Netsky.N not detected first time

Scan Log
Version of virus signature database: 2732 (20071219)
Date: 19/12/2007 Time: 10:25:15 a.m.
Scanned disks, folders and files: D:\OE\Almacen Angeles
D:\OE\Almacen Angeles\Elementos eliminados.dbx » DBX » ?.MME » MIME » MIME » Sua Conta!!!.pif - Win32/Netsky.N worm
Number of scanned objects: 15936
Number of threats found: 1
Time of completion: 10:30:28 a.m. Total scanning time: 313 sec (00:05:13)

This was a manual scan I do sometimes, surprise, when the mail arrived, Nod didn't detected nothing.

I've moved the mail from inbox to trash (I dont know if in englis is the correct name) and Nod dont do nothing.

After scaned, dont do nothing, ther was no way to delete.
I delete the mail and do a new scan and dont find nothing.
3.0.563

It is not a good job. How can I trust in Nod after that?

 

Hello guilijan

what version are you using 2.7 or version 3

have you set it up using blackspears guide??

if it is not detected send it to samples[at]eset.com

one of the techs im sure will help you abit later on.

sorry couldnt be much help

regards

 

3.0.563

blackspear guide is for 2.7

But there is at least two problems.
1) Not detected Netsky the first time.
2) No way to delete it.

 

i havent used version 3 im sorry

can u send the sample off..

 

Well, this is the Version 3 forum. So from now on you know what to do, Sly Dog

 

Hi !

I can't tell you why it hasn't found the threat (there is another thread about similar issue) but since it is detected on-demand , ESET have denition for it .

It is not deleted because it was detected in OE's files - in the dbx file Elementos eliminados.dbx

AV programs cannot take action against it (EA/NOD32 is made so) because if they delete the dbx file , all emails from the folder "Elementos eliminados" will be deleted .

EA can take action against a threat while it is being downloaded , before saved on the disk . Later it can only be detected and blocked , you are the only one who should/can delete the email manually

 

Ok HiTech_boy I understand what you said, but then why don't detected whe the mail was "downloaded" to inbox, and when the mail was sent to trash?

Then if an email infected is stored in inbox, Nod can do nothing abuot it? Ok but then when the mail is "downloaded" Nod can do anything?
I dont belive that, so why happened it?

 

When the email was sent to trash ... Not a specialist in this but this is normal. Any antivirus will interfere when you or something try to open the infected attachment .

Yes , not only NOD32 but any AV . They can only detect it . You must delete it . Of course , AV companies could have made it delete the whole dbx file but this will result in mail databases corruption.

EA can take action here and generally it does . However , I am not 100% sure why it didn't happen this time . And don't worry too much about this . AV is a layered protection . If the email protection missed it , the real-time or on-demand protection will catch it .

Possible reasons : Incorrect settings , mail protection disabled/inactive/temporary inactive , email protection scans only pop3 traffic only on port 110 , you have got old signatures when the email arrived in your mail box , etc. I can only guess the reason but I will vote for the last one (you got old signatures) . Why do I think so ? Because detection for this Netsky.N have been added with sig version 26xx . The infected dbx file is not located in the normal OE database folder (in Documents and Settings for XP) but in D:\OE\ which makes me think this dbx is just your archive with old emails .

 

Well I have used KAv and NAV a years ago and when one email with virus is downloaded the av delete or put it in quarantine if you set this action. Not happened this with Netsky.
I have used Nod for abut one year and have any problem.
I put the database folder in other partition so if I have a problem with "C" I just format it and dont lost my emails database so that is the reason why is in other folder. but this is my normal setting, not new setting.
Email is pop3, gmail, but I see that Nod 3.x scan incoming mails from gmail using a temporay folder in trash and delete when the mail is moved to inbox, so there may be no problem about that. Unusual is that Gmail dont see the worm also.
The signatures are update every days, so no problem for it.

So if anybody have this problem, its not a problem, just my problem, but very strange.

Thank you again for your assistance.

 

The cause of your problem is marked in bold red letters and is called Google Mail (GMail) . GMail uses encrupted connection to transfer emails (port 995 , I guess) . There is no way for ESET Antivirus to scan this encrypted connection . GMail's things will only be scanned by EA after saved and upon you try to open the attachment . As you wrote , it is very unlikely that GMails's excellent virus/spam filter missed that message but that is why ESET is there to guard you

 

Humm I'm not an expert but I think you are wrong.
That was true with 2.xx but not with 3.xxx and the proxy.
This is the reason for the temporay folder, but I can see any confirmation about this form Eset.
It's just a suposicion.

https://www.wilderssecurity.com/showthread.php?t=190562

 

I don't use pop3 for GMail and I personally can't confirm or deny with 100% sure

 

I dont read nothing about that but the temporary folder looks that it do.

Perhaps if some ESET expert read this thread, can confirm or not if Nod 3.XX scan incoming mails from Gmail, using Pop3.

 

Yes, your guess is on the dot:-
Gmail POP3 = 995
Gmail SMTP = 465