How can I send a sample?

Discussion in 'NOD32 version 2 Forum' started by sard, Apr 18, 2004.

Thread Status:
Not open for further replies.
  1. sard

    sard Registered Member

    Joined:
    Apr 18, 2004
    Posts:
    175
    Location:
    UK
    Hello

    I've just installed the Demo for Perimeter from http://www.3dgamers.com/dl/games/perimeter/perimeterdemo.exe.html and NOD 32 claims a file called protect.dll is an unknown virus.

    There doesn't seem to be a built-in function to send the suspected virus, despite the help saying "When Nod32 detects a virus, it offers several actions. One of them is the "Export the file" button." I can't seem to find this button.

    Shall I email the NQI and NQF files from the C:\Program Files\ESET\infected folder?

    Thanks
     
  2. Paul Wilders

    Paul Wilders Administrator

    Joined:
    Jul 1, 2001
    Posts:
    12,472
    Location:
    The Netherlands
  3. sard

    sard Registered Member

    Joined:
    Apr 18, 2004
    Posts:
    175
    Location:
    UK
  4. rodzilla

    rodzilla Registered Member

    Joined:
    Jun 15, 2002
    Posts:
    653
    Location:
    australia
    Your protect.dll might be part of a popular shareware anti-crack system. If so, it may be a legitimate file ... but because it pulls defensive tricks often used by virus coders to protect their little creations, NOD32's heuristics may think it's malicious.

    Try sending a zipped sample to samples@eset.com ... your first one might have gone astray in the mail or, if not zipped, might have been killed by NOD32 on arrival.
     
  5. sard

    sard Registered Member

    Joined:
    Apr 18, 2004
    Posts:
    175
    Location:
    UK
    Thanks for the reply.

    Sounds about right.

    I sent the sample in a RAR archive, but I thought NOD32 could scan inside archives so how does zipping it help? Do I need to submit it in a password protected archive to bypass their scanner which is deleting viruses from the virus sample inbox? o_O

    Sounds like the sample submission process needs to be built into the virus scanner, like it was with my old copy of PC-cillin, so samples don't go astray and get blocked.
     
  6. Mele20

    Mele20 Former Poster

    Joined:
    Apr 29, 2002
    Posts:
    2,495
    Location:
    Hilo, Hawaii
    I agree completely that the submission process needs to be built into the virus scanner! Submission should be from quarantine. Every other av I have used does it this way. I'm surprised that Eset hasn't fixed this as this antiquated submission system with the wrong address in the NOD32 help file certainly doesn't help Eset get samples fast. Of course, I suppose Eset is depending on adv. heuristics to make it unnecessary for a signature to be put out quickly, but I'm not very comfortable with that even though I realize NOD's adv. heuristics are the best. I also think a sticky should be put at the top of this forum telling everyone where to submit and how to do it. I'm getting tired of seeing Paul's response on this. :)

    Further, I hope this is not overstepping bounds here, but you might think of coming over to dslreports and using our submission process which, with one click, will submit the sample to all av vendors simultaneously (Submit Suspect Malware at top of dslr security forum). And yes, you should always password protect the zipped malware sample. (The idea of submitting to all vendors together is because we feel that av vendors should be fully cooperating on getting out signatures as fast as possible and competing only on other aspects of individual avs).
     
  7. DiGi

    DiGi Registered Member

    Joined:
    Jul 24, 2003
    Posts:
    114
    Location:
    in the middle of nowhere
    I also sent this dll to eset a few days before... :D

    Just simply add that dll to the AMON exclusions and the game will work fine...
    (btw: ugly bad bad game, they defeat me each time! grr :D)

    But - I can see that the heuristics do their own job... ;)
    Another trouble is with the protection in Total Commander :( 1 sec start vs. over 6 secs when AMON is active... Same in the NOD32 scanner...

    I don't know why Ghisler has some stupid protections - when there is a GENERIC keycrack that works from 5.x up to the latest version (6.03a).
     