NOD32 Didn't Protect Me

I had a zip file with the WIN32/Trojan Downloader. NOD did not detect anything until the file was unzipped and the virus was loose on my system. Then Nod couldn't delete it. Luckily, my fiirewall caught it trying to access the internet. Then I had to spend time picking it off my system. I'm very dissapointed that Nod didn't stop this. Yes, I had archives checked. I've only had Nod a couple of months and thought it was great but now I feel like I'm not really protected anymore.

 

Happened to me about 8 times so then I've got myself an BoClean and TDS-3 to deal with that. Nod32 is good as AV but it is NOT the greatest as an AntiTrojan. Nod32 is getting better with AT but it's still FAR WAY TO GO. I got very dissapointed when that happened before...but now with BoClean I feel protected.

For an good overall AT and AV get KAV, for a good AV get NOd32 and an good AT GET BoClean.
BoClean+Nod32 > Kav (overall protection)
Nod32 < Kav (Overall Protection)

 

Just as I use an AV as a form of insurance against my misteps, I also have an antitrojan (BOClean) as a backup measure. Often AT's are considered better overall at cleaning trojans than most AV's, even if the AV detects a particular critter.

 

We are a reseller and we don't use the deafult settings. We manually set everything to the maximum. I suggest that you manually alter all settings and don't rely on the defaults.

 

Discussions about NOD32's Trojans detection capabilities aside (since given that NOD32 happens to detect this particular one makes it a moot point), this again is a perfect illustration of NOD32's shortcomings when it comes to zip files.

The argument that is offered by many here is that NOD32 doesn't need to detect and deal with viruses/trojans in zip files, as they can't do damage until extracted (at which point AMON deals with them). Finally, lets hope this argument can be put to bed now - it fails, because AMON simply cannot deal with (i.e., delete) many pieces of malware, as amply demonstrated by your experience. Like this, many different viruses/trojans can easily get past NOD32 simply by 'hiding' them in zip files.

While I like many things about NOD32 overall, this really is its one horrendous weakness. *All* of Eset's competing A/V vendors must feel rather smug.

Eset could deal with this simply: have NOD32 scan zip files, and delete any files within them that contain detected malware. Period. Technically, there is no difficulty at all in doing this. They really have no excuse for letting this deficiency continue any longer.

To Eset: If you are unable to accept your users concerns (expressed countless times on these forums, for instance) and implement this basic function, then consider this:

Suppose a message is received with a zipped virus. AMON adds a notification to the message stating that it has been certified virus-free by NOD32. The message is then re-sent to someone else, who receives it and thinks: "OH, that's good. NOD32 (which I have heard is a really good A/V) says this message is virus free. Let me just open this attachment ...". What do you imagine that user's view of NOD32 is now??

 

Exactly - NOD32 doesn't need to detect and deal with viruses/trojans in zip files, as they can't do damage until extracted (at which point AMON deals with them). If there is no sample for the particular trojan, it will get loose. Exactly as it would if the NOD32 would scan inside the zips without the scanstring. It would be not detected too.
If there would be a scanstring for the trojan it would get detected on extraction.

 

If he is using a POP3 client like Outlook Express and IMON with "archives" marked then it would have offered the option to "Delete" the zip file.

Example:

__________ NOD32 1.653 (20040304) Notification __________

Warning: NOD32 antivirus system found the following infiltrations in the message:
part000.txt - is OK
test.zip - Eicar test file - deleted
test.zip > ZIP > eicar.com - Eicar test file - was a part of the deleted object
----------------------------------------------------------------------


Also here is an actual infected zip file sent to my e-mail inbox today which IMON stopped before it got there.

__________ NOD32 1.654 (20040305) Notification __________

Warning: NOD32 antivirus system found the following infiltrations in the message:
part000.txt - is OK
dinner.zip - Win32/Netsky.B worm - deleted

 

I'm a little confused, once the file was unzipped why didn't NOD32 detect the virus in the unzipped executable? Presumably you unzipped the file and then ran the executable file, no? And someone said in an earlier post that the virus is in the NOD database.

Tom

 

If he received the file with a POP3 client it doesn't look like he had IMON enabled or didn't have "archives" checked in IMON.

Also doesn't look like he scanned the zip with NOD32 prior to opening it or if he did then "archives" may have not been marked in NOD32.

Had he scanned the zip file prior to opening it with NOD32 and "archives" marked it should have caught it at that point.

 

Okay, I can understand those points but....

Once it was on his computer and unzipped, even if he didn't scan it with NOD32 or IMON, why didn't AMON detect it when the now unzipped executable was run? That is the part that confuses me. At some point an executable should be run, right? And when it was I would think it was AMON's job to detect it at that point.

Just curious as to what might have gone wrong at that point.

Thanks,

Tom

 

I can't tell from his post if AMON detected it when he ran it or he later did the NOD32 scan and it detected it then?

He posted, " NOD did not detect anything until the file was unzipped and the virus was loose on my system".

It would be very helpful if he would post back and provide
some more details.

 

I downloaded the file. It did not come in my email. I then scanned it manually for some reason and nothing was detected. The Firewall popped up that a program wanted to access the internet before NOD32 virus alert popped up. Then I hit delete and quarantine and nothing would work. I closed NOD32 and started deleting the file myself.

The point is why didn't NOD detect it before it was unzipped or at the very least why did NOD allow it to execute before it alerted me and then it did nothing. I had archives checked. This is the whole point of an AV to stop the infection before it spreads. It may have been a Trojan but NOD detected it and then should of dealt with it. I was just lucky it didn't do any real damage.

The last time I emailed NOD they got back to me within 24 hrs. over something that was no big deal. It's been 2 days on this and I haven't heard from them yet.

 

Sorry, I didn't save the file. At the time, I just wanted it off my computer.

 

Post by writerguy was O/T so it was split to a new thread. Follow the link,

http://www.wilderssecurity.com/showthread.php?t=23759




snowbound

 

Finally got my friend over to look at my computer, and it may not have been a trojan in the zip file. A trojan scan came up clean. He said I had some spy program called Purity Scan. I never heard of it before but he figures it might have triggered a false positve with Nod. I will be getting an anti-trojan program just to be on the safe side.