Any reason why NOD32 scan missed a Trojan?

Discussion in 'NOD32 version 2 Forum' started by enduser999, Apr 16, 2006.

Thread Status:
Not open for further replies.
  1. enduser999

    enduser999 Registered Member

    Joined:
    Apr 17, 2005
    Posts:
    418
    Location:
    The Peg
    Is there why the trial version of NOD32 apparently missed trojans in two files DFRSRV.EXE (Trojan.Small) and WinXPA32.DLL (Trijan.Agent.qt) even when a scan was done in safe mode as well as realtime mode? The trial software is installed on a friend's computer who was having problems with it. The infections were found with Ewido malware scanner. In order to ensure that the C: drive was clear the friend restored a backup of the partition back to it.
     
  2. fosius

    fosius Registered Member

    Joined:
    Oct 14, 2004
    Posts:
    479
    Location:
    Partizanske, Slovakia
    If I were you, I would send those files to Eset for further analyse.
     
  3. enduser999

    enduser999 Registered Member

    Joined:
    Apr 17, 2005
    Posts:
    418
    Location:
    The Peg
    Well they are currently in Ewido's quartine area and I can not restore them other than to their original locations which I would like to avoid since it was a hassle cleaning the computer out.
     
  4. NOD32 user

    NOD32 user Registered Member

    Joined:
    Jan 23, 2005
    Posts:
    1,766
    Location:
    Australia
    Have worked your way through Blackspears extra settings for NOD32 thread (it's a sticky at the top of the list) to max out all your scan settings?
     
  5. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,374
    We'll need to get those files for analysis, otherwise we cannot check them and add detection, if necessary. Bear in mind that no AV detects 100% of all threats and there are tons of others detected by NOD32 that are missed by other AVs.
     
  6. enduser999

    enduser999 Registered Member

    Joined:
    Apr 17, 2005
    Posts:
    418
    Location:
    The Peg
    I have now for that machine. I have other friends who are also using NOD32 does that mean I should do the same with their installs of the product? How safe are those settings for the normal user who may have one or two computers on a LAN? Is NOD's quarantine area like other virus scanning software in that a false positive file can be restored at a later date?
     
    Last edited: Apr 17, 2006
  7. enduser999

    enduser999 Registered Member

    Joined:
    Apr 17, 2005
    Posts:
    418
    Location:
    The Peg
    Do I send the files to samples@eset.com ? Does one ever receive any reply back regarding sample files sent to that address?
     
  8. ALEX(XX)

    ALEX(XX) Registered Member

    Joined:
    Mar 17, 2006
    Posts:
    19
    Never :(
     
  9. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,374
    If you submit a sample to samples[at]eset.com, it will be added as quickly as the risk level it poses. Replies are received only in the case of large enterprise clients (on demand).
     
  10. NOD32 user

    NOD32 user Registered Member

    Joined:
    Jan 23, 2005
    Posts:
    1,766
    Location:
    Australia
    The default settings are certainly adequate, however (and correct me please if I am wrong) they are designed to provide a high default level of compatability for all the different environments NOD32 may be installed in. I do ordinarily recommend to use the settings from Blackspears guide as those settings provide the highest available level of protection and automation. The only time I would not is if they cause some kind of conflict on your machine, or if you have some other specific requirement that those settings would not be compatable with. In either case, issues with Blackspears settings are generally very few and very far between.
    HTH :)

    Cheers :)
     
  11. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,374
    Also I'd add that it's not recommended to enable Potentially dangerous applications in network environment where tools for remote administration are used.

    When you enable the "Automatically deny download of infected files" option in the IMON - HTTP setup, it is strongly recommended to set the browser you use to Higher efficiency mode due to different ways of how browsers handle download of files.
     
  12. NOD32 user

    NOD32 user Registered Member

    Joined:
    Jan 23, 2005
    Posts:
    1,766
    Location:
    Australia
    Thank you Marcos - I learn every day from your posts.

    Cheers :)
     
  13. enduser999

    enduser999 Registered Member

    Joined:
    Apr 17, 2005
    Posts:
    418
    Location:
    The Peg
    The network environment you are referring to does not refer to a small WinXP/Win2k LAN that an end user would have in their home environment?

    So the quarantine that NOD32 has implemented is not like that used by other virus scanners on the market where a problem/suspicious file is placed/removed from the O/S?
     
  14. pykko

    pykko Registered Member

    Joined:
    Apr 27, 2005
    Posts:
    2,236
    Location:
    Romania...and walking to heaven
    Hope so.....
     
  15. SSK

    SSK Registered Member

    Joined:
    Nov 28, 2004
    Posts:
    976
    Location:
    Amsterdam
    No, this does not apply to a small Home LAN setup.

    NOD32 quarantine *does* work like other AV quarantine systems, I'm not sure which info here made you think that?
     
  16. xTiNcTion

    xTiNcTion Registered Member

    Joined:
    Oct 25, 2003
    Posts:
    253
    size doesn't matter. Potentially dangerous applications in network environment may cause conflict if tools for remote administration are used.
     
  17. enduser999

    enduser999 Registered Member

    Joined:
    Apr 17, 2005
    Posts:
    418
    Location:
    The Peg

    Post #23 of BlackSpear settings has the following:

    "NOTE: Quarantine ONLY makes a secure copy of the Virus or Trojan found so it
    can be sent to Eset for further analysis, it does NOT isolate the Virus or
    Trojan."
    --------------------
    Just talked to my friend and they are now using BlackSpear's settings and had initiated their weekly scan job on their computer via the Schedule menu and selecting "Run Now" option. The scan status still shows SCANNING even though there is no scan window open or other evidence that in fact NOD32 is indeed still scanning! In other words the job terminated without any error window! When they initiated another scan using the same method NOD32 showed the following in the event log:

    Time Module Event User
    4/17/2006 12:29:08 PM NOD32 An alert has been generated. See the on-demand scanner Log for details. NT AUTHORITY\SYSTEM

    ----------------------

    When they looked through the quarantine and through the NOD32 Scanner Logs the only item that is around this time is the log showing the startup of the first on demand job but it shows no list of files whatsoever that were scanned or where unable to be opened. It is almost as if NOD32 never did anything. They looked through the XP System logs and there is nothing there showing any errors whatsover!

    They are doing another scan and will see if this one terminates like the first one did.

    Needless to say they are not too impressed with my recommendation of NOD32.

    Their computer is an Win2k SP4 (fully updated ) w 512MB RAM on a P///-600.

    :doubt:
     
  18. beenthereb4

    beenthereb4 Registered Member

    Joined:
    Jun 29, 2004
    Posts:
    568
    From the Help File:

    I saw that other info in BlackSpear's stuff but took it as a mistake.
     
  19. enduser999

    enduser999 Registered Member

    Joined:
    Apr 17, 2005
    Posts:
    418
    Location:
    The Peg
    I need confirmation from someone representing ESET. Why else does NOD32 have a SCAN ONLY button and SCAN and CLEAN buttons on the NOD32 On Demand Screen?
     
  20. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,374
    If you are asking why there are 2 buttons, I must say that it's essential for my work and I could not live with just one button. I'm quite positive that there are lots of other people who like the way it is.
     
  21. Detox

    Detox Retired Moderator

    Joined:
    Feb 9, 2002
    Posts:
    8,507
    Location:
    Texas, USA
    I also like it that way - I don't care to "exclude" files myself; I simply prefer to see them detected every time. Generally speaking, the ones I have are RATs that a small network of friends around the world use to control our servers. Mostly the use is for me to start a different game server on a machine in a friend's house in Nederlands while he is at work and other such scenarios including the reverse. It really is nice to have an idle friend's machine hosting to save your own bandwidth ;-)

    Long story short, I like to see them detected on a regular scan but obviously not automatically cleaned. Should I find something elsewhere, I can then go to the directory in which the threat is located and scan to clean it on a more "local" level.
     
  22. enduser999

    enduser999 Registered Member

    Joined:
    Apr 17, 2005
    Posts:
    418
    Location:
    The Peg
    Well went over to my friend's place last night and as soon as I tried to restore two of the infected files from Ewido's quarantine so that they could be sent to Eset, NOD32 flashed up a warning that they were infected with TrojanDownloader.Zlob.LP.Trojan and Win32/TrojanDownloader.Small.CML trojan!

    The only thing that has changed was the BlackSpear's settings were used. However that should not be the reason why NOD32 never caught these two infected files when they were sitting out on my friend's hard drive. A scan in Windows Safe mode as well as Normal mode (before Ewido was run) found neither of the above two infections!
     
  23. rothko

    rothko Registered Member

    Joined:
    Jan 12, 2005
    Posts:
    579
    Location:
    UK
    hi,

    TrojanDownloader.Zlob.LP.Trojan was added in NOD32 - v.1.1493 (20060417)
    AND
    Win32/TrojanDownloader.Small.CML was added in NOD32 - v.1.1492 (20060416)

    lee
     
  24. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,374
    Well, I could not find that exact variant of Zlob, but here are actual scan results of another TD Zlob:

    AntiVir 6.34.0.24 04.18.2006 no virus found
    Avast 4.6.695.0 04.18.2006 no virus found
    AVG 386 04.18.2006 no virus found
    Avira 6.34.0.56 04.18.2006 no virus found
    BitDefender 7.2 04.18.2006 no virus found
    CAT-QuickHeal 8.00 04.18.2006 (Suspicious) - DNAScan
    ClamAV devel-20060202 04.18.2006 no virus found
    DrWeb 4.33 04.18.2006 Trojan.Popuper
    eTrust-InoculateIT 23.71.132 04.18.2006 no virus found
    eTrust-Vet 12.4.2165 04.18.2006 no virus found
    Ewido 3.5 04.18.2006 no virus found
    Fortinet 2.71.0.0 04.18.2006 suspicious
    F-Prot 3.16c 04.18.2006 no virus found
    Ikarus 0.2.59.0 04.18.2006 no virus found
    Kaspersky 4.0.2.24 04.18.2006 Trojan-Downloader.Win32.Zlob.lq
    McAfee 4742 04.17.2006 no virus found
    NOD32v2 1.1494 04.18.2006 Win32/TrojanDownloader.Zlob.NAV
    Norman 5.90.15 04.18.2006 W32/Malware
    Panda 9.0.0.4 04.17.2006 Suspicious file
    Sophos 4.04.0 04.18.2006 no virus found
    Symantec 8.0 04.18.2006 no virus found
    TheHacker 5.9.7.130 04.16.2006 no virus found
    UNA 1.83 04.17.2006 no virus found
    VBA32 3.10.5 04.18.2006 Trojan.Win32.TrojanDownloader.Zlob.NAV
     
  25. enduser999

    enduser999 Registered Member

    Joined:
    Apr 17, 2005
    Posts:
    418
    Location:
    The Peg
    So are you saying that my friend just had the misfortune of getting two infected files on his computer before NOD32 release signatures for them? By the way here is the exact wording of the threats:

    a variant of Win32/TrojanDownloader.Zlob.LP trojan
    Win32/TrojanDownloader.Small.CML trojan
     
Thread Status:
Not open for further replies.