Eset ignores virus submissions?

About two weeks ago I found a malware installer while cleaning up a clients PC. Being a public-spirited person, I submitted it to every AV company I could think of.
I also checked it with NOD32 on my personal machine. Horrified that nothing was detected, I quarantined the file and submitted it that way. Four days later the file still wasn't being detected as malicious so I submitted it via email as per Eset's suggested method on their website on 13th and 15th October.
It still isn't being detected.

 

Hi ElGordo, welcome to Wilders.

Viruses, trojans and other malware are added on a priority basis, and it has to be this way or you would have the analysts breaking their back over the odd single sample sent to them, instead of keeping focus on the spreading samples and adding the rest as they go...

This is what Anton Zajac head of Eset had to say on the matter.

Cheers

 

Thanks for your reply and the welcome
I don't want to sound like a four year old having a tantrum because "my" virus isn't highest priority but it does seem to be taking an inordinately long time to add to the definitions.
Other AV companies seem to have added it in under 24 hours, that's all.

 

I understand, and if I had a undetected piece of malware on my system I wouldn't be too happy either, however Eset are receiving thousands of samples through Threatsense.net and analysis is completed strictly on a priority basis.

Cheers

 

Understood. Thankyou for your time.

 

You are welcome.

Cheers

 

If a user is actually infected with the malware, then such priorities can lead to high customer dissatisfaction, potentially causing sales drops. As far as I know, analysing a sample and creating a signature is hardly the problem (takes about 5 minutes at best), but rather testing and modifying it for zero false positives and 100% detection is the difficult part. For that reason, it should be fairly simple to at least provide an analysis of what the infected file does to the system via email with disinfection instructions even if no signature is added due to the amount of time required for testing the signature. This way the customer can clean his/her PC and Eset does not have to spend extra time in testing and adding non-priority signatures.

Just a thought. I hope I'm not speaking like a nut here.

 

Eset seem to have a pretty strict (and good) policy of making signatures for submitted malware - I've submitted something and it's had a signature within 24 hours before. However, I found a trojan-downloader (I still have the sample zipped up) on my system and submitted it to Eset back in late August/early september via email several times, it has not been added yet, so I guess I am the only person to have come across it/or it was corrupted, although saying that most other AV's I submitted it to has added it to signatures.

Regards

 

There is another AV in the market which will not detect corrupted files (Dr.Web). If that vendor denies the sample, then you can be assured Eset will too.

But still, I think Eset can provide at least a small analysis without wasting much workforce.

 

Thanks, I didn't know that.

Dr Web detects this as VBS.Psyme.217.

Regards

 

No they don't. Your old dos files that poses no threat these days will get lower priority.

 

VBS.Psyme is not a DOS virus. I've been infected by this once (very long time ago).

 

The sample I mentioned is a downloader that downloads a variant of Haxdoor, and was new as of August/September 2006.

Regards

 

if that variant of Haxdor being downloaded is detected everything's fine I think.
Maybe they'll aanyway have an automatic reply system to samples submitted with the new web-based sample submission system. If you sent the file maybe ESET haven't received it.

 

I think in the middle of this, the question may have been answered...

the "threat" is a trojan downloader right?

the actually trojan was already detected - right again?

New downloaders of existing threats must by their very definition take a lower priority than the threats they download if the threat they download is detected by signature. As the "threat" of the downloader itself is somewhat mitigated by the fact that their isn't much it can do to you if it's payload program can't get past NOD32.

Seems obvious when you think about it in those terms... at least to me....

 

I do not know if the trojan itself is detected, as my internet explorer security settings prevent the active x content from running therefore it doesnt even get the chance to try to download, however I would be almost positive that it is detected given nod's excellent haxdoor detection.

However, I only found out I had this on my system (this was a clean computer, not one used for any testing) by running a back-up online scan, and an inexperienced user may be put off or doubt the ability of nod32 if they run back-up scans and are told they are infected when they believe they are clean...

I agree to an extent, but some people would argue that leaving malware on your system because it is currently harmless may be unwise, what if nod32 was uninstalled or became defective? You would be unaware you have malware on your system that could be activated at any time...

 

I never said that trojan downloaders should be ignored, merely given much less priority if their "payload" is already handled.

 

Especially if they are VBS and can be easily modified without a deep programming knowledge to evade detection. In such case, it's much more important to detect the malisious file that is downloaded.

 

@ Firecat

I don't think that file was corrupted after all as detection has been added in today's update 1969 - HTML/TrojanDownloader.Agent.AQ

Regards,
Londonbeat

 

i think eset have small staff(10 or 20 peoples) and marcos is one them

 

I bet that too. They've added that sample Londonbeat told about because the av-comparatives.org test is near and they're adding old signatures.

 

Your not suggesting they're just adding sigs to increase their detection rate in an upcoming test are you??:-after we've been told they are not that important for protection!!

 

Old dos sigs are added before the av-comparative test.
Why they test dos detection is unknown to me however, since they aren't a threat these days anyway.

 

They are not adding DOS viruses only (DOS are very few in their latest defs). They're adding Exploits, Trojans, BAT, JS, and other old viruses they haven't add till now.

And it's obvious they're adding them to have higher detection rates in the test.

 

I think all AV vendors probably add sigs when they know a test is due,solely to improve their detection rate for such tests,this is the main reason I feel tests should not run to a schedule but should be random AND unannounced beforehand