threat detected by real time and http, but not on-demand scan

hi

i received an email with a link to a video, knowing it was malware i had a look anyway to see if NOD would recognise it, which it did as probably a variant of Win32/Nuwar worm. Great.

I disabled NOD and downloaded the file so i could upload to VirusTotal, only 9 of the 30 or so scanners detected it, and NOD wasn't one of them. Same Defs as mine though. Strange.

I then tried an on-demand scan of the file with my NOD and it came up clean. In the on-demand scan settings Heuristcs and Advanced Heuristics are turned on for all the scan profiles.

I enabled real-time protection again, tried moving the file to a folder and NOD detected the threat again.

My question: why does the http scanner and real-time protection detect the malware, but the on-demand scanner on mine or at VT doesn't detect it?

thanks, Lee

...and file was submitted for analysis via threatsense

 

This is a special type of defense which works in the web/email scanners and partially in the real-time protection which means the users are protected as long as they don't disable the protection modules.

 

thanks Marcos. Which option is it, or is it a hidden one? and it's not possible to enable it in the on-demand scanner?

thanks

 

No, it's not possible to enable it. If it was enabled in the on-demand scanner, it would cause more FPs and provide much worse protection even in the web/email modules.

 

righto, thanks again.

worth bearing in mind when people compare VT results. Just because NOD doesnt detect something through on-demand scanning, doesn't mean it won't block the threat.

 

just a little bump, if i may. this is an example of nod detecting a threat that is detected by very few AVs as of this moment, but only via everything but the on-demand scanner.

So in the on-demand scan tests (av-comparatives, etc), it could be that NOD is losing points. Or maybe it's just the new 'probably...' threats where this happens. Upshot is that NOD is detecting more of the real world threats than you'd give it credit for if you ran an on-demand test or checked results at VirusTotal.

Was news to me anyway.

 

And not only NOD32 but other AVs , too . That is why such tests (not on AV-Comparatives ones) don't show how an AV would perform in real world situation. A user's firewall with outgoing protection (including ESS) or behaviour analysis technologies could even give an extra protection , which is never shown in an on-demand scan (test)