Antivirus Test

Discussion in 'ESET NOD32 v3 Beta Forum' started by ramponge, Jul 28, 2004.

Thread Status:
Not open for further replies.
  1. ramponge

    ramponge Registered Member

    Joined:
    Jul 28, 2004
    Posts:
    9
    I found an AV test in another forum:

    snip - link removed - BlueZannetti - 28/7/2004

    Once the file was downloaded and unzipped, I scanned it and NOD32 found 534 viruses in this file (instead of 593). Others with AVs like AVG, F-Prot, KAV and NAV found from 588 to 591 infected files.

    I changed settings (Deep heuristic, advanced heuristic...) but it kept finding only 534 viruses :rolleyes:

    BTW I have used NOD32 for a year, and I know it's a very good AV; I'm just wondering about the reason why.

    (using NOD32 beta (2.000.11b) on an XP box)
     
    Last edited by a moderator: Jul 28, 2004
  2. IBK

    IBK AV Expert

    Joined:
    Dec 22, 2003
    Posts:
    1,818
    Location:
    Innsbruck (Austria)
    1. REMOVE THE LINK TO VIRUS SAMPLES!
    2. At least 25 files are just garbage/innocent.
     
  3. Blackspear

    Blackspear Global Moderator

    Joined:
    Dec 2, 2002
    Posts:
    15,115
    Location:
    Gold Coast, Queensland, Australia
    REMOVE the link to viruses, or have it removed by a Mod.
     
  4. ramponge

    ramponge Registered Member

    Joined:
    Jul 28, 2004
    Posts:
    9
    Sorry for the link :oops:

    Any ideas why there is such a difference between the 534 viruses found by NOD32 and the 580+ found by other AVs...

    Thanks for your help !!
     
  5. ronjor

    ronjor Global Moderator

    Joined:
    Jul 21, 2003
    Posts:
    57,719
    Location:
    Texas
  6. ramponge

    ramponge Registered Member

    Joined:
    Jul 28, 2004
    Posts:
    9
    Thanks Ronjor for the link

    This post from Anton is certainly a clear answer for my issue.

    Thanks again
     
  7. ronjor

    ronjor Global Moderator

    Joined:
    Jul 21, 2003
    Posts:
    57,719
    Location:
    Texas
    You are welcome ramponge!
     
  8. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,374
    Just wanna give my $0.02 - some of the files in that collection were virus cleaners and some others were just testing utilities with the text "this is not a virus" or something like that. We analyzed it some time ago and found out there was nothing more NOD should detect.
     
  9. Blackspear

    Blackspear Global Moderator

    Joined:
    Dec 2, 2002
    Posts:
    15,115
    Location:
    Gold Coast, Queensland, Australia
    Nice to know Marcos, thanks for your 2 cents worth, think it was actually worth a bit more than that ;)

    Cheers :D
     
  10. ramponge

    ramponge Registered Member

    Joined:
    Jul 28, 2004
    Posts:
    9
    Thanks for your answer Marcos

    I didn't worry much about these samples; I know that NOD32 is pretty good software (Virus Bulletin and others), I just wanted to know why...

    BTW I have no problem with NOD32 B, only with a file and a directory that I can't exclude from scanning by AMON :doubt:
     
  11. Blackspear

    Blackspear Global Moderator

    Joined:
    Dec 2, 2002
    Posts:
    15,115
    Location:
    Gold Coast, Queensland, Australia
    Can you name the file and see what answers are found...

    Cheers :D
     
  12. ramponge

    ramponge Registered Member

    Joined:
    Jul 28, 2004
    Posts:
    9
    It's outpost.ini in the Outpost folder.

    When I exclude it, it appears in the exclusion window but AMON keeps scanning the file. I also stopped and restarted NOD32 but it was the same o_O
     
  13. ronjor

    ronjor Global Moderator

    Joined:
    Jul 21, 2003
    Posts:
    57,719
    Location:
    Texas
    Make sure when you exclude a file, you hit the file button.

    Choose add, file, hit the file button, highlight outpost.ini and apply.

    Be sure to tick the file area too.
     

  14. Blackspear

    Blackspear Global Moderator

    Joined:
    Dec 2, 2002
    Posts:
    15,115
    Location:
    Gold Coast, Queensland, Australia
    There is a thread already running on this here:

    https://www.wilderssecurity.com/showthread.php?t=42476

    You might want to add your name to the list and subscribe to that thread for any further outcomes.

    Cheers :D
     
  15. ramponge

    ramponge Registered Member

    Joined:
    Jul 28, 2004
    Posts:
    9
    The issue is solved in the other thread :)

    Thanks for your help
     
  16. Mele20

    Mele20 Former Poster

    Joined:
    Apr 29, 2002
    Posts:
    2,495
    Location:
    Hilo, Hawaii
    Anton's answer is not impressive. Not when you witness KAV 4.5 catching all but 3. I refuse to believe that KAV is detecting garbage. I just ran this file by both scanners and NOD32 just doesn't perform well.

    On a related note, I'd like Anton to come over to DSLreports and explain why NOD32 doesn't detect hxxp://members.rogers.com/wildcatboy/iebug.jpg using IE. I've submitted it to Juraj. KAV isn't detecting it either, but it has been submitted and I'm sure they will detect it soon. (KAV would probably have detected it by now, but they had a problem with an update today ruining the bases so they have been preoccupied.) Most AV vendors detect it as JS.Exception.exploit and those that don't are scrambling now to detect it. I wonder what Eset's position will be on this? I had originally told WCB that NOD32 would not detect this because it isn't an actual virus and that I would not bother to submit it for this reason. (My comment here was based on that post from Anton.) I was jumped on and told that I should let Eset decide if they wanted to detect it. So, I submitted it.

    DSLreports' security forum moderator Wildcatboy has this to say about NOD32's non-detection in response to my post reporting what Juraj said:

    Mele20 20m NOTE: this is in response to the post by Randy Bell
    Juraj says it's a harmless jpeg and wants to know what code I was wanting NOD32 to detect.

    So how do I submit this so he can see the exploit? I just downloaded the jpeg, zipped and password protected it, and then sent it.

    Wildcatboy 2h5m
    That's the whole point Mele, it's not a jpeg. IE may think it is but it's not. When you open a .jpg file with Notepad, you'll see gibberish. When you open this file with Notepad, you won't.

    I believe the problem is not that your AV doesn't understand this script. Chances are it may already detect it in script form. It may be that your AV doesn't understand that this script is actually being run and doesn't even look at it.

    The thread is here:
    http://www.dslreports.com/forum/remark,10890980~mode=flat~start=0

    BTW, there was no need to remove the link to the file that has the 595 viruses unless you just don't want NOD32 users to see for themselves. That link didn't violate any rules here. The files have all been renamed so they are harmless and cannot execute.
     
    Last edited by a moderator: Jul 31, 2004
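    Wildcatboy's observation above (a real .jpg looks like gibberish in Notepad, while this file reads as text) amounts to a content-versus-extension check, and that check can be automated. The following Python is an added example for this thread, not code from any poster or from any product mentioned here: it classifies a file by its leading bytes (well-known JPEG, PNG and GIF signatures, otherwise "text"/"markup" when the head is entirely printable ASCII) and flags any file whose extension claims an image type that the bytes do not support. The file names and byte strings in SAMPLES are constructed for the demonstration and are not the file discussed in the thread.

```python
import string

# Well-known leading signatures ("magic bytes") for common image formats.
SIGNATURES = {
    "jpeg": (b"\xff\xd8\xff",),
    "png": (b"\x89PNG\r\n\x1a\n",),
    "gif": (b"GIF87a", b"GIF89a"),
}

# What a file name *claims* to be, keyed by extension.
IMAGE_EXTENSIONS = {"jpg": "jpeg", "jpeg": "jpeg", "png": "png", "gif": "gif"}

_PRINTABLE = set(bytes(string.printable, "ascii"))


def sniff_type(data: bytes) -> str:
    """Classify content by its bytes, ignoring the file name entirely."""
    for name, magics in SIGNATURES.items():
        if any(data.startswith(m) for m in magics):
            return name
    head = data[:512]
    # A genuine image head contains non-printable bytes; readable ASCII
    # throughout is the "you won't see gibberish in Notepad" case.
    if head and all(b in _PRINTABLE for b in head):
        if head.lstrip().lower().startswith(b"<"):
            return "markup"  # HTML-like text such as an inline script block
        return "text"
    return "binary"


def declared_type(filename: str) -> str:
    """Type implied by the extension, or 'unknown' for non-image names."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    return IMAGE_EXTENSIONS.get(ext, "unknown")


def check_file(filename: str, data: bytes) -> dict:
    """Report the declared type, the sniffed type and whether they disagree."""
    declared = declared_type(filename)
    actual = sniff_type(data)
    mismatch = declared != "unknown" and declared != actual
    return {"file": filename, "declared": declared, "actual": actual, "mismatch": mismatch}


# Constructed samples (hypothetical names and bytes, not the thread's file).
SAMPLES = {
    # A minimal JPEG/JFIF header followed by zero padding.
    "holiday.jpg": b"\xff\xd8\xff\xe0\x00\x10JFIF\x00\x01" + bytes(32),
    # Readable markup stored under an image extension: the mismatch case.
    "picture.jpg": b"<html><!-- constructed sample text, not the file from the thread --></html>\n",
    # Plain text under a non-image extension: nothing to flag.
    "readme.txt": b"just some notes\n",
}


def flagged_files(samples=SAMPLES) -> list:
    """Names of files whose bytes contradict the image type their extension claims."""
    return [name for name, data in samples.items() if check_file(name, data)["mismatch"]]


if __name__ == "__main__":
    for name, data in SAMPLES.items():
        print(check_file(name, data))
    print("flagged:", flagged_files())
```

    The check deliberately trusts the bytes over the name: a scanner that decides what to look at from the extension alone never parses a file like the one Wildcatboy describes, which is exactly the gap his second paragraph points at.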
  17. flyrfan111

    flyrfan111 Registered Member

    Joined:
    Jun 1, 2004
    Posts:
    1,224
    Have you ever read the terms of service for this forum? Obviously not. It reads in part:
    Wilders Security Forums - Terms Of Service

    You agree, through your use of this forum, that you will not post any material which is false, defamatory, inaccurate, abusive, vulgar, hateful, harassing, obscene, profane, sexually oriented, threatening, invasive of a person's privacy, or otherwise in violation of ANY law. This is not only a forum policy, but legal actions can be taken against you in accordance with appropriate laws. You also agree not to post or upload any copyrighted material unless the copyright is owned by you or you have consent from the owner of the copyrighted material. Spam, flooding, advertisements, chain letters, pyramid schemes, and solicitations are also inappropriate in this forum. Furthermore, you agree not to post any links to warez sites or sites from which malware (viruses, worms, trojans, backdoors etc.) can be downloaded.

    Additionally, your friend wildcatboy in the link you provided stated that the script is harmless, so why would Eset want NOD to detect a harmless script? The problem he is attempting to demonstrate is how IE handles script and how easily it can be tricked into running scripts; the fault lies with Microsoft, not NOD. CERT has been recommending that people use an alternative browser for almost 6 months now.

    Lastly, downloading viruses just to see if your AV will catch them is a little extreme. Would you shoot yourself just to see if your first aid kit works? Most of the viruses in that file that NOD doesn't detect are more than 10 years old and designed for DOS, and as such wouldn't run on WinMe and above, or are proof-of-concept viruses that do not do any damage.
     
    Last edited: Jul 31, 2004
  18. snapdragin

    snapdragin Administrator

    Joined:
    Feb 16, 2002
    Posts:
    8,415
    Location:
    Southern Ont., Canada
    Hi Mele,

    flyrfan111 is right, and our TOS is quite clear on this matter. Specifically in regards to your statement that there was nothing wrong with the link to the malware files, and this section of the TOS:

    "Furthermore, you agree not to post any links to warez sites or sites from which malware (viruses, worms, trojans, backdoors etc.) can be downloaded."

    This includes renamed malware files as well. Whether they are disabled or not...malware files are malware files, and any link to such files will be removed.

    Regards,

    snap
     
  19. Blackspear

    Blackspear Global Moderator

    Joined:
    Dec 2, 2002
    Posts:
    15,115
    Location:
    Gold Coast, Queensland, Australia
    Nicely said Flyrfan.

    Mele, it is not only NOD32 users that peruse this forum. What if a person came along without antivirus software and tried that link, just to see what happens, or their antivirus was not up to standard... We don't want to start hearing: "I was infected by a virus while at Wilders Security..."

    Cheers :D
     
  20. Mele20

    Mele20 Former Poster

    Joined:
    Apr 29, 2002
    Posts:
    2,495
    Location:
    Hilo, Hawaii
    I understand if the files could be executed. But these are zipped first of all and then each has been renamed so they are harmless. The policy seems excessive in a case like this. Of course, I don't approve of links to live viruses, but IMO this is in another category. Oh well, I've just had people come from here over to dslr and IM me to get the link. :)

    I'm sorry I brought it up.
     
  21. BlueZannetti

    BlueZannetti Administrator

    Joined:
    Oct 19, 2003
    Posts:
    6,590
    Mele20,

    Although the policy might seem excessive, another way to view it is that there is no ambiguity. An inexperienced user contemplating posting a link to malware or potential malware, for whatever reason, does not have to make a determination of what is safe and what is not since the link, simply stated, shouldn't be there. Case closed. That's the rationale behind my edit of the link originally provided. The motivations of the original poster are not in any doubt in my mind - they were quite positive - to understand some behavior of NOD32 in a specific case and by this, to help him/herself and other users in the process.

    While you have the experience to render an informed judgement, many either do not or may make an ill-informed decision at some point. There are simply too many grey areas possible (sample is "disabled"; it's harmless on my machine; won't do anything harmful as long as you don't extract it, etc.) to effectively monitor and administer. Practically speaking, the unambiguous guideline is the safest and most equitable situation for all involved.

    I realize that this policy makes it somewhat more difficult for users discussing and evaluating situations such as the one discussed in this thread. As with any situation, there is a balance between safety and expediency that we always try to achieve. Depending on the potential magnitude of the unintended consequences, that balance shifts either towards safety or expediency. Here, safety is paramount.

    Despite the occasional inconvenience, thanks for understanding.

    Blue
     
  22. Blackspear

    Blackspear Global Moderator

    Joined:
    Dec 2, 2002
    Posts:
    15,115
    Location:
    Gold Coast, Queensland, Australia
    Nice post Blue.

    Cheers :D
     
  23. Mele20

    Mele20 Former Poster

    Joined:
    Apr 29, 2002
    Posts:
    2,495
    Location:
    Hilo, Hawaii
    OK, BlueZannetti, when you explain it like that I see the reason much more clearly and it makes a lot more sense to me. Thanks for taking the time to explain fully why Wilders has this policy. :)
     
  24. Mele20

    Mele20 Former Poster

    Joined:
    Apr 29, 2002
    Posts:
    2,495
    Location:
    Hilo, Hawaii
    I can't believe one of you mods changed my link to Wildcatboy's demo. It's a demo! Not a virus. You are scared to death of it, but everyone in this forum thinks it's just fine that NOD32 doesn't detect this heuristically?

    You know NOD32 is getting rightly slaughtered in the Security forum at DSLreports. Wildcatboy just posted the results of various av when this file is in WORKING ORDER ...the script is now alive and dangerous...not a demo anymore. NOD32 still doesn't detect this. Everyone else does except Panda and they have stated that they will detect it in the next update.

    I can't continue to stay with an AV that can't or won't detect a working script. Even the NOD32 fanatics are now getting worried over at dslr.

    Only a blathering fanatic would say that NOD32 shouldn't detect this because it is a Microsoft problem? Or that no one should use IE? Gee, is NOD32 only for those who use Firefox? What an absurd statement, but then I have never seen any sanity here when NOD32 messes up. All of you blame everything and everyone in sight except the real culprit.
     

  25. WELL SAID!!!
     