A-Squared Anti-Malware.

Discussion in 'other anti-malware software' started by ultragunnerdcl, Nov 19, 2007.

Thread Status:
Not open for further replies.
  1. AshG

    AshG Registered Member

    Joined:
    May 7, 2005
    Posts:
    206
    Location:
    East TN
    Ultragunner, if you really would like to prove that you have any merit to your claims, take your issues to the Eset forum here in a professional manner. Otherwise, every post you make wrought with smileycons, bold text, colored text, and vehement rhetoric simply drops any credibility you have further down the scale.

    As Blue and I have asked, provide real evidence or stop wasting everyone's bandwidth.
     
  2. ultragunnerdcl

    ultragunnerdcl Registered Member

    Joined:
    Oct 26, 2007
    Posts:
    103
    Location:
    Philippines
    Here is proof: One Trojan undetected by Nod32!!!!!!!!!

    File information
    File Name : nod32 sucks.sqx
    File Size : 134349 byte
    File Type : data
    MD5 : 826c923ace8b8bb83d26513b63968599
    SHA1 : 4dad9f1e9e6bebd21d01bce6b6d652a037fabe8b

    Scanner results
    Scanner results : 25% Scanner(9/36) found malware!
    Time : 2007/11/24 12:22:23 (PHT)

    {As per forum policy, gratuitous VT summary scan results removed - Blue}

    Told you that Nod32 sucks You are looking at a very unhappy customer here!!!:thumbd:
     
    Last edited by a moderator: Nov 23, 2007
  3. ultragunnerdcl

    ultragunnerdcl Registered Member

    Joined:
    Oct 26, 2007
    Posts:
    103
    Location:
    Philippines
    Another undetected Trojan by Nod32



    File information
    File Name : H.tar
    File Size : 187904 byte
    File Type : tar archive
    MD5 : a9f92dd282556a3531278a35fff00afc
    SHA1 : bf4f4920c5deb85a6786b915884fc16e4b92cecf

    Scanner results
    Scanner results : 61% Scanner(22/36) found malware!
    Time : 2007/11/24 12:49:30 (PHT)


    {As per forum policy, gratuitous VT summary scan results removed - Blue}



    Now you all see why I am unhappy with Nod32.
    Try scanning your computers with the online scanners then to see what I mean.
     
  4. LoneWolf

    LoneWolf Registered Member

    Joined:
    Jan 2, 2006
    Posts:
    3,784
    Well, if you don't like a particular software, which in your case is NOD32, do what I and many others do in this situation: don't use it, try something else. Personally I will not download, install, use, recommend, endorse or touch anything with a ten foot pole from Emsi software.
     
    Last edited: Nov 24, 2007
  5. ultragunnerdcl

    ultragunnerdcl Registered Member

    Joined:
    Oct 26, 2007
    Posts:
    103
    Location:
    Philippines
    Fine. Told you all that I had proof! :D
     
  6. BlueZannetti

    BlueZannetti Registered Member

    Joined:
    Oct 19, 2003
    Posts:
    6,590
    First of all, as you should be well aware if you've frequented these forums, use of collected VT/VS/or other summary scans tells you very little when you get right down to it. If you wish to expand on specifics, at least take the time to perform some analysis on your end - and that doesn't mean regurgitating scanner summaries. When you have mixed results, as were the two cases you provided, naturally caution is warranted. What's probably not really warranted is going off on an aggressive rant against any specific product. Whenever I'm presented with opposing opinions, and that is what the results you provided are, I personally dig deeper. Lots of the flags I personally experience are false positives due to flags originating with potential riskware. No more, no less.

    I take it at face value when you state that x% of the scanners at VT (or other resource) have flagged a file. I assume that the statements you have made correctly relayed the information that these multiscanners provided. Reproducing that scan result adds nothing to the discussion, except to illustrate that A-squared alerted on neither example you posted, while KAV flagged both examples as Trojan.Win32.Agent.cro.

    You have a file, you state that it is malware, some scanners flag it as such, some do not. If you are going to immediately presume that any one positive constitutes immediate and incontrovertible proof that you have a functional piece of malware in your hands, the discussion is pretty much over. If that's your approach, go with a solution that flags as much as possible - other factors are irrelevant - and move on with your life.

    If you want to dig deeper, fine, but I'm not about to play multiscanner games with you since they go nowhere at the end of the day. No one is further educated as to what's behind the detections, whether the platform used in the scan is relevant to casual (i.e. Windows) users, or why I should be concerned about the specific file in front of me.

    Do I think the samples you provided are potentially malware? Of course I do. I explicitly stated that in my first point of my initial response to you. However, you seem more focused on ranting than discussing. If that's the case, I'm done.

    Later,

    Blue
     
  7. ErikAlbert

    ErikAlbert Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    9,455
    Yes, something like DeepFreeze, but I prefer FirstDefense-ISR, because DF is just an option in FDISR. All the main functions of FDISR don't even exist in DF.
    DF is too limited in possibilities and not flexible enough for home users.
    The frozen mode of DF is not the same as a frozen snapshot in FDISR, although many users THINK it is.

    DF is only faster and uses less space than FDISR. I'm not blinded by speed and less space in a software, because both are hardware issues.

    Why would I use A2 Anti-Malware or any other scanner to remove malware, if I don't allow any change on my system partition?

    What can a malware do in my system partition, which has no personal data? My system partition is like an empty house to a burglar.

    The only thing a malware can do is corrupt my Windows and Applications. So what ? A simple reboot and everything is back to normal and if that doesn't work a simple restore of a clean image will do it.

    NOD32 didn't detect 25 trojans. KAV is better than NOD32. Do you really think I still care about that? I use these scanners for only one thing: to prove my approach really works. If all these scanners ever find something on my system partition, it will be a false positive. :)
     
  8. ultragunnerdcl

    ultragunnerdcl Registered Member

    Joined:
    Oct 26, 2007
    Posts:
    103
    Location:
    Philippines
    Point taken. But you would be mad too if your ex-favorite antivirus missed that many trojans, you know. 25 trojans is a ridiculous amount to ignore. Guess I was just blowing off steam. Pls understand my side too, pls.
    I kept the trojans in quarantine in KASPERSKY, by the way, for those who still have doubts that I am telling the truth.:cool:
     
  9. ultragunnerdcl

    ultragunnerdcl Registered Member

    Joined:
    Oct 26, 2007
    Posts:
    103
    Location:
    Philippines

    Okay, I'll try this FirstDefense-ISR because you recommended it. Personally I don't like Deep Freeze because it freezes everything else, no exceptions, including your updates.
     
  10. BlueZannetti

    BlueZannetti Registered Member

    Joined:
    Oct 19, 2003
    Posts:
    6,590
    It depends.

    I really only worry about things that I anticipate I have a finite chance of encountering. That's why, at the present moment, I really don't even think about esoteric malware that's more rumor than even firm proof of concept, yet you can uncover threads here and elsewhere that would lead you to believe we're in the midst of a deluge of this same material. I really don't view this situation as a lot different, given that experiencing something like 25 alerts (i.e. 25 trojans) will take me a few years to see during my normal computer usage - and that includes navigating to dicey sites that are sometimes posted here as links.

    Blue
     
  11. 12fw

    12fw Registered Member

    Joined:
    Sep 12, 2006
    Posts:
    111
    Location:
    Canada
    ultragunnerdcl

    Very often scanners will have a "false" detection for certain files. It is done, as I understand, because the possibility of a threat is still justifiable in some way or another. I suppose you installed a game and it has some "risky" files. Equally, if you scan an installed angryIP or the magic bean counter, these too will appear as threats. Yet these are neither a risk nor a threat. The decision rests in the hands of the user to say if the file or software has to be cleaned or uninstalled.

    I suppose the other side of the coin is an AV being too lax, as that could be very dangerous.
    I suppose if the scanners jump at the least risky files, then they have justified their presence on the PC and promoted the sale and customer loyalty. Plus the user does not have to think about anything - before, during or after - the PC usage. The software does all the thinking for the user. Kind of sad - the users are becoming used to this convenience and being taken care of.

    I just finished downloading 300 songs. Scanned with NOD 2.7 and asquared. All came clean. Listening to them now as I type. But I should add false detection by scanners is not a funny topic to be taken lightly. KAV 6 once ripped a few files out of my MS Office, rendering it useless. All because of false detections. I had to re-install Office from the media disks just to type a letter. Then I changed the KAV setting to alert instead of automatically remove on detection. ;)

    12fw
     
  12. ultragunnerdcl

    ultragunnerdcl Registered Member

    Joined:
    Oct 26, 2007
    Posts:
    103
    Location:
    Philippines

    IC, but 9 or more scanners detecting a TROJAN tells a very different story. I will never believe in nod32 again. To think I was using the new version 3.0.566.0 & I really liked it at first, that was until I tried kaspersky online scanner on my computer & found out the truth. I assure you 9 to 20 scanners detecting a file as a trojan is not a false positive!!!! Nod32 is a blind scanner!!!:thumbd:
     
  13. BlueZannetti

    BlueZannetti Registered Member

    Joined:
    Oct 19, 2003
    Posts:
    6,590
    Not always
    On the basis of your disassembly of the code? Running it in a sandbox/VM and watching the activity and outcome? Note that I'm not relying on ad infinitum scanner results from online multiscanners. The jump from a cautious alert to firm proof is a big one, and it's a jump that you seemingly have not been able to come to grips with.

    If I were a user looking to determine whether or not to use a program of unclear origin that yielded flags on a multiscanner, I'd take the results at face value and not use the file. However, if I was publicly and aggressively taking a vendor to task on detection metrics, I'd do a lot more homework on these supposed malicious files than you have in this instance.

    Blue
     
  14. 12fw

    12fw Registered Member

    Joined:
    Sep 12, 2006
    Posts:
    111
    Location:
    Canada
    ultragunnerdcl said:

    "IC, but 9 or more scanners detecting a TROJAN tells a very different story. I will never believe in nod32 again. To think I was using the new version 3.0.566.0 & I really liked it at first, that was until I tried kaspersky online scanner on my computer & found out the truth. I assure you 9 to 20 scanners detecting a file as a trojan is not a false positive!!!! Nod32 is a blind scanner!!!"

    Exactly. My point, and see for yourself: download angryIP and kf151 and then scan these two at VT and see the results. No doubt the detection will be high. Yet these are safe files to execute. I have a partition set aside to keep these types of "risky" files - it is excluded from the scanners. Most are declared as "risk", yet they are innocent.

    12fw
     
  15. Joliet Jake

    Joliet Jake Registered Member

    Joined:
    Mar 1, 2005
    Posts:
    911
    Location:
    Scotland
    I think you really need to educate yourself on why some antiviruses detect a file as malware while others do not.

    There can be many reasons as Blue has touched on.

    Example:

    If the file is damaged, and therefore not able to infect a PC, it is useless so can it really still be called malware?

    If Anti Virus 'A' flags this damaged malware as a trojan and Anti Virus 'B' does not, which one is correct?
    Probably both but Anti Virus 'B' does not bother you with false alarms about non working malware.

    Eset, as far as I'm aware, takes the approach of checking malware individually and will not add damaged, non-functional malware to its database.
     
  16. ultragunnerdcl

    ultragunnerdcl Registered Member

    Joined:
    Oct 26, 2007
    Posts:
    103
    Location:
    Philippines
    Maybe we should stop discussing nod32 before I say something bad about it. I really liked it a lot before & my mind is made up; nothing you all are gonna say is gonna change that. Pls change the topic & let us stop discussing nod32 now. Let's discuss something else now.:D
     
    Last edited: Nov 24, 2007
  17. AshG

    AshG Registered Member

    Joined:
    May 7, 2005
    Posts:
    206
    Location:
    East TN
    You see, that's just the point. Moving on from that antivirus you don't want to talk about... Now, go run chkdsk. After it takes 6+ hours because Kaspersky has ganked your drive with ObjectID tags all over the place, you'll be just as critical of them. Oh, and good luck trying to remove the ObjectIDs when you're done. Getting rid of 25 aberrant files will seem like a cakewalk.
     
  18. gerardwil

    gerardwil Registered Member

    Joined:
    Jan 17, 2004
    Posts:
    4,750
    Location:
    EU
    Yep I agree. How about A2?

    Gerard
     
  19. ultragunnerdcl

    ultragunnerdcl Registered Member

    Joined:
    Oct 26, 2007
    Posts:
    103
    Location:
    Philippines
    I do believe you are mistaken, I did just that & it finished in 4 minutes!!! Maybe you never tried kaspersky before. I'm using the latest version 7 & I assure you it doesn't gank my drive with objectid. Ps
     
  20. ultragunnerdcl

    ultragunnerdcl Registered Member

    Joined:
    Oct 26, 2007
    Posts:
    103
    Location:
    Philippines
    A-Squared Anti-Malware, you mean? Are you using it too?:D
     
  21. BlueZannetti

    BlueZannetti Registered Member

    Joined:
    Oct 19, 2003
    Posts:
    6,590
    ultragunnerdcl,

    Unless there has been an unannounced change, scanned files will exhibit KAV created File Object ID's if they hadn't had them previously.

    As for creating issues beyond a simple and required increase in time for chkdsk to execute, a very low frequency of problems have been reported - low enough that it should not be a significant concern. Since NTFS uses a transactional model, it is fairly robust against filesystem errors. However, I can conceptually envision that hard system crashes during scanning may precipitate filesystem inconsistencies - and there are certainly a few situations in which this would be more probable (say, with flaky power supplies or on a system overloaded with realtime security monitoring solutions from multiple vendors conflicting in the background while running a p2p filesharing application..., just as a couple of illustrative examples).

    Blue
     
  22. ultragunnerdcl

    ultragunnerdcl Registered Member

    Joined:
    Oct 26, 2007
    Posts:
    103
    Location:
    Philippines
    Look, just because I'm no longer your customer, pls stop putting down kaspersky. Very well, I will go to their official forum to verify what you said.
     
  23. BlueZannetti

    BlueZannetti Registered Member

    Joined:
    Oct 19, 2003
    Posts:
    6,590
    Well, I guess you don't know me very well then, and you didn't read my post terribly carefully.

    For your benefit, I happen to be a multilicense/multiyear Kaspersky user. I don't believe that file object ID's are a major practical issue. I do believe the KL programmers made a poor choice in using them for the purposes that they did, and I believe that any program should not leave extensive tracks of their existence on any machine if it is uninstalled - that goes for any program, it is simply very poor etiquette.

    Blue
     
  24. rothko

    rothko Registered Member

    Joined:
    Jan 12, 2005
    Posts:
    579
    Location:
    UK
    hi there,

    For a bit of closure on the 'blind' NOD32 issue, I asked ultragunnerdcl to share the samples with me, which he kindly did. There are 5 files in an archive which is then in a tar archive.

    NOD32 does not detect anything if you scan the tar file, it obviously can't 'see through it', but once you extract it NOD32 jumps in with 'multiple infiltrations'. I disabled AMON so I could extract the files and see what was inside. There are 5 .exe files, one of which is only detected by PREVX at VirusTotal and is 1kb in size, so a nonsense file.

    The other 4 files are detected by NOD32 as follows:

    Scan performed at: 24/11/2007 14:49:55
    Scanning Log
    NOD32 version 2683 (20071124) NT
    Command line: C:\Documents and Settings\***\Desktop\none\none.exe

    Date: 24.11.2007 Time: 14:49:57
    Anti-Stealth technology is enabled.
    Scanned disks, folders and files: C:\Documents and Settings\***\Desktop\none\none.exe
    C:\Documents and Settings\***\Desktop\none\none.exe »RAR »keygen.exe - Win32/TrojanDownloader.Agent.NSP trojan
    C:\Documents and Settings\***\Desktop\none\none.exe »RAR »crack.exe - Win32/Adware.Virtumonde application
    C:\Documents and Settings\***\Desktop\none\none.exe »RAR »serial.exe - Win32/Dialer.NDU trojan
    C:\Documents and Settings\***\Desktop\none\none.exe »RAR »install.exe - Win32/Virut.AV virus
    Number of scanned files: 5
    Number of threats found: 4
    Time of completion: 14:49:58 Total scanning time: 1 sec (00:00:01)


    So, it isn't that NOD32 doesn't detect the nasties, it detects ALL of them. It just can't unpack (is that the right word?) to see inside the tar file. The files pose no threat until they are extracted anyway, at which point NOD32 deals with them all.

    I think someone owes someone an apology...:D

    Lee

    PS I will submit the files in the tar to ESET just in case they want to analyse the packing
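    The behaviour Lee describes above (a container file that hashes to nothing known, while every member inside it is a known sample) can be reproduced with a small recursive archive scanner. The Python below is an added example for this thread, not code from the original post, from ESET or from any vendor; the sample "executables", the placeholder detection names and the SHA1-keyed "signature database" are all constructed here, and the nested archive is built in memory so nothing is written to disk. It generalises the thread's tar-with-an-archive-inside case to arbitrary nesting of tar and zip (Python's standard library cannot write RAR, so zip stands in for the inner archive).

```python
"""Recursive archive scanning: a hash-only scan of the outer container finds
nothing, while unpacking tar/zip members exposes the files inside.
Added example for the thread, not the forum's or any vendor's code. All
samples, names and "signatures" below are constructed placeholders."""
import hashlib
import io
import tarfile
import zipfile

MAX_DEPTH = 4                           # refuse to recurse into endlessly nested archives
MAX_MEMBER_BYTES = 10 * 1024 * 1024     # refuse to inflate any single member past 10 MiB


def sha1_hex(data: bytes) -> str:
    return hashlib.sha1(data).hexdigest()


# Constructed stand-ins for the five files in the thread (not real binaries).
SAMPLES = {
    "keygen.exe": b"MZ\x90\x00constructed-sample-A",
    "crack.exe": b"MZ\x90\x00constructed-sample-B",
    "serial.exe": b"MZ\x90\x00constructed-sample-C",
    "install.exe": b"MZ\x90\x00constructed-sample-D",
    "junk.exe": b"junk" * 256,          # 1 KB of filler: the "nonsense file"
}

# Toy signature database: SHA1 of known content -> placeholder detection name.
SIGNATURES = {
    sha1_hex(SAMPLES["keygen.exe"]): "Sample/Downloader.A",
    sha1_hex(SAMPLES["crack.exe"]): "Sample/Adware.B",
    sha1_hex(SAMPLES["serial.exe"]): "Sample/Dialer.C",
    sha1_hex(SAMPLES["install.exe"]): "Sample/Virus.D",
}


def build_nested_archive() -> bytes:
    """Build, in memory, a tar (H.tar) holding a zip (none.zip) holding the samples."""
    zbuf = io.BytesIO()
    with zipfile.ZipFile(zbuf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in SAMPLES.items():
            zf.writestr(name, data)
    tbuf = io.BytesIO()
    with tarfile.open(fileobj=tbuf, mode="w") as tf:
        info = tarfile.TarInfo("none.zip")
        info.size = len(zbuf.getvalue())
        tf.addfile(info, io.BytesIO(zbuf.getvalue()))
    return tbuf.getvalue()


def scan_flat(blob: bytes, name: str) -> list:
    """Hash-only scan of the object exactly as given; never looks inside containers."""
    verdict = SIGNATURES.get(sha1_hex(blob))
    return [(name, verdict)] if verdict else []


def unpack(blob: bytes):
    """Return (container_kind, [(member_name, bytes), ...]) or None for a plain file.
    Tar is tried first: a tar that embeds a zip can otherwise pass zipfile's
    end-of-central-directory probe and be misread as a zip."""
    try:
        with tarfile.open(fileobj=io.BytesIO(blob), mode="r:*") as tf:
            members = [(m.name, tf.extractfile(m).read())
                       for m in tf if m.isfile() and m.size <= MAX_MEMBER_BYTES]
        return "TAR", members
    except tarfile.TarError:
        pass
    if zipfile.is_zipfile(io.BytesIO(blob)):
        with zipfile.ZipFile(io.BytesIO(blob)) as zf:
            members = [(i.filename, zf.read(i)) for i in zf.infolist()
                       if not i.is_dir() and i.file_size <= MAX_MEMBER_BYTES]
        return "ZIP", members
    return None


def scan_recursive(blob: bytes, name: str, depth: int = 0) -> list:
    """Scan the object, then unpack it (if it is a container) and scan every
    member the same way; paths use the outer»KIND»inner style of the log above."""
    hits = scan_flat(blob, name)
    container = unpack(blob) if depth < MAX_DEPTH else None
    if container:
        kind, members = container
        for member_name, data in members:
            hits += scan_recursive(data, f"{name} »{kind} »{member_name}", depth + 1)
    return hits


if __name__ == "__main__":
    archive = build_nested_archive()
    print("flat scan of H.tar:     ", scan_flat(archive, "H.tar"))
    for path, verdict in scan_recursive(archive, "H.tar"):
        print(f"{path} - {verdict}")
```

    The flat scan mirrors a scanner that hashes only the file it was handed and returns nothing for H.tar; the recursive scan reports four hits with paths of the form `H.tar »TAR »none.zip »ZIP »keygen.exe`, and the filler file produces no hit at either level. The depth and per-member size limits are the checks a practitioner would keep: without them a crafted archive can make a recursive scanner inflate or recurse without bound.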
     
  25. ultragunnerdcl

    ultragunnerdcl Registered Member

    Joined:
    Oct 26, 2007
    Posts:
    103
    Location:
    Philippines
    You are also forgetting a lot of things. I have more samples here if you want. So doing that test too shows one thing too & proves that Nod32 heuristics are inferior to the competition & a lot of antivirus heuristics beat the hell out of nod32!!! A lot of antivirus were able to scan thru the unpacking & nod32 could not, which shows that its signature detection is very weak & its heuristics do not work. So are you sure you want to challenge me!!!!!! I have already sent all of the samples to kaspersky lab. Quit crying over spilled milk & all of you should accept that Nod32 lost to a lot of better antivirus!!!!!!!!!

    Here are the facts:
    Nod32 could not detect the samples & could not see thru the unpacking, which shows that its heuristics are not as good as they used to be.
    Nod32 Signature Database has very few virus & trojan records compared to other antivirus!!!

    Your test proves it is very weak.


    By admitting that nod32 could not see thru the compression means that its heuristics do not work!! A question to everyone: "Does nod32 have the best heuristics?"o_O Absolutely not. Even if you reason that the file is harmless when packed, pls, that's like someone reasoning that he is winning after getting beaten up by a bully!!!
    By the way, I used to use Nod32 version 3.0.566.0 which is superior to version 2.7.
     
    Last edited: Nov 24, 2007