At least 6 viruses skipped by NOD32 - for the first time I'm disappointed

Discussion in 'NOD32 version 2 Forum' started by k!b?, Jan 16, 2006.

Thread Status:
Not open for further replies.
  1. k!b?

    k!b? Registered Member

    Joined:
    Jan 16, 2006
    Posts:
    22
    And what's worse, some of them are listed in the NOD32 virus database, for example Win32/TrojanDownloader.Agent.FK.

    NOD32 v25.51.8 + MS AntiSpyware are active, up to date and configured to the max (for NOD32, the same as Blackspear recommends).

    This is what happened:
    - added an HDD from my customer with the intention of disinfecting it and backing up the data
    - scanned the whole disk with NOD32 and it found 155 infected files
    - scanned it with MS Anti... and it found a couple more trojans and spyware

    Then, as I found out that the disk is/was full of viruses, I decided it was a great opportunity to test NOD32's reliability. So I ran the online BitDefender scan, and guess what: it found 8 more real viruses/trojans, not some third-grade malware!
    I'll continue to use NOD32 myself and to recommend it to others, so this is not some kind of act of rage or bad advertising but more of a move to try to help Eset developers improve NOD32. So I'm not going to make any fast conclusions, but I'll wait for reactions from experienced members of this forum.
     

  2. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,374
    How many of the samples detected by NOD32 were actually detected by BitDefender? Also, I noticed there were some joke programs in the log. I suggest refraining from creating another flame war about one AV being better than another and vice versa. It's a matter of fact that no AV will detect 100% of the malware in the world.
     
  3. YeOldeStonecat

    YeOldeStonecat Registered Member

    Joined:
    Apr 25, 2005
    Posts:
    2,345
    Location:
    Along the Shorelines somewhere in New England
    As an added side note... you should disable System Restore on infected XP systems before attempting to clean.
     
  4. pc-support

    pc-support Registered Member

    Joined:
    Mar 10, 2005
    Posts:
    285
    Location:
    Edinburgh, UK
    I wonder how many NOD would have found if BitDefender had been run first?

    Probably a lot more than 6 :D
     
  5. k!b?

    k!b? Registered Member

    Joined:
    Jan 16, 2006
    Posts:
    22
    As I said, the scanned disk is secondary and it had Win9x on it.
    Believe me, I do that on every XP machine I service.
    My rig has been clear of any kind of malware for years now, except when I intentionally let it get inside (for testing purposes).
     
  6. k!b?

    k!b? Registered Member

    Joined:
    Jan 16, 2006
    Posts:
    22
    And why wouldn't even those 6-8 viruses and the 20-30 files they infiltrated be cleaned by NOD? My intention was to possibly help in improving NOD's detection... nothing more.
     
  7. dog

    dog Guest

    Please keep any flame type comments out of this thread, no matter which product they are directed at. Any further such comments will be removed. As Marcos already stated NO AV is perfect ... :)

    Let's keep on the topic, detection and disinfection/removal and any failures to do so in this instance.

    Regards;

    Steve
     
  8. k!b?

    k!b? Registered Member

    Joined:
    Jan 16, 2006
    Posts:
    22
    As I said before, I have no intention of flaming anything or anybody.

    It's true that it's not perfect, BUT why not try to improve it? Is this thread unwanted? o_O
     
  9. Paul Wilders

    Paul Wilders Administrator

    Joined:
    Jul 1, 2001
    Posts:
    12,472
    Location:
    The Netherlands
    Good to hear ;)

    Be assured all security software vendors are doing their utmost to improve.

    As long as it stays on topic and civilized: not at all. In case trolling etc. happens, we'll, say, "interfere" ;)

    regards,

    paul
     
  10. dog

    dog Guest

    No not at all, Please do continue ;) My intent wasn't to discourage you in any way. You haven't done anything wrong. :)

    and Yes, everyone is always interested in product improvement. :)

    Regards;

    Steve
     
  11. k!b?

    k!b? Registered Member

    Joined:
    Jan 16, 2006
    Posts:
    22
    Thanks, Paul Wilders and dog.
     
  12. alglove

    alglove Registered Member

    Joined:
    Jan 17, 2005
    Posts:
    904
    Location:
    Houston, Texas, USA
    I guess it is unfortunate that those files were deleted, since now there is no way to submit them to Eset for analysis. Well, let me rephrase that. Unfortunate from the point of view of analyzing these files and getting some sort of verdict on them (broken virus files? something that needs to be added to NOD32's definitions?). Fortunate from the point of view of getting them off the computer!
     
  13. k!b?

    k!b? Registered Member

    Joined:
    Jan 16, 2006
    Posts:
    22
    That's my thought too. Too bad.
     
  14. Paul Wilders

    Paul Wilders Administrator

    Joined:
    Jul 1, 2001
    Posts:
    12,472
    Location:
    The Netherlands
    Bolded by me: that's a pity indeed. Thus, we'll never know, will we? Let's move on and keep away from turning this thread into a "comparison" thread. We do have a separate forum for that: "other antiviruses" ;)

    regards,

    paul
     
  15. k!b?

    k!b? Registered Member

    Joined:
    Jan 16, 2006
    Posts:
    22

    The BitDefender scan was done AFTER NOD32 scanned/cleaned that whole drive, so it found what the first one didn't, and what it found doesn't seem like unimportant malware.
    This one for example (found by BD in the file mibxub.dll):
    http://www.viruslist.com/en/viruses/encyclopedia?virusid=66410
    or
    the one found in winsync.exe and mc104[1].exe (as shown in the scan log):
    http://www.sophos.com/virusinfo/analyses/trojmancsyna.html

    I don't know, there is a chance that all of these were broken, but... who knows.
    There were no bad sectors, I did chkdsk and there were no file structure or any other errors, NAV was installed but we all know how efficient NAV is :gack: ... so I'm not sure WHY these files would become "broken"? It probably happens sometimes, but when and why?
    I'm confused about what to think right now, and it's time for bed hehe.
    But I will appreciate constructive answers :)
     
  16. Paul Wilders

    Paul Wilders Administrator

    Joined:
    Jul 1, 2001
    Posts:
    12,472
    Location:
    The Netherlands
    That has been and still is the issue, since there's no way anymore to verify all this. For that reason there simply isn't an answer to "constructive answers". No samples left > no way to verify. It's as simple as that. Instead of guessing in the dark - since in the end that's all we can do - sleep well ;) .

    There's no valid answer to the questions in this particular case anymore. We'll have to live with that.

    regards,

    paul
     
  17. k!b?

    k!b? Registered Member

    Joined:
    Jan 16, 2006
    Posts:
    22
    Well, maybe there is light in the dark hehe, i.e. some files were sent to Eset for analysis as shown in the pic. ThreatSense must be very helpful in these kinds of situations. If only there was file size info in that BD scan log, maybe I could connect those A00819xx files (they are still in quarantine also) with winsync.exe, mc104[1].exe and other files in the BD log, so I would be happy that those b*stards :) were delivered to the right address ;)
     

  18. Paul Wilders

    Paul Wilders Administrator

    Joined:
    Jul 1, 2001
    Posts:
    12,472
    Location:
    The Netherlands
    ThreatSense is indeed a very useful feature. The files in question will be analyzed for sure ;)

    Well, that's water under the bridge, isn't it? Eset will act if necessary - and that's all there's to it. No more guessing in the dark - it's of no use in any way. Sleep well ;) .

    regards,

    paul
     
  19. flyrfan111

    flyrfan111 Registered Member

    Joined:
    Jun 1, 2004
    Posts:
    1,224
    You wouldn't be able to match files by size either. Windows compresses the files in the System Restore folders, and Windows also renamed them. NOD doesn't generate random numbers when it quarantines files; NOD changes the extension, not the file name.
     
  20. Blackspear

    Blackspear Global Moderator

    Joined:
    Dec 2, 2002
    Posts:
    15,115
    Location:
    Gold Coast, Queensland, Australia
    I maintain and have always maintained that once a system is infected: "All bets are off" in relation to cleaning a system by any singular anti-virus product.

    Cheers :D
     
  21. k!b?

    k!b? Registered Member

    Joined:
    Jan 16, 2006
    Posts:
    22

    In this case, however, it's not the whole system that was infected (it's my main work/home rig) but just that HD that I added to clean it, back up the data and repartition it for a clean XP install. Those viruses didn't infect my system because NOD32 AMON is running all the time.
     
  22. Itsme

    Itsme Registered Member

    Joined:
    Jan 31, 2004
    Posts:
    148
    Hi k!b¤

    I find this an interesting thread... and it reminds me of an evaluation/test report I read in a computer magazine recently (but I can't find it anymore). It looked for the best possible combination of AV / trojan scanners. For freeware, AVG / MS AS came out first; for paid versions, NOD32 / Ewido came out first. Both categories together, NOD32 + Ewido was clearly the winner.

    It would be interesting if someone could redo these tests and see if the conclusions of the article (which I cannot find anymore) were right.

    Ciao
    Itsme
     
    Last edited: Jan 18, 2006
  23. flyrfan111

    flyrfan111 Registered Member

    Joined:
    Jun 1, 2004
    Posts:
    1,224
    NOD and Eset are the same product, not a combination.
     
  24. k!b?

    k!b? Registered Member

    Joined:
    Jan 16, 2006
    Posts:
    22
    Well, you know what, since they were in quarantine, I could have restored them to some location and stopped AMON from deleting them (or putting them back in quarantine) again, and then compared sizes. What NOD32 is doing is (I suppose) exactly extracting them from the compressed Restore files and then storing them in its quarantine format.

    BUT the much bigger question is: is the majority (at least) of potential/unknown viral files detected AT ALL by Advanced Heuristics?
    Here the ThreatSense story enters. AFAIK its efficiency is DIRECTLY dependent on Advanced Heuristics' 'intelligence' in recognising unknown threats.
    So, let's say in this particular case, could it be that some of the threats on that drive were not detected, and as a consequence didn't get to Eset's ThreatSense 'inbox'? (It's too, too bad that I configured that BD online scanner to delete files if it can't disinfect them :( )

    My question is: HOW MUCH is Eset relying on ThreatSense (and Advanced Heuristics' 'sixth sense' :) ) lately in searching for/finding new threats (and including them in the threat/virus signature database)?
    Thanks for answers.
     
  25. flyrfan111

    flyrfan111 Registered Member

    Joined:
    Jun 1, 2004
    Posts:
    1,224
    Eset's ThreatSense helps dramatically. I think the majority of users now submit AH detections because it is easier: right click and hit submit. You don't have to create an email, look for the address if you don't know it, attach the file, compress it and password protect it; the process alone used to discourage people. Now they are getting many more files submitted, which helps in a few ways: it helps identify true malware and get a definition added, and it helps with false positives in getting them analyzed as to why AH is picking up on them and fixing it, so users put up with fewer false positives. I would reverse your suggestion and say AH's intelligence comes from ThreatSense; it allows Eset to fine-tune AH to better detect malware while reducing false positives. In the last week or so there were 2 updates to AH; those could have come from analyzing files submitted by users.

    Yes, you could have restored the files, but the way System Restore works it would have been difficult to track down which files were the problem. You could have set NOD to report only and rescanned; that would have found them. System Restore compresses and renames all files in a sequential numerical format, so the name of the file in the System Volume Information folder has absolutely nothing to do with its original name. It has more to do with when it was placed into the folder than with the name of the file.
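The recurring lesson of this thread (posts 12, 16, 19 and 25) is that once a scanner deletes a file there is nothing left to submit or to correlate, and that file names and sizes are useless for matching once System Restore has renamed and compressed a copy. The script below is an added example, not code from the thread, from Eset or from BitDefender: before letting any cleanup tool delete, it copies each suspect file into a vault under its SHA-256 digest with a neutral `.bin` extension and writes a JSON manifest of original paths, sizes and hashes, so a sample can later be matched by content rather than by name. The file names used in `demo()` (winsync.exe, an A00819xx-style restore-point name, mc104[1].exe) are taken from the thread, but their contents are constructed placeholders, not real malware.

```python
"""Preserve suspect files as labelled samples before any cleanup tool deletes them.

Added example, not code from the thread or from ESET/BitDefender. It assumes
nothing about NOD32 or BitDefender internals: each suspect file is copied into
a vault as <sha256>.bin and its original path, size and hashes are recorded in
manifest.json, so a sample can be matched later by content even after System
Restore or a quarantine has renamed it.
"""
import hashlib
import json
import os
import shutil
import tempfile


def hash_file(path):
    """Return (sha256, md5) hex digests of a file, streamed in 64 KiB chunks."""
    sha256 = hashlib.sha256()
    md5 = hashlib.md5()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            sha256.update(chunk)
            md5.update(chunk)
    return sha256.hexdigest(), md5.hexdigest()


def preserve_samples(src_paths, vault_dir):
    """Copy each file into vault_dir as <sha256>.bin and return the manifest.

    Identical content under different names (e.g. winsync.exe and its
    restore-point copy A00819xx) collapses to one vault file but keeps every
    original path, which is exactly the correlation the thread could not do.
    """
    os.makedirs(vault_dir, exist_ok=True)
    manifest = {}
    for src in src_paths:
        sha256, md5 = hash_file(src)
        dst = os.path.join(vault_dir, sha256 + ".bin")   # .bin: never executable by association
        if sha256 not in manifest:
            shutil.copy2(src, dst)   # copy2 keeps timestamps, useful for later triage
            manifest[sha256] = {"md5": md5, "size": os.path.getsize(src), "paths": []}
        manifest[sha256]["paths"].append(os.path.abspath(src))
    with open(os.path.join(vault_dir, "manifest.json"), "w") as fh:
        json.dump(manifest, fh, indent=2, sort_keys=True)
    return manifest


def find_by_hash(manifest, digest):
    """Look up a sample by SHA-256 or MD5 (e.g. from a vendor write-up).

    Returns the manifest entry (with its sha256 added for MD5 lookups) or None.
    """
    digest = digest.lower()
    if digest in manifest:
        return manifest[digest]
    for sha256, entry in manifest.items():
        if entry["md5"] == digest:
            return dict(entry, sha256=sha256)
    return None


def demo():
    """Constructed scenario in a temp dir: one payload under an original name
    and a restore-point style name, plus an unrelated file. Returns the manifest."""
    work = tempfile.mkdtemp(prefix="samples-")
    suspect = os.path.join(work, "suspect")
    os.makedirs(suspect)
    payload = b"MZ" + b"\x90" * 64 + b"constructed sample, not real malware"
    names = {"winsync.exe": payload,          # original name from the scan log
             "A0081901.exe": payload,         # same bytes, System Restore style name
             "mc104[1].exe": b"MZ" + b"\x00" * 32}   # different, unrelated content
    for name, data in names.items():
        with open(os.path.join(suspect, name), "wb") as fh:
            fh.write(data)
    paths = [os.path.join(suspect, n) for n in names]
    return preserve_samples(paths, os.path.join(work, "vault"))


if __name__ == "__main__":
    for sha256, entry in demo().items():
        print(sha256[:16], entry["size"], entry["paths"])
```

Run it before any scanner is allowed to delete: point `preserve_samples()` at the files a report-only scan flagged (and at the restore-point copies under System Volume Information), and keep the vault off the machine being cleaned. A submission to a vendor can then be made from the vault at any time, and a hash quoted in a later write-up can be checked against the manifest with `find_by_hash()`.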
     