked like a loop.

We will continue to try tomorrow. If we come up with any solution I will post it.