Antivirus Test

I found an AV test in another forum :

snip - link removed - BlueZannetti - 28/7/2004

Once the file downloaded and unzipped I scanned it and nod32 found 534 viruses in this file (instead of 593). Others with AV like AVG FProt KAV NAV found from 588 to 591 infected files.

I changed setings (Deep heuristic, advanced heuristic...) but it kept found only 534 viruses

BTW I use nod32 for a year, and I know it's a very good AV, just wondering the reason why.

(using nod32beta (2.000.11b ) on a xp box)

 

1. REMOVE THE LINK TO VIRUS SAMPLES!
2. At least 25 files are just garbage/innocent.

 

REMOVE the link to viruses, or have it removed by a Mod.

 

Sorry for the link

Any ideas why is there such a difference between 534 viruses found by NOD32 and 580+ found by others AV...

Thanks for your help !!

 

Thanks Ronjor for the link

This post from Anton is certainly a clear answer for my issue.

Thanks again

 

Just wanna give my 0.02$ - some of the files in that collection were virus cleaners and some other were just some testing utilities with the text "this is not a virus" or something like that. We analyzed it some time ago and found out there was nothing more NOD should detect.

 

Nice to know Marcos, thanks for your 2 cents worth, think it was actually worth a bit more than that

Cheers

 

Thanks for your answer Marcos

I didn't much worry about these samples, I know that NOD32 is a pretty good software (VirusBuletin and others), just wanted to kow why...

BTW got no problem with NOD32 B, only with a file and a directory that I can't exclude from scanning by amon

 

Can you name the file and see what answers are found...

Cheers

 

It's outpost.ini in outpost folder

when I exclude it it appears in the exclusion window but amon keeps scanning the file. I had also stopped and restarted nod32 but it was the same

 

There is a thread already running on this here:

https://www.wilderssecurity.com/showthread.php?t=42476

You might want to add your name to the list and subscribe to that thread for any further outcomes.

Cheers

 

The issue is solved in the other thread

Thanks for your help

 

Anton's answer is not impressive. Not when you witness KAV 4.5 catching all but 3. I refuse to believe that KAV is detecting garbage. I just ran this file by both scanners and NOD32 just doesn't perform well.

On a related note, I'd like Anton to come over to DSLreports and explain why NOD32 doesn't detect hxxp:// members.rogers.com/wildcatboy/iebug.jpg

using IE. I've submitted it to Juraj. KAV isn't detecting it either but it has been submitted and I'm sure they will detect it soon. (KAV would probably have detected it by now but they had a problem with an update today ruining the bases so they have been preoccupied) Most av vendors detect it as JS.Exception.exploit and those that don't are scrambling now to detect it. I wonder what Eset's position will be on this? I had originally told WCB that NOD32 would not detect this because it isn't an actual virus and that I would not bother to submit it for this reason. (My comment here was based on that post from Anton). I was jumped on and told that I should let Eset decide if they wanted to detect it. So, I submitted it.

DSLreport's security forum moderator Wildcatboy has this to say about NOD32's non detection in response to my post reporting what Juraj said:


Mele20 20m NOTE: this is in response to the post by Randy Bell
Juraj says its a harmless jpeg and wants to know what code I was wanting NOD32 to detect.

So how do I submit this so he can see the exploit? I just downloaded the jpeg and zipped and password protected and then sent it.

Wildcatboy 2h5m
That's the whole point Mele, it's not a jpeg. IE may think it is but it's not. When you open a .jpg file with notepad, you'll see gibberish. When you open this file with notepad, you won't.

I believe the problem is not that your AV doesn't understand this script. Chances are it may already detect it in script form. It may be that your AV doesn't understand that actually this script is being run and doesn't even look at it.


The thread is here.
http://www.dslreports.com/forum/remark,10890980~mode=flat~start=0

BTW, there was no need to remove the link to the file that has the 595 viruses unless you just don't want NOD32 users to see for themselves. That link didn't violate any rules here. The files have all been renamed so they are harmless and cannot execute.

 

Have you ever read the terms of service for this forum? Obviously not. It reads in part;
Wilders Security Forums - Terms Of Service

You agree, through your use of this forum, that you will not post any material which is false, defamatory, inaccurate, abusive, vulgar, hateful, harassing, obscene, profane, sexually oriented, threatening, invasive of a person's privacy, or otherwise in violation of ANY law. This is not only a forum policy, but legal actions can be taken against you in accordance with appropriate laws. You also agree not to post or upload any copyrighted material unless the copyright is owned by you or you have consent from the owner of the copyrighted material. Spam, flooding, advertisements, chain letters, pyramid schemes, and solicitations are also inappropriate in this forum.Furthermore, you agree not to post any links to warez sites or sites from which malware (viruses, worms, trojans, backdoors etc.) can be downloaded.

Additionally, your friend wildcatboy in the link you provided stated that the script is harmless, so why would Eset want NOD to detect harmless script? The problem he is attempting to demonstrate is how IE handles script and how easily it can be tricked into running scripts, the fault lies with Microsoft not NOD. CERT has been recommending that people use an alternative browser for almost 6 months now.

Lastly, downloading viruses just to see if your AV will catch them is a little extreme, Would you shoot yourself just to see if your first aid kit works? Most of the viruses in that file that NOD doesn't detect are more than 10 years old and designed for DOS and as such wouldn't run in WinMe and above or as proof of concept viruses and do not do any damage.

 

Hi Mele,

flyrfan111 is right, and our TOS is quite clear on this matter. Specifically in regards to your statement that there was nothing wrong with the link to the malware files, and this section of the TOS:

"Furthermore, you agree not to post any links to warez sites or sites from which malware (viruses, worms, torjans, backdoors etc.) can be downloaded."

This includes renamed malware files as well. Whether they are disabled or not...malware files are malware files, and any link to such files will be removed.

Regards,

snap

 

Nicely said Flyrfan.

Mele, it is not only Nod32 users that peruse this forum, what if a person came along without antivirus software and tried that link, just to see what happens, or their antivirus was not up to standard... We don't want to start hearing; "I was infected by a virus while at Wilders Security..."

Cheers

 

I understand if the files could be executed. But these are zipped first of all and then each has been renamed so they are harmless. The policy seems excessive in a case like this. Of course, I don't approve of links to live viruses, but IMO this is in another category. Oh well, I've just had people come from here over to dslr and IM me to get the link.

I'm sorry I brought it up.

 

Mele20,

Although the policy might seem excessive, another way to view it is that there is no ambiguity. An inexperienced user contemplating posting a link to malware or potential malware, for whatever reason, does not have to make a determination of what is safe and what is not since the link, simply stated, shouldn't be there. Case closed. That's the rationale behind my edit of the link originally provided. The motivations of the original poster are not in any doubt in my mind - they were quite positive - to understand some behavior of NOD32 in a specific case and by this, to help him/herself and other users in the process.

While you have the experience to render an informed judgement, many either do not or may make an ill-informed decision at some point. There are simply too many grey areas possible (sample is "disabled"; it's harmless on my machine; won't do anything harmful as long as you don't extract it, etc.) to effectively monitor and administer. Practically speaking, the unambiguous guideline is the safest and most equitable situation for all involved.

I realize that this policy makes it somewhat more difficult for users discussing and evaluating situations such as the one discussed in this thread. As with any situation, there is a balance between safety and expediency that we always try to achieve. Depending on the potential magnitude of the unintended consequences, that balance shifts either towards safety or expediency. Here, safety is paramount.

Despite the occasional inconvenience, thanks for understanding.

Blue

 

Nice post Blue.

Cheers

 

Ok, Bluezannetti when you explain it like that I see the reason much more clearly and it makes a lot more sense to me. Thanks for taking the time to explain fully why Wilders has this policy.

 

I cxan't believe one of you mods changed my link to Wildcatboy's demo. It's a demo! Not a virus. You are scared to death of it but everyone in this forum thinks it's just fine that NOD32 doesn't detect this heuristically?

You know NOD32 is getting rightly slaughtered in the Security forum at DSLreports. Wildcatboy just posted the results of various av when this file is in WORKING ORDER ...the script is now alive and dangerous...not a demo anymore. NOD32 still doesn't detect this. Everyone else does except Panda and they have stated that they will detect it in the next update.

I can't continue to stay with an AV that can't or won't detect a working script. Even the NOD32 fanatics are now getting worried over at dslr.

Only a blathering fanatic would say that NOD32 shouldn't detect this because it is a Microsoft problem? Or than no one should use IE? Gee, is NOD32 only for those who use Firefox? What an absurd statement but then I have never seen any sanity here when NOD32 messes up. All of you blame everything and everyone in sight except the real culprit.

 

WELL SAID!!!