Not clean/deleted file in system?

Discussion in 'ESET NOD32 Antivirus' started by nodyforever, Feb 21, 2008.

Thread Status:
Not open for further replies.
  1. nodyforever

    nodyforever Registered Member

    Joined:
    Oct 30, 2007
    Posts:
    549
    Location:
    PT / Lisbon

    Hi,


    Anyone ideas? :eek: :eek: :eek:


    I was surprised - Default settings NOD32 v2



    Cheers :cool:
     

    Attached Files:

    Last edited: Mar 19, 2008
  2. Kosak

    Kosak Registered Member

    Joined:
    Jul 25, 2007
    Posts:
    711
    Location:
    Slovakia
  3. proactivelover

    proactivelover Registered Member

    Joined:
    Apr 7, 2006
    Posts:
    840
    Location:
    Near Wilders Forums
    the file you downloaded is of the Win32/Genetik virus family and is detected by EAV heuristics
    install_flash_player.exe size is 90kb but the original install_flash_player.exe size is 1.42mb
    download macromedia flash player from their own site
    install_flash_player(Firefox, Mozilla, Netscape, and Opera) v9.0.115.0
    h**p://fpdownload.macromedia.com/get/flashplayer/current/install_flash_player.exe
    install_flash_player_active_x(IE) v9.0.115.0
    h**p://fpdownload.macromedia.com/get/flashplayer/current/licensing/win/install_flash_player_active_x.exe
     
  4. ronjor

    ronjor Global Moderator

    Joined:
    Jul 21, 2003
    Posts:
    163,907
    Location:
    Texas
    Don't download from unknown sites and don't post links to possible malware in screenshots here on the forums.
     
  5. nodyforever

    nodyforever Registered Member

    Joined:
    Oct 30, 2007
    Posts:
    549
    Location:
    PT / Lisbon


    I know where to go to get the genuine codecs, but thank you for your attention.

    What is at stake here in this topic ... if they had read the previous answers they would have seen that I was trying to show that v3 does not put files in quarantine but simply removes the malicious code from them, leaving this on the desktop as garbage.


    As you can see, HiTech_boy advised me to try v2 to see if it happened .... to my surprise the unexpected happened.


    v2 did not leave any part or trace of the file on the desktop, which was the place set as the file's destination, even with its settings in default mode.


    One question: does v3 have no "display warning windows"?


    Sorry, it will not happen again



    Regards,

    nodyforever
     
  6. ASpace

    ASpace Guest

    Tried it with EAV 3.0.642, last updated 2960, on Vista SP1 final, fully updated. IE7. No such things. Everything is blocked and eliminated.

    I told it to save the file in a Desktop subfolder called "try"
     

    Attached Files:

    Last edited by a moderator: Mar 19, 2008
  7. nodyforever

    nodyforever Registered Member

    Joined:
    Oct 30, 2007
    Posts:
    549
    Location:
    PT / Lisbon
  8. ASpace

    ASpace Guest

    Ok, I'll try it with XP too and will report back again
     
  9. nodyforever

    nodyforever Registered Member

    Joined:
    Oct 30, 2007
    Posts:
    549
    Location:
    PT / Lisbon
    Finally discovered ... The problem is not ESS/EAV/NOD32 but Firefox: it will download the file but... ESS/EAV/NOD32 does not delete the file created on the desktop, thereby leaving behind a useless file "without malicious code"



    What could be the reason that ESS/EAV/NOD32 does not put the files in quarantine and is unable to delete the files downloaded through Firefox?



    Anyone ideas?




    Cheers :cool:
     
    Last edited: Mar 19, 2008
  10. Kosak

    Kosak Registered Member

    Joined:
    Jul 25, 2007
    Posts:
    711
    Location:
    Slovakia
    Try to set up active mode for web browsers.
     
  11. nodyforever

    nodyforever Registered Member

    Joined:
    Oct 30, 2007
    Posts:
    549
    Location:
    PT / Lisbon

    Hi,


    Bingo! Lukas K.



    Only with active mode selected for Firefox - file parts on the desktop deleted/cleaned


    Normal mode - file parts on the desktop not deleted/cleaned


    image:
     

    Attached Files:

    Last edited: Mar 19, 2008
  12. nodyforever

    nodyforever Registered Member

    Joined:
    Oct 30, 2007
    Posts:
    549
    Location:
    PT / Lisbon
    Hi,


    Active mode - Firefox: slow pages, slow video streams with no progress bar, and crashing pdf downloads :thumbd:


    Back to normal mode for browsers.



    There has to be another solution :cool:




    Regards :)
     
  13. ASpace

    ASpace Guest

    Yes, a very simple one - no Firefox :D :thumb:
     
  14. Kosak

    Kosak Registered Member

    Joined:
    Jul 25, 2007
    Posts:
    711
    Location:
    Slovakia
    Look, when passive mode is enabled, the file is checked on the fly during downloading. If active mode is enabled, the file is downloaded only for the scanner and after the scan it is forwarded to the final application. But when the file is larger than 2 MB or its download runs longer than 2 minutes, passive mode will be enabled (in v2 it was).

    For PDF files you can use the PDF Download plugin, and I think that loading isn't much slower than in passive.
     
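The two filtering strategies Kosak describes (scan-while-streaming versus buffer-scan-forward, with a fallback to streaming for large or slow transfers) explain why a partial file can be left on the desktop in one mode and nothing in the other. The following is an added toy model, not ESET's code and not a description of the product's real internals: the 2 MB and 2 minute thresholds are taken from the post above and assumed to be exact, the detection "signature" is a constructed marker string, and chunk sizes and transfer times are supplied by the caller rather than measured.

```python
"""Toy model of a download-scanning proxy in "passive" and "active" mode.

Added example; not ESET's code. It models the behaviour the thread observed:
in passive mode the browser has already written earlier chunks to disk when the
scanner fires, so a truncated, non-functional file is left behind; in active mode
nothing reaches the browser until the whole transfer has been scanned.
"""
from dataclasses import dataclass
from typing import Iterable, Optional

# Constructed stand-in for a detection signature (NOT the EICAR string).
MARKER = b"CONSTRUCTED-TEST-MARKER"

# Fallback thresholds quoted in the thread; assumed exact for this model.
ACTIVE_MAX_BYTES = 2 * 1024 * 1024   # 2 MB
ACTIVE_MAX_SECONDS = 120             # 2 minutes


@dataclass
class Outcome:
    mode_used: str      # the mode actually applied after any fallback
    detected: bool      # did the scanner fire at any point?
    delivered: bytes    # what the browser would have written to its destination

    @property
    def leftover(self) -> bool:
        """True when a threat was detected but some bytes still reached disk:
        the 'useless file parts on the desktop' the thread complains about."""
        return self.detected and len(self.delivered) > 0


def scanner_detects(data: bytes) -> bool:
    """Minimal signature scan over everything seen so far (constructed marker)."""
    return MARKER in data


def choose_mode(requested: str, declared_size: int, transfer_seconds: float) -> str:
    """Active mode falls back to passive for large or slow transfers (per the post)."""
    if requested == "active" and (
        declared_size > ACTIVE_MAX_BYTES or transfer_seconds > ACTIVE_MAX_SECONDS
    ):
        return "passive"
    return requested


def filter_download(
    chunks: Iterable[bytes],
    requested_mode: str,
    declared_size: Optional[int] = None,
    transfer_seconds: float = 0.0,
) -> Outcome:
    """Run the chunks through the proxy model and report what reached the browser."""
    chunks = list(chunks)
    if declared_size is None:
        declared_size = sum(len(c) for c in chunks)
    mode = choose_mode(requested_mode, declared_size, transfer_seconds)

    seen = bytearray()       # everything the proxy has received so far
    delivered = bytearray()  # everything forwarded to the browser so far

    if mode == "active":
        # Buffer the entire transfer, scan once, then forward all-or-nothing.
        for c in chunks:
            seen += c
        if scanner_detects(bytes(seen)):
            return Outcome(mode, True, b"")
        return Outcome(mode, False, bytes(seen))

    # Passive: scan the growing buffer as chunks arrive; chunks that passed
    # earlier have already been forwarded and cannot be recalled.
    for c in chunks:
        seen += c
        if scanner_detects(bytes(seen)):
            # "Connection terminated": drop this chunk, keep what was already sent.
            return Outcome(mode, True, bytes(delivered))
        delivered += c
    return Outcome(mode, False, bytes(delivered))


if __name__ == "__main__":
    # Constructed sample transfer: marker appears only in the third chunk.
    sample = [b"header", b"part-1", MARKER, b"trailer"]
    for mode in ("passive", "active"):
        o = filter_download(sample, mode)
        print(f"{mode:8s} detected={o.detected} leftover={o.leftover} "
              f"bytes_on_disk={len(o.delivered)}")
    big = filter_download(sample, "active", declared_size=3 * 1024 * 1024)
    print(f"active>2MB -> used {big.mode_used}, leftover={big.leftover}")
```

The model also shows why turning on active mode for a browser costs interactivity, as reported later in the thread: the browser receives nothing until the scanner has the whole file, so progress bars and streamed video stall, and anything over the size or time threshold silently drops back to the leaky streaming path anyway.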
  15. MasterTB

    MasterTB Registered Member

    Joined:
    Jun 19, 2007
    Posts:
    547
    Location:
    Paraná, Argentina
    NOT a solution, and it also happens with Opera 9.5 beta: ESS terminates the connection but the program is still in the download folder, just like the pictures shown here by nodyforever. If it is a zip or rar then the compressed files are empty, but still downloaded.
     
  16. ASpace

    ASpace Guest

    BUT (it is very important): even though you see the files downloaded in your download folder, can you run them afterwards? Does EAV still detect them even after the connection is terminated? Are they full files?

    Because in nodyforever's case the files that are left are just ... browser cache which Firefox doesn't clean.
     
  17. nodyforever

    nodyforever Registered Member

    Joined:
    Oct 30, 2007
    Posts:
    549
    Location:
    PT / Lisbon


    My thesis fell through once again.

    Version 2 has shown once again that it has no problem removing any part of the downloaded file wherever it is, whether on the desktop or in the browser cache, in this case Firefox.



    Picture 1

    -- Download file
    -- Popup - Threat Detected - win32/Genetik
    -- No copy to quarantine
    -- Close popup



    Picture 2

    -- Popup - Threat Detected - win32/Genetik
    -- Warning - Click Yes


    Picture 3

    -- Popup - Threat Detected - win32/Genetik
    -- Download Error - click OK
    -- Detected part file cache Firefox
    -- They can see that the files no longer appear on the desktop?
    -- Close Popup


    Image 4

    -- Popup - Threat Detected - win32/Genetik
    -- Close Popup



    Image 5

    -- Conclusion: No file parts on the Desktop or in the Firefox cache.




    Win Xp Sp2 - Firefox 2.0.0.12 - NOD32 2.70.39 - Default settings




    Regards
     

    Attached Files:

    Last edited: Mar 25, 2008
  18. nodyforever

    nodyforever Registered Member

    Joined:
    Oct 30, 2007
    Posts:
    549
    Location:
    PT / Lisbon
    Hi,

    Example 1 - Win Xp Pro Sp2 - Firefox 2.0.0.12 - ESS 3.0.642 - No active mode - Cleaning Level - No Cleaning "Display warning Popup"


    ESS-1

    -- File Download
    -- After a few seconds
    -- No click "save file"
    -- Popup - Display Threat detected - win32/genetik
    -- Click Disconnected


    ESS-2

    -- Unable to open file
    -- Click OK


    ESS-3

    -- Popup - Display Threat detected - win32/genetik
    -- ESS popup-balloon Deleting-quarantined
     

    Attached Files:

    Last edited: Mar 25, 2008
  19. nodyforever

    nodyforever Registered Member

    Joined:
    Oct 30, 2007
    Posts:
    549
    Location:
    PT / Lisbon
    Example 2 - Win Xp Pro Sp2 - Firefox 2.0.0.12 - ESS 3.0.642 - No active mode - Cleaning Level - No Cleaning "Display warning Popup"



    ESS-1

    -- Download File
    -- Yes click "save file"
    -- Popup - Display Threat detected - win32/genetik - connection-terminated
    -- Click Disconnected


    ESS-2

    -- Popup - Threat Found - win32/genetik - connection-terminated
    -- Click Disconnected


    ESS-3

    -- The file transfer gave an error, and the file could not be read.
    -- Click OK


    ESS-4

    -- File transfer failed
    -- No "threat found" popup "deleting-quarantined" displayed at any time ....
    -- In this example ESS failed to eliminate parts of the file
     

    Attached Files:

    Last edited: Mar 25, 2008
  20. MasterTB

    MasterTB Registered Member

    Joined:
    Jun 19, 2007
    Posts:
    547
    Location:
    Paraná, Argentina
    Well NO, you can't, the files are not readable... but the question raised was that NOD 2.7 was able to eliminate all the threat or just disconnect the browser even before it had downloaded anything, where NOD 3.0 or ESS is not, and sometimes there is a leftover in the download cache... and if I'm not mistaken we are not pleased with that poor cleanup result. (I know I'm not, compared to old NOD).
    Still, if all web traffic is rerouted internally through Eset's shiny new proxy, how come there is a cache leftover when the web filter detects a threat and terminates the connection? Even if you don't run in active mode, if eset gives you the "Connection Terminated" flag, there should be nothing downloaded, shouldn't there??
    Could it be that the web filter should be set to the maximum clean level??
     
  21. nodyforever

    nodyforever Registered Member

    Joined:
    Oct 30, 2007
    Posts:
    549
    Location:
    PT / Lisbon
    Round Testing:


    IE 7.0, Opera 9.26, Safari 3.1, Firefox 2.0.0.13


    Conclusion



    NOD32 2.70.39 - Default settings


    Normal Download: passed

    Forced Download: passed



    ESS/EAV 3.0.642 - Blackspear settings - except No active mode - Cleaning Level - No Cleaning "Display warning Popup"


    Normal Download: passed

    Forced Download: Firefox and Opera 9.26 failed



    PASSED - NO PART FILES DOWNLOADED TO DESKTOP = files totally eliminated


    FAILED - PART FILES DOWNLOADED TO DESKTOP = files not totally eliminated
     

    Attached Files:

    Last edited: Apr 1, 2008
  22. MasterTB

    MasterTB Registered Member

    Joined:
    Jun 19, 2007
    Posts:
    547
    Location:
    Paraná, Argentina
    An important update: setting the Disinfection parameters to the max passes all the tests (using Eicar) and leaves no traces of anything on the machine, even with forced downloads...

    Tested in Opera 9.5 Beta and IE 7, on a Vista Ultimate system.
     