NOD fails to detect its own crack as malware

Discussion in 'NOD32 version 2 Forum' started by Zombini, Jul 11, 2006.

Thread Status:
Not open for further replies.
  1. NOD32 user

    NOD32 user Registered Member

    Joined:
    Jan 23, 2005
    Posts:
    1,766
    Location:
    Australia
    Finally some sense - thanks for the transparency (at last)

    Many files detected, in many cases, by almost all other vendors are in fact either defective, incomplete or themselves benign without other components to activate them... That said, NOD32 like all others needs to be updated and is in a continual state of incompleteness as far as detection goes. False positives, although they do happen from time to time, have been quite rare in NOD32's case.

    If you haven't already you may wish to view -->THIS<-- statement from ESET as far as samples and adding detection.

    Please feel free to ask if there's anything further that I or others may be able to do to assist you.

    Cheers :)
    Agreed - it's been done before
     
    Last edited: Jul 11, 2006
  2. NOD32 user

    NOD32 user Registered Member

    Joined:
    Jan 23, 2005
    Posts:
    1,766
    Location:
    Australia
    If you prefer there is some research by Canon available - let me know...
     
  3. alglove

    alglove Registered Member

    Joined:
    Jan 17, 2005
    Posts:
    904
    Location:
    Houston, Texas, USA
    That is certainly possible, just like how all the "Wow! This virus was caught by heuristics. Nice job, Eset! :thumb: " threads probably fall into the other 88%. Of course, volume of forum posts is not exactly a scientific way to measure detection rate. Your point is taken. ;)

    Are you at least using the "Submit file for analysis" button in the Quarantine section to submit the suspicious file to Eset?

    A little off-topic here, but I think the -in suffix turning nouns into feminine is a German thing. Changing -o to -i to form a plural is an Italian thing (Zombino --> Zombini). My guess is that the Zombini name was chosen just because it sounds cool. :D
     
  4. NOD32 user

    NOD32 user Registered Member

    Joined:
    Jan 23, 2005
    Posts:
    1,766
    Location:
    Australia
    A further thought - sorry for the multiple posts - All I see is ESET presenting the information compiled by other independent parties. That information happens to be IMO quite a good independent measure of the relative performance of the products tested. Also IMO there would be no good reason not to utilise such information on their web site to help inform those wondering about just where different products are at. All the vendors included in the testing both at Virus Bulletin and av-comparatives.org are included by their own choice and know in advance the testing procedure their products will be subjected to....
     
    Last edited: Jul 12, 2006
  5. Ngwana

    Ngwana Registered Member

    Joined:
    Jul 5, 2006
    Posts:
    156
    Location:
    Glasgow, United Kingdom
    Ok! It seems the question Zombini is asking is 'How reliable are the claims made on the ESET website and on the NOD 32 forum?' Entrusted with such a responsibility as to buy an AV product for a small company, Zombini is concerned about possible hype, misinformation or outright lying. Fine.

    My gripe is that Zombini started with an argument with some people who rely on a product, demanding PERFECTION and seeking to prove NOD 32 as 'rubbish'. Appreciate that a good number of people have the same responsibilities as yours and they made their choice. Just make yours and answer to your company.:mad:
     
  6. steve1955

    steve1955 Registered Member

    Joined:
    Feb 7, 2004
    Posts:
    1,384
    Location:
    Sunny(in my dreams)Manchester,England
    ~snipped quote - unneeded~ dog
    You don't agree that crack files are malware? They steal revenue from software vendors, which is much the same (similar anyway) as a piece of malware on a PC stealing credit card details; just because it isn't an individual that is "affected" doesn't make it less wrong!
     
    Last edited by a moderator: Jul 11, 2006
  7. Firecat

    Firecat Registered Member

    Joined:
    Jan 2, 2005
    Posts:
    8,251
    Location:
    The land of no identity :D
    But then, detecting a crack is not user protection, it is developer protection. And Eset's job is to deliver user protection.

    There are many arguments to and against detecting cracks, but most vendors have agreed that cracks will be detected only if they have real malware-like behavior.

    Why? Because it's a never-ending crusade as the crackers will release new cracks every day. There is absolutely no need to have analysts break their heads detecting 20 cracks every day (and it is not reasonable for the analysts either, because they can use this time to make signatures for real malware instead)!
     
  8. alglove

    alglove Registered Member

    Joined:
    Jan 17, 2005
    Posts:
    904
    Location:
    Houston, Texas, USA
    Of course, it is possible that the Nod32_crack[1].exe file is not a crack at all, but a trojan masquerading as one. It is also possible that the file contains a broken virus, so that is why NOD32 does not detect it. The truth is, without knowing the exact file that Zombini found, we have no idea whether the non-detection is correct or not. That is why I suggest submitting the file to Eset. In the comment field, you can put a link to this thread.

    (And no, I do not suggest running it yourself to find out, unless you have a test system set up for such a purpose.)

    The way I see it, Zombini is putting his/her/its reputation on the line (as well as any possible future services). If anything goes wrong, he will have to answer some very irate questions from the company. As users (and often, advocates) of NOD32, we can at least try to answer some of these questions without getting totally defensive.

    Zombini, I am guessing that you are comparing several antivirus programs against each other. After comparing, you should of course recommend whichever program you feel is best for the company. Keep in mind that no one antivirus program is perfect, so you will have to weigh the pros and cons of the programs against each other.

    Personally, I have no problem with you asking tough questions. Just make sure that we realize that they are questions and concerns, as opposed to taunts. ;)
     
  9. WSFuser

    WSFuser Registered Member

    Joined:
    Oct 7, 2004
    Posts:
    10,639
    once again, firecat hit it on the spot.

    anyways if zombini is indeed simply deciding on an antivirus for his company, why is he making such a big deal over one file? I'm sure all AV miss a file every once in a while. and like alglove said, it could be a broken virus.
     
  10. BlueZannetti

    BlueZannetti Registered Member

    Joined:
    Oct 19, 2003
    Posts:
    6,590
    I can personally attest to the fact that every AV I have ever used/been connected with for any prolonged period (Norton AV, Symantec Corporate, NOD32, KAV WS) has at one time or another missed an active malware file. This has not been accomplished via searching for some obscure or unknown variant, but in routine (and in some cases I certainly suspect naive) usage of a combination of family and work related PC's. So..., I find it rather difficult to get overly excited regarding potential single point failures in detection fidelity since every product will, at some point, suffer them. Unless malware writers develop an overwhelming empathy towards their potential victims and forward copies of their latest creations to AV vendors well in advance of their release in the wild, this situation will continue well into the future.

    There are plenty of pragmatic approaches to deal with this reality and augment AV protection, especially in a business setting in which the complement of installed applications is relatively static.

    Blue
     
  11. mvdu

    mvdu Registered Member

    Joined:
    Oct 14, 2003
    Posts:
    1,166
    Location:
    PA
    These threads can be useful, but make sure to submit this to Eset. While I think KAV has the best detection, even it misses sometimes.
     
  12. beethoven

    beethoven Registered Member

    Joined:
    Dec 27, 2004
    Posts:
    1,388
    :D :D :D
     
  13. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,456
    This file was not submitted via VirusTotal. Could you send it to support @ eset.com along with a link to this thread? Without analysing the file it's impossible to tell whether it should actually be detected or not.
     
  14. Zombini

    Zombini Registered Member

    Joined:
    Jul 11, 2006
    Posts:
    469
    Let's just put my task into context here so that some of you can appreciate what people like me are up against. A company is paying me good money to recommend an AV product to them. A company that has been running another AV from a well established AV vendor in the US. If I am to go into the IT Director/CIO's office and tell him that the product they've been running from, say, an established US company that is traded on the NASDAQ/NYSE like McAfee for the last 5 years is crap, and instead you ought to spend a good chunk of their company's hard-earned profits on an AV product from a little known company in Bratislava, SK, he's going to laugh me out of the room. I need to have hard evidence. And here's the scary part.. at best he's going to throw me out. At worst he's going to go with my recommendation only to find that 6 months down the line the product is totally not what it was claimed to me. That could be the end of my career, because a lot of the successes of a security analyst or a pen tester is driven by word-of-mouth. So in order to make up for its lack of name/market share, NOD32 is going to have to be miles ahead of established players in all areas, not just detection rates. That includes support, protection against attacks on its files, processes etc., scanning speed, footprint, false positives, server reliability, compatibility with 3rd party file system drivers, 64-bit plans, Vista plans, integration with Active Directory and other enterprise management software etc.; there is a ton of stuff that I need to look at. Many of you are just focused on the detection rate, scanning speed and footprint.

    The big deal over one file is that I have no way of knowing if that is the start of a trend that invalidates ESET's claim of 90% proactive protection. Today it's one, tomorrow it may be another, and I am going to continue to find and test random exes with NOD32 and other AV products just to see if a trend of false negatives is really present... with two modifications as I have learnt: 1) submit the exes to ESET and 2) use VirusTotal in addition to Jotti. No doubt you are well aware that there are many documented cases of malware not being detected by NOD32. And one of the common excuses I see here is that "the file must be corrupt". This is possible, and there is an easy way to find out if the file is corrupt or not. Run it and monitor all the changes it makes. Regmon, FileMon, TDIMon etc. will help.

    Oh.. and btw even though these are "some random exes", as some of you have labeled them, they are files that are posted on highly active public P2P networks and we can be sure that someone is falling for them and installing them as a crack in the hope to steal software (which btw.. they deserve what they get). So these are very real world tests.
     
  15. ASpace

    ASpace Guest

    You are obviously not so knowledgeable as you pretend to be. What is McAfee and what is NOD32? The fact you or your director has never heard of NOD32 doesn't make it a bad antivirus. It would be your and your boss's fault for not knowing a product like NOD32.

    Hard evidence ! ! !
    Let's see :

    1. NOD32 was one of the small number of products which proactively protected Microsoft clients from the WMF IE exploit. It detected this exploit with its heuristics without an update.

    2. Recently Microsoft told the world about an exploit in MS Office Word. Thousands of new threats that exploit this vulnerability were created in some hours. ESET were extremely fast and only 2 hours after MS gave this publicity they made a fix, so only 2 hours after this was made public, NOD32 was able to kill this vulnerability. ESET was the first company which made the so called fix for it.

    3. Recently Microsoft announced an exploit in MS Office Excel. Again NOD32 was one of the first that protected users against this exploit.

    Do you know how many people use MS Office . Thousand and many thousands and more . And they were vulnerable but only NOD32 users got protected within 2 hours

    4. NOD32 is the only product that has 38 VirusBulletin awards. The only one that has always detected all in-the-wild viruses and has never had even a single false positive in the tests.

    5. NOD32 has many other awards - It has Webcost's Checkmark for antivirus and antitrojan. NOD32 also has the Webcost Checkmark Certificate for antispyware detection/removal. Note that only 2 products in the world have the Checkmark for antispyware - McAfee and NOD32.

    6. NOD32 had Advanced+ Certification in the AV-Comparatives test June 2006.

    7. ESET NOD32 is a member of the Microsoft Virus Information Alliance. Note that only the best security software is part of this.

    8. NOD32 proactively and without update has detected many zero-day exploits such as Netsky, Bagle, Zotob... (Do you remember Zotob?)


    9. NOD32 has many worldwide clients .

    Dell , Canon , Microsoft use NOD32
    Dell, Canon, Microsoft trust NOD32. Microsoft MVPs and Community members trust NOD32. Why don't you trust it?

    10. Do you see that . How would you comment:

    https://www.wilderssecurity.com/showpost.php?p=760705&postcount=35



    More information :Google and www.eset.com


    Yes , I note that !!!


    Again you demonstrate that you know nothing about NOD32.

    Support. Excellent tech support which replies in no more than 10 min. 24 hours a day support from all over the world. You want to contact ESET USA, then support@eset.us
    When the US is sleeping then ESET in Bratislava are not sleeping: support@eset.sk

    Scanning speed - one of the fast products (maybe the fastest), 38 VirusBulletin awards
    VB 2005 scanning speed on Windows XP/NT:
    NOD32      5208.9 KB/s
    McAfee     3275.0 KB/s
    Symantec   2288.4 KB/s
    Kaspersky  2278.9 KB/s
    eTrust     2135.5 KB/s

    NOD32 is compatible with 3rd party drivers
    NOD32 does work with 64 bit operating systems
    NOD32 has excellent enterprise management such as the software Remote Admin Console and Remote Admin Server
     
  16. NOD32 user

    NOD32 user Registered Member

    Joined:
    Jan 23, 2005
    Posts:
    1,766
    Location:
    Australia
    Nice post HiTech_boy.
    Sorry to mention it and not to be picky, but better that these things are noted.
    NOD32 has actually had a FP some long time ago in the VB tests.
    In addition, depending on hardware configuration and OS, scanning speed is as high as 20MB/s in some VB tests and more (on one of my systems)

    Cheers :)
     
    Last edited: Jul 12, 2006
  17. ASpace

    ASpace Guest

    Yes, some really long time ago, but when there was a FP, then there was no award and I guess it was only twice. Still NOD32 is the one with the most VB awards.


    I can't understand that but what I posted was from official VB tests 2005
     
  18. NOD32 user

    NOD32 user Registered Member

    Joined:
    Jan 23, 2005
    Posts:
    1,766
    Location:
    Australia
    Sorry I'll rephrase - I'm sure what you quoted from VB is correct. Also in some other tests VB has reported NOD32's scanning speed around 20MB/s (October 2005 for example)
    On my system I also get an even higher average scanning throughput than this even if also using normal workstation applications during the scan.
    The actual speed of scanning is dependent on many factors and will vary from system to system.

    Cheers :)
     
  19. RejZoR

    RejZoR Lurker

    Joined:
    May 31, 2004
    Posts:
    6,426
    PS: You're mentioning exploits all the way, though NOD32 never really protected anyone from exploits. However it maybe did from exploited files and files that get transferred through that exploit. That's a major difference!
     
    Last edited by a moderator: Jul 12, 2006
  20. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,456
    I must say it again - the file has not been submitted via VirusTotal nor by email to Eset for verification whether it should actually be detected or not.
     
  21. ASpace

    ASpace Guest


    Ok , I now understand it . Agree ! :thumb: ;)
     
  22. ASpace

    ASpace Guest


    Yes , but it has protected users from malware using that vulnerability which is the most important !

    NOD32

    No need for Avast and Vista support since this is a BETA operating system, by the way
     
  23. ASpace

    ASpace Guest

    I do hope Zombini sends this file to you or submits it to VirusTotal; however I doubt he/she will do it. :D

    And again , I agree that there is a possibility of this being not real threat.
     
  24. pykko

    pykko Registered Member

    Joined:
    Apr 27, 2005
    Posts:
    2,236
    Location:
    Romania...and walking to heaven
    Perhaps, he checked the Distribute button on VirusTotal and that's why you didn't receive the file. o_O
     
  25. BlueZannetti

    BlueZannetti Registered Member

    Joined:
    Oct 19, 2003
    Posts:
    6,590
    If you've been commissioned to recommend an AV, there should be some underlying context behind that request and typically it would not simply be that it's renewal time. What is the requestor's driver(s)? Pricing? Site administration? Performance issues (either in detection or impact on systems)? Where is either their pain or their perception of pain? Whatever you recommend needs to address that pain rather explicitly or you've missed the boat.
    I guess I'd note that none of the large and established AV producers that I can think of are crap despite what you might see written on many forums like these. There are cogent reasons why one may go in one direction or another, but among the top tier producers it, in my personal estimation, should not generally be tied to static detection performance. Again, where is the pain? Has the company suffered through recent bouts of zero day events? Does it find itself inundated with spyware? Something else?
    and that is precisely where you started this thread, detection..., with nary a mention of any of the other attributes. If you desire relevant advice, at least start with a complete statement of the problem.
    Again, this is a business environment. Have they configured their systems so that unknown exe's cannot do many of the operations home users suffer through? Are you really trying to deal with that?
    I agree, it is a type of real world test. It is less clear whether this type of test is relevant to your client - whether or not it is depends on local system configuration and user account policy details - or whether this test addresses key underlying issues bothering your client - i.e. their pain.... but first make sure you have unambiguously diagnosed the situation.

    Blue
     