Eset take their time adding new malware

Discussion in 'NOD32 version 2 Forum' started by muf, Dec 22, 2004.

Thread Status:
Not open for further replies.
  1. muf

    muf Registered Member

    Joined:
    Dec 30, 2003
    Posts:
    926
    Location:
    Manchester, England
    I sent a sample trojan to many AV/AT vendors, in fact these:

    <newvirus@kaspersky.com>; <submit@diamondcs.com.au>; <heuristik@antivir.de>; <virus_research@nai.com>; <submit@misec.net>; <virus_submission@bitdefender.com>; <research@lavasoft.de>; <virus_doctor@trendmicro.com>; <esafe.virus@eAladdin.com>; <virus@asw.cz>; <cat@vsnl.com>; <virus_submission@centralcommand.com>; <virus@commandcom.com>; <virus@cai.com>; <ipevirus@vet.com.au>; <Antivir@dials.ru>; <samples@nod32.com>; <viruslab@complex.is>; <samples@f-secure.com>; <submit@finjan.com>; <virus@grisoft.cz>; <hauri98@hauri.co.kr>; "Analysis" <Analysis@norman.no>; <virussamples@pandasoftware.com>; <virsample@pspl.com>; <support@sophos.com>; <avsubmit@symantec.com>; <submit@emsisoft.com>; <submit@ewido.net>

    I sent this on 27th November 2004. I re-sent it on 18th December 2004. It's still not detected by nod32. My current nod32 signature database is 1.957. This is not exactly what i'd call quick. I hope this is not a reflection on their usual response time. As a new registered user of nod32 i find this an example of poor support. Why is it taking so long?

    Here's a piccy of a scan over at Jotti's showing it is detected by other AV's.

    muf
     


  2. redwolfe_98

    redwolfe_98 Registered Member

    Joined:
    Feb 14, 2002
    Posts:
    581
    Location:
    South Carolina, USA
    muf, can you send me the sample-file? my email address is redwolfe_98 at yahoo dot com.. you can zip the file, and password-protect it so that the attachment will not be filtered.. you can include the password for the zipped file in the message-body of the email..

    here is the only writeup for "favadd" that i could find..

    http://securityresponse.symantec.com/avcenter/venc/data/trojan.favadd.html

    thanks..
     
  3. mufster

    mufster Guest

    Redwolfe_98,

    Sorry, no can do.

    I don't have a disposable e-mail address, and i'm not taking the chance on having mine added to your address book. You know if you ever get infected then i could be sent an infected e-mail if i'm in your address book. I'm paranoid like that.

    Don't know if you have access to the malware forum at BBR but it's there to download if you do. http://www.broadbandreports.com/forum/malware You should see the thread towards the bottom of the page.


    Sorry, this is the best i can offer. I don't give out my e-mail address to anyone other than websites i've registered to. Don't take offence. This is the answer i give everyone. Being paranoid helps keep me clean...

    muf
     
  4. muf

    muf Registered Member

    Joined:
    Dec 30, 2003
    Posts:
    926
    Location:
    Manchester, England
    Well they still haven't added this. It's now a month since i sent it. I mean AVG free detected this about 3 weeks ago. This is embarrassing, it really is. I mean they haven't even sent me an e-mail to acknowledge they are looking at it, or have any intention of adding it.

    You know, as good as nod32 is? The support is shite.

    muf
     
  5. Blackspear

    Blackspear Global Moderator

    Joined:
    Dec 2, 2002
    Posts:
    15,115
    Location:
    Gold Coast, Queensland, Australia
    I have sent an Email to Eset asking for someone to respond to this thread.

    Cheers.

    Blackspear.
     
  6. Atangel

    Atangel Registered Member

    Joined:
    Aug 29, 2004
    Posts:
    53
    I've noticed the same thing. Sent out to all the same e-mail addresses. Two files. Some have chosen to recognize the malware trojan droppers (according to KAV, now ID'd as Trojan-Downloader.Win32.Envolo.a and Envolo.b trojan adware might be a better explanation)

    And I think it happened once before. Sent out a spybot version to everybody (and it was of interest to many) but NOD's response was a week or two updates away (it was eventually recognized)

    Anyway, I think it must be something of a "territory issue." What belongs to the AVs, what belongs to the ATs and what belongs to spyware guys (my own HO aside that it belongs to AV and AT vendors).

    NOD's a great scanner and AV, but it is only as good as the defs. I hope they focus on that as well. Just checked again with 1.959. No go.

    I guess if we understood better why some go in immediately, why some are delayed, and why others won't, that would help. It is an expectation issue.

    Edit: Thanks Blackspear. Dang, if I had only not bothered to re-read it.... :)
     
  7. ronjor

    ronjor Global Moderator

    Joined:
    Jul 21, 2003
    Posts:
    57,797
    Location:
    Texas
  8. phasechange

    phasechange Registered Member

    Joined:
    Aug 10, 2004
    Posts:
    359
    Location:
    Edinburgh
    It all makes sense once you read ESET's response on the other thread :)
     
  9. muf

    muf Registered Member

    Joined:
    Dec 30, 2003
    Posts:
    926
    Location:
    Manchester, England
    Ok fair enough. They are selective with what they add to the database. The malware sample i sent them was also added to BOClean, TrojanHunter, TDS3 and A2. Do they know something that Eset don't? I mean i know that nod32 specialises in viruses, but doesn't it also pride itself in how well it detects trojans as well these days?

    It's all very confusing. o_O o_O o_O

    muf
     
  10. Blackspear

    Blackspear Global Moderator

    Joined:
    Dec 2, 2002
    Posts:
    15,115
    Location:
    Gold Coast, Queensland, Australia
    Let's wait and see what Eset have to say about this ;) :D

    Cheers :D
     
  11. iwod

    iwod Registered Member

    Joined:
    Jun 25, 2004
    Posts:
    708
    Why don't they just make an extended DB like KAV?
     
  12. dvk01

    dvk01 Global Moderator

    Joined:
    Oct 9, 2003
    Posts:
    3,131
    Location:
    Loughton, Essex. UK
    I don't know why NOD are not detecting this one at the moment in its standard database, as with all the start page viruses/CWS hijackers prevention is better than cure

    ALL the start page viruses/trojans are adwares or spywares and I wonder whether they have put or are intending to put the detection in the "dangerous applications" add on bit of NOD (like KAV extended databases) rather than as a standard detection

    Edit:

    In their defence though I sent them 2 new agobot versions yesterday evening and they are in today's update

    I can only assume that NOD will only put in detections for items it knows it can fix as there is little point in detecting something if it can't be cured and most if not all antiviruses cannot cure the startpage viruses/trojans though they should be able to block the files in the first place from installing
     
    Last edited: Dec 29, 2004
  13. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,375
    NOD32 uses an extended database provided the Potentially dangerous applications option is enabled
     
  14. Stan999

    Stan999 Registered Member

    Joined:
    Sep 27, 2002
    Posts:
    566
    Location:
    Fort Worth, TX USA
    Would it be possible to add this to the AMON and HTTP scanner options?
     
  15. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,375
    It is, but currently only in the beta I'm testing and which cannot be given out yet because there are some issues that need to be fixed first.
     
  16. Stan999

    Stan999 Registered Member

    Joined:
    Sep 27, 2002
    Posts:
    566
    Location:
    Fort Worth, TX USA
    Hi Marcos,

    Thanks for the feedback! Good to hear that option will be included at a future date.
     
  17. muf

    muf Registered Member

    Joined:
    Dec 30, 2003
    Posts:
    926
    Location:
    Manchester, England
    Good news. At last nod32 now detects this nasty. I got an e-mail from eset saying that the file in question is not harmful without the relevant .exe file (which i don't have), but that they have added it all the same. Thanks everyone who contributed in this thread.

    muf
     


  18. Blackspear

    Blackspear Global Moderator

    Joined:
    Dec 2, 2002
    Posts:
    15,115
    Location:
    Gold Coast, Queensland, Australia
    Good to see Muf, and thanks for keeping us up to date.

    Cheers :D
     
  19. norky

    norky Registered Member

    Joined:
    May 1, 2004
    Posts:
    172
    Location:
    Lithia, FL

    The idea of not detecting something because it can't fix it is ludicrous. Even if it can't remove it, alerting you to the fact that you're infected will allow you to dl a program that can fix the problem.
     
  20. ChaosBlizzard

    ChaosBlizzard Registered Member

    Joined:
    Jan 6, 2005
    Posts:
    44
    Eset would be correct.. I have used Trojans before, for security testing... However, that short.dll file is an extension for the Trojan itself. It would contain add-ons for the main Trojan exe. It is completely harmless by itself. The BioNet Trojan on its later revisions had the same implementation. The sub7 Trojan also uses these dll add-ons.
     