Netsky.N not detected first time

Discussion in 'ESET NOD32 Antivirus' started by guilijan, Dec 19, 2007.

Thread Status:
Not open for further replies.
  1. guilijan

    guilijan Registered Member

    Joined:
    Jun 25, 2006
    Posts:
    206
    Scan Log
    Version of virus signature database: 2732 (20071219)
    Date: 19/12/2007 Time: 10:25:15 a.m.
    Scanned disks, folders and files: D:\OE\Almacen Angeles
    D:\OE\Almacen Angeles\Elementos eliminados.dbx » DBX » ?.MME » MIME » MIME » Sua Conta!!!.pif - Win32/Netsky.N worm
    Number of scanned objects: 15936
    Number of threats found: 1
    Time of completion: 10:30:28 a.m. Total scanning time: 313 sec (00:05:13)

    This was a manual scan I do sometimes. Surprise: when the mail arrived, Nod didn't detect anything.

    I've moved the mail from the inbox to trash (I don't know if that is the correct name in English) and Nod didn't do anything.

    After it was scanned, it didn't do anything; there was no way to delete it.
    I deleted the mail and did a new scan and it didn't find anything.
    3.0.563

    It is not a good job. How can I trust Nod after that?
     
    Last edited: Dec 19, 2007
  2. the_sly_dog

    the_sly_dog Registered Member

    Joined:
    Feb 28, 2006
    Posts:
    297
    Location:
    The Heart Of London
    Hello guilijan

    What version are you using, 2.7 or version 3?

    Have you set it up using Blackspear's guide?

    If it is not detected, send it to samples[at]eset.com

    One of the techs, I'm sure, will help you a bit later on.

    Sorry I couldn't be much help.

    regards
     
    Last edited: Dec 19, 2007
  3. guilijan

    guilijan Registered Member

    Joined:
    Jun 25, 2006
    Posts:
    206
    3.0.563

    Blackspear's guide is for 2.7.

    But there are at least two problems.
    1) Netsky was not detected the first time.
    2) No way to delete it.
     
  4. the_sly_dog

    the_sly_dog Registered Member

    Joined:
    Feb 28, 2006
    Posts:
    297
    Location:
    The Heart Of London
    I haven't used version 3, I'm sorry :ouch: :ouch:

    Can you send the sample off?
     
  5. Edwin024

    Edwin024 Registered Member

    Joined:
    Nov 14, 2004
    Posts:
    1,000
    Well, this is the Version 3 forum. So from now on you know what to do, Sly Dog ;)
     
  6. the_sly_dog

    the_sly_dog Registered Member

    Joined:
    Feb 28, 2006
    Posts:
    297
    Location:
    The Heart Of London
  7. ASpace

    ASpace Guest


    Hi!

    I can't tell you why it hasn't found the threat (there is another thread about a similar issue), but since it is detected on-demand, ESET have a definition for it.

    It is not deleted because it was detected in OE's files, in the dbx file Elementos eliminados.dbx

    AV programs cannot take action against it (EA/NOD32 is made so) because if they delete the dbx file, all emails from the folder "Elementos eliminados" will be deleted.

    EA can take action against a threat while it is being downloaded, before it is saved on the disk. Later it can only be detected and blocked; you are the only one who should/can delete the email manually :thumb:
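
An added example, not part of the original thread and not ESET's code: since the scanner only reports a nested container path (the log's "MIME » MIME » Sua Conta!!!.pif") and the mail has to be deleted by hand, this Python code walks one exported message and returns the same kind of path together with the Subject of the enclosing mail, so the right message can be found in the mail client. The extension list, function names and the sample message are assumptions constructed for illustration; it works on a single RFC 822 message and does not parse the DBX store itself.

```python
from email import message_from_bytes
from email.message import EmailMessage

SEP = " \u00bb "  # same separator the scan log prints between containers
# Assumed, non-exhaustive list of extensions Windows runs on double-click.
RISKY_EXT = (".pif", ".scr", ".exe", ".com", ".bat", ".cmd", ".vbs")


def risky_attachments(raw: bytes):
    """Return [(container_path, subject_of_enclosing_mail), ...] for one message."""
    hits = []

    def walk(part, path, subject):
        if part.get_content_type() == "message/rfc822":
            # A forwarded/embedded mail: one more MIME container level.
            for inner in part.get_payload():
                walk(inner, path + ["MIME"], inner.get("Subject", subject))
        elif part.is_multipart():
            for sub in part.get_payload():
                walk(sub, path, subject)
        else:
            name = part.get_filename()
            if name and name.lower().endswith(RISKY_EXT):
                hits.append((SEP.join(path + [name]), subject))

    msg = message_from_bytes(raw)
    walk(msg, ["MIME"], msg.get("Subject", ""))
    return hits


def build_sample() -> bytes:
    """Constructed test mail: a forward wrapping a mail with a .pif attachment."""
    inner = EmailMessage()
    inner["Subject"] = "constructed inner mail"
    inner.set_content("see attachment")
    inner.add_attachment(b"harmless placeholder bytes", maintype="application",
                         subtype="octet-stream", filename="sample.pif")
    inner.add_attachment("plain notes", filename="notes.txt")
    outer = EmailMessage()
    outer["Subject"] = "Fwd: constructed outer mail"
    outer.set_content("forwarded message follows")
    outer.add_attachment(inner)  # stored as a message/rfc822 part
    return outer.as_bytes()


if __name__ == "__main__":
    for path, subject in risky_attachments(build_sample()):
        print(f"{path}  (in mail with Subject: {subject!r})")
```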
     
  8. guilijan

    guilijan Registered Member

    Joined:
    Jun 25, 2006
    Posts:
    206
    OK HiTech_boy, I understand what you said, but then why wasn't it detected when the mail was "downloaded" to the inbox, and when the mail was sent to trash?

    Then if an infected email is stored in the inbox, Nod can do nothing about it? OK, but then when the mail is "downloaded" Nod can do anything?
    I don't believe that, so why did it happen?
     
  9. ASpace

    ASpace Guest

    When the email was sent to trash... Not a specialist in this, but this is normal. Any antivirus will interfere when you or something tries to open the infected attachment.

    Yes, not only NOD32 but any AV. They can only detect it. You must delete it. Of course, AV companies could have made it delete the whole dbx file, but this would result in mail database corruption.

    EA can take action here and generally it does. However, I am not 100% sure why it didn't happen this time. And don't worry too much about this. AV is a layered protection. If the email protection missed it, the real-time or on-demand protection will catch it.

    Possible reasons: incorrect settings, mail protection disabled/inactive/temporarily inactive, email protection scans only POP3 traffic only on port 110, you had old signatures when the email arrived in your mailbox, etc. I can only guess the reason, but I will vote for the last one (you had old signatures). Why do I think so? Because detection for this Netsky.N has been added with sig version 26xx. The infected dbx file is not located in the normal OE database folder (in Documents and Settings for XP) but in D:\OE\, which makes me think this dbx is just your archive with old emails. :thumb:
     
  10. guilijan

    guilijan Registered Member

    Joined:
    Jun 25, 2006
    Posts:
    206
    Well, I used KAV and NAV years ago, and when an email with a virus is downloaded the AV deletes it or puts it in quarantine if you set this action. This did not happen with Netsky.
    I have used Nod for about one year and have any problem.
    I put the database folder on another partition so if I have a problem with "C" I just format it and don't lose my email database; that is the reason why it is in another folder. But this is my normal setting, not a new setting.
    Email is POP3, Gmail, but I see that Nod 3.x scans incoming mails from Gmail using a temporary folder in trash and deletes it when the mail is moved to the inbox, so there may be no problem about that. What is unusual is that Gmail didn't see the worm either.
    The signatures are updated every day, so no problem there.

    So if anybody has this problem, it's not a problem, just my problem, but very strange.

    Thank you again for your assistance.
     
  11. ASpace

    ASpace Guest

    The cause of your problem is marked in bold red letters and is called Google Mail (GMail). GMail uses an encrypted connection to transfer emails (port 995, I guess). There is no way for ESET Antivirus to scan this encrypted connection. GMail's things will only be scanned by EA after they are saved and when you try to open the attachment. As you wrote, it is very unlikely that GMail's excellent virus/spam filter missed that message, but that is why ESET is there to guard you ;) :thumb:
     
  12. guilijan

    guilijan Registered Member

    Joined:
    Jun 25, 2006
    Posts:
    206
    Hmm, I'm not an expert but I think you are wrong.
    That was true with 2.xx but not with 3.xxx and the proxy.
    This is the reason for the temporary folder, but I can see any confirmation about this from ESET.
    It's just a supposition.

    https://www.wilderssecurity.com/showthread.php?t=190562
     
  13. ASpace

    ASpace Guest


    I don't use POP3 for GMail and I personally can't confirm or deny with 100% certainty.
     
  14. guilijan

    guilijan Registered Member

    Joined:
    Jun 25, 2006
    Posts:
    206
    I haven't read anything about that, but the temporary folder makes it look like it does.

    Perhaps if some ESET expert reads this thread, they can confirm or not whether Nod 3.XX scans incoming mail from Gmail using POP3.
     
  15. NodboN

    NodboN Registered Member

    Joined:
    Nov 3, 2007
    Posts:
    139
    Yes, your guess is on the dot:-
    Gmail POP3 = 995
    Gmail SMTP = 465
     