Nod has some issues

Discussion in 'NOD32 version 2 Forum' started by variable125, Feb 23, 2005.

Thread Status:
Not open for further replies.
  1. variable125

    variable125 Registered Member

    Joined:
    Feb 7, 2005
    Posts:
    10
    During a virus trial that we have been running, Nod32 is consistently failing to find viruses. These are not eicar viruses, these are real live virii. Currently we send 15 at a time and Nod is catching 8. We are using the command line scanner. I have tried their web site looking for a human to get in touch with, but I can't seem to find the number to talk to a human.

    Do any of you have any ideas why it is missing so many virii and yet scores so high in virus testing? It catches the eicar strains but is failing on real ones.

    All return codes are either a 0 or 1. Does anyone know if Nod has any other return codes? The whole thing has me looking pretty bad as I touted Nod32.

    Here is the call to the cl scanner.
    SCANFILE C:\progra~1\eset\NOD32.exe /selfcheck- /sound- /quit+ /scanboot- /scanmbr- /arch+ /all
    VIRUSCODE 1
    VIRUSCODE 13
     
  2. ronjor

    ronjor Global Moderator

    Joined:
    Jul 21, 2003
    Posts:
    57,794
    Location:
    Texas
  3. variable125

    variable125 Registered Member

    Joined:
    Feb 7, 2005
    Posts:
    10
    These are for Sales. Tech support just has a contact form.
     
  4. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,374
    How do you know they are real viruses? Are you positive the files aren't actually corrupted? Are they real executable files which do malicious actions? Have you sent them to samples@eset.com for Eset's engineers to have a look at them?
     
  5. variable125

    variable125 Registered Member

    Joined:
    Feb 7, 2005
    Posts:
    10
    They are live viruses. AVG, Symantec and F-Prot catch all of them, but Nod32 fails almost half of the time. I would tell you the names of the virii, but I don't want people to exploit it.
     
  6. Paul Wilders

    Paul Wilders Administrator

    Joined:
    Jul 1, 2001
    Posts:
    12,472
    Location:
    The Netherlands
    Well, be our guest and:

    a) provide some screen shots from those AVs in the act - proof of the pudding;
    b) provide the samples to Eset as kindly requested.

    regards,

    paul
     
  7. Stan999

    Stan999 Registered Member

    Joined:
    Sep 27, 2002
    Posts:
    566
    Location:
    Fort Worth, TX USA
  8. rumpstah

    rumpstah Registered Member

    Joined:
    Mar 19, 2003
    Posts:
    486
    This command line scan above is not using all the NOD32 parameters (/pack+ for runtime packers is very essential). Why not use the On-Demand Scanner with all options checked?

    Here is a brief overview of the settings one can use.

    /clean = gives option to remove upon detection of infection
    /ah = Scan with Advanced Heuristics
    /all = Scan all files regardless of their extension
    /subdir+ = Scan sub-directories
    /heur+ = Enable heuristic analysis
    /scanfile+ = Enable scanning of the files
    /scroll+ = Enable scrolling
    /arch+ = Enable archives (ZIP, ARJ and RAR) scanning
    /pack+ = Enable internal runtime packer files scanning
    /mapi- = Disable Outlook Error Message
    /pattern+ = Enable testing using virus signatures/patterns
    /scanboot+ = Enable boot sectors scanning
    /scanmbr+ = Enable MBR scanning
    /heurdeep = Set deep heuristic sensitivity
    /log+ = Enable Log file generation
    /prompt = Prompt user for action upon detection
    /program = Potentially dangerous application scanning
     
  9. sir_carew

    sir_carew Registered Member

    Joined:
    Sep 2, 2003
    Posts:
    884
    Location:
    Santiago, Chile
    Try NOD32 with advanced heuristic enabled. Just add /ah

     
  10. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,374
    Also don't forget about the /program parameter, which enables detection of spyware/adware/dialers/keyloggers and other potentially dangerous applications.
     
  11. variable125

    variable125 Registered Member

    Joined:
    Feb 7, 2005
    Posts:
    10
    I will try the additional parameters. The only caveat is that NOD was supposed to be kind to the CPU, but it is not showing up as such on a dual 2.6 Intel test box. It's hitting the CPU hard and using very little RAM. I guess that makes sense because I am only using the CL scanner. But I noted the Advanced Heuristics take more CPU (obviously); this being the case, I think it's going to peg the CPUs at 100% (it's getting A LOT of emails). This is an email server running Imail and Declude. The AV CL switches come from the Declude AV set-up page. I let one of the Declude guys TS into the box and look over what we were doing to see if I had something set up wrong. He was really surprised by Nod failing but did not see anything wrong with our testing.

    What concerns me is that there may be something in the viruses themselves that makes them ignored by NOD32, i.e. it doesn't see them as a threat for some reason that is logical. But why does F-Prot see them as viruses...

    Stan999 - your link looks really promising. I will ask that the virii be uploaded to this box and see what happens. Unfortunately, like most of you who are Sys Admins, we are really busy, so this virii trial is sort of a "do it as you get time" kind of thing. I have to create the written report tomorrow - the test bed will get wiped Monday, as next week we are evaluating some different software. Never enough time to do things the way I want to do them.
     
  12. variable125

    variable125 Registered Member

    Joined:
    Feb 7, 2005
    Posts:
    10
    This is thanks to Stan999 for the link to http://virusscan.jotti.org/

    There were a total of 15 live viruses uploaded. Kaspersky caught 13, F-Prot 12. Here is the list.

    File: main.mbx
    Status: INFECTED/MALWARE
    Packers detected: CRYPTCOM

    AntiVir Diamond #3, VGEN/6.0, Jerusalem-USA, Albania-429, Albania-506, MPC #1a, Ice #2, Clonewar-923 (A), Adolph #3, BadBoy #1,Badguy-B, Pirate #2, VGEN/28.0 (1.91 seconds taken)

    Avast Albania (3.00 seconds taken)

    AVG Antivirus No viruses found (0.40 seconds taken)

    BitDefender PS-MPC.0433.DZ.Gen, Diamond.1173, Jerusalem.1808.AT, Albania.429, Albania.506.A, PS-MPC.0576.AN.Gen, ARCV.571, Clonewar.923.A, Chameleon.1993, Bad_Boy.1000.A, Trivial.079.Gen, Burger.609.A, PS-MPC.0535.BY.Gen (1.09 seconds taken)

    ClamAV VGEN.6.0 (0.62 seconds taken)

    Dr.Web VirusConstructor.based, Diamond.David, Jerusalem.based, Albania.429, Albania.506, XRCV.571, CloneWar.924, V2Px.V2P6.1993, BadBoy.Rainbow.1000, Milan.BadGuy.208, Burger.609 (1.07 seconds taken)

    F-Prot Antivirus PS-MPC.432, corrupted or intended, Jerusalem.1808.CE, Albania.429, Albania.506.A, PS-MPC.546 (generic) - Dropper, ARCV.571, Clonewar.923.A, Milan.208.A, Burger.609.A, PS-MPC.535 - Dropper, Bad_Boy.1000.A (0.37 seconds taken)

    Fortinet Anti-Pascal_II.fam (0.44 seconds taken)

    Kaspersky Anti-Virus Virus.DOS.PS-MPC-based, Virus.DOS.Murphy.David, Virus.DOS.Jerusalem.b, Virus.DOS.Albania.429, Virus.DOS.Albania.506.a, Virus.DOS.ARCV.571, Virus.DOS.Companion.923, Virus.DOS.Chameleon.1993, Virus.DOS.BadBoy.1000.a, Virus.DOS.Badguy.208, Virus.DOS.Burger-based, Virus.DOS.PS-MPC.Bamestra.535, Virus.DOS.BadBoy.1000.b (2.72 seconds taken)

    mks_vir No viruses found (0.72 seconds taken)

    NOD32 No viruses found (1.38 seconds taken)

    Norman Virus Control No viruses found (0.76 seconds taken)

    Looks like we have a lot of pudding.
     
  13. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,374
    Isn't it a special kind of a mailbox?
     
  14. Sweetie(*)(*)

    Sweetie(*)(*) Registered Member

    Joined:
    Aug 10, 2004
    Posts:
    419
    Location:
    Venus
    Hi, I’d like to ask you a few questions to clarify some details;

    1. How are you performing the tests?

    2. Do you know what you are doing?

    3. Are you testing the whole virii file or just the signatures?

    4. How do you know the virus samples you have are not corrupt?

    5. Where did you obtain the samples?

    I ask these questions as in a previous thread of yours, you ask for assistance to find virus samples and also how to test only the signatures of the virii file, not the whole executable that would be delivered in an "In the wild" situation.
    (Link to threads mentioned above 1. 2.

    The testing of Antivirus scanners using "In the wild" virus samples is best left to experts. Firstly, you need actual current "In the wild" samples that have not been cleaned/deleted by a previous Antivirus, and a sterile PC with exactly the same settings for every test run. If you merely load and delete the samples one after the other you will get errors in your test.

    The basic fact that you did not have Nod32 set to scan with full settings renders your results useless. Amateur testing like this, especially when you post the results as definitive, can mislead and misinform people.
     
  15. Happy Bytes

    Happy Bytes Guest

    Yes, you are right, it's a Unix mailbox format, also used by Eudora and Pegasus Mail.
     
  16. Stan999

    Stan999 Registered Member

    Joined:
    Sep 27, 2002
    Posts:
    566
    Location:
    Fort Worth, TX USA
    Those are some really old DOS viruses from around 1989 and the 1990's.
    They mainly infect COM files in a DOS environment and don't really pose a current threat.

    IMHO, I personally wouldn't use results from that test file you have to influence a decision on which AV provides good protection from current day infections and zero-day threats.
     
  17. DonKid

    DonKid Registered Member

    Joined:
    Jun 27, 2004
    Posts:
    566
    Location:
    São Paulo, Brazil
    First of all, thanks to Stan999 for the link.

    I tried to solve my problem in this thread:

    https://www.wilderssecurity.com/showthread.php?t=68013

    So, I sent my file and got this answer:

    File: cartaovirtual
    INFECTED/MALWARE
    Packers detected:
    UPX

    AntiVir
    No viruses found (1.19 seconds taken)
    Avast
    No viruses found (4.53 seconds taken)
    AVG Antivirus
    No viruses found (1.15 seconds taken)
    BitDefender
    No viruses found (1.47 seconds taken)
    ClamAV
    No viruses found (1.89 seconds taken)
    Dr.Web
    No viruses found (2.41 seconds taken)
    F-Prot Antivirus
    No viruses found (0.23 seconds taken)
    Fortinet
    No viruses found (1.22 seconds taken)
    Kaspersky Anti-Virus
    Trojan.Win32.VB.ta (1.90 seconds taken)
    mks_vir
    No viruses found (0.27 seconds taken)
    NOD32
    No viruses found (0.54 seconds taken)
    Norman Virus Control
    No viruses found (0.67 seconds taken)

    Well, I sent this file yesterday to Eset and Kaspersky, and unfortunately I haven't got any answer yet.

    Best Regards,

    DonKid.
     
    Last edited: Feb 24, 2005
  18. variable125

    variable125 Registered Member

    Joined:
    Feb 7, 2005
    Posts:
    10
    That's what I was thinking Stan, I like Nod. But that is a random pulling of about 500 or so live Windows viruses I have on a Linux machine. If some of them are old, does that mean they shouldn't be caught? I wondered if Nod doesn't catch them because they are not considered a threat anymore. If so, why do the other AVs catch them if they are unimportant? I will try another round of different virii. I think you're on the right track.

    Sweetie, I don't understand your childish attacks. Please read all the posts and you will see that I have a live virus pool and I am sending them as attachments to a test bed email server running an Imail interface, and sending the emails to be scanned using the command line scanner functions of the AV. This is a project. I am a network admin. I really don't care if I stepped on your toes because you are affiliated with NOD or think you know what you are doing. I just want a product that catches the viruses, has the lowest CPU usage and works from a command line. I'm not picking on your pet AV. The test viruses are caught by several well-known AVs and not caught by Nod32. Why? I posted the results. You see it fails. My testing obviously concurs with Jotti's site. I have had a third party review my testing procedures and agree I was doing it right. Ranting like a teenager doesn't explain the discrepancy.

    I thought this was a professional site for people who do IT for a living.
     
  19. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,374
    Hi variable125,
    I wonder if you have already submitted those files to Eset. Without doing so, it's impossible for people from Eset to tell why they weren't picked up by NOD32. Also I can assure you NOD32 detects a huge bunch of old DOS virii.
     
  20. Sweetie(*)(*)

    Sweetie(*)(*) Registered Member

    Joined:
    Aug 10, 2004
    Posts:
    419
    Location:
    Venus
    Edit; removed my post.
     
    Last edited: Feb 24, 2005
  21. ronjor

    ronjor Global Moderator

    Joined:
    Jul 21, 2003
    Posts:
    57,794
    Location:
    Texas
    No more personal attacks please. Marcos is here to assist in this matter.
     
  22. variable125

    variable125 Registered Member

    Joined:
    Feb 7, 2005
    Posts:
    10
    Marcos, we sent the original 15 and 9 newer W32 virii that are listed below to Eset. Hopefully, we will hear something back. Perhaps they monitor the threads here.

    Stan999, in keeping with your line of thinking about the virii being old, we sent a new round of W32 viruses through the test bed and to the Jotti web site. The results are listed below. Again, these are not eicar signatures but live viruses.

    File: main.mbx
    Status: INFECTED/MALWARE
    Packers detected: None

    AntiVir WIN/CERE1482, W32/Idele.2560.DR, W32/Lames.4096.A, W95/Millenium, W32/Cabinfector.1, W32/Volcano.Dr, WIN/ZOMBIE (0.42 seconds taken)

    Avast No viruses found (1.53 seconds taken)

    AVG Antivirus No viruses found (0.40 seconds taken)

    BitDefender Win32.Cerebrus.1482, Win32.Idele.2108.Dr, Win32.Lames.4096, Win98.Milen.3205, Win32.CabInfector, Win32.Vulcano, Win32.Intended.Zombie (0.59 seconds taken)

    ClamAV CERE1482 (0.59 seconds taken)

    Dr.Web Win32.Cerebrus.1482, Win32.Idele.2108, Win32.Deviator.4096, Win32.Benny.3205, Win32.Prizzy.4096, Win32.Benny.6416, modification of Win95.Zombie.4600 (0.96 seconds taken)

    F-Prot Antivirus W32/Cerebrus.1482, W32/Idele.2108, W32/Lameness.4096, W32/Milennium.3205, W32/Cabinf.A, W32/Vulcano.A, W32/Zombie.4576 (12.27 seconds taken)

    Fortinet No viruses found (1.09 seconds taken)

    Kaspersky Anti-Virus Virus.Win32.Cerebrus.1482, Virus.Win32.Idele.2108, Virus.Win32.Lames.4096, Virus.Win32.Levi.3205, Virus.Win32.CabInfector, Virus.Win32.Vulcano, Virus.Win32.Zombie (3.46 seconds taken)

    mks_vir No viruses found (0.79 seconds taken)

    NOD32 No viruses found (1.49 seconds taken)

    Norman Virus Control No viruses found (0.75 seconds taken)

    Interesting aside... Testing AVG with these 9 resulted in many getting through. Once in the mailbox, however, and using a manual scan, AVG found most of them. So this led us to believe it could be a switching issue with the CL scanning. So far this has held true for Nod 32 as well. The obvious deduction from this is that a crucial switch is not set. We have tried all those suggested. The /pack+ actually crashed the test box :p Looked like a loop.

    We will continue to try tomorrow. If we come up with any solution I will post it.
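The Declude call in post 1 turns NOD32 exit codes into verdicts, and posts 13 and 15 point out that main.mbx is a Unix mailbox rather than a plain file. The following Python is an added example, not code from the thread or from Eset or Declude: it unpacks each attachment out of an mbox so a command-line scanner is run on individual files, and maps the scanner's exit status the way the quoted VIRUSCODE lines do (1 and 13 = infected; 0 = clean is an assumption; anything else is reported as a scanner error rather than as clean). The stand-in scanner in dry_run() is a placeholder, not NOD32, and the sample mailbox is constructed with harmless text payloads.

```python
import mailbox, subprocess, sys, tempfile
from email.message import EmailMessage
from pathlib import Path

# Exit codes as configured in the Declude lines quoted in the thread: VIRUSCODE 1 and
# 13 mean "infected". Assumption: 0 is clean; any other status is a scanner error.
INFECTED_CODES = {1, 13}

def classify_exit_code(code: int) -> str:
    # An error status is reported as such, never silently treated as "clean".
    return "clean" if code == 0 else "infected" if code in INFECTED_CODES else "error"

def extract_attachments(mbox_path, out_dir):
    """Write every attachment in a Unix mbox to out_dir, one file per attachment."""
    written = []
    for i, msg in enumerate(mailbox.mbox(str(mbox_path))):
        for j, part in enumerate(msg.walk()):
            if part.get_content_maintype() == "multipart" or not part.get_filename():
                continue  # container parts and inline bodies are not attachments
            target = Path(out_dir) / f"{i:04d}-{j:02d}-{Path(part.get_filename()).name}"
            target.write_bytes(part.get_payload(decode=True))
            written.append(target)
    return written

def scan_mailbox(mbox_path, scanner_cmd):
    """Run scanner_cmd (argv list, e.g. NOD32.exe plus switches) once per attachment."""
    with tempfile.TemporaryDirectory() as workdir:
        return {p.name[8:]: classify_exit_code(  # key: filename without the index prefix
                    subprocess.run([*scanner_cmd, str(p)], capture_output=True).returncode)
                for p in extract_attachments(mbox_path, workdir)}

def build_sample_mbox(path):
    """Constructed two-message mailbox with harmless text payloads (not real samples)."""
    box = mailbox.mbox(str(path))
    for fname, body in (("notes.txt", b"quarterly notes"), ("update.exe", b"not a binary")):
        msg = EmailMessage()
        msg.set_content("see attachment")
        msg.add_attachment(body, maintype="application", subtype="octet-stream", filename=fname)
        box.add(msg)
    box.close()  # close() flushes the mailbox to disk
    return path

def dry_run():
    """Stand-in scanner (assumption, not NOD32): exit 1 for .exe attachments, 0 otherwise."""
    stub = [sys.executable, "-c", "import sys; sys.exit(1 if sys.argv[1].endswith('.exe') else 0)"]
    with tempfile.TemporaryDirectory() as d:
        return scan_mailbox(build_sample_mbox(Path(d) / "main.mbx"), stub)
```

Handing the scanner the whole mailbox relies on the scanner's own mail parsing; extracting the attachments first makes the per-file verdict independent of that.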
     