Does NOD32 Detect JPEG virus?

Discussion in 'NOD32 version 2 Forum' started by profhsg, Mar 9, 2005.

Thread Status:
Not open for further replies.
  1. profhsg

    profhsg Registered Member

    Joined:
    May 18, 2004
    Posts:
    145
    Over at the DSL Broadband Security forum they have a thread which indicates that 22 out of 23 antivirus programs were unable to detect the jpeg based virus discovered 6 months ago. NOD32 was among those that missed the virus. In response a number of contributors to that forum posted images indicating that their antivirus now detected the threat. NOD32 was not among those either.

    Does NOD32 detect that threat? If it doesn't shouldn't it? If it does shouldn't somebody respond so that NOD32 doesn't get a "bad rap?"

    Here is a link to the thread on the other forum:

    http://www.dslreports.com/forum/remark,12840825~mode=flat~days=9999
     
  2. JimIT

    JimIT Registered Member

    Joined:
    Jan 22, 2003
    Posts:
    1,035
    Location:
    Denton, Texas
    There is some debate over whether AV's should detect this particular piece of code. The author has stated that it isn't malicious code or viral, and does not compromise a system. (I quoted the author on this in the thread you reference, and my post has pretty much been ignored.) It appears to be more of a POC or "test" than anything else.

    I'm sure it will be detected by all AV's pretty soon--just to quiet the "hysteria", but as of right now the code referenced is about as "harmful" as an eicar test file. ;)
     
  3. MAL11

    MAL11 Guest

    I just downloaded that test file and right away, even before I could save it, IMON detected the zip file as Win32/Exploit.Roxo.A trojan. I let it download anyway and extracted the jpg, then scanned it, and again it detected Win32/Exploit.Roxo.A in the jpeg file... so it appears that NOD32 DOES in fact detect this "exploit"/code.

    Keep up the good work Eset :)
    Marc.
     
  4. nameless

    nameless Registered Member

    Joined:
    Feb 23, 2003
    Posts:
    1,184
    Same here. Would have been nice for the "Delete" button to be enabled, though! What's that all about? "Yeah, there's a trojan... I think I'll just 'leave' it."
     
  5. NAMOR

    NAMOR Registered Member

    Joined:
    May 19, 2004
    Posts:
    1,526
    Location:
    Arkham Asylum
  6. nameless

    nameless Registered Member

    Joined:
    Feb 23, 2003
    Posts:
    1,184
    Not here. IMON presented the dialog you see above. My only option was to "Leave" it.

    Since I don't have two hours per day to devote to NOD32 beta testing, I use the default IMON setting, which is to use compatibility mode exclusively--hence, IMON does not stop it "dead in it's tracks before you DL it" [sic].

    And my point is that I don't want to have to unzip it and run a scan. (Actually, you can just scan the ZIP directly.) Why should I have to? If I am downloading a trojan, let me delete it, now!
     
  7. NAMOR

    NAMOR Registered Member

    Joined:
    May 19, 2004
    Posts:
    1,526
    Location:
    Arkham Asylum
  8. BourgePD

    BourgePD Registered Member

    Joined:
    Sep 5, 2004
    Posts:
    75
    When I attempted to dl the *.zip, IMON detected the trojan and terminated the connection. No possibility of infection. :D
     
  9. nameless

    nameless Registered Member

    Joined:
    Feb 23, 2003
    Posts:
    1,184
    Wow, you found the "HTTP" tab under IMON Setup. Congratulations.
     
  10. NAMOR

    NAMOR Registered Member

    Joined:
    May 19, 2004
    Posts:
    1,526
    Location:
    Arkham Asylum
    Maybe I missed something. What does the HTTP tab have to do with it? I haven't changed any setting under that tab. Only changed settings under the Misc tab.
     
    Last edited: Mar 10, 2005
  11. nameless

    nameless Registered Member

    Joined:
    Feb 23, 2003
    Posts:
    1,184
    You can have the download automatically denied on the HTTP tab.

    But regarding my original post... Mea culpa. It wasn't IMON at all that caught the trojan; it was the post-download scan that GetRight passed to nod32.exe. You have to use compatibility mode with download managers.
     
  12. BourgePD

    BourgePD Registered Member

    Joined:
    Sep 5, 2004
    Posts:
    75
    Heh. Not as if NOD is difficult to use... :rolleyes:
     
  13. NAMOR

    NAMOR Registered Member

    Joined:
    May 19, 2004
    Posts:
    1,526
    Location:
    Arkham Asylum
    Gotcha now I see what you mean. Never used a DL manager before, so I can't comment on it.
     
  14. FanJ

    FanJ Guest

  15. MAL111

    MAL111 Guest

    I have everything set up in the compatibility for HTTP to higher compatibility; all that's changed is the deep heuristics etc. etc.... still detected for me...

    Marc.
     
  16. NAMOR

    NAMOR Registered Member

    Joined:
    May 19, 2004
    Posts:
    1,526
    Location:
    Arkham Asylum
    I think the problem is that he is using a download manager? Maybe because the DL manager downloads files in chunks as separate downloads?
     