Submission question...

http://img384.imageshack.us/img384/8533/nod32sub8gc.png

I'm wondering what does this mean (exactly). Good,bad,how to avoid this?
I have opened the confirmation window and confirmed submission.
Will those non suitable files be sent now or not?

I checked my quiet large database of various malware and NOD32 detected many of them with heuristics so i chose to submit them.

 

The best thing I can tell you is to read the help file in the 'ThreatSense.Net' section.
This is not bad at all, it is only a confirmation for sending only if you are agree with this
You can change the settings in the CC -> Nod32 System Tools -> Nod32 System Setup -> Setup -> ThreatSense.Net tab
To see if the files were sent, go to the Event Log section in the CC. You should see something about this.

 

I always submit viruses via E-mail, but......

 

I did read help file and says nothing about this.
I scanned files with explorer extension and NOD32 offered submission to ESET for new malware. Few minutes after this i got that popup baloon.

 

If there is a lot of files to be submited they are not sent at once but in 2 or even more portions.

 

The baloon is a reminder telling you that some files are not yet submitted to Eset because you don't yet say 'yes I want to submitt them'.
I guess your setting of EWS is 'ask before submitting'.

 

If they have been sent to Eset, it should be in the event log.

 

That event log is crap because it doesn't log anything. Just loads of crap about failed update server connections and updates. Nothing about any submitted file...

 

Hmm.. If there is no event for the files being sent, it could be because of your ThreatSence config.
However I'm not really sure if this option is only for statistics or suspicious files too.

NOD32 System Setup > Setup > ThreatSence.Net > Advanced Settings > Submission > tick 'log sent data'.

 

It's ticked from beginning. I never got anything logged. Even if i use Submit now! button.

 

If it is sent the Event log should note it.

Example from my log.

Time Module Event User
8/19/2005 6:26:41 AM Kernel Statistical information has been sent to Eset.
8/18/2005 18:37:08 PM Kernel The file 'GRInstall.exe' has been sent to Eset's labs for analysis.
8/18/2005 15:01:41 PM Kernel The virus signature database has been successfully updated to version 1.1197 (2005081.

 

No no and no. I have sent around i don't know 150 samples? Something like that. My log should be full of such entries by now.

 

How do you know all of them were submitted if someone else had submitted them before?

 

Then why NOD32 doesn't tell me which were already submitted or which were approved and which not?

 

Is the submission anonymous?
Exempel: if nod32 ask me to send a submission and the file is illegal(crack to a program or game or somthing), can i bean charge/prosecute/indict then? ( don't now the right word )

 

Yes, totally. You do have the choice to add your email to the submission.

Cheers

 

If you get that balloon and you want to send the files all you need to do is click the balloon when it shows and answer the dialogue box in the affirmative. Normally the only reason you would get that balloon is if you have not yet enabled 'submit without asking' in 'ThreatSense.Net', otherwise every time NOD32 needs to send a file it will have you confirm first that it is OK, I think even if it was you that added it to the submission que manually

 

So if the filename of the file is already inside, the file would not be sent? Then why in the first place it asked us whether to send it over or not?

 

The submission system is specific to a machine when asking to submit a file.

For example: RejZoR has 3 computers.

Computer A has Anastyfile.exe, Anastyfile5.exe

Computer B has Anastyfile.exe, Anastyfile4.exe

Computer C has Anastyfile.exe, Anastyfile2.exe, Anastyfile3.exe

Computer A had completed a scan (either through Kernel mode, On-Access or On-Demand Scan) and no one else had previously sent Anastyfile.exe (either through e-mail or the submission system).

The log would have this appearance:

Time Module Event User
08/18/2005 07:24:29 Kernel The file 'C:\windows\system32\Anastyfile.exe' has been sent to Eset's labs for analysis.

Computers B and C would ask to submit the file, but a log entry would not be created in lieu of the fact that Eset currently has the sample.

It appears that RejZoR would like to see feedback from the submission system (i.e. Thank you for submitting Anastyfile.exe). Now throw that back a few million (being conservative) times at an outbreak. Albeit it is a "feature" request and something that may be nice to know, but not a sound business practice given the amount of data that would be coming in and then going out.

 

Then why is it bothering me to submit stuff!? Dumb logic.
Anyway i forcibly submitted all the samples yesterday...

 

Because it was detected by heuristics NOD cannot store all information about samples submitted by other people on your pc.

 

But it could just synchronize MD5 signatures with your server and submit only those that were not yet submitted while telling user that those rejected will be discard from submission cache. Thats how i'd make a submission mechanism...

 

What happens if the filename are the same yet the contents of the file are different? (Let's assume the file has not been sent yet.) Will it still be sent?

 

I pretty much doubt they compare them by name. For example i have like 6 samples of server.exe which have completely different content.
MD5 hash check is probably the most effective method.