NOD missed Zlob

I have NOD32, and today got infected by Zlob, I keep AMON and IMON on all the time, so can't see how this happened. My database is 1897 (20061201).

Even after I was infected, I scanned with NOD and it didn't find anything, I ran Spybot which found and identified it but didn't remove it, so I bought Webroot's Spy Sweeper which detected it.

I am really confused as to how this got in, can anyone advise me what I may need to tweak, as NOD seems to function fine for the vast majority of cases, detecting virus in e-mails and on websites.

TIA

 

Make sure you have the HTTP scanner enabled in IMON. By using cracks you account for getting infected.

 

I have "enable HTTP checking" ticked.....Is this ok?

I am not sure I understand what you mean in the second part of your reply, could you clarify please.

 

It means that IMON will block the websites with fake codecs, but in order to be fully protected against new Zlobs you must refrain from using cracks as they usually have Zlob embedded.

 

In other words, is your NOD 32 license legitimate?

 

Doesn't NOD32 catch all Zlob variants or was it another recent malware?
Argh I can't remember ...

 

Does not have to be Nod32.
Just that zlob is generally associated with cracks

 

Stration

 

Thanks guys, my version of NOD is registered, and I don't have any cracks, though I was trialling various shareware software this morning to do with video editing.

So basically I am non the wiser, I assumed that if I downloaded some rogue shareware NOD would pick it up, but I now need to assume that anything from a less than well know site could infect my NOD protected Pc?

Cheers

 

No , NOD32 is excellent (one of the best) products . However , no product can detect 100 % of all the crap out there . Since you visit such sites and download software , I would suggest you add McAfee Site Advisor to your list of protection tools (free browser add-on which checks sites you visit and informs you if they can send you spam , if they contain malicious downloads,if they use browser exploits,if they link to other mal sites ... ) Site Advisor works with IE and Firefox

 

No AV protects you 100% all the time, it can't be done.
I suggest that you surf safe, don't visit any crack/porn sites etc. and you'll be just fine. NOD32 is capable of detecting a large amount of new malware before any signature has been released, but it doesn't make you immune to new threats.

Common sense is your best weapon.

 

One live example from an old Zlobby tread
https://www.wilderssecurity.com/showpost.php?p=760705&postcount=35

 

Thanks guys....I will look into the other suggestions. I usually use Firefox, but had strayed into IE today.

As for visiting the porn sites, you would be calling an ambulance, not IT support if I did that at my age

Thanks again, have a good evening.

 

Sorry, I was just listing some general sites where you will most likely run into some nasty malware
I wasn't saying that you visit them or anything like that.

 

No need to apologise Brian, I was just joking, I appreciate all the input from everyone here....

 

Alternatives to SiteAdvisor are Scandoo, CallingID and Link Scanner Lite/Pro(my favourite)

 

No slant here towards NOD but i think the entire AV industry needs to improve it detection for these malware. The security cleaning forums are absolutely full of these infections. And there are many ways to catch this infection not just 'Cracks'!.

The other day while browsing, one link led to another and saw a chance to view 'JLO'. Well i couldn't turn that down could I! . Clicked another link and it said that i was missing a codec and knowing is was a nasty in waiting, clicked off the popup box. A few moments later, it started trying to download anyways but i didn't care because i was running 'Bufferzoned'. Cleaned the Zone and all is well. Bad news is, i never did get to see 'JLO'!

 

if you check NOD 32 signatures, lots of Zlobs variants are added each day
But you hit the point: sandbox HIPS are the best option for this kind of threat

 

Zlob has a new variant ready every hour or less

 

The same can be said for Strations, Lineage trojans and others of this kind

 

And a lot of these variants are tested against up-to-date AV solutions to make sure they have some survival time...

 

As soon as eset find a new zlob-transmitting site they add a block to it, so if you have IMON enabled with the "website access blocking" you can't even access most of the zlob-transmitting sites. That's one of the best protective features I've seen so far against these zlobs, as they release so many new variants of zlob every day each one different from the last you can't rely on the generics of any antivirus to detect all of them, as far as I know Nod32 is the only AV that blocks access to known zlob websites.

Londonbeat

 

Is "website access blocking" a new feature? I never renewed NOD32 2.5 as I didn't ever get a renewal price email. I'm running AVS now.

 

No, it has been around for a while.

Cheers

 

If you do all that(especially, if you have scripts disabled in your browser and are behind router or other firewall), then you generally do not need NOD32 or any other antivirus - except for scanning email attachments and downloaded files - in which case free online scanner would most likely do.

The only case I can remember common sense was of no help was Blaster infecting PC's during startup, due to bug in ZoneAlarm(and maybe, some other firewalls too).