My Web Search - Partially caught

Discussion in 'ESET NOD32 Antivirus' started by rockshox, Apr 16, 2010.

Thread Status:
Not open for further replies.
  1. rockshox

    rockshox Registered Member

    Joined:
    Oct 23, 2009
    Posts:
    261
    We just had a user get MyWebSearch (browsing places on the internet I'm sure are not "work related"). ESET Real-Time Protection successfully sees a couple of DLLs and quarantines them, just enough to disable MyWebSearch but not enough to remove it completely. (Just to note, 1 hour 37 minutes prior to this infection our weekly full in-depth scan had run and found nothing on this machine, so it was perfectly "clean" according to ESET.)

    The part I do not understand is how the rest of the MyWebSearch files were created in C:\Program Files\MyWebSearch\ and were not caught by the Real-Time Protection. Just to prove my point, I installed MBAM and ran a scan. The moment that MBAM touches the infected files, ESET pops up and quarantines them! How can the real-time protection not catch the file created an hour earlier in C:\Program Files\MyWebSearch, but an hour later, when MBAM touches the file to move it to quarantine, ESET jumps in like it's saving the day and quarantines MBAM's quarantine? So please explain how the Real-Time Protection can flat miss created items that are clearly in the definitions.

    See screenshot below.

    [Attachment: eset_mws_01.jpg]
     
  2. Cudni

    Cudni Global Moderator

    Joined:
    May 24, 2009
    Posts:
    6,956
    Location:
    Somethingshire
  3. rockshox

    rockshox Registered Member

    Joined:
    Oct 23, 2009
    Posts:
    261
    ESET does find the files, that is not the problem, but only after MBAM touches them. If the Real-Time Protection can find the infection when MBAM touches the files, why can't the Real-Time Protection find it when the file was created in the first place? Even better, why didn't the Web Protection find this in the first place and never let the file get created in C:\Program Files\MyWebSearch? And if it did slip past the Web Protection, how did the Real-Time Protection let it get created in C:\Program Files\MyWebSearch?
     
  4. siljaline

    siljaline Former Poster

    Joined:
    Jun 29, 2003
    Posts:
    6,619
    What to do if you are infected.

    Infections like this are generally due to soft security settings.

    Not all security solutions can guarantee 100% protection 100% of the time.

    Respected security sites like Bleeping Computer and Malwarebytes have extensive anti-rogue removal guides. This is a testament to how severe the rogue AV problem and malware problem is.
     
    Last edited: Apr 17, 2010
  5. tobacco

    tobacco Frequent Poster

    Joined:
    Nov 7, 2005
    Posts:
    1,497
    Location:
    British Columbia
    Pretty much "Eset's Motto" isn't it :rolleyes:
     
  6. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,374
    I'm not sure whether you're talking about binaries or additional data / config files. ESET does not detect such benign stuff plus we try to avoid detection of adware uninstallers as they can be used to remove adware traces completely (including non-binary stuff or registry entries in other than run keys). I'd suggest submitting all suspicious files you find to ESET and we'll see if it is appropriate to detect some of them.
     
  7. siljaline

    siljaline Former Poster

    Joined:
    Jun 29, 2003
    Posts:
    6,619
    Some of the malware and BHOs MyWebSearch can install without user consent.
    Info on the MyWay pest, more on BHOs
     
    Last edited: Apr 17, 2010
  8. rockshox

    rockshox Registered Member

    Joined:
    Oct 23, 2009
    Posts:
    261
    I think everyone is missing my point. My point is not MyWebSearch; I'm well aware of MyWebSearch and its removal. The files caught by ESET, only AFTER MBAM tried quarantining them, are not "benign" files. They are DLLs and an EXE (refer to my screenshot in my original post to clearly see this).

    My question is: how do a DLL and an EXE file not get caught by the Real-Time Protection, but then get caught as soon as MBAM quarantines the file? I can understand TXT, LOG, INI files possibly not getting picked up. But I just checked the config for this machine and "Scan On -> File Creation" is turned on. I always assumed this meant ALL files were scanned on creation, not just the ones that NOD32 felt like scanning.
     
  9. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,374
    Maybe detection was added after the files were saved to the disk or you didn't have real-time protection configured to detect this kind of stuff. I assume that running an on-demand scan with detection of potentially unsafe applications and adware/spyware/riskware enabled would have revealed the files.
     
  10. siljaline

    siljaline Former Poster

    Joined:
    Jun 29, 2003
    Posts:
    6,619
    See my previous two replies here, here
     
  11. rockshox

    rockshox Registered Member

    Joined:
    Oct 23, 2009
    Posts:
    261
    Thanks for the replies. I'll check the policy and make sure everything is set correctly on the Real-Time protection. I'll also just have to watch for the next MyWebSearch infection and see if I can find any other useful information.
     
  12. siljaline

    siljaline Former Poster

    Joined:
    Jun 29, 2003
    Posts:
    6,619
    Use of a HOSTS File would help greatly in avoiding infiltrations such as these.
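    The HOSTS-file mitigation mentioned above works by pinning known adware download and tracking hostnames to a null route before any browser request leaves the machine. The script below is an added example, not code from this thread or from ESET or Malwarebytes: it parses a HOSTS file in the format Windows uses at C:\Windows\System32\drivers\etc\hosts (comments, tabs, several names per line), reports whether a given hostname is sinkholed, and lists the entries still missing for a block list. The sample HOSTS text and the `.invalid` domain names in it are constructed placeholders, not real adware infrastructure.

```python
"""Parse a HOSTS file and check which hostnames are sinkholed.

Added example for this thread; not ESET or Malwarebytes code.
The sample below is constructed and uses reserved .invalid names.
"""
import ipaddress

# Constructed sample in the same layout as the Windows hosts file.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
127.0.0.1       localhost
::1             localhost

# Block list (constructed placeholder names)
0.0.0.0   toolbar.example-adware.invalid  cdn.example-adware.invalid   # adware download host
0.0.0.0\tinstaller.example-adware.invalid
127.0.0.1 ads.example-tracker.invalid
"""

# Addresses commonly used to sinkhole a name in a HOSTS block list.
NULL_ROUTES = {"0.0.0.0", "127.0.0.1", "::1", "::"}
# Names that legitimately point at loopback and must not count as "blocked".
LOCAL_NAMES = {"localhost", "localhost.localdomain"}


def parse_hosts(text):
    """Return {hostname (lower-case): ip} for every mapping in the HOSTS text.

    Comment text after '#' and blank lines are ignored; one line may map
    several names to the same address.  The first mapping seen for a name
    wins, which matches how the resolver treats duplicate entries.
    """
    mapping = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()          # handles spaces and tabs alike
        if len(parts) < 2:
            continue                  # address with no names: nothing to map
        ip, names = parts[0], parts[1:]
        try:
            ipaddress.ip_address(ip)  # skip malformed lines instead of trusting them
        except ValueError:
            continue
        for name in names:
            mapping.setdefault(name.lower(), ip)
    return mapping


def is_blocked(mapping, hostname):
    """True if hostname is pinned to a null route by the HOSTS mapping."""
    name = hostname.lower().rstrip(".")
    if name in LOCAL_NAMES:
        return False
    return mapping.get(name) in NULL_ROUTES


def missing_block_entries(mapping, hostnames):
    """Return the HOSTS lines needed for any hostnames not yet sinkholed."""
    return [f"0.0.0.0 {h.lower()}" for h in hostnames if not is_blocked(mapping, h)]


if __name__ == "__main__":
    hosts = parse_hosts(SAMPLE_HOSTS)
    for name in ("Toolbar.Example-Adware.invalid", "localhost", "www.example.com"):
        print(f"{name}: {'blocked' if is_blocked(hosts, name) else 'not blocked'}")
    wanted = ["cdn.example-adware.invalid", "new.example-adware.invalid"]
    for line in missing_block_entries(hosts, wanted):
        print("missing entry:", line)
```

    On a real machine, read the file contents into `parse_hosts` and feed your block list to `missing_block_entries` to audit what is still unprotected. Note the limits of the technique: the HOSTS file only affects name resolution on that host, so it does nothing against downloads fetched by IP address or against a name the list does not yet contain, which is why it complements rather than replaces real-time scanning.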

     