ESS worries???

Discussion in 'ESET Smart Security v3 Beta Forum' started by nonouu7, May 1, 2007.

Thread Status:
Not open for further replies.
  1. nonouu7

    nonouu7 Registered Member

    Joined:
    Apr 18, 2007
    Posts:
    13
    Hello, I am using the ESS beta and the firewall is a bit buggy, which is normal, but the antivirus part should be working and stopping the bad guys.

    I update ESS every day in auto mode, so no problems there.
    Today I ran two programs, a-squared Free for spyware and AVG Anti-Spyware.
    I do this almost every week, so running these programs is nothing new for me.
    The thing which bothers me is that both programs found a major trojan in two files!!!
    I ran these two programs again in custom mode and singled out those two files, and it was a sure thing that it was those files and that trojan.
    I then ran a custom scan with ESS on those two files and ESS came back with 0 bad!!

    This is worrisome and I wonder if NOD needs to really do a makeover of its virus scanner; it should have found this.

    I like the program ESS but wonder if I will keep it. o_O


    Anyone?
     
  2. The Hammer

    The Hammer Registered Member

    Joined:
    May 12, 2005
    Posts:
    5,619
    Location:
    Toronto Canada
    Suggest you upload the files to Jotti's and VirusTotal.
     
  3. nonouu7

    nonouu7 Registered Member

    Joined:
    Apr 18, 2007
    Posts:
    13
    Here is one finished scan from Virus Total.

    Complete scanning result of "Vista_Wireless_Network_Helper.exe", received in VirusTotal at 05.02.2007, 03:02:25 (CET).

    Antivirus           Version          Update       Result
    AhnLab-V3           2007.4.30.1      04.30.2007   no virus found
    AntiVir             7.4.0.15         05.01.2007   no virus found
    Authentium          4.93.8           05.02.2007   no virus found
    Avast               4.7.997.0        05.01.2007   no virus found
    AVG                 7.5.0.467        05.01.2007   Generic2.KJD
    BitDefender         7.2              05.02.2007   no virus found
    CAT-QuickHeal       9.00             04.30.2007   no virus found
    ClamAV              devel-20070416   05.01.2007   no virus found
    DrWeb               4.33             05.01.2007   no virus found
    eSafe               7.0.15.0         05.01.2007   no virus found
    eTrust-Vet          30.7.3609        05.01.2007   no virus found
    Ewido               4.0              05.01.2007   Trojan.AddUser.o
    FileAdvisor         1                05.02.2007   no virus found
    Fortinet            2.85.0.0         05.01.2007   no virus found
    F-Prot              4.3.2.48         04.30.2007   no virus found
    F-Secure            6.70.13030.0     05.02.2007   no virus found
    Ikarus              T3.1.1.5         05.01.2007   Trojan.Win32.AddUser.o
    Kaspersky           4.0.2.24         05.02.2007   no virus found
    McAfee              5021             05.01.2007   no virus found
    Microsoft           1.2405           05.02.2007   no virus found
    NOD32v2             2233             05.01.2007   no virus found
    Norman              5.80.02          05.01.2007   no virus found
    Panda               9.0.0.4          05.01.2007   Suspicious file
    Prevx1              V2               05.02.2007   no virus found
    Sophos              4.17.0           05.01.2007   no virus found
    Sunbelt             2.2.907.0        05.01.2007   no virus found
    Symantec            10               05.02.2007   no virus found
    TheHacker           6.1.6.095        04.15.2007   no virus found
    VBA32               3.11.4           05.02.2007   Trojan.Win32.AddUser.o
    VirusBuster         4.3.7:9          05.01.2007   no virus found
    Webwasher-Gateway   6.0.1            05.01.2007   no virus found



    Here is Jotti's

    File: Vista_Wireless_Network_Helper.exe
    Status: INFECTED/MALWARE
    MD5: 40794b5e870e1e82b74373861738a959
    Packers detected: -
    Scan taken on 02 May 2007 01:09:28 (GMT)

    Scanner results
    A-Squared              Found Trojan.Win32.AddUser.o
    AntiVir                Found nothing
    ArcaVir                Found nothing
    Avast                  Found nothing
    AVG Antivirus          Found Generic2.KJD
    BitDefender            Found nothing
    ClamAV                 Found nothing
    Dr.Web                 Found nothing
    F-Prot Antivirus       Found nothing
    F-Secure Anti-Virus    Found nothing
    Fortinet               Found nothing
    Kaspersky Anti-Virus   Found nothing
    NOD32                  Found nothing
    Norman Virus Control   Found nothing
    Panda Antivirus        Found nothing
    Rising Antivirus       Found Backdoor.IRC.Zapchast.ago
    VirusBuster            Found nothing
    VBA32                  Found Trojan.Win32.AddUser.o


    Thanks
     
    Last edited: May 1, 2007
  4. The Hammer

    The Hammer Registered Member

    Joined:
    May 12, 2005
    Posts:
    5,619
    Location:
    Toronto Canada
    Just submit the file, a link to this thread, and a short description; if it is in a password-protected archive, the password also, to samples@eset.com

    Quoting HiTech boy here.
     
  5. BlueZannetti

    BlueZannetti Administrator

    Joined:
    Oct 19, 2003
    Posts:
    6,590
    As The Hammer mentioned, submit the samples.

    However, looking at the detections listed, I would have a strong suspicion of a potential false positive due to a touchy detection, based on the short profile of those signaling positive and the fact that the AVG detection is generic. I don't have any background with Ikarus or VBA, so I can't comment, but this is one case where I'd take a close look at the files signaled, their pedigree and age on the system, and other symptoms that may be present, and use that info to make a preliminary assessment. On the whole, I'd be cautious before assuming a correct detection.

    Blue
     
  6. flyrfan111

    flyrfan111 Registered Member

    Joined:
    Jun 1, 2004
    Posts:
    1,224
    I agree, Kaspersky doesn't detect it and neither do NOD, Dr. Web or F-Prot's heuristics. I would venture a guess of a false positive. Not that they are all perfect, but in my experience if not ONE of those detects something, it usually is a false positive. There is some serious research going on among those four companies; chances are one of them would be on top of things and have a definition or at least a heuristic hit.
     
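    The triage that BlueZannetti and flyrfan111 describe above (how many engines fire, whether the names are generic or specific, whether the strong engines are silent) can be run mechanically over a VirusTotal-style result table. The script below is an added example written for this thread, not code from ESET, VirusTotal or any poster. It parses the plain "Engine Version Update Result" rows as VirusTotal printed them in 2007, using 20 of the 31 rows posted above as its embedded sample, and applies the heuristic. The reference-engine set, the generic-name pattern, the type/platform token list and the 0.3 consensus threshold are assumptions of the example, not anything the scanners define.

```python
import re
from collections import Counter
from typing import Optional

# Constructed sample input: 20 of the 31 rows from the VirusTotal report posted
# in this thread for Vista_Wireless_Network_Helper.exe, one
# "Engine Version Update Result" row per line.
VT_REPORT = """\
AhnLab-V3 2007.4.30.1 04.30.2007 no virus found
AntiVir 7.4.0.15 05.01.2007 no virus found
Avast 4.7.997.0 05.01.2007 no virus found
AVG 7.5.0.467 05.01.2007 Generic2.KJD
BitDefender 7.2 05.02.2007 no virus found
ClamAV devel-20070416 05.01.2007 no virus found
DrWeb 4.33 05.01.2007 no virus found
Ewido 4.0 05.01.2007 Trojan.AddUser.o
F-Prot 4.3.2.48 04.30.2007 no virus found
F-Secure 6.70.13030.0 05.02.2007 no virus found
Ikarus T3.1.1.5 05.01.2007 Trojan.Win32.AddUser.o
Kaspersky 4.0.2.24 05.02.2007 no virus found
McAfee 5021 05.01.2007 no virus found
Microsoft 1.2405 05.02.2007 no virus found
NOD32v2 2233 05.01.2007 no virus found
Norman 5.80.02 05.01.2007 no virus found
Panda 9.0.0.4 05.01.2007 Suspicious file
Sophos 4.17.0 05.01.2007 no virus found
Symantec 10 05.02.2007 no virus found
VBA32 3.11.4 05.02.2007 Trojan.Win32.AddUser.o
"""

# Assumption of this example: the engines flyrfan111 treats as a reference set,
# spelled as VirusTotal names them in the table above.
REFERENCE_ENGINES = {"Kaspersky", "NOD32v2", "DrWeb", "F-Prot"}

# Detection names that identify no specific family and therefore carry little weight.
GENERIC_RE = re.compile(r"generic|suspicious|heur", re.IGNORECASE)

# Tokens that describe type or platform rather than family (example list, not a standard).
TYPE_TOKENS = {"trojan", "backdoor", "worm", "virus", "win32", "w32", "irc"}

# Example threshold: below this fraction of engines a detection counts as low consensus.
LOW_RATIO = 0.3


def parse_report(text: str) -> list:
    """Split each row into engine, version, update date and result (result may contain spaces)."""
    rows = []
    for line in text.splitlines():
        parts = line.split(None, 3)
        if len(parts) == 4:
            rows.append(dict(zip(("engine", "version", "update", "result"), parts)))
    return rows


def is_detection(result: str) -> bool:
    return result.strip().lower() != "no virus found"


def family_name(result: str) -> Optional[str]:
    """Rough family extraction: drop type/platform tokens and keep the first remaining one.
    'Trojan.Win32.AddUser.o' -> 'AddUser', 'Backdoor.IRC.Zapchast.ago' -> 'Zapchast'."""
    tokens = [t for t in result.split(".") if t.lower() not in TYPE_TOKENS]
    return tokens[0] if tokens else None


def triage(rows: list) -> dict:
    """Apply the thread's heuristic: count hits, separate generic from named detections,
    check the reference engines, and see whether named detections agree on one family."""
    hits = [r for r in rows if is_detection(r["result"])]
    generic = [r["engine"] for r in hits if GENERIC_RE.search(r["result"])]
    named = [r for r in hits if r["engine"] not in generic]
    families = Counter(family_name(r["result"]) for r in named)
    reference_hits = [r["engine"] for r in hits if r["engine"] in REFERENCE_ENGINES]
    ratio = len(hits) / len(rows) if rows else 0.0

    if reference_hits:
        verdict = "treat as malicious: a reference engine detects it"
    elif ratio < LOW_RATIO:
        verdict = "lean false positive: low consensus and no reference-engine hit, submit sample"
    else:
        verdict = "inconclusive: submit sample before acting"

    return {
        "hits": [r["engine"] for r in hits],
        "generic": generic,
        "families": dict(families),
        "reference_hits": reference_hits,
        "ratio": round(ratio, 3),
        "verdict": verdict,
    }


if __name__ == "__main__":
    for key, value in triage(parse_report(VT_REPORT)).items():
        print(f"{key}: {value}")
```

    On the sample rows the script reports five hits out of twenty, two of them generic (AVG, Panda), no reference-engine hit, and three named detections that all reduce to the AddUser family. That last figure is the counter-signal The Hammer raises later in the thread: the verdict stays "submit sample" rather than "delete", and the Jotti MD5 above is the value to compare against a local hash before trusting that the same file was scanned.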
  7. The Hammer

    The Hammer Registered Member

    Joined:
    May 12, 2005
    Posts:
    5,619
    Location:
    Toronto Canada
    I suspected a false positive from the beginning; that's why I suggested Jotti's and VirusTotal. Still, it hasn't been proven to be one. Panda also found the file to be suspicious. It's been said on the forum before by AV experts that sometimes the worst AV will detect something legitimate that the best miss.
     
    Last edited: May 2, 2007
  8. nonouu7

    nonouu7 Registered Member

    Joined:
    Apr 18, 2007
    Posts:
    13
    So it could be a false positive. o_O
    Who knows, I was just being careful...
     
  9. The Hammer

    The Hammer Registered Member

    Joined:
    May 12, 2005
    Posts:
    5,619
    Location:
    Toronto Canada
    Always a good position to take. The usual knee-jerk reaction is to immediately delete.
     
  10. nonouu7

    nonouu7 Registered Member

    Joined:
    Apr 18, 2007
    Posts:
    13
    I did a good delete of it and also sent a sample to ESET.

    Does anyone know when the next upgrade is of the Beta?

    Thanks
     
  11. ASpace

    ASpace Guest

    Soon :)
     