Disappointed at NOD32 Failure to ID

Discussion in 'NOD32 version 2 Forum' started by Agrajag, May 25, 2007.

Thread Status:
Not open for further replies.
  1. Agrajag

    Agrajag Registered Member

    Joined:
    May 25, 2007
    Posts:
    28
    I just went through 24 hours of hell trying to rid my PC of "Virtumonde".

    NOD32 never alerted me to any sort of problem. Nor could it find the problem once I realized I had it or remove the problem.

    In fact, I was let down on a few fronts. AdAware didn't spot it. Spyware Doctor spotted it but only got rid of the latest incarnation and not the root. VundoFix did a bit better. It took HijackThis for me to manually find the base problem and remove it on my own.

    Why is NOD32 failing to protect and remove this virus?
     
  2. GAN

    GAN Registered Member

    Joined:
    Mar 3, 2007
    Posts:
    355
    Actually it's not a virus. It's adware which could be a pain and hard to remove in some cases, but it's not a virus. A virus is usually more serious and causes more damage while adware usually doesn't cause damage except to be a pain.

    But it's not like you can find an antivirus software able to stop all adware, viruses, worms and other stuff out there. I never read a test where some antivirus software was able to stop absolutely everything. There might be adware, viruses and worms that NOD32 is able to stop and others not, or it could be the other way around. All of them miss something. You could send a mail to ESET support regarding Virtumonde.

    Also, what NOD32 detects might depend on your settings. Did you enable Potentially unwanted applications and potentially unsafe applications?
     
    Last edited: May 25, 2007
  3. Agrajag

    Agrajag Registered Member

    Joined:
    May 25, 2007
    Posts:
    28
    I already sent an e-mail. They're looking into it. I do not agree that a virus is defined by its danger level.

    Think of the classic definition. It's a virus regardless of your temperature.

    This thing attacked my system. I suspect I'll be seeing the same thing from the other side.... "It's not adware, it's a virus."
     
  4. GAN

    GAN Registered Member

    Joined:
    Mar 3, 2007
    Posts:
    355
    Well, it's defined as adware by most others that create antivirus and antispyware software it seems, but I'm not going into a long discussion about what it is if you disagree.

    The behavior of VirtuMonde is this: "Adware.VirtuMonde is an adware program that downloads and displays popup advertisements". I define that as adware and not a virus. A virus in my opinion is something that infects your computer trying to do damage... some very serious and some not serious at all. I don't define it as a virus because of the danger level, but the behavior.

    In any case it's not like NOD32 or any other antivirus is able to stop everything, and maybe ESET defines this as adware as well like most others. And NOD32 is an antivirus software and not a security suite that includes antispyware and stuff like that, even if it's able to stop some.

    But as I said you should also check your settings. Maybe NOD32 actually is able to stop VirtuMonde if the settings are correct.
     
  5. webyourbusiness

    webyourbusiness Registered Member

    Joined:
    Nov 16, 2004
    Posts:
    2,640
    Location:
    Throughout the USA and Canada
    NOD32 would have detected it if both potentially unwanted and potentially unsafe were enabled. Although I'm not sure why it would be missed if heuristics was turned on. Perhaps Aryeh or Marcos can shed a little light.
     
  6. Agrajag

    Agrajag Registered Member

    Joined:
    May 25, 2007
    Posts:
    28
    Both were enabled.
     
  7. webyourbusiness

    webyourbusiness Registered Member

    Joined:
    Nov 16, 2004
    Posts:
    2,640
    Location:
    Throughout the USA and Canada
    and advanced heuristics?
     
  8. Agrajag

    Agrajag Registered Member

    Joined:
    May 25, 2007
    Posts:
    28
    AMON under Options tab has every box checked including Advanced Heuristics.

    That's why I'm not exactly thrilled. I know this is adware-related but it behaves like a virus and, as such, I believe NOD32 should spot this attack and nail it.

    There's an option there for Adware/Spyware/Riskware. If it's of no use, what's the point? I recall a big deal being made about this some time ago as a reason to continue on. I did my share and I continue to be a fan. I just think this case is a poor one.
     
  9. The Hammer

    The Hammer Registered Member

    Joined:
    May 12, 2005
    Posts:
    5,619
    Location:
    Toronto Canada
    Agrajag, I hope you also posted at the forums of the other security programs you use and not just here. If anything like this ever happens again could you send the sample to Eset?
     
  10. Agrajag

    Agrajag Registered Member

    Joined:
    May 25, 2007
    Posts:
    28
    Hammer, I'm not sure what to make of your post. I have indeed posted to the other vendors but that has nothing to do with the post here. What these other vendors do is irrelevant to the conversation here.

    What purpose does your post serve? Does it provide me with more information regarding my post? Does it provide me more information about eset? Does it provide anyone here more information about anything? The only purpose I see to your post is to stamp a big, "I love NOD32" sticker on your chest. That doesn't help me or address this issue.

    I pay ESET for a service they claim to be the best at. I'm pointing out, as a paying customer (and a pretty happy one that buys and installs their product at dozens of other locations), that I am simply disappointed that NOD32 completely missed something pretty significant in my view. I also e-mailed them on this.
     
  11. The Hammer

    The Hammer Registered Member

    Joined:
    May 12, 2005
    Posts:
    5,619
    Location:
    Toronto Canada
    What it has to do with is the fact that you're using a multi-layer approach, which is good, and everyone from AdAware to Spyware Doctor wants to improve their products. That's all. Just scanning the posts of various AV vendors tells me everyone will disappoint at some time.
     
  12. tsilo

    tsilo Registered Member

    Joined:
    Apr 29, 2006
    Posts:
    376
    When I was using NOD32 I also had problems with Virtumonde. NOD32 detected only part of them, while the second part was on my computer. It's ESET's problem; they must add a large number of Virtumonde to the signatures.
     
  13. Agrajag

    Agrajag Registered Member

    Joined:
    May 25, 2007
    Posts:
    28
    Thanks. That's all I was pointing out and hoping for.
     
  14. Blackspear

    Blackspear Global Moderator

    Joined:
    Dec 2, 2002
    Posts:
    15,115
    Location:
    Gold Coast, Queensland, Australia
    Hi Agrajag, welcome to Wilders.

    Virtumonde is updated multiple times a day in order to avoid detection; it is also tested at www.virustotal.com in order to see if any software is picking up the new variant. This is a continual cat and mouse game and has been discussed at length in This Thread which includes commentary by TonyKlein.

    Cheers :D
     
  15. Xenophobe

    Xenophobe Registered Member

    Joined:
    May 26, 2007
    Posts:
    174
    Well, as you probably know the definition of viruses in Biology terms...
    A computer virus will reproduce itself, infect other files and computers, etc.

    So, if anything attacked your system that doesn't automatically make it a virus.
     
  16. Agrajag

    Agrajag Registered Member

    Joined:
    May 25, 2007
    Posts:
    28
    As this one does reproduce itself it continues to work like a virus.
     
  17. Blackspear

    Blackspear Global Moderator

    Joined:
    Dec 2, 2002
    Posts:
    15,115
    Location:
    Gold Coast, Queensland, Australia
    No it doesn't, the authors continually change it to avoid detection, it does not self replicate.

    Blackspear.
     
  18. ablatt

    ablatt Registered Member

    Joined:
    Nov 14, 2004
    Posts:
    128
    Location:
    Canada
    The fact is that Virtumonde is an annoying and not that unpopular infection.

    If NOD32 can't detect and remove the variation you have, and Symantec or Kaspersky can, then it reflects badly on Eset.

    The fact is that NOD32 is slipping in detection rates in the large recognized tests recently, and that is not a good thing.

    I have used NOD32 for a couple of years because it is light and unobtrusive on my PC, but I will have to look elsewhere if it consistently provides 10% less detection than other popular free and paid antivirus products in tests. I hope version 3 is better.
     
  19. Londonbeat

    Londonbeat Registered Member

    Joined:
    Sep 21, 2006
    Posts:
    350
    With regards to vundo/virtumonde, new variants are released more than daily, when released the authors make sure no antivirus detects it, including the AV's you've mentioned. Within a couple of hours, another variant (again usually undetected by all) will be released. As Blackspear said, it's a cat and mouse game, sometimes nod gets the updates in quicker than the AV's you mentioned, and sometimes other av's are quicker. But initially all AV's usually miss a new variant as the authors tweak them (using virustotal etc to check) until they are undetected by nearly all AV's. It's the same with the zlob trojans. I'm not disagreeing with your other statements about overall detection, but I don't think you can measure the effectiveness of any AV with vundo/zlobs, as they all miss new variants every day.

    Londonbeat
     
  20. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,374
    Malware authors who are paid for their "job" can develop new variants which are undetected even in less than 1 hour after detection for the previous variant was added. With assistance of Eset's support you will be able to remove Virtumonde if you happen to get infected for whatever reason.
     
  21. prius04

    prius04 Registered Member

    Joined:
    Apr 14, 2007
    Posts:
    1,238
    Location:
    USA
    Visit a few of the other AV support fora and look through the threads. I did, in fact, and discovered NOD32 is not the only AV that has a problem detecting and/or removing one (or more) of this one's variants. I saw several posts by support personnel recommending the use of HijackThis and other solutions.
     
  22. tsilo

    tsilo Registered Member

    Joined:
    Apr 29, 2006
    Posts:
    376
    If you are searching for an AV that detects all variants of Virtumonde you must switch to another AV; if you want to know which one, PM me and I will tell you :)
     
  23. ASpace

    ASpace Guest

    100% guarantee there is no such creature!

    I will give you whatever you want if you give me an antivirus with 100% detection rate of malware incl. Vundo/Virtumonde
     
  24. Firecat

    Firecat Registered Member

    Joined:
    Jan 2, 2005
    Posts:
    7,927
    Location:
    The land of no identity :D
    That ought to make some developers in the AV industry work all the harder to get that magic 100% number :p :D

    Cheers guys, just trying to lighten up the thread a little. Regarding Virtumonde, no AV detects all variants of it. Some AVs with rapid updates are able to provide protection quicker, but no one will provide foolproof protection, except those who are having good behaviour blocker systems. And even that is not 100% foolproof (but yeah sometimes it can come pretty darn close :p). :)
     
  25. The Hammer

    The Hammer Registered Member

    Joined:
    May 12, 2005
    Posts:
    5,619
    Location:
    Toronto Canada
    Don't hide behind PMs. Tell us all and thus start the stampede to this miracle worker product. I guarantee you will get people from all the major vendors buying. :p
     
    Last edited: May 26, 2007