JS.Nevezed detection....

Discussion in 'NOD32 version 2 Forum' started by pykko, May 7, 2006.

Thread Status:
Not open for further replies.
  1. pykko

    pykko Registered Member

    Joined:
    Apr 27, 2005
    Posts:
    2,236
    Location:
    Romania...and walking to heaven
    I've found this sample a while ago.... and it's not a DOS virus or joke program. Still NOD32 doesn't pick it even if almost all other AVs catch it.
    Can anyone from ESET take a look at it... ?
     


  2. pykko

    pykko Registered Member

    Joined:
    Apr 27, 2005
    Posts:
    2,236
    Location:
    Romania...and walking to heaven
    this one is strange....on virustotal.com NOD32 detects it as probably new CRYPT virus but on my PC with all settings (AH, scanning all files, etc) it's not detected. :(
     


  3. sir_carew

    sir_carew Registered Member

    Joined:
    Sep 2, 2003
    Posts:
    884
    Location:
    Santiago, Chile
    First, there is a lot of script malware that isn't detected by NOD32 without a valid extension.
    Before submitting it to Eset, rename the file and put the .js extension. I'm sure NOD32 will detect these scripts now.
    Otherwise, send it to Eset. Anyway, in my opinion, malware in scripts and macros isn't important.
     
  4. pykko

    pykko Registered Member

    Joined:
    Apr 27, 2005
    Posts:
    2,236
    Location:
    Romania...and walking to heaven
    why aren't they important?

    U're right...I had some other JS.Trojans and with .js extensions they are detected. ;)
    Only one remains unknown.
     
  5. sir_carew

    sir_carew Registered Member

    Joined:
    Sep 2, 2003
    Posts:
    884
    Location:
    Santiago, Chile
    Because script malware isn't a danger today. Most virus writers don't make script samples. If you can see, there are no ITW script or macro samples today.
    There are also many options to protect you from script malware. Behaviour blockers, filters, or disabling js or vbs extensions. I think Symantec has a free utility to disable or enable these extensions. There's an excellent plugin for Firefox to disable all JS except those you enabled from specific web sites.
    Anyway, have you changed the extension to see if NOD32 picks up this malware?

     
  6. pykko

    pykko Registered Member

    Joined:
    Apr 27, 2005
    Posts:
    2,236
    Location:
    Romania...and walking to heaven
    yes.....I've mentioned in the above post. :D
    I've changed the extensions to .js and NOD detects 4 out of 5 previously undetected samples. Only one remains unknown for NOD32. ;)

    Thx for the info about scripts. I use NoScript for FF, but anyway it's better to see your AV picks the malware anyway. :)
     
  7. ASpace

    ASpace Guest

  8. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,374
    No, it's not necessary to submit a file once it's detected, it will just be ignored. Only in case you suspect it to be fp it would be analysed which is not the case, I think.
     
  9. pykko

    pykko Registered Member

    Joined:
    Apr 27, 2005
    Posts:
    2,236
    Location:
    Romania...and walking to heaven
    I submitted the file not detected even when changing the extension to .js. I've also submitted some other samples...hope they'll be added soon.
     
  10. ASpace

    ASpace Guest

    I am *not* from ESET but from the position of NOD32 user I am saying you one big Thank you
    ;)
     
    Last edited by a moderator: May 9, 2006
  11. pykko

    pykko Registered Member

    Joined:
    Apr 27, 2005
    Posts:
    2,236
    Location:
    Romania...and walking to heaven
    yes... thank you for thanking me. :D :D
    But ESET has some other opinion.... no sample has been added. Anyway, let's not blame them. They're adding samples on per-need basis, depending on the threat level they pose. :rolleyes:
    It's low danger, its customers can go unprotected for a while...no problem :( I have for example 2 Trojans one has been added by KAV in February, so it's not old, etc, and another one detected by almost all AVs from virustotal.com (with 5 exceptions). I won't post any screenshots, samples were submitted to ESET.
     
    Last edited: May 9, 2006
  12. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,374
    And I've got trojans detected only by NOD32 and not by any other AVs for a couple of months already...
     
  13. pykko

    pykko Registered Member

    Joined:
    Apr 27, 2005
    Posts:
    2,236
    Location:
    Romania...and walking to heaven
    I know that and you're right and of course no AV is perfect, but as long as you have the sample and you don't add it I think something's wrong. All other top AVs have automatic responses to sample submission e-mails and also e-mails sent after analysing the file. I don't want these e-mails, but adding faster the files submitted will be something nice. I'm not requiring u to make something unusual, but I think one paying for your product has to be protected....and not to say I'm telling fables here's the scanning result with sample submitted for a long time enough to be added.
     


  14. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,374
    There's apparently something wrong if you complain about samples not detected by NOD32 if:
    - the samples (even detected by all AV except NOD32) are non-functional
    - the samples you submit are actually installers and all malicious files are detected upon extraction.

    The latter is the case so please refrain from making premature conclusions. It's not just that you intentionally search vx sites for old malware and then submit it for analysis, expecting they will be added quickly, but you need to analyse them in order to make a correct and unbiased conclusion.

    Here are the scan results of files created after extraction:
     


  15. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,374
    2nd file
     


  16. minceypw

    minceypw Registered Member

    Joined:
    Sep 25, 2005
    Posts:
    22
    Hi Marcos

    I for one appreciate the work you guys are doing. From the size of the latest signatures update, 1.1529, I can see the team is working hard. Keep it up. :thumb:
     
  17. pykko

    pykko Registered Member

    Joined:
    Apr 27, 2005
    Posts:
    2,236
    Location:
    Romania...and walking to heaven
    ok, Marcos! Thank you for your answer!
    I'll try to be more careful in the future! And thank you for 1.1529! Big update indeed! :)
     
  18. ASpace

    ASpace Guest

    Yes, they were, see this:

    http://www.eset.com/support/updates.php
    :D
     