Eset ignores virus submissions?

Discussion in 'NOD32 version 2 Forum' started by ElGordo, Oct 17, 2006.

Thread Status:
Not open for further replies.
  1. ElGordo

    ElGordo Registered Member

    Joined:
    Oct 17, 2006
    Posts:
    3
    About two weeks ago I found a malware installer while cleaning up a client's PC. Being a public-spirited person, I submitted it to every AV company I could think of.
    I also checked it with NOD32 on my personal machine. Horrified that nothing was detected, I quarantined the file and submitted it that way. Four days later the file still wasn't being detected as malicious, so I submitted it via email as per Eset's suggested method on their website on 13th and 15th October.
    It still isn't being detected. :mad:
     
  2. Blackspear

    Blackspear Global Moderator

    Joined:
    Dec 2, 2002
    Posts:
    15,115
    Location:
    Gold Coast, Queensland, Australia
    Hi ElGordo, welcome to Wilders.

    Viruses, trojans and other malware are added on a priority basis, and it has to be this way or you would have the analysts breaking their back over the odd single sample sent to them, instead of keeping focus on the spreading samples and adding the rest as they go...

    This is what Anton Zajac, head of Eset, had to say on the matter.

    Cheers :D
     
  3. ElGordo

    ElGordo Registered Member

    Joined:
    Oct 17, 2006
    Posts:
    3
    Thanks for your reply and the welcome :)
    I don't want to sound like a four-year-old having a tantrum because "my" virus isn't highest priority, but it does seem to be taking an inordinately long time to add to the definitions.
    Other AV companies seem to have added it in under 24 hours, that's all.
     
  4. Blackspear

    Blackspear Global Moderator

    Joined:
    Dec 2, 2002
    Posts:
    15,115
    Location:
    Gold Coast, Queensland, Australia
    I understand, and if I had an undetected piece of malware on my system I wouldn't be too happy either; however, Eset are receiving thousands of samples through Threatsense.net and analysis is completed strictly on a priority basis.

    Cheers :D
     
  5. ElGordo

    ElGordo Registered Member

    Joined:
    Oct 17, 2006
    Posts:
    3
    Understood. Thank you for your time. :cool:
     
  6. Blackspear

    Blackspear Global Moderator

    Joined:
    Dec 2, 2002
    Posts:
    15,115
    Location:
    Gold Coast, Queensland, Australia
    You are welcome.

    Cheers :D
     
  7. Firecat

    Firecat Registered Member

    Joined:
    Jan 2, 2005
    Posts:
    7,927
    Location:
    The land of no identity :D
    If a user is actually infected with the malware, then such priorities can lead to high customer dissatisfaction, potentially causing sales drops. As far as I know, analysing a sample and creating a signature is hardly the problem (takes about 5 minutes at best), but rather testing and modifying it for zero false positives and 100% detection is the difficult part. For that reason, it should be fairly simple to at least provide an analysis of what the infected file does to the system via email with disinfection instructions even if no signature is added due to the amount of time required for testing the signature. This way the customer can clean his/her PC and Eset does not have to spend extra time in testing and adding non-priority signatures.

    Just a thought. I hope I'm not speaking like a nut here. o_O
     
  8. Londonbeat

    Londonbeat Registered Member

    Joined:
    Sep 21, 2006
    Posts:
    350
    Eset seem to have a pretty strict (and good) policy of making signatures for submitted malware - I've submitted something and it's had a signature within 24 hours before. However, I found a trojan-downloader (I still have the sample zipped up) on my system and submitted it to Eset back in late August/early September via email several times. It has not been added yet, so I guess I am the only person to have come across it, or it was corrupted, although saying that, most other AVs I submitted it to have added it to their signatures.

    Regards
     
  9. Firecat

    Firecat Registered Member

    Joined:
    Jan 2, 2005
    Posts:
    7,927
    Location:
    The land of no identity :D
    There is another AV in the market which will not detect corrupted files (Dr.Web). If that vendor denies the sample, then you can be assured Eset will too. :)

    But still, I think Eset can provide at least a small analysis without wasting much workforce. :doubt:
     
  10. Londonbeat

    Londonbeat Registered Member

    Joined:
    Sep 21, 2006
    Posts:
    350
    Thanks, I didn't know that.

    Dr Web detects this as VBS.Psyme.217.

    Regards
     
  11. Brian N

    Brian N Registered Member

    Joined:
    Jul 7, 2005
    Posts:
    2,148
    Location:
    Denmark
    No they don't. Your old DOS files that pose no threat these days will get lower priority.
     
  12. Firecat

    Firecat Registered Member

    Joined:
    Jan 2, 2005
    Posts:
    7,927
    Location:
    The land of no identity :D
    VBS.Psyme is not a DOS virus. I've been infected by this once (very long time ago).
     
  13. Londonbeat

    Londonbeat Registered Member

    Joined:
    Sep 21, 2006
    Posts:
    350
    The sample I mentioned is a downloader that downloads a variant of Haxdoor, and was new as of August/September 2006.

    Regards
     
  14. pykko

    pykko Registered Member

    Joined:
    Apr 27, 2005
    Posts:
    2,236
    Location:
    Romania...and walking to heaven
    If that variant of Haxdoor being downloaded is detected, everything's fine I think. :)
    Maybe they'll anyway have an automatic reply system for samples submitted with the new web-based sample submission system. If you sent the file, maybe ESET hasn't received it.
     
  15. webyourbusiness

    webyourbusiness Registered Member

    Joined:
    Nov 16, 2004
    Posts:
    2,640
    Location:
    Throughout the USA and Canada
    I think in the middle of this, the question may have been answered...

    the "threat" is a trojan downloader right?

    the actual trojan was already detected - right again?

    New downloaders of existing threats must by their very definition take a lower priority than the threats they download, if the threat they download is detected by signature. The "threat" of the downloader itself is somewhat mitigated by the fact that there isn't much it can do to you if its payload program can't get past NOD32.

    Seems obvious when you think about it in those terms... at least to me....
     
  16. Londonbeat

    Londonbeat Registered Member

    Joined:
    Sep 21, 2006
    Posts:
    350
    I do not know if the trojan itself is detected, as my Internet Explorer security settings prevent the ActiveX content from running, therefore it doesn't even get the chance to try to download; however, I would be almost positive that it is detected given NOD's excellent Haxdoor detection.

    However, I only found out I had this on my system (this was a clean computer, not one used for any testing) by running a back-up online scan, and an inexperienced user may be put off or doubt the ability of nod32 if they run back-up scans and are told they are infected when they believe they are clean...

    I agree to an extent, but some people would argue that leaving malware on your system because it is currently harmless may be unwise. What if NOD32 was uninstalled or became defective? You would be unaware you have malware on your system that could be activated at any time...
     
  17. webyourbusiness

    webyourbusiness Registered Member

    Joined:
    Nov 16, 2004
    Posts:
    2,640
    Location:
    Throughout the USA and Canada
    I never said that trojan downloaders should be ignored, merely given much less priority if their "payload" is already handled.
     
  18. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,374
    Especially if they are VBS and can be easily modified without deep programming knowledge to evade detection. In such a case, it's much more important to detect the malicious file that is downloaded.
     
  19. Londonbeat

    Londonbeat Registered Member

    Joined:
    Sep 21, 2006
    Posts:
    350
    @ Firecat

    I don't think that file was corrupted after all as detection has been added in today's update 1969 - HTML/TrojanDownloader.Agent.AQ

    Regards,
    Londonbeat
     
  20. proactivelover

    proactivelover Registered Member

    Joined:
    Apr 7, 2006
    Posts:
    840
    Location:
    Near Wilders Forums
    I think Eset has a small staff (10 or 20 people) and Marcos is one of them.
     
  21. pykko

    pykko Registered Member

    Joined:
    Apr 27, 2005
    Posts:
    2,236
    Location:
    Romania...and walking to heaven
    I bet that too. ;) They've added that sample Londonbeat told us about because the av-comparatives.org test is near and they're adding old signatures.
     
    Last edited: Jan 10, 2007
  22. steve1955

    steve1955 Registered Member

    Joined:
    Feb 7, 2004
    Posts:
    1,384
    Location:
    Sunny(in my dreams)Manchester,England
    You're not suggesting they're just adding sigs to increase their detection rate in an upcoming test, are you?? After we've been told they are not that important for protection!!
     
  23. Brian N

    Brian N Registered Member

    Joined:
    Jul 7, 2005
    Posts:
    2,148
    Location:
    Denmark
    Old DOS sigs are added before the av-comparatives test.
    Why they test DOS detection is unknown to me, however, since they aren't a threat these days anyway.
     
  24. pykko

    pykko Registered Member

    Joined:
    Apr 27, 2005
    Posts:
    2,236
    Location:
    Romania...and walking to heaven
    They are not adding DOS viruses only (DOS are very few in their latest defs). They're adding exploits, trojans, BAT, JS, and other old viruses they haven't added till now.

    And it's obvious they're adding them to have higher detection rates in the test. :rolleyes:
     
  25. steve1955

    steve1955 Registered Member

    Joined:
    Feb 7, 2004
    Posts:
    1,384
    Location:
    Sunny(in my dreams)Manchester,England
    I think all AV vendors probably add sigs when they know a test is due, solely to improve their detection rate for such tests. This is the main reason I feel tests should not run to a schedule but should be random AND unannounced beforehand.
     