How does the firewall and AV work together?

Today (overnight) Nod32 found 2 suspected trojans amongst some java files

C:\Users\xxx\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\29\61a815d-56e1199e » ZIP » vmain.class - probably a variant of Java/Agent.BR trojan - was a part of the deleted object

C:\Users\xxx\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\52\640f9e74-3e5d8961 » ZIP » vmain.class - a variant of Java/Agent.BR trojan - was a part of the deleted object

Firstly, I thought Nod32 offered realtime protection, how did they get there?

Secondly, if these are genuinely trojans and not false positives, would the firewall have been triggered if these trojans had tried to phone home with keystroke data (or whatever their purpose was) and blocked them?

Many thanks

 

What firewall do you use

Hogndog

 

Hi, thanks for a quick reply.

I use the firewall that's built into Eset Smart Security 4, on interactive mode.

When I got to my system this morning Nod32 was asking me what it should do with them, delete them, or do nothing. I chose to delete them, which I believe places them in quarantine.

 

I've tried firewalls built into a suite, spells trouble, for me that is, for now it looks like your O.k. To recommend a firewall at this time is premature, hope this helps

 

Does that mean that the ESET Firewall is uselsss? Someone please confirm this as I am using ESS too with a 2 year license just purchased

 

No it isn't useless. It's a decent two-way firewall. It doesn't have HIPS in v4.2 but HIPS will be added as a separate additional component in v5, which is currently available as a beta download.

 

oh ok, thanks for the info bro

 

You're welcome.

 

Going back to my original question, if nod32 allowed the (possible) trojan onto my system, how well would the firewall do at blocking any communications that it tried to make?

 

Assuming the Firewall is running in Interactive mode, it would depend on what methods the trojan used to try and connect out. If it used the kind of sneaky tricks that leak tests are designed to simulate, it would probably be successful. This is why the ESS firewall performs so poorly in the Matousec tests. This will change in Version 5, which has HIPS (providing the HIPS is also enabled in Interactive mode).

 

Thanks for the info. Is it worth upgrading to the beta now, or is it still a little early to be fully trusting it?

 

I'm running the beta and it's remarkably stable for a beta. I've encountered one or two minor bugs but nothing serious.