hmm, this virus got through somehow

Discussion in 'NOD32 version 2 Forum' started by Arksun, Jul 16, 2006.

Thread Status:
Not open for further replies.
  1. Arksun

    Arksun Registered Member

    Joined:
    Jul 16, 2006
    Posts:
    13
    I'm a new NOD32 user, and my first impressions were great!

    Way less of a resource hog than Norton, nice and customizable, though I haven't really adjusted it from its default settings.

    Tonight I notice a background program running called 'winsecure.exe'.

    I look it up, and it's a worm!

    I let NOD32 do an In Depth Analysis and sure enough it detects it as a virus, then deletes the files from the hard drive.

    I reboot, notice there's this other background program called 'firewall.exe'

    Then this little pop-up window comes out of nowhere referring to it, and as it's just sitting there, without me clicking anything, I notice the winsecure.exe virus pops right back into memory, along with installing files on the hard drive.

    This time I delete both winsecure.exe AND firewall.exe from the background memory, and do a full scan.

    Then I go into msconfig, and disable loading of this 'firewall.exe' file and reboot.

    So I 'think' that's cleared the problem up.

    My question is, how the hell did either of these get past NOD32? Why didn't NOD32 even realise it was running in memory? Does NOD32 only ever check the memory when you click 'In Depth Analysis'?

    I'm really shocked this got past.

    Like I say, everything on install default settings, AMON, EMON, IMON etc all enabled.

    The only thing that isn't checked is 'Potentially Dangerous Applications'.

    Still, this is very worrying. It's also very worrying that even on the full scan, NOD32 did NOT recognise 'firewall.exe' as a threat even when it was still in memory and scanned right over it.

    If someone working for ESET is reading this, please take note.

    Should I enable 'Potentially Dangerous Applications' in the options too? I am on a network, so I don't want it to affect anything.

    Regards

    Laurence
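
The clean-up described in the post above (find the two processes, stop them, disable the startup entry, keep a copy for submission), as an added PowerShell example that is not from the thread, the poster, or ESET. It assumes a current PowerShell (Get-FileHash needs 4.0 or later), an elevated session so HKLM and other users' processes are visible, and that the persistence was through the standard Run/RunOnce registry keys that msconfig's Startup tab lists. The two file names are the ones from the post; the function names and everything else are assumptions.

```powershell
# Added example, not from the thread or from ESET. Assumes a modern PowerShell
# (Get-FileHash needs 4.0+) running elevated. The two names on the watch list are
# the ones from the post; the registry locations are the standard Run/RunOnce keys
# that msconfig's Startup tab reads. Function names are this example's own.
$Watch   = @('winsecure.exe', 'firewall.exe')
$RunKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)

# True when a startup command line mentions any watched image name (case-insensitive).
function Test-Watched([string]$Command) {
    foreach ($w in $Watch) { if ($Command -like "*$w*") { return $true } }
    return $false
}

# Every value under the Run/RunOnce keys, minus the PS* metadata properties that
# Get-ItemProperty attaches to its output.
function Get-AutorunEntries {
    foreach ($key in $RunKeys) {
        if (-not (Test-Path $key)) { continue }
        foreach ($p in (Get-ItemProperty -Path $key).PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }
            [pscustomobject]@{ Key = $key; Name = $p.Name; Command = [string]$p.Value }
        }
    }
}

# Running processes whose image name is on the watch list, with a SHA-256 of the image
# on disk so the sample can be identified when it is submitted for analysis.
function Get-WatchedProcesses {
    foreach ($proc in Get-Process) {
        if ($Watch -notcontains ($proc.ProcessName + '.exe')) { continue }
        $path = $proc.Path   # $null when the process cannot be opened
        [pscustomobject]@{
            Id     = $proc.Id
            Name   = $proc.ProcessName
            Path   = $path
            Sha256 = if ($path -and (Test-Path $path)) { (Get-FileHash -Algorithm SHA256 -Path $path).Hash } else { $null }
        }
    }
}

# 1. Startup entries that would relaunch either name on the next reboot.
$entries = Get-AutorunEntries | Where-Object { Test-Watched $_.Command }
$entries | Format-Table -AutoSize

# 2. What is live right now. Record the hashes before touching anything.
$hits = Get-WatchedProcesses
$hits | Format-Table -AutoSize

# 3. Stop firewall.exe before winsecure.exe: the post reports the former bringing the
#    latter back, so stopping it first avoids a re-fetch while you work.
foreach ($n in @('firewall', 'winsecure')) {
    $hits | Where-Object { $_.Name -eq $n } |
        ForEach-Object { Stop-Process -Id $_.Id -Force -ErrorAction SilentlyContinue }
}

# 4. Disable the autorun values. -WhatIf only reports; drop it once the output looks right.
#    Leave the files themselves on disk until a copy has been submitted for analysis.
foreach ($e in $entries) { Remove-ItemProperty -Path $e.Key -Name $e.Name -WhatIf }
```

The script only reads until step 3 and never deletes a file: the point of hashing and keeping the images is that an undetected sample (firewall.exe here) is only useful to the vendor if it still exists when you submit it. Run keys are one of several autostart locations; if neither key shows the entry, look at the Startup folders, services and scheduled tasks as well.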
     
  2. Blackspear

    Blackspear Global Moderator

    Joined:
    Dec 2, 2002
    Posts:
    15,115
    Location:
    Gold Coast, Queensland, Australia
    Hi Laurence, welcome to Wilders.

    Could you please check your settings against those found in THIS THREAD and then run a scan by clicking on the NOD32 Control Centre> NOD32> Run NOD32> Scan and Clean.

    Let us know how you go...

    Cheers :D
     
  3. Arksun

    Arksun Registered Member

    Joined:
    Jul 16, 2006
    Posts:
    13
    I did; that wasn't very helpful though, was it.

    I have mine set to prompt instead of clean so I get asked what I want it to do, in case it accidentally deletes something that shouldn't be.

    That, and the "Place a tick in 'Potentially dangerous applications'", which I left unchecked.

    My point still stands though: why didn't NOD32 at the very least detect or warn me of the winsecure.exe presence in memory? I only found out by chance, then did the in-depth scan.

    And again, the in-depth scan failed to detect the bad 'firewall.exe' memory-resident program (and failed to see it as a threat on the hard drive as a file).

    Isn't this a serious security risk?

    Does NOD32 only really detect and clean if auto-clean is ticked, instead of prompting? I just naturally assumed prompt meant prompt first, giving me the choice to clean at that point.

    Laurence
     
  4. Blackspear

    Blackspear Global Moderator

    Joined:
    Dec 2, 2002
    Posts:
    15,115
    Location:
    Gold Coast, Queensland, Australia
    If you followed the instructions found in that Tutorial and then ran a further scan it would resolve the problem. So helpful, yes if you follow the instructions.


    That’s why “Copy to Quarantine” is ticked in each step of the Tutorial.


    Bingo.


    Because as you said, you chose to leave PDA unticked.

    Blackspear.
     
  5. Arksun

    Arksun Registered Member

    Joined:
    Jul 16, 2006
    Posts:
    13
    Ok fair enough,

    Then a new question is: if not having "Potentially dangerous applications" checked allows not only high-risk viruses such as the well-documented 'winsecure.exe' to pass through unnoticed but to reside in memory unnoticed, why on earth isn't this checked by default?!?

    FTW. I just did a full in-depth scan with everything set to max, and it still hasn't recognised the firewall.exe file on my hard drive as a threat. I'm deleting it manually.

    Someone at NOD32 needs to be notified that this program (when residing in memory) causes the downloading of a winsecure.exe off the internet, which is high risk.

    I'd like to say I feel secure NOD32 is protecting me now but :/ hmmmm. Lets see how this pans out...


    Laurence
     
  6. Blackspear

    Blackspear Global Moderator

    Joined:
    Dec 2, 2002
    Posts:
    15,115
    Location:
    Gold Coast, Queensland, Australia
    It is not a virus, it is “Spyware”.


    Please submit that file for further analysis through “Threatsense”.


    See above.

    Blackspear.
     
  7. phasechange

    phasechange Registered Member

    Joined:
    Aug 10, 2004
    Posts:
    359
    Location:
    Edinburgh
    So Blackspear do you mean he was incorrectly referring to spyware as a virus or are you suggesting that "spyware" means that NOD32 shouldn't catch it?

    This is an interesting point... I would expect antivirus to tackle all malware types including spyware (I don't see keyloggers etc. as any less serious, and a similar problem to that of the virus). In fact, if a strict approach were taken, there isn't a lot of virus activity these days. However, worms, trojans, and spyware (which may be worms/trojans) are very active areas of threat development. Add to this the dropper worm/trojan enabling other malware to infect a machine and there is a heady mix of noxious code, all of which should be (IMHO) tackled by AV.

    What do you think should be the scope of AV?

    NOD32 on their website talk about protecting against malware.

    Fairy
     
  8. covaro

    covaro Registered Member

    Joined:
    Jul 4, 2006
    Posts:
    149
    Location:
    Abingdon, MD, USA
    What Blackspear is saying is that there is adware/spyware that will not be detected by NOD32 unless "Potentially Dangerous Apps" is checked. And if you look up information on winsecure.exe it shows up clearly as adware (hence why it is not detected with PDA off), which is why Blackspear is correct in saying that unless you know what you are doing and understand the consequences, you should have the PDA box checked off.

    -Cov
     
  9. alglove

    alglove Registered Member

    Joined:
    Jan 17, 2005
    Posts:
    904
    Location:
    Houston, Texas, USA
    Eh? I was always under the impression that "Adware/Spyware/Riskware" is a totally separate category from "Potentially Dangerous Application". o_O

    My personal opinion is that the winsecure.exe program is not the same piece of adware that everybody thinks it is. Can you give us the exact name given by NOD32 when it detected it as a Potentially Dangerous Application?

    I believe that firewall.exe is an unknown virus/downloader/trojan/whatever that manages to evade NOD32's detection. As Blackspear said, you should submit a copy of this file through the Quarantine --> Submit For Analysis feature, so Eset may analyze it and add detection for it. Add a link to this thread in the Comment field, so they may refer to it.

    By the way, checking "Potentially Dangerous Applications" in the AMON and IMON setups should at least stop the winsecure.exe from making it back onto the computer, without you having to do an In-Depth scan.
     
  11. biggerbyte

    biggerbyte Registered Member

    Joined:
    Feb 5, 2006
    Posts:
    53
    I think the point the creator of this thread is trying to make is the fact that some of the settings that are not turned on by default should be. Many people who download NOD32 have never heard of this forum, much less visited it. The default settings leave the end user at risk. Sometimes these people do not even know they have a problem until it is too late. Why does ESET create the ability to catch such nasties and then have this ability turned OFF? That makes no sense. This poster has a VERY valid point.


    It is my concern that NOD32 is so much faster than all the rest because of the fact that these things are switched off. Turn them on and leave them on and watch how much slower NOD32 is at scanning stuff. The others simply have these options turned on in real time.

    NOD32 is my favorite out of all of them for many reasons. However, we have to face the facts with all software.

    Good luck in the future to the poster of this thread.
     
  12. kjempen

    kjempen Registered Member

    Joined:
    May 6, 2004
    Posts:
    379
    There are already multiple posts here in the forum regarding confusion around Potentially dangerous applications being detected as a "virus" by NOD32. Everyone immediately thinks it's a warning about a virus when they see the red NOD32 warning flashed on the screen, without even considering that there might be different types of malware, or even just a warning about tools that can be used by malware. And then they start complaining about either the software, or that NOD32 is giving a false positive (which it actually isn't).

    Much of today's security software or advanced recovery/tweaking tools can fall under the "Potentially dangerous applications" category, which again can lead to a high number of warnings if everyone's antivirus were set to detect these. Most antiviruses clearly state in the name-descriptions of the detection what it is really being classified as: "Win32/Tool... application" (or something along those lines). And usually people don't read this, and if they did, they don't always know what to do with the detection. It can happen that they accidentally delete software they might need (e.g. password recovery tools, which are also used in combination with trojans and worms), because of their antivirus detecting it. There is no clear rule for it always being ignored or always being deleted/disinfected. Therefore, I agree in a way with ESET's choice of this being an optional detection.

    Only an "advanced" user will know what to do about the warning, and only an "advanced" user would be messing around with the NOD32 settings... Meaning, the "Potentially dangerous applications" detection is optional and for "advanced" users only.
     
  13. NOD32 user

    NOD32 user Registered Member

    Joined:
    Jan 23, 2005
    Posts:
    1,766
    Location:
    Australia
    Wouldn't a non-advanced user not normally have any PDA on their PC as a function of them being a non-advanced user, and therefore want to know if some had got on there somehow?

    Cheers :)
     
  14. kjempen

    kjempen Registered Member

    Joined:
    May 6, 2004
    Posts:
    379
    A bit off-topic, but you don't have to be a very advanced user to install a "Potentially dangerous application"; it's enough to install/run the Windows XP cd-key recovery tool, or certain spyware clean-up tools (for those who can't do it manually), or tools that patch the tcpip.sys file to open more concurrent connections (useful for those filesharing applications). There are already multiple threads/posts/complaints about these detections in the forum, so apparently the "advanced" users don't really know what to do with these detections.
     
  15. NOD32 user

    NOD32 user Registered Member

    Joined:
    Jan 23, 2005
    Posts:
    1,766
    Location:
    Australia
    Sorry for being a bit off topic; just thought your post was worth replying to.
    Why would a non-advanced user be using something to patch TCP/IP etc. unless they're learning to be a more advanced user, in which case isn't reading and learning an appropriate response, part of that learning process?
    Isn't PDA detection off in NOD32 by default and optional anyhow?

    IMO it is essential for a non-advanced user to be alerted to PDAs, at which time (or later) they can make a decision as to what response, if any, they wish to make. I would prefer if it were on by default but realise there are many reasons it is not...
     
    Last edited: Jul 19, 2006