Strange thing with Jotti´s NOD32 detection rate

I don´t know why, but sometimes I see nod32 not detecting some trojans in jotti virusscan, but when I search the trojan name in nod32 update info I see that nod32 has a signature for this trojan... why?

 

Part of the reason is the Jotti's uses a Linux version of Nod32. More technical than that, you will have to wait for Marcos or Happy Bytes to wander along.

Cheers

 

It can also be related to the fact that the sample is non-functional.

 

The results should be the same regardless of the oper. system used. All depends on the settings. The thing is a lot of samples submitted for analysis are corrupted, or they are installers which are not scanned internally (well, NOD32 actually supports NSIS, WISE, SFX archives), but malicious files are detected upon installation.

 

Thank you Marcos, always knew there was a difference, but didn't know to what extent.

Cheers

 

But I see it a lot of times... everytime this occours is because the file is corrupted? I´ve seen about 10 scans at jotti that nod doesn´t detect, but have the signature for the virus... The other antiviruses does detect it... it´s considerated a false positive if the file is corrupted?

 

It all depends. No one says that NOD32 detects all 100% functional viruses as well as no one can say there's an AV that detects every single functional virus. Send it to samples[at]eset.com and if it's actually functional it will be added.

 

One exemple of many I´ve seen:

http://img282.imageshack.us/img282/2063/joe7rf.jpg

NOD32 - 1.1267 (2005102 / posted 02:19)
Virus signature database updates:
Java.OpenConnection, Java.OpenConnection.AJ, Win32/Adware.CashFiesta, Win32/Agent.PQ, Win32/Aimbot.NAA, Win32/Bifrose.DG, Win32/Delf.AIM, Win32/DelFiles.AH, Win32/IRCBot.PG, Win32/Locksky, Win32/Locksky.A, Win32/Mytob.LY, Win32/Oscarbot.AU, Win32/Oscarbot.AV, Win32/Oscarbot.AW, Win32/Oscarbot.AX, Win32/Oscarbot.AY, Win32/Oscarbot.AZ, Win32/Pakes.H, Win32/Paltus.D, Win32/Prox.O, Win32/PSW.Agent.AN, Win32/PSW.Agent.CV, Win32/Spy.Banker.AGN, Win32/Spy.Banker.NGR, Win32/Spy.Banker.NGS, Win32/Spy.Banker.UG, Win32/Spy.Banker.WU, Win32/Spy.Banker.YT, Win32/Spy.Banker.ZY, Win32/Spy.Goldun.DN, Win32/Spy.Small.BV, Win32/StartPage.ADV, Win32/Surila.AB, Win32/Surila.NAC, Win32/Surila.NAD, Win32/TrojanClicker.Delf.DL, Win32/TrojanDownloader.Agent.NCZ, Win32/TrojanDownloader.Agent.NDA, Win32/TrojanDownloader.Agent.XX, Win32/TrojanDownloader.Small.BTE, Win32/TrojanDownloader.Small.BTJ, Win32/TrojanDownloader.Small.NFS, Win32/TrojanDownloader.VB.NBN, Win32/TrojanDropper.Agent.NAR, Win32/Troj anDropper.Agent.SO, Win32/TrojanDropper.Delf.NH, Win32/TrojanDropper.Delf.OC, Win32/TrojanDropper.Small.ABX, Win32/VB.AEH, Win32/VB.AEM, Win32/VB.NBC, Win32/VB.NBD

 

Well I consider a corrupt file/virus to be a F/P if it gets detected.
I mean, who want's to be warned about a threat that is not even working? Not me

 

hmmm... Kaspersky gives too many FP.

 

You say that this is FP but i say it's not. Look at the filename and you'll see what i mean. There is no crack for Symantec 2006 line except repacked 2005 keygens and other crap or trojans. And this one is correctly matched...

 

Well, probably u're right....u can never know. Anyway, I've seen many FP from Kaspersky compared to other AVs.

 

Actually I'm not saying it's an F/P - I'm saying that I consider it to be an F/P.
It could very well be garbage or a real working trojan/virus whatever.

I don't have the time, nor the expertise to flag this as harmless

 

So why NOD32 didn´t detect it? NOD32 has the signature...

 

You can send me the sample (support[at]nod32.com), maybe FP, maybe a subsignature needed, maybe file damaged, maybe...

 

LOL? Youre then one giving away registration codes for BitDefender, are you not?
Good reseller or something right here..

https://www.wilderssecurity.com/showpost.php?p=616367&postcount=2

 

I dont have the file, cause wasnt me who submited the file to jotti.. anyway, I will search in some crack forums for this file and send it to you..

 

NO, I'm not reseller!

 

Ok

 

Ok, eMule just start downloading.. 0,7kb/s :/

For which e-mail should I send it?

 

Samples@eset.com or if you want a reply, to me also a CC!

 

Hello...

I´m the old "NODUSER"...

Will send it to you now!

NOD32 has not detected it here...

 

OK, received it. but please let me to analyze it, here the time is 3:00am.

 

Ok..

 

Sorry for the delay,

Yes, the file is infected!

The malicious code is wrapped into Self-Archive-Extractor, and it isn't able for Auto-Extract itself. However, with user click or not, during extracting, the malicious code for installing itself must copy malicious body in the hard disk. in that time, with AMON enabled, the malicious code will be caught.