2.70.32 2342 does not detect common trojans

Discussion in 'NOD32 version 2 Forum' started by olmer, Jun 21, 2007.

Thread Status:
Not open for further replies.
  1. olmer

    olmer Registered Member

    Joined:
    Jun 21, 2007
    Posts:
    4
    Where to submit? I have searched eset – there is no such service.

    Below is KOS log:

    KASPERSKY ONLINE SCANNER REPORT
    Thursday, June 21, 2007 12:32:42 PM
    Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
    Kaspersky Online Scanner version: 5.0.83.0
    Kaspersky Anti-Virus database last update: 21/06/2007
    Kaspersky Anti-Virus database records: 328408

    C:\WINDOWS\system32\drivers\etc\service.exe Infected: Trojan.Win32.Agent.amg skipped
    C:\WINDOWS\system32\drivers\etc\svchost.exe Infected: Backdoor.Win32.Iroffer.af skipped
    C:\WINDOWS\system32\exec2.exe/data.rar/service.exe Infected: Trojan.Win32.Agent.amg skipped
    C:\WINDOWS\system32\exec2.exe/data.rar/svchost.exe Infected: Backdoor.Win32.Iroffer.af skipped
    C:\WINDOWS\system32\exec2.exe/data.rar Infected: Backdoor.Win32.Iroffer.af skipped
    C:\WINDOWS\system32\exec2.exe RarSFX: infected - 3 skipped
     
  2. pykko

    pykko Registered Member

    Joined:
    Apr 27, 2005
    Posts:
    2,236
    Location:
    Romania...and walking to heaven
    Send it here: samples [AT] eset.com ;)
     
  3. ASpace

    ASpace Guest

    In addition to what Pykko wrote, you'd better also include a link to this thread. Files you need to submit are:

    C:\WINDOWS\system32\exec2.exe
    C:\WINDOWS\system32\drivers\etc\svchost.exe
    C:\WINDOWS\system32\drivers\etc\service.exe
     
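    The scanner output quoted in the first post and the file list in the reply above follow a simple rule: a path that contains "/" is an object found inside an archive, and the file that actually exists on disk (and is what gets submitted) is the part before the first "/". The script below is an added example, not code from the thread or from ESET or Kaspersky; it parses a constructed copy of the Kaspersky Online Scanner lines from the first post, collapses archive members to their container, and produces the same three-file submission list ASpace gave. The line format is inferred from the quoted report only.

```python
import re
from dataclasses import dataclass
from typing import Dict, List

# Constructed copy of the Kaspersky Online Scanner detection lines quoted in the
# first post (header lines omitted). Paths are Windows paths, so '/' only ever
# separates a container from the archive members found inside it.
KOS_LOG = r"""
C:\WINDOWS\system32\drivers\etc\service.exe Infected: Trojan.Win32.Agent.amg skipped
C:\WINDOWS\system32\drivers\etc\svchost.exe Infected: Backdoor.Win32.Iroffer.af skipped
C:\WINDOWS\system32\exec2.exe/data.rar/service.exe Infected: Trojan.Win32.Agent.amg skipped
C:\WINDOWS\system32\exec2.exe/data.rar/svchost.exe Infected: Backdoor.Win32.Iroffer.af skipped
C:\WINDOWS\system32\exec2.exe/data.rar Infected: Backdoor.Win32.Iroffer.af skipped
C:\WINDOWS\system32\exec2.exe RarSFX: infected - 3 skipped
"""

# One line per flagged object: "<path> Infected: <verdict> <action>" (format inferred from the post)
INFECTED_RE = re.compile(r"^(?P<path>.+?) Infected: (?P<verdict>\S+) (?P<action>\S+)$")
# Summary line for a self-extracting archive: "<path> RarSFX: infected - <n> <action>"
SUMMARY_RE = re.compile(r"^(?P<path>.+?) RarSFX: infected - (?P<count>\d+) (?P<action>\S+)$")


@dataclass(frozen=True)
class Detection:
    reported_path: str   # path exactly as printed, may include '/'-separated archive members
    on_disk_path: str    # file that actually exists on disk (the outermost container)
    verdict: str         # scanner's name for the object, e.g. Trojan.Win32.Agent.amg
    action: str          # what the scanner did with it: skipped, deleted, ...
    nested: bool         # True when the object lives inside an archive


def on_disk(reported_path: str) -> str:
    """Strip archive-member components: everything after the first '/' is inside a container."""
    return reported_path.split("/", 1)[0]


def parse_kos_report(text: str) -> List[Detection]:
    detections: List[Detection] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = INFECTED_RE.match(line)
        if m:
            path = m.group("path")
            detections.append(Detection(path, on_disk(path), m.group("verdict"),
                                        m.group("action"), "/" in path))
            continue
        m = SUMMARY_RE.match(line)
        if m:
            path = m.group("path")
            detections.append(Detection(path, on_disk(path),
                                        f"RarSFX: infected - {m.group('count')}",
                                        m.group("action"), False))
        # header lines and anything else the scanner prints are ignored
    return detections


def files_to_submit(detections: List[Detection]) -> List[str]:
    """Unique on-disk files in first-seen order; archive members collapse to their container."""
    seen: Dict[str, None] = {}
    for d in detections:
        seen.setdefault(d.on_disk_path, None)
    return list(seen)


def verdicts(detections: List[Detection]) -> Dict[str, int]:
    """How many objects carried each verdict, archive summary lines excluded."""
    counts: Dict[str, int] = {}
    for d in detections:
        if not d.verdict.startswith("RarSFX"):
            counts[d.verdict] = counts.get(d.verdict, 0) + 1
    return counts


def not_cleaned(detections: List[Detection]) -> List[Detection]:
    """Objects the scanner only reported; an online scanner skips rather than removes."""
    return [d for d in detections if d.action == "skipped"]


if __name__ == "__main__":
    dets = parse_kos_report(KOS_LOG)
    print("Files to submit:")
    for p in files_to_submit(dets):
        print("  ", p)
    print("Verdicts:", verdicts(dets))
    print("Still on disk:", len(not_cleaned(dets)), "of", len(dets))
```

    Every object in the quoted report is marked "skipped", so nothing was removed: the three container files are still on disk and can be archived for submission as described later in the thread (password-protected zip or rar, password "infected").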
  4. olmer

    olmer Registered Member

    Joined:
    Jun 21, 2007
    Posts:
    4
    Thanks. Sent. That is, if the ISP does not filter them out.
     
  5. De Hollander

    De Hollander Registered Member

    Joined:
    Sep 10, 2005
    Posts:
    718
    Location:
    Windmills and cows
    Send the files to samples@eset.com, archive the samples with rar or zip and password-protect the file with the password 'infected' (without the quotes).
     
  6. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,374
    Just one note re. the topic name; I don't understand why it reads "2342 does not detect common trojans". What is common? Because I could give tons of examples where other famous AVs miss "common" malware. Please understand that what is common for you may not be common for the others and every AV misses some malware.
     
  7. manOFpeace

    manOFpeace Registered Member

    Joined:
    Feb 1, 2003
    Posts:
    716
    Location:
    Ireland
    May I suggest this thread be made a sticky. I also had a trojan and Nod scanner requested to send a sample. I clicked "yes" and waited and waited and.....:rolleyes:
    Nothing.
     
  8. ASpace

    ASpace Guest

    @manOFpeace

    If NOD32 offered to send a sample, then it was already detected -> you remained protected; why would you want to add a definition for something that was already detected by heuristics... If you mean an email answer, ESET Lab doesn't answer submissions.

    Perhaps this should be made sticky:
    Because I could give tons of examples where other famous AVs miss "common" malware :D
     
  9. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,374
    NOD32 does not advise you to submit a sample unless it's caught by heuristics. If it's actually malicious usually no further action will be taken. If you think it's a false positive, it's better to email it to samples[at]eset.com with "FP" in the subject and enclose as much information about it as possible (e.g. the url of the program that triggered an alert, etc)
     
  10. Londonbeat

    Londonbeat Registered Member

    Joined:
    Sep 21, 2006
    Posts:
    350
    I don't know the particular situation manOFpeace was in, but I think if an AV has a signature it can usually clean an infection much better than just with heuristic detections, i.e. remove all traces and registry entries whereas the heuristic just detects the particular suspicious file it is flagging.

    Londonbeat
     
  11. The_Duality

    The_Duality Registered Member

    Joined:
    Apr 3, 2007
    Posts:
    276
    Location:
    Liverpool, UK
    True, but how can you catch zero-day malware without heuristics or other pro-active detection? It is better to find and delete the trojan right away, rather than have it undetected until signatures are released. If NOD saves your credit card numbers, you won't be worried about a few registry entries. In my opinion anyway. Just my 0.02.
     
  12. Londonbeat

    Londonbeat Registered Member

    Joined:
    Sep 21, 2006
    Posts:
    350
    I agree, I'm not criticising heuristics, just pointing out that not adding a signature because it is already detected by heuristics could have some disadvantages, but from reading previous posts here Eset do usually add a signature for submitted heuristic detections, especially if it's widely spreading.

    Londonbeat
     
  13. trjam

    trjam Registered Member

    Joined:
    Aug 18, 2006
    Posts:
    9,057
    Location:
    North Carolina
    I know a vendor that can help you with all this.:)
     
  14. The_Duality

    The_Duality Registered Member

    Joined:
    Apr 3, 2007
    Posts:
    276
    Location:
    Liverpool, UK
    Yes I totally agree with that. Any AV company that uses heuristics in its products should add a generic signature for detections flagged and subsequently submitted by the heuristics engine. As such I would certainly hope that Eset think the same way. Considering that Threatsense does submit heuristically detected threats automatically, I would think that this is the case.

    In hindsight it appears I misinterpreted your post. :ouch: Apologies :)
     
  15. The Hammer

    The Hammer Registered Member

    Joined:
    May 12, 2005
    Posts:
    5,619
    Location:
    Toronto Canada
    I'm sure you do. But what about the new vendor you'll be using next week? :p
     
  16. ASpace

    ASpace Guest

    Next week? You must be kidding. Tomorrow he'll change the vendor and the song again.
     
  17. ALEX(XX)

    ALEX(XX) Registered Member

    Joined:
    Mar 17, 2006
    Posts:
    19
    Also, what about the speed of reaction of the virus laboratory? It simply amazes me. 1.5 weeks ago I sent 21 samples to ESET, and only yesterday did NOD32 detect 1 trojan out of the 21 sent. I like how DrWeb and KAV act when a suspicious file is sent to their laboratory: an automatic answer comes from them with a serial number for the inquiry, and then an answer from a virus analyst comes. Is it really so difficult to do that? I send samples to ESET and I don't even know whether they arrived or not. Sorry for my English.

    Edit ~ Virus Total log removed; please read THIS POST ~ Blackspear.
     
    Last edited by a moderator: Jun 22, 2007
  18. ASpace

    ASpace Guest

  19. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,374
    This is true only for file infectors when submitting infected files helps us create a cleaning algorithm.
     
  20. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,374
    Well, it's quite unbelievable that you'd find 21 threats on your or your fellow's computer. Always bear in mind that signatures are picked up on a per-need basis and samples from collectors are treated with lower priority (unless they are of a higher importance), first we need to serve our clients and not deal with obscure samples from vx sites, etc.
     
  21. Inspector Clouseau

    Inspector Clouseau AV Expert

    Joined:
    Apr 2, 2006
    Posts:
    1,329
    Location:
    Maidenhead, UK
    True, very true. Same here.
     
  22. ALEX(XX)

    ALEX(XX) Registered Member

    Joined:
    Mar 17, 2006
    Posts:
    19
    Well, actually, this is my second year using NOD32 EE. Back then I recommended that our company move to NOD32 and I am very happy with how it works. These 21 samples are real. They were found on the computers of different users and kept by me for a collection, so to say.
     
  23. The_Duality

    The_Duality Registered Member

    Joined:
    Apr 3, 2007
    Posts:
    276
    Location:
    Liverpool, UK
    I can see a pattern emerging here... My 0.02:

    Marcos and other Eset moderators on this forum have gone to great lengths, over time, to explain their signature addition methods. It is explained quite clearly that Eset will not just add "any old rubbish" to their signature database. NOD32 is about great detection, combined with great performance. Performance would hit rock-bottom if Eset added every single sample to their database. If Eset didn't produce a great AV, they wouldn't be in business. Full stop.

    With companies like Kaspersky and Avira in the market, competition is cut-throat. Yet Eset stay afloat. With a great reputation for performance, as well as detection. Eset add their signatures the way they decide to. If you don't like it, use a different AV. It's as simple as that.

    This is not an attack directed at anyone who has posted in this thread, or in this forum - regarding Eset's sample submission policy. I just think that it goes beyond "flogging a dead horse".
     
  24. pykko

    pykko Registered Member

    Joined:
    Apr 27, 2005
    Posts:
    2,236
    Location:
    Romania...and walking to heaven
    That's the best solution. :thumb:
     
  25. Bunkhouse Buck

    Bunkhouse Buck Registered Member

    Joined:
    May 29, 2007
    Posts:
    1,056
    Location:
    Las Vegas
    Having worked with computers since 1968, I can say that NOD32 is one of the most effective software programs I have used. In addition, it is also the best AV program I have used in my company's computers.

    Although I only recently started posting in this forum, I have read the threads for years. There is a pattern here, and it has to do (in my opinion) with competitors of ESET posting various topics that all get back to something NOD32 is doing wrong. While one can never be certain of the psychological motives involved, I can see the financial motivation to attempt to discredit NOD32 by any means possible.

    Many if not most of the critical threads posted here are absurd. After reading a new topic, I often find myself -say what? The comments above me are basically if you don't like NOD32, use some other software. I could not agree more. If any user does not like what ESET provides and the way they provide it, simply use something else. But don't use this forum for unfounded assertions and cheap shots.
     