Any reason why NOD32 scan missed a Trojan?

Discussion in 'NOD32 version 2 Forum' started by enduser999, Apr 16, 2006.

Thread Status:
Not open for further replies.
  1. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,456
    I doubt Ewido detected TD Zlob before NOD32 did. NOD32 has always been one of the few AVs to detect this threat among the first. Maybe he didn't have NOD32 updated or whatever.
     
  2. NOD32 user

    NOD32 user Registered Member

    Joined:
    Jan 23, 2005
    Posts:
    1,766
    Location:
    Australia
    This is not a mistake. Putting a secure copy into quarantine is one action. It's a separate action to clean/delete/whatever the original, even though it may happen at the same time.
    NOD32's quarantine also permits an item to be restored to its original or another location for various reasons.
     
  3. Sandy70

    Sandy70 Registered Member

    Joined:
    May 29, 2005
    Posts:
    2
    Again NOD32 missed detecting a new trojan.. o_O
    <snip>

    How can this happen again o_O


    removed link to possible malware - don't worry - Eset has access to removed link - Detox
     

    Last edited by a moderator: Apr 20, 2006
  4. peewee

    peewee Registered Member

    Joined:
    Jan 31, 2006
    Posts:
    30
    And you, lol, don't have other member names here, right? This is the first time you have ever posted? Muah haha, oh please, you chump... :rolleyes:
     
  5. fosius

    fosius Registered Member

    Joined:
    Oct 14, 2004
    Posts:
    479
    Location:
    Partizanske, Slovakia
    Oops... again... NOD32 and BitDefender detected this malware and other AVs did not o_O HOW CAN THIS HAPPEN?? :D :D
     

  6. Blackspear

    Blackspear Global Moderator

    Joined:
    Dec 2, 2002
    Posts:
    15,115
    Location:
    Gold Coast, Queensland, Australia
    I think we have all had enough of the Nod32 missed this one and found this other one type posts.

    The original question has been answered and it is time to move on.

    Blackspear.
     
  7. NOD32 user

    NOD32 user Registered Member

    Joined:
    Jan 23, 2005
    Posts:
    1,766
    Location:
    Australia
    ....and do you suppose your online scanner knew the password to unlock this archive with? o_O
    No files scanned should = no virus found...
    I wonder if something went wrong with the others !!
    Fully.
    (sorry, already posted before I saw yours over the page)
     
    Last edited: Apr 20, 2006
  8. Sandy70

    Sandy70 Registered Member

    Joined:
    May 29, 2005
    Posts:
    2
    You're right..
    We must keep moving on.. :thumb:
    I think using two antiviruses is not a bad option
    As long as they can work together..

    :)
     
  9. EASTER.2010

    EASTER.2010 Guest

    I'm beginning to become suspicious when a secure freeware app is discovered on the internet lately and the web sites fall apart so they can't be reached anymore. Do a Google search for filechangealarm and see what I mean.

    I had been sharing that find occasionally with other forums including here at Wilder's but can't do that now because it's vanished all of a sudden.

    It was a directory/folder monitor that monitored in real-time ANY changes internally to any files of renaming/deleting of files that served a very good purpose and was a good added security measure that still serves my units very effectively.

    It remains to be seen if it surfaces again but it was always and still is excellent at intercepting newcomer intruders that the regular and highly touted AVs and even some malware detectors seem to skip occasionally.

    It alerts with your choice of an audible tone whenever some new change is made, no matter what. It always alerts even when a roll forward is conducted by Windows System Restore. It of course records the attempted action so you can investigate and deal with the matter if it's an intrusion or a forced file drop on your good system.
     
  10. HandsOff

    HandsOff Registered Member

    Joined:
    Sep 16, 2003
    Posts:
    1,946
    Location:
    Bay Area, California
    I'm not sure I see the connection with this thread. I would be concerned as a user about the assertion that real time detection can be performed...remotely. Maybe I don't understand what it's doing, but in general I have believed that the compelling argument against relying on remote detection is that, basically, it only discovers infection after the fact, which is not such a good thing. Also that my files are accessible remotely. The concept of blocking a roll forward is very interesting. I've never heard the term, but that says a lot in and of itself, and I applaud any attempt to put software installation decisions in the hands of the computer owner, not....I'd rather not say what I am thinking!


    -HandsOff

    P.S. - Actually, I do see a connection, but I'm not sure it's the one you meant. Did you mean you are better off finding other ways to confirm whether a detection is legitimate or not? I would agree with that strongly. If one program detects malware and another does not, my overriding concern for the moment is whether the file is infected or not. The only one I would submit a questionable file to is someone who is going to give me the benefit of knowing what they found (or not). To say it would strengthen the program is speculative at best. First of all, I will already have found my answers, and secondly, what evidence would I have that the file is even analysed in the first place?
     
    Last edited: Apr 21, 2006
  11. enduser999

    enduser999 Registered Member

    Joined:
    Apr 17, 2005
    Posts:
    418
    Location:
    The Peg
    No it was being updated on a daily basis. At least the popup notice would appear on a daily basis and indicate the signatures had just been updated. I looked through the logs and it indicated that the signatures had been updated on April 15 at 3:34AM to version 1.1490. It was that evening, a week ago that Ewido found the infection.

    Now I have switched the Win2k account he uses on a day to day basis to a limited account, only to find out that the weekly scheduled scan apparently no longer runs. I go into NOD32 to look at the parameters, which tell the job to run at 2AM Saturday. I look through the logs and sure enough the job appears to have started but shows a status of SCANNING in the NOD32 Scanner Logs, and when I look at the logfile in detail it shows that the scanner had some problems finding the next archive volume in a series of archive files and then the scan job just died.

    Seems that the April 1 scan job also did not run to completion.

    The job is calling NOD32 as an external execution with the following options

    /local /adware /ah /all /arch+ /heur+ /log+ /mailbox+ /pack+ /scanboot+ /scanmbr+ /scanmem+
    /scroll+ /sfx+ /unsafe /wrap+

    When I go through the parameters of the job under his limited user account, after the Run External Command screen I get a window titled Scheduler/Planner with a black exclamation mark on a yellow triangle; no other information or error message is shown in this window!

    o_O
     
    Last edited by a moderator: May 22, 2006
  12. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,456
    Hello,

    I have no clue as to what happened; certainly NOD32 would have alerted you at least during the scan of files run at computer startup if the threat was actually active. NOD32 is still one of the few AVs to detect TD.Zlob among the first:

    AntiVir 6.34.0.24 04.20.2006 no virus found
    Avast 4.6.695.0 04.21.2006 no virus found
    AVG 386 04.21.2006 no virus found
    Avira 6.34.0.56 04.22.2006 no virus found
    BitDefender 7.2 04.22.2006 no virus found
    CAT-QuickHeal 8.00 04.21.2006 no virus found
    ClamAV devel-20060202 04.22.2006 no virus found
    DrWeb 4.33 04.22.2006 no virus found
    eTrust-InoculateIT 23.71.136 04.22.2006 no virus found
    eTrust-Vet 12.4.2171 04.21.2006 no virus found
    Ewido 3.5 04.22.2006 no virus found
    Fortinet 2.71.0.0 04.22.2006 suspicious
    F-Prot 3.16c 04.21.2006 no virus found
    Ikarus 0.2.59.0 04.21.2006 no virus found
    Kaspersky 4.0.2.24 04.22.2006 no virus found
    McAfee 4746 04.21.2006 no virus found
    NOD32v2 1.1502 04.22.2006 a variant of Win32/TrojanDownloader.Zlob.LZ
    Norman 5.90.16 04.21.2006 no virus found
    Panda 9.0.0.4 04.22.2006 Suspicious file
    Sophos 4.04.0 04.21.2006 no virus found
    Symantec 8.0 04.22.2006 no virus found
    TheHacker 5.9.7.133 04.22.2006 no virus found
    UNA 1.83 04.21.2006 no virus found
    VBA32 3.11.0 04.22.2006 no virus found
     
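    To make the multi-engine listing above easier to reason about, here is an added example (not part of the original post or of any ESET tool) that parses verdict lines of the form "engine version MM.DD.YYYY verdict" and tallies how many engines called the sample clean, suspicious, or named a detection. The sample text is the listing quoted in the thread, embedded as constructed input; the classification rules are an assumption based on the verdict wording seen there.

```python
import re
from collections import Counter

# Constructed sample: the per-engine verdicts quoted in the thread above.
REPORT = """\
AntiVir 6.34.0.24 04.20.2006 no virus found
Avast 4.6.695.0 04.21.2006 no virus found
AVG 386 04.21.2006 no virus found
Avira 6.34.0.56 04.22.2006 no virus found
BitDefender 7.2 04.22.2006 no virus found
CAT-QuickHeal 8.00 04.21.2006 no virus found
ClamAV devel-20060202 04.22.2006 no virus found
DrWeb 4.33 04.22.2006 no virus found
eTrust-InoculateIT 23.71.136 04.22.2006 no virus found
eTrust-Vet 12.4.2171 04.21.2006 no virus found
Ewido 3.5 04.22.2006 no virus found
Fortinet 2.71.0.0 04.22.2006 suspicious
F-Prot 3.16c 04.21.2006 no virus found
Ikarus 0.2.59.0 04.21.2006 no virus found
Kaspersky 4.0.2.24 04.22.2006 no virus found
McAfee 4746 04.21.2006 no virus found
NOD32v2 1.1502 04.22.2006 a variant of Win32/TrojanDownloader.Zlob.LZ
Norman 5.90.16 04.21.2006 no virus found
Panda 9.0.0.4 04.22.2006 Suspicious file
Sophos 4.04.0 04.21.2006 no virus found
Symantec 8.0 04.22.2006 no virus found
TheHacker 5.9.7.133 04.22.2006 no virus found
UNA 1.83 04.21.2006 no virus found
VBA32 3.11.0 04.22.2006 no virus found
"""

# engine  version  MM.DD.YYYY  free-text verdict (assumed line layout)
LINE = re.compile(r"^(\S+)\s+(\S+)\s+(\d{2}\.\d{2}\.\d{4})\s+(.+)$")

def classify(verdict):
    # Assumed rule: exact "no virus found" is clean, "suspicious..." is a
    # heuristic flag, anything else is treated as a named detection.
    v = verdict.strip().lower()
    if v == "no virus found":
        return "clean"
    return "suspicious" if v.startswith("suspicious") else "detected"

def summarize(text):
    """Return engine count, per-class counts and the engines raising a flag."""
    rows = [m.groups() for m in map(LINE.match, text.splitlines()) if m]
    counts = Counter(classify(v) for _, _, _, v in rows)
    flagged = {e: v for e, _, _, v in rows if classify(v) != "clean"}
    return {"engines": len(rows), "counts": dict(counts), "flagged": flagged}
```

    Malformed or blank lines are skipped rather than guessed at, so the engine count reflects only lines that parsed cleanly.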
  13. enduser999

    enduser999 Registered Member

    Joined:
    Apr 17, 2005
    Posts:
    418
    Location:
    The Peg
    Is there no way of NOD32 informing the end user with a pop up error window when a scheduled job did not complete normally? My friend is losing confidence in NOD32.
     
  14. NOD32 user

    NOD32 user Registered Member

    Joined:
    Jan 23, 2005
    Posts:
    1,766
    Location:
    Australia
    Check out Blackspear's Extra Settings for NOD32 thread (it's a sticky near the top of the thread list if you haven't seen it) - you can schedule a command line scan that has a visible window during its scan if you like, and prevent it from being closed before it finishes, or configure it however you like for your exact requirements.
    Of course, strictly speaking a full weekly scan is just a nice addition, not necessarily an essential one - AMON checks files on access anyhow :)
     
  15. enduser999

    enduser999 Registered Member

    Joined:
    Apr 17, 2005
    Posts:
    418
    Location:
    The Peg
    That's the way this computer is configured. However that window never opened, or if it did it closed while the scheduled 2AM Saturday scan was going on and then for whatever reason terminated on its own, closing the scan window. My friend is now using a limited account under Win2k. It appears that NOD32 Control Center will not function properly when run by a Win2k limited user, since a limited user can NOT change the scheduling of any jobs! The result if this is attempted is a very informative small window with an exclamation point on a yellow triangle and no text whatsoever in the alert window. Also as a result the scheduled scan could not be rescheduled so that it ran last night! My friend still can not get NOD32 to perform a scheduled scan properly! It appears that one has to run the NOD32 Control Center as an administrator to effect any change, especially the scheduling of any jobs!
     
  16. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,456
    If the scanner window closed all of a sudden during a scan, I'd suggest disabling archives and email, which can, under very specific circumstances, cause this problem.
     
  17. enduser999

    enduser999 Registered Member

    Joined:
    Apr 17, 2005
    Posts:
    418
    Location:
    The Peg

    I assume that this is referring to the scan job parameters and not to NOD settings in general. Why though is it hit and miss whether the scanner window closes and the scan not complete properly if the same parameters have always been used for scheduled scans?

    I have changed the parameters of the job to use /arch- /mailbox- rather than /arch+ /mailbox+ and have scheduled it to run shortly rather than overnight so that I can check on it.

    As well when using a limited user account under Win2k the NOD32 control panel has to be started using an administrator type account. This is so one will be able to change scan job settings and thereby preventing the cryptic warning window (small window with yellow triangle and black exclamation mark) from appearing when saving the job. Is this correct?
     
  18. enduser999

    enduser999 Registered Member

    Joined:
    Apr 17, 2005
    Posts:
    418
    Location:
    The Peg
    Well that scan ran ok. The thing is that in the past the regularly scheduled scan sometimes ran without a hitch and other times it apparently just closed the window and did not complete.

    Also regarding that trojan that NOD32 missed. I thought NOD was capable of detecting viruses in the wild, i.e. ones that were not in its definitions? If so, why did a manual scan both in safe and normal mode, apparently before the signatures with that particular trojan in them were released, not catch the trojan?
     
  19. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,456
    I'm sorry but I don't understand. You are asking why NOD32 didn't detect it without a signature? If NOD32 were to detect 100% of all threats either by a signature or heuristics, it would be like perpetual motion - 100% effective, but unreal.
     
  20. i_kenefick

    i_kenefick Registered Member

    Joined:
    Nov 29, 2005
    Posts:
    135
    Location:
    Cork, Ireland.
    You're right... you misunderstood him Marcos :shifty: , but that's ok. We're not perfect.

    He understands NOD32 claims to detect 100% of ITW viruses but he doesn't understand the definition of ITW virus. He thinks (as you can see from the quote) that ITW means not in NOD32's definitions which is clearly a misunderstanding. So we can set enduser999 straight with a simple definition that an ITW (in the wild) virus is one which is reported to be spreading in the real world. NOD32 detects 100% of these... but also a lot more. NO AV solution detects 100% of ALL malware :ninja:

    I hope I've cleared this up

    Thread closed? *puppy*
     
  21. RejZoR

    RejZoR Lurker

    Joined:
    May 31, 2004
    Posts:
    6,426
    Well, I don't agree exactly. This whole ITW is pretty much BS if you ask me.
    ITW samples are only those that are included in the ITW list. That's a very small number. But in reality there are thousands of ITW malware that are not included on that list and most ppl tend to call it "zoo". But if I can get that malware and run it, that's not zoo at all. But hey, who am I to judge giant AV companies (this doesn't apply just to ESET) that have more clue than me about this subject...
     
  22. i_kenefick

    i_kenefick Registered Member

    Joined:
    Nov 29, 2005
    Posts:
    135
    Location:
    Cork, Ireland.
    I agree with you. The turnover in malware nowadays is massive. Most of the junk has a short life. Each variant is spewed out one after another in order to avoid detection. This does indeed nullify the value of the wildlist. Things have changed :doubt:

    A lot of researchers would agree with you. I know some have said similar to me in the past. :ninja:
     
  23. Source

    Source Registered Member

    Joined:
    Apr 22, 2006
    Posts:
    9
    Location:
    London, England.
    NOD32 probably has one of the most advanced heuristics engines and so relies on a smaller signature base. I realise NOD32 may not have a signature for a dangerous file because it has been shown by respectable tests to detect between 80-90% of virus samples. It does however detect up to 100% of so called in-the-wild and zero-hour threats (that appear before most AVs have implemented protection in their signature updates). Isn't a large signature base better than an advanced heuristics engine that misses a worrying number of viruses/trojans? Don't get me wrong, I absolutely love NOD32, but as the sole AV on a machine I wouldn't feel safe. I use NOD32 for on-demand scans only, complementing my resident or on-access AV (which has repeatedly been shown to detect between 90-98% of virus/trojan samples). To date, I have submitted 5 samples to Eset and these were all added very quickly to NOD32 updates, so top marks to Eset for their speedy work. Still, that was 5 instances where, to varying degrees, my data could have been damaged or my system left vulnerable.
     
  24. TNT

    TNT Registered Member

    Joined:
    Sep 4, 2005
    Posts:
    948
    Let me understand this: NOD32 claims to be detecting ALL the malware existing in the real world (or just the viruses), just not 100% of zoo malware? Because if it does, it's unbelievably ridiculous BS.

    I've seen NOD32 fail to detect ITW trojans many times (although along with Kaspersky it seems that it does have one of the best detection rates).
     
  25. RejZoR

    RejZoR Lurker

    Joined:
    May 31, 2004
    Posts:
    6,426
    Well, that's the point where the road splits between the official terminology of ITW and ZOO samples... Many AVs claim they detect all ITW malware. But reality is different (see my explanation a few posts above).
     