3 issues/bugs that bother me on NOD32...

Discussion in 'ESET NOD32 Antivirus' started by hubaduba, Jun 11, 2008.

Thread Status:
Not open for further replies.
  1. hubaduba

    hubaduba Registered Member

    Joined:
    Jun 11, 2008
    Posts:
    7
    OK, I'm running Windows XP Pro SP3 with NOD32 Antivirus v3. I'm pretty pissed off, so to say, about three issues:

    1) I submitted a sample of the ise32.exe trojan/backdoor days ago, and NOD32 still has not added it to their detection. They do detect the autorun.inf file that is usually packed with this baby, but not the actual ise32.exe file. If you don't know what ise32.exe does, use Google. Not good. Other antivirus products detected it weeks ago.

    2) NOD32 does not have a way of submitting superhidden files. NOD32 can normally scan the file when scanning the folder (but, as I said in part 1, it still of course doesn't detect it as a virus), but when I try to submit it, the window in NOD32 where I should select the file for submission simply does not see the file! How can this be?!? (No, nothing to do with exclusions.) It can scan it, but it cannot see it in the "Submit file" window! I had to do some dirty trick with this ise32.exe file to even be able to see it normally on Windows XP, and only after that could I see and send it in the "Submit file" window in NOD32.

    3) It seems to be impossible to configure NOD32 for one very simple rule on alerts/notifications: to make NOD32 alert the user(s) when it detects an infection...and ONLY alert users when it detects infections! This is very irritating! Either I have to read all the possible reports on updating and the other stuff that happens all the time too with NOD32, or I cannot see any alerts at all! (Of course I could turn the "cleaning level" to "ask on every infection" to get those reports, but I don't want that; I want NOD32 to automatically kill every malware it finds in the system with its protection on, BUT ALSO to alert me if it finds some malware in the system.)

    Is there any hope on fixing these bugs / issues?
     
  2. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,374
    Please PM me the exact date and subject of the email. I assume you sent it to samples[at]eset.com, right? If not, please send it there in a password protected archive and enclose a link to this thread as well.

    If you mean the option that allows you to attach a file to a customer care request, it depends on your system settings whether hidden files are shown or not. It's a system dialog that we cannot affect. Anyway, the recommended way of submitting samples is by email, they should go to samples[at]eset.com

    I'm not sure if I understand your last point. Do you mean reports in logs or the bubbles that appear when a threat is detected? As for asking for an action when a threat is detected, you should minimize the number of prompts by setting the cleaning level to Strict cleaning. In such a case, you should be prompted for an action if something is detected by heuristics, if a file is infected with a virus and deleting it might result in system instability, etc.
     
  3. hubaduba

    hubaduba Registered Member

    Joined:
    Jun 11, 2008
    Posts:
    7
    I used the built-in system in NOD32, "Submit files for analysis". WTF is the purpose of this "Submit files for analysis" if it really does NOT send the damn files anyway?

    I cannot send it via email, because Gmail doesn't allow .exe files to be sent...no, not even when they are zipped or even double zipped...nonono, not even if they are encrypted, because zip encryption doesn't encrypt filenames or file extensions, so Gmail can still find out that it is an .exe file inside and refuses to send it. If you have some viable method of sending it, sure, I will send it, but I'm not going to do more tricks or open new email accounts simply because the built-in "Submit for analysis" doesn't seem to work at all (or because you don't really understand that it is malware or don't bother answering the submitter's email).

    No. I'm not talking about that; hidden files are shown on my computer. You don't seem to understand. Let me say it again: This file IS superhidden in Windows. It just IS. Period. NOD32 submit files cannot see it (if I don't tweak the file before). Period. I don't know how.

    This is how the file looks NOW (after I tweaked it a bit by zipping and unzipping it). Before tweaking it, I could not see the file myself at all. I don't know why; maybe it had something to do with it being a "system file" (no, not the way Windows considers normal system files, those I can see), kinda like...something, I have seen similar stuff before, don't know where and when, but anyway there IS A WAY FOR WINDOWS TO COMPLETELY HIDE A FILE. NOD32 did see it was there because it was able to scan it, but it was not able to see it in the "Submit file" window.
    http://www.aijaa.com/img/b/00499/2218911.jpg
    Notice that this file is NOT inside MY recycle bin, but in a folder named recycle bin (it was in real recycle bin where it was when I zipped it).

    Bubbles that appear when threat is detected.
    I want NOD32 to alert me only when a virus is found and to have no other alerts or reports popped up on my desktop. I cannot understand how I could possibly explain this any more simply. I don't want to see ANY OTHER ALERTS THAN WHEN A VIRUS IS FOUND.

    No alerts that databases have been updated.
    No alerts that program files have been updated.
    No alerts that NOD32 could not connect to update server.
    No alerts that NOD32 did connect to the server but no new updates were available.
    No other alerts either, except
    ALERT WHEN VIRUS IS DISCOVERED (when antivirus and antispyware protection is enabled).
     
  4. mkuntic

    mkuntic Registered Member

    Joined:
    Mar 6, 2008
    Posts:
    54
    Setup - user interface - alerts and notifications - display only notifications requiring user intervention.
     
  5. hubaduba

    hubaduba Registered Member

    Joined:
    Jun 11, 2008
    Posts:
    7
    Please read what I have already posted before answering. I already said that, yes, but if I have set NOD32 to automatically delete infected files, then it does not require user intervention and therefore it does not display alerts on the viruses that it detects.

    I want NOD32 to automatically kill all the malware it finds AND to get notified by alert when malware is found AND NOT GET NOTIFIED by any other alerts.

    Since other users don't have an administrator account on the computer and don't know the passphrase for the NOD32 settings, they cannot prevent NOD32 from deleting malware (by selecting "no action"), because NOD32 would not ask their permission to delete malware. THIS IS why I don't want to be asked about whether or not to do something about malware, but I still want to be informed when malware is found.
     
  6. hubaduba

    hubaduba Registered Member

    Joined:
    Jun 11, 2008
    Posts:
    7
    A little bit more clarification:
    When I have set only "Display alerts", it DOES display alerts on viruses that are found; HOWEVER, it displays them in the background, behind my running application windows, where they are almost impossible to notice...there is no indication of any viruses in the taskbar, the NOD32 icon, or anywhere else. I need to minimize all windows to see the alert window. This is NOT what I want.

    I would like to get a similar type of warning to the one I get when I set "Display alerts on desktop", but ONLY when viruses are found.
     
  7. hubaduba

    hubaduba Registered Member

    Joined:
    Jun 11, 2008
    Posts:
    7
    Now I managed to send it in an email, subject line
    "ise32.exe backdoor trojan", inside a 7zip compressed and encrypted archive (Gmail doesn't seem to be able to scan inside those), password given in the email.

    Please note that that archive also contains the autorun.ini virus, which NOD32 already detects, but inside the "recycler" folder is the ise32.exe backdoor trojan that NOD32 does NOT detect.
     
  8. edwin3333

    edwin3333 Registered Member

    Joined:
    Aug 29, 2007
    Posts:
    244

    This is usually done via a rootkit:
    http://en.wikipedia.org/wiki/Rootkit

    Microsoft has a rootkit revealer, as do others which are mentioned on this link.

    I found ISE32.EXE and downloaded it to my Mac. VirusTotal shows only 4 of the AV engines detecting this yet. However, VirusTotal's pattern for NOD32 is 3175 and we are on 3182 atm, though 3182 doesn't detect it either. I've submitted it to ESET too.
     
    Last edited: Jun 12, 2008
  9. hubaduba

    hubaduba Registered Member

    Joined:
    Jun 11, 2008
    Posts:
    7
    Yes, but this is not the case with this file, since it has not installed itself onto my system.

    This file hides itself by somehow making Windows believe that it's some "constantly kept in recycle bin system file". I don't remember the process of how it actually goes, but if you look at any file in your recycle bin, you can notice that you cannot, for example, rename it from Windows Explorer! Try it out, put a file in the recycle bin and try to rename it! You can't! You can only delete it, restore it or view its properties. How is this possible? It's a feature, not a bug, in Windows somehow! :D

    Well, this is a pretty bad file, I will tell you that. Apparently this was the source of the massive infection of a computer I worked very hard to clean. The damn thing automatically adds itself to all USB sticks and makes them "autorun" to infect all the systems you plug the USB stick into (unless those systems have disabled autorun on drives). Not to mention it apparently downloads more nasty malware onto the system.

    I hope ESET quickly adds it to detection...
     
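    The autorun.inf plus RECYCLER-folder layout hubaduba describes in this post is a pattern a defender can check for on a removable drive before trusting it. The following is an added example, not code from the thread or from ESET; the sample autorun.inf contents and the SID-like folder name are constructed for illustration.

```python
"""Parse an autorun.inf and flag the launch pattern described in this thread.
Added example, not code from the thread or from ESET: it collects every command
the [autorun] section would run and reports payloads started from a
RECYCLER-style folder. Sample contents below are constructed for illustration."""
SUSPICIOUS_DIRS = {"recycler", "recycled", "$recycle.bin"}
EXEC_EXTS = (".exe", ".com", ".scr", ".bat", ".cmd", ".pif", ".vbs")

def parse_autorun(text):
    """Return the key=value pairs of the [autorun] section (keys lower-cased)."""
    entries, in_section = {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_section = line[1:-1].strip().lower() == "autorun"
        elif in_section and "=" in line:
            key, _, value = line.partition("=")
            entries[key.strip().lower()] = value.strip()
    return entries

def launch_targets(entries):
    """Commands autorun would execute: open=, shellexecute=, shell\\<verb>\\command=."""
    return [v for k, v in entries.items() if k in ("open", "shellexecute")
            or (k.startswith("shell\\") and k.endswith("\\command"))]

def executable_of(command):
    """First token of a command line, honouring a quoted path."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    return command.split()[0] if command else ""

def assess(text):
    """Indicator strings for one autorun.inf; an empty list means nothing flagged."""
    findings = []
    for cmd in launch_targets(parse_autorun(text)):
        exe = executable_of(cmd).replace("/", "\\").lower()
        if any(f in SUSPICIOUS_DIRS for f in exe.split("\\")[:-1]):
            findings.append(f"payload in recycler-style folder: {exe}")
        elif exe.endswith(EXEC_EXTS):
            findings.append(f"autorun starts an executable: {exe}")
    return findings

# Constructed sample: payload parked under a fake RECYCLER folder, as in the thread.
MALICIOUS = ("[autorun]\nopen=RECYCLER\\S-1-5-21-EXAMPLE\\ise32.exe\n"
             "shell\\open\\Command=\"RECYCLER\\S-1-5-21-EXAMPLE\\ise32.exe\" /s\n"
             "icon=%SystemRoot%\\system32\\SHELL32.dll,4\n")
BENIGN = "[autorun]\nlabel=Backup Disk\nicon=disk.ico\n"
```

Call `assess()` on the text of a drive's autorun.inf; a non-empty result lists every launch entry that points at an executable or into a recycler-style folder.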
  10. hubaduba

    hubaduba Registered Member

    Joined:
    Jun 11, 2008
    Posts:
    7
    Finally NOD32 detects ise32.exe.

    However, the 2 problems still remain. Anyone?
     
  11. Bubba

    Bubba Updates Team

    Joined:
    Apr 15, 2002
    Posts:
    11,271
    If one of those 2 items refers to the below, that's not possible. My belief is I will win the lotto before that's enacted.

     