AV2009

Discussion in 'NOD32 version 2 Forum' started by tsherr, Jan 5, 2009.

Thread Status:
Not open for further replies.
  1. tsherr

    tsherr Registered Member

    Joined:
    Jan 30, 2007
    Posts:
    62
    I was reading this page:
    http://garwarner.blogspot.com/2008/12/more-than-1-million-ways-to-infect-your.html

    I downloaded the installer and tested it with NOD32 and it didn't find anything. Then I uploaded it to VirusTotal with the same result. I then submitted it by email to Eset and checked again this morning and NOD32 still doesn't find it. I resubmitted to VirusTotal and more AVs find it, but still not NOD32.

    ~VT link removed per Policy.~

    It's been 13 days since the article was written. Where is Eset? Why isn't this found by now?

    T
     
    Last edited by a moderator: Jan 5, 2009
  2. dcd

    dcd Registered Member

    Joined:
    Jan 5, 2009
    Posts:
    1
    I've been running NOD32 Ver2 for two years on 525 computers, without any issues. But I must say that AV2009 has infected about 20 computers so far, over the past 2 months. It detects Win32/TrojanDownloader.FakeAlert.SU trojan or Win32/TrojanDownloader.FakeAlert.UX trojan. But for some reason it cannot detect/remove all of the associated files. Why can't NOD stop this infection or at least remove it? Am I the only one having a problem with this?
     
  3. agoretsky

    agoretsky Eset Staff Account

    Joined:
    Apr 4, 2006
    Posts:
    4,032
    Location:
    California
    Hello,

    Please try installing ESET NOD32 Antivirus v4 beta and testing with that, as the v2 engine is older and may not detect threats detected by newer versions of the software.

    Undetected malware can be sent to samples@eset.sk in a .ZIP or .RAR file protected with a password of "infected" for analysis.

    Regards,

    Aryeh Goretsky
     
  4. TimaN

    TimaN Registered Member

    Joined:
    Aug 22, 2005
    Posts:
    125
    Location:
    Tulsa, OK
    I recommended/installed NOD to so many people and now have to explain why NOD does not catch such malware as AntiVirus 2009. It is being ignored by NOD, resulting in an infected computer. I have to go back to those people's computers and remove that malware with third party software that is capable of dealing with this annoyance! I know there are a lot of variants of this malware being released on a daily basis, but why don't NOD's advanced heuristics detect it, while other solutions detect and deal with it?
     
  5. tsherr

    tsherr Registered Member

    Joined:
    Jan 30, 2007
    Posts:
    62
    I shouldn't have to use a Beta program to catch viruses, if other released programs can catch it. I promote NOD32, but it's difficult when situations like this occur. I've sent the attachment in once, but I'll try it again with the password on it, since I didn't do that the last time.

    T
     
  6. funkydude

    funkydude Registered Member

    Joined:
    Apr 5, 2004
    Posts:
    6,855
    This isn't a matter of catching viruses, this is a matter of cleaning them. What agoretsky is saying is that unknown files should be submitted so they can add them. They are IN NO WAY ignoring files and telling you to use a beta. The beta features improved cleaning methods superior to v2's for cleaning more complicated things like AV2009. That's the whole reason for creating new software.

    You can't run v2 and expect it to deal with threats of today. It may be great at detecting the threats, but cleaning is a different ball game.
     
  7. tsherr

    tsherr Registered Member

    Joined:
    Jan 30, 2007
    Posts:
    62
    Well, it's not detecting them either. And whatever version VirusTotal is using also doesn't detect it. I've got no problem with it taking NOD32 a few days to catch a new piece of malware, but 13 days? That seems like a long time.

    And since they're still updating version 2, and haven't moved everyone to version 3 (as they did when they went from 2.5 to 2.7) I think the argument that it's too old doesn't hold water.

    T
     
  8. agoretsky

    agoretsky Eset Staff Account

    Joined:
    Apr 4, 2006
    Posts:
    4,032
    Location:
    California
    Hello,

    Testing with a newer version of the software will help determine if non-detection is engine-specific or signature-specific. It is okay if you do not have the bandwidth to assist in the investigation. The virus lab will still look at any samples you mail them.

    Oh, I forgot to mention, please include a link to this message thread in the email if you have not already sent it.

    Regards,

    Aryeh Goretsky
     
  9. funkydude

    funkydude Registered Member

    Joined:
    Apr 5, 2004
    Posts:
    6,855
    They are updating the signatures, nothing else, so my point is very valid. ESET use a mixture of signatures/heuristics for detecting threats. If you think v2 is as good as v4 or even v3 in detection and removal, think again.

    I would suggest you resend the file, because it sounds to me like it got lost in the mail.
     
  10. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,374
    I can confirm that v2 detects less than v3/v4. V4 goes further and brings significantly improved cleaning and self-protection capabilities.

    The authors of rogue applications update them on a regular basis and invest a lot in making their products undetectable by the most famous AV programs. It simply pays off for them, as it's all about business and getting money from the people they lure into purchasing their creations. As you can see in all AV forums, every AV vendor is trying hard to catch up with them. We've also improved heuristics significantly in order to be able to react quickly to this kind of frequently changed obfuscated malware. However, you should bear in mind that no AV is perfect and none will ever catch every new variant, especially if the authors focus on specific brands and update their creations until they are undetected. Having an AV program installed doesn't guarantee 100% protection, especially if the user visits suspicious websites, uses cracks and doesn't keep the OS up to date.
     
  11. YeOldeStonecat

    YeOldeStonecat Registered Member

    Joined:
    Apr 25, 2005
    Posts:
    2,345
    Location:
    Along the Shorelines somewhere in New England
    AV2009 is actually old, by the standards of this trojan... it's been out over 6 months. There are many, many variants of this Vundu malware, which is said to be powered by the ZLob trojan. Antivirus 360 is one of the newer variants, as well as Search and Destroy 5.20, Defender 2008, and quite a few other names.

    The thing to remember is that several new variants of the ZLob trojan are released each day. 3-4 or more new releases per day!

    So if you run across XPAntivirus2009 this morning... clean your system... and later that afternoon you catch another XPAntivirus2009 infection... chances are good you just caught a new variant of it.
     
  12. tsherr

    tsherr Registered Member

    Joined:
    Jan 30, 2007
    Posts:
    62
    I guess I wasn't clear. The version I'm testing came out about December 22 or 23, and NOD32 2.7 still isn't detecting it. I can understand that maybe 2.7 can't clean it (though it should be able to delete the files themselves) but it can't even detect it? I check it on VirusTotal each day and more and more AVs are catching it (~VT Link removed per Wilders Policy.~) but NOD32 still doesn't see it. That concerns me.

    T
     
  13. ASpace

    ASpace Guest

  14. tsherr

    tsherr Registered Member

    Joined:
    Jan 30, 2007
    Posts:
    62
    No it doesn't. And the online scanner doesn't find anything either. Very interesting. So that would suggest to me that version 3 wouldn't detect the file. Don't know about Beta 4, but I will try that tonight once I set up my new laptop.

    T
     
  15. funkydude

    funkydude Registered Member

    Joined:
    Apr 5, 2004
    Posts:
    6,855
    My guess is they just didn't get your email. It happens a LOT these days. I usually have to send a file repeatedly.
     
  16. agoretsky

    agoretsky Eset Staff Account

    Joined:
    Apr 4, 2006
    Posts:
    4,032
    Location:
    California
    Hello,

    Please keep in mind that more and more mail providers are filtering messages with archive file attachments containing executable files, sometimes even if the archives are protected with a password.

    You may wish to "repack" your password-protected archive containing the malware inside another password-protected archive (i.e., FILE.EXE -> ARCHIVE1.ZIP -> ARCHIVE2.ZIP) before you re-send it.

    Regards,

    Aryeh Goretsky
     
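    The filtering Aryeh describes above works because a password on a ZIP encrypts the file contents but not the entry names in the central directory, so a mail gateway can still see that an archive (or an archive nested inside it) carries an .EXE. The following is an added example, not code from ESET or from anyone in this thread: it builds the FILE.EXE -> ARCHIVE1.ZIP -> ARCHIVE2.ZIP layout from the post with constructed placeholder data, then runs a gateway-style check over it that recurses into nested archives and flags executable names. The extension lists, the depth limit and the block/allow rule are assumptions for the example; the standard-library zipfile module cannot write password-protected entries, so the constructed archives are unencrypted, and the `flag_bits & 0x1` test is what would report encryption on a real submission.

```python
import io
import os
import zipfile

# Extension lists are assumptions for this example, not an ESET or mail-provider policy.
EXECUTABLE_EXTS = {".exe", ".dll", ".scr", ".com", ".bat", ".cmd", ".js", ".vbs"}
ARCHIVE_EXTS = {".zip"}
MAX_DEPTH = 5  # stop recursing into pathologically deep (zip-bomb style) nesting


def scan_zip_bytes(data, prefix="", depth=0):
    """Walk a ZIP held in memory and return a list of (path, reason) findings.

    Unencrypted nested ZIPs are opened recursively. Encrypted entries cannot be
    read without the password, but their names are still visible in the central
    directory, which is exactly what a mail gateway filters on.
    """
    findings = []
    if depth > MAX_DEPTH:
        findings.append((prefix, "nesting deeper than %d, not inspected" % MAX_DEPTH))
        return findings
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            path = prefix + info.filename
            encrypted = bool(info.flag_bits & 0x1)  # general-purpose bit 0 = encrypted
            ext = os.path.splitext(info.filename)[1].lower()
            if ext in EXECUTABLE_EXTS:
                reason = "executable entry"
                if encrypted:
                    reason += " (encrypted, name still visible)"
                findings.append((path, reason))
            elif ext in ARCHIVE_EXTS:
                if encrypted:
                    findings.append((path, "encrypted nested archive, contents not inspected"))
                else:
                    findings.extend(scan_zip_bytes(zf.read(info), path + "/", depth + 1))
    return findings


def build_sample_submission():
    """Construct the double-wrapped layout from the post (sample -> archive1 -> archive2).

    Constructed test data: the 'executable' is a placeholder byte string and the
    contact note uses placeholder values; both archives are unencrypted because
    the standard-library zipfile module cannot write password-protected entries.
    """
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("sample.exe", b"MZ placeholder, not a real executable")
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("archive1.zip", inner.getvalue())
        z.writestr("contact.txt", "name: <your name>\nemail: <your address>\nthread: <thread URL>\n")
    return outer.getvalue()


def gateway_verdict(data):
    """Assumed gateway rule: block if any finding involves an executable name, else allow."""
    findings = scan_zip_bytes(data)
    if any("executable" in reason for _, reason in findings):
        return "block", findings
    return "allow", findings


if __name__ == "__main__":
    verdict, findings = gateway_verdict(build_sample_submission())
    print(verdict)
    for path, reason in findings:
        print(" ", path, "-", reason)
```

    Run against the constructed submission the check reports `archive1.zip/sample.exe` and blocks it. With a real password on ARCHIVE1.ZIP the recursion stops at the encrypted nested archive, which is the case the repacking advice relies on; a gateway that treats "encrypted nested archive" itself as a block reason will still reject the mail, which is why the FTP route offered later in this thread is the more reliable submission path.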
  17. tsherr

    tsherr Registered Member

    Joined:
    Jan 30, 2007
    Posts:
    62
    Is there an FTP site I can upload it to? That would be a lot easier and would resolve the email issue.

    T
     
  18. tsherr

    tsherr Registered Member

    Joined:
    Jan 30, 2007
    Posts:
    62
    VirusTotal reports that NOD32 still doesn't detect the malicious software.

    ~Link removed per Wilders Policy.~

    I have sent the file for a third time. Eset needs a better system for this - how about something like VirusTotal, where I can upload the file via the browser?

    T
     
    Last edited by a moderator: Jan 7, 2009
  19. mrwillywonka

    mrwillywonka Registered Member

    Joined:
    Jan 7, 2009
    Posts:
    4
    Funny that ... v3 didn't pick it up either! Seems to me that NOD32 is a rather lame product. I've been a user for a few years now, I have uninstalled it despite a live sub for a while. I am now using a diff product. Will not be recommending what is a poor program and when questioned the people from ESET come up with a canned reply all the time blah blah blah.
     
  20. funkydude

    funkydude Registered Member

    Joined:
    Apr 5, 2004
    Posts:
    6,855
    NOD32 is a lame product because it missed a threat? Right, I'm glad I don't live in your world. You must whore through AV's faster than Paris Hilton's pants go up and down.
     
  21. agoretsky

    agoretsky Eset Staff Account

    Joined:
    Apr 4, 2006
    Posts:
    4,032
    Location:
    California
    Hello,

    Certainly. You may upload the file to ftp://ftp.nod.sk/incoming/. Please make sure the archive file includes a text file with your contact information (name and email address) and a link to this message thread.

    Regards,

    Aryeh Goretsky
     
  22. tsherr

    tsherr Registered Member

    Joined:
    Jan 30, 2007
    Posts:
    62
    As of this morning, NOD32 v2 is picking up this infection, which is a good thing. I will use the upload information above to send additional files as I find them.

    T
     
  23. funkydude

    funkydude Registered Member

    Joined:
    Apr 5, 2004
    Posts:
    6,855
    You guys should put that FTP site somewhere on your website, I never knew about it.
     
  24. agoretsky

    agoretsky Eset Staff Account

    Joined:
    Apr 4, 2006
    Posts:
    4,032
    Location:
    California
    Hello,

    Your request has been forwarded to the technical writers responsible for the knowledge base.

    Regards,

    Aryeh Goretsky
     
  25. ASpace

    ASpace Guest

    I knew about this way but I didn't know it was public. Somebody from ESET told me about it but he also told me that I shouldn't use it on a regular basis and I shouldn't share it.

    I also think that a web-site service/portal or FTP server is much easier than email submission.
     