Virus

Discussion in 'NOD32 version 2 Forum' started by al_ufa, Apr 30, 2007.

Thread Status:
Not open for further replies.
  1. Firecat

    Firecat Registered Member

    Joined:
    Jan 2, 2005
    Posts:
    8,251
    Location:
    The land of no identity :D
    I have submitted to plenty of AV vendors, but never to Eset. I was wondering what the details should be and whether I need to show proof that I am a NOD32 user. But thanks for the help. :)
     
  2. ASpace

    ASpace Guest

    No, no need of any proof, just submit the sample. All vendors, including ESET, do appreciate undetected samples.
     
  3. kjempen

    kjempen Registered Member

    Joined:
    May 6, 2004
    Posts:
    379
    Is that a rootkit? :eek:
    I wonder if NOD32 detects the rootkit (if that's what it is)? Or any of the other AV-vendors?

    Seems the demo.exe file has some nasty payload.
     
  4. flyrfan111

    flyrfan111 Registered Member

    Joined:
    Jun 1, 2004
    Posts:
    1,229
    Or just scan it at Virus Total or Jotti's, all vendors that don't detect it will get a sample that way.
     
  5. Firecat

    Firecat Registered Member

    Joined:
    Jan 2, 2005
    Posts:
    8,251
    Location:
    The land of no identity :D
    Those who detect the downloader and the downloaded file will probably detect the rootkit (if it is one) as well, or at least I think so.... Also, I already scanned it at virus.org, so maybe the vendors are already getting/have got it.
     
    Last edited: May 1, 2007
  6. The_Duality

    The_Duality Registered Member

    Joined:
    Apr 3, 2007
    Posts:
    276
    Location:
    Liverpool, UK
    It does indeed appear to have a nasty payload... :doubt:

    Is there any news about the original .php file link that was posted? Someone posted about a java applet on that page, and it appears that their java cache files were infected with some form of trojan downloader.

    I can't find anything there though, even the page's source code contains nothing but an IFRAME containing another .php file. Not sure what is contained within the second file, but it would be interesting to know whether it is malicious or not.
     
  7. Firecat

    Firecat Registered Member

    Joined:
    Jan 2, 2005
    Posts:
    8,251
    Location:
    The land of no identity :D
    Update: Scanned the file on Jotti as well, and also sent an email to Eset about it. :)
     
  8. The_Duality

    The_Duality Registered Member

    Joined:
    Apr 3, 2007
    Posts:
    276
    Location:
    Liverpool, UK
    Excellent, it should be in the definitions soon enough :p

    Another one bites the dust :D
     
  9. Firecat

    Firecat Registered Member

    Joined:
    Jan 2, 2005
    Posts:
    8,251
    Location:
    The land of no identity :D
    Not really, because Eset didn't consider this file worthy enough to be added as it is not being detected by NOD32 at Jotti's at the moment. At the same time, I sent this file to Trend Micro earlier today and they added it within 12 hours...
     
  10. kjempen

    kjempen Registered Member

    Joined:
    May 6, 2004
    Posts:
    379
    This is just my observation (from reading posts and what I've experienced):

    Eset prioritizes:
    - malware they collect themselves/exchange with other AV-vendors
    - most popular malware detected by heuristics/ThreatSense

    Eset "ignores":
    - files that have been submitted (unless it is a false positive), which may have to do with them getting a lot of junk
    - samples from jotti's, VirusTotal, Virus.Org (which most other AV-vendors do also), probably because of a lot of junk here also

    Maybe that is the best way for them to keep up with the important malware, but it can be frustrating and make it seem like a waste of time submitting anything to them.
     
  11. Firecat

    Firecat Registered Member

    Joined:
    Jan 2, 2005
    Posts:
    8,251
    Location:
    The land of no identity :D
    NOD32 has always been an AV for detecting ITW threats only. As much as the changes/improvements in detection rates the 2.5, 2.7 and soon 3.0 versions brought, this core "problem" has always remained, that Eset has always focused on VB100 and ITW samples, and zoo samples remain largely ignored, except for what Eset has in its collections, and what it receives from AV-testers after the tests (understandable because Eset wants to get high detection rate in tests so they can be a token good AV).

    I do not know whether this is a good thing or bad thing - For me, I don't quite appreciate it. I'm not sure what others would think, and since the majority of users are not going to send many samples to Eset, this shortcut might very well prove to be a good thing....for the sales team.
     
  12. The_Duality

    The_Duality Registered Member

    Joined:
    Apr 3, 2007
    Posts:
    276
    Location:
    Liverpool, UK
    I have to agree with you there. I am confident that NOD32 protects me, but I increasingly see the need for Eset to re-analyse their signature adding procedures.
     
  13. the_sly_dog

    the_sly_dog Registered Member

    Joined:
    Feb 28, 2006
    Posts:
    297
    Location:
    The Heart Of London

    Count me in too. If Eset changed their policy for adding signatures I would come back, as I loved NOD :-* :-* It never gave me any problems whatsoever,

    it just concerns me about the submitting and being added bit :doubt: :doubt: :doubt:
     
  14. The_Duality

    The_Duality Registered Member

    Joined:
    Apr 3, 2007
    Posts:
    276
    Location:
    Liverpool, UK
    I absolutely love NOD, and I know exactly how you feel. I know that NOD is protecting me, but it does concern me how things are getting missed here and there... but that's a different story and a different topic :p

    Eset need to take a leaf out of Kaspersky's book imo. Two fantastic AVs, but KAV has the upper hand when it comes to protecting from new threats - due to the rate at which new signatures are churned out!
     
  15. duca bianco

    duca bianco Registered Member

    Joined:
    Jul 24, 2006
    Posts:
    77
    Location:
    Italy
    :oops: :oops:

    :):D
    Best regards
    Duca Bianco
     
  16. Firecat

    Firecat Registered Member

    Joined:
    Jan 2, 2005
    Posts:
    8,251
    Location:
    The land of no identity :D
    Well, I said Eset didn't consider it worthy enough to be added, which is very much consistent with the quote of my earlier post which you have provided about the decision-making process. I only remarked that Eset didn't add it. I did not comment on the why or how of it. :)
    As for that quote, the language and writing of my post is very much different from what was actually posted. Did you translate it to another language and back to English? :)
     
  17. The Hammer

    The Hammer Registered Member

    Joined:
    May 12, 2005
    Posts:
    5,752
    Location:
    Toronto Canada
    A silly ass statement if there ever was one. How does this controversy help the sales team? You've adopted a largely adversarial stance (that wasn't there before) towards Eset since the Inspector (Happy Bytes) left. Maybe you should take a closer look at how his new employer handles the same issues.
     
    Last edited: May 2, 2007
  18. duca bianco

    duca bianco Registered Member

    Joined:
    Jul 24, 2006
    Posts:
    77
    Location:
    Italy
    Excuse me Firecat

    :)
    Duca bianco
     
  19. NAMOR

    NAMOR Registered Member

    Joined:
    May 19, 2004
    Posts:
    1,530
    Location:
    St. Louis, MO

    I think he means the high scores on the ITW tests help the sales team..

    From Firecat
     
  20. The Hammer

    The Hammer Registered Member

    Joined:
    May 12, 2005
    Posts:
    5,752
    Location:
    Toronto Canada
    I think you're right but I stand by the rest of it. BTW I renewed my "token Av" for another year.
     
  21. Firecat

    Firecat Registered Member

    Joined:
    Jan 2, 2005
    Posts:
    8,251
    Location:
    The land of no identity :D
    ;)

    Good for you. I never said that NOD32 sucks, I just said that the "problem" with submissions is a bad thing for me. And yes, the high scores on ITW tests will help the sales team as it does for any other company. Maybe I was harsh in saying the comment about the "token" good AV though. :)

    But yes, this "shortcut" (if you can call it) helps the sales team also and the analysts also, since they save time. One thing I noticed about NOD32 from personal experience is that it detects most threats that arise out of malicious links in English webpages. What it misses are the more regional threats, i.e. malware that comes from Russia/China. I think the reason would be that NOD32 has not that many users in these countries, and possibly also because not many Russians/Chinese work at Eset, so they wouldn't be able to "probe" webpages of these languages. But this is just my opinion.

    As far as anyone in the USA and Europe is concerned, I think NOD32 provides decent enough protection.
     
  22. Firecat

    Firecat Registered Member

    Joined:
    Jan 2, 2005
    Posts:
    8,251
    Location:
    The land of no identity :D
    Yes, but the previous time you quoted this post, the language and structure of the contents were very different, which is why I asked whether you had translated it to another language and then back. :)
     
  23. The Hammer

    The Hammer Registered Member

    Joined:
    May 12, 2005
    Posts:
    5,752
    Location:
    Toronto Canada
    Where are Eset's virus labs located? Just a stone's throw from Russia in Slovakia or the Czech Republic I think. Also the Virus Radar info comes from ISPs around the world or so they claim on their web site. One thing I've learned is malware doesn't recognize borders and doesn't speak languages, it's code. Also they exchange samples with a lot of other vendors.
     
    Last edited: May 3, 2007