antivir missed trojan

Discussion in 'other anti-virus software' started by hawkeen, Oct 13, 2006.

Thread Status:
Not open for further replies.
  1. hawkeen

    hawkeen Registered Member

    Joined:
    Apr 9, 2006
    Posts:
    78
    Hello All,

    I found a .exe inside a .zip email attachment and I scanned it with Antivir and Nod32 (both updated) and both missed it. Kaspersky was able to neutralize it and protect the system without any updates.

    The virus is detected: Trojan program Trojan.Win32.Small.kn

    Now, I would never open an attachment and run it but still, I did not like the fact that antivir missed a trojan that has been around since 3/1/2006.

    The short love affair with antivir is now over. I hope it continues to improve but I will stay with kaspersky for now.

    cheers
    Hawk
     
  2. veri

    veri Registered Member

    Joined:
    Aug 3, 2006
    Posts:
    138
    Possible KAV FP?

    Uploaded to Jotti?
     
  3. btman

    btman Registered Member

    Joined:
    Feb 11, 2006
    Posts:
    576
    You've made a good choice. But yes, upload to VirusTotal or Jotti's. And two, you have antivir, nod32 AND kaspersky on your computer?
     
  4. JerryM

    JerryM Registered Member

    Joined:
    Aug 31, 2003
    Posts:
    4,221
    Do you have a resident, real time, anti-trojan scanner?
    There have been threads discussing whether or not an anti-trojan program, such as Ewido, is necessary and adds protection.

    Accordingly, I would appreciate knowing what you have in the way of AT applications either real time or on demand.

    Also, are you using Avira Classic or Premium? It is my understanding that Classic does not scan email, but instead treats it as any other download. Therefore, it would detect and "block" the trojan if you attempted to open the attachment.
    I assume that you did not attempt to open the attachment, but instead scanned it. Is that correct? How did you treat the attachment? I am not sure that Avira would detect it at that point.

    Thanks for the information. I am using Avira Classic and am interested in your situation.

    I posted the original question on the Avira Classic forum. Hope that is OK.

    Best,
    Jerry
     
    Last edited: Oct 14, 2006
  5. the Tester

    the Tester Registered Member

    Joined:
    Jul 28, 2002
    Posts:
    2,854
    Location:
    The Gateway to the Blue Hills,WI.
    I would be interested to know the results of a VirusTotal or Jotti's online scan.

    If it does indeed happen that AntiVir and Nod32 missed a trojan, it's a fact of life.
    No security program is perfect. They all miss something sooner or later.
     
  6. hawkeen

    hawkeen Registered Member

    Joined:
    Apr 9, 2006
    Posts:
    78
    I have 3 different AVs installed on 3 diff computers.

    Here are the results of the Jotti upload. NOD32 did not detect it on my work machine. I do not know why it is now.


    AntiVir: Found nothing
    ArcaVir: Found nothing
    Avast: Found nothing
    AVG Antivirus: Found Downloader.Generic2.TFP
    BitDefender: Found Trojan.Downloader.Agent.APP
    ClamAV: Found Trojan.Downloader.Small-2854
    Dr.Web: Found Trojan.DownLoader.14120
    F-Prot Antivirus: Found W32/Goldun.NK
    Fortinet: Found W32/Dloader.AYT!tr.dldr
    Kaspersky Anti-Virus: Found Trojan.Win32.Small.kn
    NOD32: Found Win32/TrojanDownloader.Small.NPO
    Norman Virus Control: Found W32/DLoader.BAOZ
    VirusBuster: Found nothing
    VBA32: Found nothing

    cheers
    Hawk

    EDIT: I just rescanned with Nod32 having today's update. Now nod32 is detecting the trojan. It did not this morning when the email arrived in the inbox.
     
  7. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,374
    I'm highly suspicious that the file was corrupted. It's very unlikely that NOD32 wouldn't detect a threat propagating by email, especially if it's so old as you said. Could you send it to support @ eset.com in a password protected archive with a link to this thread to confirm or deny my assumption?

    Edit:
    There have been no updates to NOD32 for about 10 hours, so your NOD32 must have been outdated when the email arrived. Note that Jotti's scanner is not reliable; sometimes you have to upload the same file several times to get the right result. Next time I'd suggest you scan suspicious files at www.virustotal.com as well.
     
  8. hawkeen

    hawkeen Registered Member

    Joined:
    Apr 9, 2006
    Posts:
    78
    First, there is no corrupted file. Nod32 just missed it. Believe it or not, but it's a fact. Second, there was a nod32 update today at 18:31 hours, which is about 6:31 PM EST.

    Furthermore, Nod32 is not very good at trojan detection/removal. Its forte is virus detection/removal.

    cheers
    Hawk
     
  9. FRug

    FRug Registered Member

    Joined:
    Feb 7, 2006
    Posts:
    309
    hawkeen: just because KAV labels it the same as a threat from the beginning this year does not mean it actually IS the same malware. It could have been slightly modified/repacked/crypted and thus have received the same name, but the actual detection signature can be completely different.

    Besides, it's nothing new that no AV software finds all threats. The same thing that has happened with this file for you and Antivir can happen tomorrow with Kaspersky.

    You should not draw conclusions based on one sample but rather take comprehensive and thorough tests by professionals like this one http://www.eweek.com/article2/0,1895,2023127,00.asp as an indication for the quality of a scanner.
     
  10. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,374
    I'm not saying that NOD32 didn't miss it. It was a new piece of malware and a signature was required in order to be detected. This is the fact.

    This is from my log:

    Time Module Event User
    13. 10. 2006 23:49:36 Kernel The virus signature database has been successfully updated to version 1.1803 (20061013).

    Do you see the time 23:49 (11:49 PM)? It's 10:19 AM here now so I received this update about 10 hours ago.

    Could you give me an example please? Complaining without evidence does no good.
     
  11. Londonbeat

    Londonbeat Registered Member

    Joined:
    Sep 21, 2006
    Posts:
    350
    Are you basing this on personal experience or empirical fact? I have personally found version 2.5 of nod32 to be one of the best antiviruses at removing Trojans and other malware.
    As for its detection of trojans, this has been steadily increasing over the last couple of years and is now at pretty much the same level as other 'top tier' antiviruses such as Kaspersky and Antivir, according to av-comparatives.

    Regards
     
  12. trjam

    trjam Registered Member

    Joined:
    Aug 18, 2006
    Posts:
    9,057
    Location:
    North Carolina
    Good job, Kav.:)
     
  13. dah145

    dah145 Registered Member

    Joined:
    Jul 3, 2006
    Posts:
    262
    Location:
    n/a
    +1 as always
    :cool:
     
  14. Stefan Kurtzhals

    Stefan Kurtzhals AV Expert

    Joined:
    Sep 30, 2003
    Posts:
    701
    Please send the sample as a password encrypted ZIP to heuristik2 (at) avira dot com, I will have the sample analysed and the detection improved.
     
  15. hawkeen

    hawkeen Registered Member

    Joined:
    Apr 9, 2006
    Posts:
    78
    Here is the scan from VirusTotal. Sophos is still not detecting it, nor is Avast. Antivir's recent update catches it now.

    AntiVir 7.2.0.30 10.14.2006 TR/Small.KN.1
    Authentium 4.93.8 10.13.2006 W32/Goldun.NK
    Avast 4.7.892.0 10.13.2006 no virus found
    AVG 386 10.14.2006 Downloader.Generic2.TFP
    BitDefender 7.2 10.14.2006 Trojan.Downloader.Agent.APP
    CAT-QuickHeal 8.00 10.14.2006 no virus found
    ClamAV devel-20060426 10.14.2006 Trojan.Downloader.Small-2854
    eTrust-InoculateIT 23.73.22 10.13.2006 Win32/Ursnif.MJI!Trojan
    eTrust-Vet 30.3.3131 10.13.2006 Win32/Ursnif!downloader
    DrWeb 4.33 10.14.2006 Trojan.DownLoader.14120
    Ewido 4.0 10.14.2006 Trojan.Small.kn
    Fortinet 2.82.0.0 10.14.2006 W32/Dloader.AYT!tr.dldr
    F-Prot 3.16f 10.13.2006 security risk named W32/Goldun.NK
    F-Prot4 4.2.1.29 10.13.2006 W32/Goldun.NK
    Ikarus 0.2.65.0 10.13.2006 Win32.Outbreak
    Kaspersky 4.0.2.24 10.14.2006 Trojan.Win32.Small.kn
    McAfee 4873 10.13.2006 Downloader-AXM
    Microsoft 1.1603 10.14.2006 TrojanDownloader:Win32/Agent.EP
    NOD32v2 1.1803 10.13.2006 Win32/TrojanDownloader.Small.NPO
    Norman 5.80.02 10.13.2006 W32/DLoader.BAOZ
    Panda 9.0.0.4 10.14.2006 Trj/SpyForms.J
    Sophos 4.10.0 10.13.2006 no virus found
    TheHacker 6.0.1.098 10.14.2006 Trojan/Small.kn
    UNA 1.83 10.13.2006 no virus found
    VBA32 3.11.1 10.13.2006 no virus found
    VirusBuster 4.3.7:9 10.14.2006 Trojan.Small.EVT

    cheers
    Hawk
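The two multi-engine reports in this thread (the Jotti list in post 6 and the VirusTotal list above) are the kind of evidence a defender should compare over time rather than read as a snapshot. The script below is an added example, not code from the thread or from either scanning service: it parses excerpts of both reports as they were pasted here, computes each scan's detection ratio, lists the engines that missed, and shows which engines gained detection between the two scans. The engine-name alias table and both parsers are this example's own assumptions, inferred from the pasted output, not a published format of Jotti or VirusTotal.

```python
import re

# Constructed input: an excerpt of the Jotti list hawkeen pasted in post 6
# (the format alternates an engine line with a "Found ..." line).
JOTTI_REPORT = """\
AntiVir
Found nothing
Avast
Found nothing
AVG Antivirus
Found Downloader.Generic2.TFP
Kaspersky Anti-Virus
Found Trojan.Win32.Small.kn
NOD32
Found Win32/TrojanDownloader.Small.NPO
VirusBuster
Found nothing
VBA32
Found nothing
"""

# Constructed input: an excerpt of the VirusTotal list from post 15
# (engine, version, signature date, result; the result may be several words).
VIRUSTOTAL_REPORT = """\
AntiVir 7.2.0.30 10.14.2006 TR/Small.KN.1
Avast 4.7.892.0 10.13.2006 no virus found
AVG 386 10.14.2006 Downloader.Generic2.TFP
CAT-QuickHeal 8.00 10.14.2006 no virus found
ClamAV devel-20060426 10.14.2006 Trojan.Downloader.Small-2854
F-Prot 3.16f 10.13.2006 security risk named W32/Goldun.NK
Kaspersky 4.0.2.24 10.14.2006 Trojan.Win32.Small.kn
NOD32v2 1.1803 10.13.2006 Win32/TrojanDownloader.Small.NPO
Sophos 4.10.0 10.13.2006 no virus found
UNA 1.83 10.13.2006 no virus found
VBA32 3.11.1 10.13.2006 no virus found
VirusBuster 4.3.7:9 10.14.2006 Trojan.Small.EVT
"""

# Assumed alias table (this example's own, not published by either service):
# maps Jotti's engine names onto VirusTotal's so one vendor lines up across scans.
ALIASES = {"AVG Antivirus": "AVG", "Dr.Web": "DrWeb", "F-Prot Antivirus": "F-Prot",
           "Kaspersky Anti-Virus": "Kaspersky", "NOD32": "NOD32v2",
           "Norman Virus Control": "Norman"}
# One VirusTotal line: engine, version, mm.dd.yyyy signature date, free-text result.
VT_LINE = re.compile(r"^(\S+)\s+(\S+)\s+(\d{2}\.\d{2}\.\d{4})\s+(.+)$")


def parse_jotti(text):
    """Return {canonical engine: label}, with label None where the engine found nothing."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    if len(lines) % 2:
        raise ValueError("Jotti report has an engine line without a result line")
    verdicts = {}
    for engine, result in zip(lines[::2], lines[1::2]):
        if not result.startswith("Found "):
            raise ValueError(f"unexpected Jotti result line: {result!r}")
        label = result[len("Found "):]
        verdicts[ALIASES.get(engine, engine)] = None if label.lower() == "nothing" else label
    return verdicts


def parse_virustotal(text):
    """Return {canonical engine: label} from VirusTotal's 2006 plain-text output."""
    verdicts = {}
    for ln in filter(None, map(str.strip, text.splitlines())):
        m = VT_LINE.match(ln)
        if not m:
            raise ValueError(f"unparseable VirusTotal line: {ln!r}")
        engine, _version, _sigdate, result = m.groups()
        verdicts[ALIASES.get(engine, engine)] = None if result.lower() == "no virus found" else result
    return verdicts


def detection_ratio(verdicts):
    """(engines reporting a detection, engines that scanned the file)."""
    return sum(label is not None for label in verdicts.values()), len(verdicts)


def misses(verdicts):
    """Engines that returned no detection, sorted for stable comparison."""
    return sorted(engine for engine, label in verdicts.items() if label is None)


def coverage_change(earlier, later):
    """For engines present in both scans: which gained detection between the
    scans, which lost it, and which still miss the sample in both."""
    shared = sorted(earlier.keys() & later.keys())
    gained = [e for e in shared if later[e] and not earlier[e]]
    lost = [e for e in shared if earlier[e] and not later[e]]
    still = [e for e in shared if not earlier[e] and not later[e]]
    return gained, lost, still


if __name__ == "__main__":
    jotti, vt = parse_jotti(JOTTI_REPORT), parse_virustotal(VIRUSTOTAL_REPORT)
    for name, verdicts in (("Jotti", jotti), ("VirusTotal", vt)):
        hits, total = detection_ratio(verdicts)
        print(f"{name}: {hits}/{total} engines detect; misses: {', '.join(misses(verdicts))}")
    gained, lost, still = coverage_change(jotti, vt)
    print(f"gained detection: {gained}; lost: {lost}; still missing in both: {still}")
```

Run on these excerpts, the comparison shows AntiVir and VirusBuster moving from "Found nothing" to a detection between the two scans while Avast and VBA32 miss in both, which is the same picture the later posts describe in words: a single engine's miss on one day says little until you look at the same sample again after the next signature update. The alias table is the fragile part of any such comparison; different services name the same vendor differently, and an unmapped name silently drops out of the shared set rather than being counted as a change.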
     
  16. Firefighter

    Firefighter Registered Member

    Joined:
    Oct 28, 2002
    Posts:
    1,670
    Location:
    Finland
    Don't worry. These kinds of things you can see with any top tier av when you surf enough. S...t happens! :D

    Best regards,
    Firefighter!
     
  17. the Tester

    the Tester Registered Member

    Joined:
    Jul 28, 2002
    Posts:
    2,854
    Location:
    The Gateway to the Blue Hills,WI.
    I have a feeling that some users will be changing AVs a lot if the measuring stick is not missing any malware.

    Seriously though,
    Looks like most av's got up to speed quickly on this missed sample.
     
  18. JerryM

    JerryM Registered Member

    Joined:
    Aug 31, 2003
    Posts:
    4,221
    Hi hawkeen,

    Would you take a look at my post, No. 4, and see if there is anything you can and will answer? Thanks.

    Best,
    Jerry
     
  19. hawkeen

    hawkeen Registered Member

    Joined:
    Apr 9, 2006
    Posts:
    78
    Jerry,

    I was using antivir premium (paid for it) and no, I am not using any anti-trojan software.

    This is not the first time something like this has happened. About a year ago, we had a temp worker's computer infected with quite a few viruses/trojans. First I tried updating and using the Norton corporate version. It did not remove very many. Next, I downloaded Nod32 (we have a multi-user license with nod32) and it removed quite a few of the viruses/trojans. However, it did not remove the live process trojan that was currently running. It was called sdbot or something. Anyway, I downloaded KAV and used the trial version to finish cleaning the machine.

    Again, I know that AVs are not perfect and that they ALL miss stuff. This is just from my work experience in a large IT setting.

    We will be moving to KAV when the next set of licenses expire.

    cheers
    Hawk


    EDIT: AVs were uninstalled properly and at any one time, only 1 AV was running on this system.
     
  20. JerryM

    JerryM Registered Member

    Joined:
    Aug 31, 2003
    Posts:
    4,221
    Hi Hawk,

    Thanks for the reply.

    I suppose that in an environment where some of the workers do not understand the danger on the net, there will be such infections.

    In my view Kaspersky can't be beat, but I also have a high opinion of Avira. I am using both, although Avira is the Classic version. I do have other anti-malware applications. I am surprised that, considering the number of infections the company has experienced, other anti-malware applications are not used.

    Best,
    Jerry
     
  21. Toby75

    Toby75 Registered Member

    Joined:
    Mar 10, 2006
    Posts:
    480
    You hit it right on the head.

    Exactly...this is what counts!
     
  22. QBgreen

    QBgreen Registered Member

    Joined:
    Jan 1, 2005
    Posts:
    627
    Location:
    Queens County, NY
    As good as the top-tier AVs are at detecting trojans, they will miss some. BOClean is a constant companion of any AV that I choose to run on my system.
     
  23. RejZoR

    RejZoR Registered Member

    Joined:
    May 31, 2004
    Posts:
    6,426
    Yay, it missed 1 sample (one!). Just wait till KAV misses one. What will you change it for next time?
     
  24. doctor IT

    doctor IT Registered Member

    Joined:
    Mar 4, 2006
    Posts:
    30
    He missed a lot in fact :D Some files that have been detected by Avira's and, especially, BitDefender's heuristic engines. The picture is only a sample. In the last table only BitDefender detected a variant of Zlob.
     
    Last edited by a moderator: Oct 15, 2006
  25. BlueZannetti

    BlueZannetti Administrator

    Joined:
    Oct 19, 2003
    Posts:
    6,590
    To all:

    As already noted here, and the advice applies generally, snapshot-in-time screenshots can be irrelevant at best, and misleading at worst. Their use in specific diagnostic cases is fine. However, as an objective assertion of comparative performance, they should be avoided.

    Thanks in advance.

    Blue
     