Disinfecting Sality

Discussion in 'ESET NOD32 Antivirus' started by Roman Rashevskiy, Feb 16, 2010.

Thread Status:
Not open for further replies.
  1. Roman Rashevskiy

    Roman Rashevskiy Former Poster

    Joined:
    Jan 17, 2010
    Posts:
    13
    Location:
    Russia
    Hello!

    My name is Roman Rashevskiy, I am from Russia. I use ESET NOD32 Antivirus, version 4.0.474.
    I have infected my computer with Sality; I want to check ESET's disinfection of this malware sample.
    ESET deleted all files (including "good" files, e.g. documents, program files etc.) which were infected with Sality. I think this is not good, because ESET can delete very important user files, whereas other vendors can clean "good" files and cure the infected computer.


    --
    Best regards,
    Roman Rashevskiy.
     
    Last edited: Feb 16, 2010
  3. nikanthpromod

    nikanthpromod Registered Member

    Joined:
    Oct 9, 2009
    Posts:
    1,369
    Location:
    India
    Once I was infected with Virut (a polymorphic virus).
    It destroyed all my system files. My system crashed. ESET deleted those files but made my system unbootable.
     
  4. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,456
    It sounds like you infected your computer intentionally, so you actually didn't lose any important data. I'd suggest submitting a couple of such files to ESET per the instructions here.

    Infected files that cannot be cleaned are NEVER deleted automatically, however, the user can choose to delete them if he's sure the files are not that important or that they can be replaced with a clean copy easily. At any rate, the original files are always stored in quarantine so it's possible to revert to them at a later time, if necessary.

    If the entire infected file consists only of the virus itself, it's deleted automatically.
     
  5. Roman Rashevskiy

    Roman Rashevskiy Former Poster

    Joined:
    Jan 17, 2010
    Posts:
    13
    Location:
    Russia
    I know what it is. I am a malware researcher. ;)
    But thank you for your help. :)

    I want to tell you that other vendors have implemented a special cure procedure in their products, and their products don't delete users' files but cure them, i.e. remove the "body" of the virus from legitimate files (user's files, system files etc.). But ESET's products just delete files with the virus, and that is very bad...
     
    Last edited: Feb 16, 2010
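The distinction Marcos draws above (back the original up to quarantine first; cure when a clean host remains; delete only when the whole file is the virus) and the cure procedure Roman describes (strip the viral body, keep the host) can be shown with a toy model. The following is an added example, not code from the original thread, from ESET or from any vendor's product; the appended-body layout, trailer, marker bytes, file names and quarantine naming are invented for illustration and are not the real Sality file format.

```python
import hashlib
import shutil
import tempfile
from pathlib import Path

# Constructed toy layout (hypothetical, NOT the real Sality format):
#   <original host bytes> <VIRUS_BODY> <TRAILER_MAGIC> <host length, 4 bytes LE>
# A real appender keeps something like the host length so it can hand
# control back to the host after the viral code runs; that is what makes
# a cure (rather than a delete) possible.
VIRUS_BODY = b"\xeb\xfe" + b"TOYVIRUS" * 8
TRAILER_MAGIC = b"TVIR"
TRAILER_LEN = len(TRAILER_MAGIC) + 4


def infect(host: bytes) -> bytes:
    """Produce an 'infected' file from a host (empty host = pure dropper)."""
    return host + VIRUS_BODY + TRAILER_MAGIC + len(host).to_bytes(4, "little")


def classify(data: bytes) -> tuple[str, int]:
    """Return ('clean' | 'infected_host' | 'virus_only', host_length)."""
    if len(data) < len(VIRUS_BODY) + TRAILER_LEN or data[-TRAILER_LEN:-4] != TRAILER_MAGIC:
        return "clean", len(data)
    host_len = int.from_bytes(data[-4:], "little")
    expected_len = host_len + len(VIRUS_BODY) + TRAILER_LEN
    if len(data) != expected_len or data[host_len:host_len + len(VIRUS_BODY)] != VIRUS_BODY:
        return "clean", len(data)  # trailer-like bytes but no body: not this infection
    return ("virus_only" if host_len == 0 else "infected_host"), host_len


def quarantine(path: Path, qdir: Path) -> Path:
    """Copy the untouched file into quarantine under its SHA-256 before any change."""
    digest = hashlib.sha256(path.read_bytes()).hexdigest()
    dest = qdir / f"{digest}.bak"
    shutil.copy2(path, dest)
    return dest


def disinfect(path: Path, qdir: Path) -> str:
    """Decide per file: 'skipped' (clean), 'cured' (host kept) or 'deleted' (virus only)."""
    data = path.read_bytes()
    verdict, host_len = classify(data)
    if verdict == "clean":
        return "skipped"
    quarantine(path, qdir)                 # original always backed up first
    if verdict == "virus_only":
        path.unlink()                      # nothing of the user's to keep
        return "deleted"
    path.write_bytes(data[:host_len])      # cure: strip the body, keep the host
    return "cured"


def restore(backup: Path, dest: Path) -> None:
    """Bring a quarantined original back, e.g. for analysis or if the cure was wrong."""
    shutil.copy2(backup, dest)


def demo() -> dict:
    """Run the three cases on constructed files in a temp dir and report what happened."""
    work = Path(tempfile.mkdtemp())
    qdir = work / "quarantine"
    qdir.mkdir()
    host = b"MZ" + b"important user document\n" * 20   # constructed host content
    cases = {
        "doc.exe": infect(host),          # host + appended body: should be cured
        "dropper.exe": infect(b""),       # body only: should be deleted
        "clean.txt": b"nothing to see here\n",
    }
    for name, content in cases.items():
        (work / name).write_bytes(content)
    results = {name: disinfect(work / name, qdir) for name in cases}
    results["doc_equals_host"] = (work / "doc.exe").read_bytes() == host
    results["dropper_exists"] = (work / "dropper.exe").exists()
    results["backups"] = len(list(qdir.glob("*.bak")))
    backup = qdir / (hashlib.sha256(cases["doc.exe"]).hexdigest() + ".bak")
    restore(backup, work / "doc.exe.infected")
    results["restored_matches"] = (work / "doc.exe.infected").read_bytes() == cases["doc.exe"]
    shutil.rmtree(work)
    return results


if __name__ == "__main__":
    print(demo())
```

The point of the toy is the ordering and the three-way decision, not the byte layout: the backup goes to quarantine before the file is touched, a file that still carries a host is truncated back to that host rather than removed, and only a file with no host at all is deleted. A real product needs the format-specific knowledge of where the host ends (and, for an entry-point-modifying infector, how to put the original entry point back), which is exactly the per-family cure routine being discussed.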
  6. Roman Rashevskiy

    Roman Rashevskiy Former Poster

    Joined:
    Jan 17, 2010
    Posts:
    13
    Location:
    Russia
    Yes, you understand me. :)

    But ESET's products deleted files which can be cleaned (other products can clean these files, and these files do not consist only of the virus "body").

    But users' files do not consist only of the virus "body"; they contain some important user information.


    P.S. If you don't mind, I would like to discuss this problem with you via personal messages or Skype. :)
     
    Last edited: Feb 16, 2010
  7. nikanthpromod

    nikanthpromod Registered Member

    Joined:
    Oct 9, 2009
    Posts:
    1,369
    Location:
    India
    Discuss here. That will help us too ;)
     
  8. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,456
    Are you saying that a backup copy of the original file was not put in quarantine before cleaning (deletion) took place?


    Are you saying that these files were deleted automatically in standard cleaning mode (default setting) and you were not prompted for an action at all?

    Could you submit the files to ESET as I instructed you before, so that we can take a look at them to see whether they actually also contain usable code (the previously clean file) and cleaning of the files actually fails? Even if cleaning was not possible for whatever reason, such files should not be deleted automatically by EAV / ESS.
     
  9. Roman Rashevskiy

    Roman Rashevskiy Former Poster

    Joined:
    Jan 17, 2010
    Posts:
    13
    Location:
    Russia
    No. ESET put backup copies of the files in the Quarantine module.

    On my computer I set "Advanced disinfection", and in this mode ESET deletes all files without asking me. But in standard mode ESET asks me, but I can choose only 2 actions in the dialog box: Delete and "Skip this file".

    Ok, no problem. :)
    How can I submit files?

    P.S. What can you say about curing TDL3?
    P.P.S. Every day I analyse a lot of malware samples which ESET's products do not detect, and submitting all these samples to ESET via the standard file submission form is very inconvenient for me. How can I submit files directly to the malware analysts?
     
  10. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,456
    Please submit a couple of files that cannot be cleaned to ESET per the instructions here, with this thread's URL in the subject.

    As for the TDL3 rootkit, we most likely detect it as Olmarik/Kryptik. I rarely see files that go undetected by all the protection layers ESET uses. However, if you come across one, feel free to submit it for perusal.
     
  11. Roman Rashevskiy

    Roman Rashevskiy Former Poster

    Joined:
    Jan 17, 2010
    Posts:
    13
    Location:
    Russia
    Ok.

    But ESET's products can't remove these threats from the computer if the computer was infected before ESET was installed. ;)
    By my question I meant: "When will ESET's products be able to remove an active TDL3 from the computer?"

    Ok. :)
     
  12. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,456
    In order to keep discussion on the thread subject and to allow others to participate in the ongoing discussion about the Olmarik/TDL3 rootkit, we've split the thread and created a new one dealing with Olmarik/TDL3. Please continue discussing it here.
     