Undetected threat

Latest NOD32 and def file fails to detect this infection.

See image.

Where can I submit the infection on the ESET site? I know there is a way, but can I find it - ho-hum.

VirusTotal screenshot removed per policy. https://www.wilderssecurity.com/showthread.php?t=180057

 

See here. http://www.eset.com/support/faq1.php?id=1110

 

How do you know it's undetected? This screenshot tells nothing about Nuwars' detection. If it's undetected by IMON / AMON, then it's most likely corrupted.

 

Well CounterSpy detected as I gave a selected scan. From the screen shoot many other anti-virus programs seem to have also.

I will submit it, and then we will know that it was an undetected thread.

No the file is not cuurupted.

I'II keep you posted.

Thanks for the link

 

So you are saying that you saw the file running on a computer and it was not detected by AMON nor IMON/EMON? This seems to me highly unlikely. Please submit it to samples[at]eset.com in an archive protected with the password "infected" and this thread's url in the subject.

 

Marcus this is the story.

I beta test for The Cleaner Professional and CounterSpy developers and have supplied over 10,000 of the nastiest infections in the wild in June 2006 to them each.

So when I get a spam message telling me to download this YouTube video, I download it. And others like it.

I then scan, knowing that it will be infected. NOD32 is my main anti-virus prog but I don't expect it to have a threat database monopoly on detection and removal of infections. So every time I capture an infection it is with caution. I’ve never been infected ever.

So the file was not executed, only downloaded. I scanned it with NOD32 (latest build and def) expecting it to detect the infection. It was so obvious what it was that it is incredulous to me how dumb computer users are to get infected by this crap.

I was surprised that NOD32 hadn't detected it. So I uploaded it to VIRUSTOTAL. The majority of scanners detected it.

The file has been submitted to ESET but is not detected yet, as each new def update I give it a scan.


PS: I’II be supplying another 10,000+ infections by the end of the year to The Cleaner Professional and CounterSpy developers.

 

Nuwar is a different story, you won't usually see detection by NOD32 in Virus Total though NOD32 can actually detect and block it. Could you please rename the file with AMON enabled to see if it's detected? Make sure that advanced heuristics is enabled on create in the AMON setup.

 

The filename was originally called:

video.exe


I renamed it:

vidoe.txe
hello.exe
hello.txt.

No detection on right-clicking NOD32 on the file, whatever the name of the file.


"Nuwar is a different story, you won't usually see detection by NOD32 in Virus Total though NOD32 can actually detect and block it."

Ok so it may no be detected in VIRUSTOTAL – why not, but that was the very reason I used VIRUSTOTAL, to confirm my hutch because the file was obviously an infection and NOD32 missed it.

Regardless, as to whether NOD32 via VIRUSTOTAL is a different story, the telltale is on a computer user’s machine. This is where a chink in the armour of NOD32 appears.

This was such an obvious rues to infect machines, but NOD32, missed it.

 

you fail to mention whether adv. heuristics was turned on - Marcos specifically said that they had to be turned on - do you have them on?

 

Is it working or broken?
NOD32 won't detect broken/non working samples (they do on rare occasions however), hence their low F/P ratio. NOD32 will not detect anything that is not a threat.. Simple as that So while you think the protection is not sufficient, it's actually working as it should, as it was designed.

 

Yes, heuristics is on and has always been on.

Why do you assume that it must be NOD32 that is broken or not working properly or the infection file that is broken or not working properly.

Would you like me to send it to you as a RAR file with the PW: infected.

May be you can see for yourself one way or the other.

PM me if anyone is interested.

I’ve been software testing for 15 years.

 

I recall receiving video.exe from different people, in all cases it was broken and wouldn't run. As a result, advanced heuristics could not emulate it and NOD32 didn't detect it which is ok.

 

Well then that is good news. The miscreants that are trying to infect machines cannot even get it right.

It may indeed be broken then, but others on VIRUSTOTAL and CounterSPy on my machine still seem to detect it regardless.

I had another email sending me to an obviously infected URL and collected the one named:

ecard.exe

That one was detected as the W32.Numar.Gen worm by NOD32.

 

Yes, many AV vendors don't bother to check a file for functionality before they add detection. I understand this because even without the functionality check they have too much samples to analyse. However, given that advanced heuristics emulates the code it normally doesn't trigger an alarm on corrupted files.

Unlike the previously discussed sample, this one should be fully functional if it was detected by NOD32. That's how things are supposed to work

 

It's funny how so many stuff gets "corrupted" just like that. Khm?! I was using 56k modem for quiet some time and i can't remember anything being corrupted, let alone todays reliable cable and DSL lines. Plus trojans, backdoors and worms don't just infect stuff (file infectors were known to get corrupted when some AV failed to repair them completelly). So all this "it's probably corrupted" sound like load of bollocks to me (imo). No offense, but it just sounds like this.

 

Well better to be safe and sure, don't you think?

 

Malware quality ain't what it used to be I guess.

 

NOD32 IS very picky what gets added / or if it gets even added.. sent quite afew pieces in awhile back.

1 week no detection

i jumped ship and went with another brand that adds stuff when u send it within hours and they also reply to you

if it is corrupted then why does most other av companys detect the threat

im not bashing just giving my own experience

 

Marcos.

I see. The number of sample supplied may overwhelm and company developing anti-infection program to the point that the infection may be harmless but included. I will bare that in mind in future.

Like you said, if the file is corrupted the heuristics will not permit NOD32 to emulate the infection as it is damaged. The ecard.exe one obviously wasn’t corrupted and NOD32 gives the infection detected display box. So all well there then.

In all probability the video.exe file is corrupted but I wanted to make sure. I still think NOD32 is the best.

Yeah, infection quality control is poor, which is good

As Marcus said, the reason why the infection isn’t included is because it is corrupted and effectively harmless. The reason it is added by other anti-infection companies is because they do not have the time to check each infection for its infection potential. Therefore corrupted files get included too. CounterSpy has a threat database of over one million, so I wonder how many are corrupted and effectively harmless. I will have to bring this to the attention of the head developer as this file was detected.

I must admit, I’m happier now than I was about this situation and I learnt more from it, especially with regards to NOD32.

It’s still the best as it has kernel-level active protection, a strong threat database and treads lightly on resources.

The best threat database is still Kaspersky but what a resource hog.

The champion for me is NOD32.

To "The Sly Dog": Go back to NOD32 with the 3-year plan.

 

Since it appears this issue has for the most part been resolved\discussed adequately enough....we'll bring it to a close. For those wishing to discuss other AV's....feel free to do so in our other anti-virus software forum Please.

Thanks,
Bubba