NOD32 catches all the big viruses, what about the small ones?

Discussion in 'ESET NOD32 Antivirus' started by MaXimus666, Nov 19, 2007.

Thread Status:
Not open for further replies.
  1. MaXimus666

    MaXimus666 Registered Member

    Joined:
    Jul 7, 2006
    Posts:
    29
    Location:
    United Arab Emirates
    Well, it has gotten many awards from Virus Bulletin for many years for having never missed an in-the-wild virus! Great! So I bought it and have been a loyal user for years, thinking my system is rock solid and protected.

    Only to be surprised by something fishy running on my system while NOD32 is running and always updated! A file called ndt.sys! It's malware according to a search on Google, and NOD32 never informed me of it! So here's the surprise! I uninstalled NOD32 and installed AVG Free Anti Virus! And guess what!

    It caught many viruses in my system!

    LimeWire was reported as malware
    KGB Keylogger
    YouTube Video Downloader
    Wireless KeyView
    Acronis keygen
    etc..


    I uninstalled AVG and reinstalled version 3.xxx.566 of NOD32 back on my system (Windows Vista Business)

    But I am very scared now and doubtful about the greatness of the NOD32
     
  2. deanmartin

    deanmartin Registered Member

    Joined:
    Sep 6, 2007
    Posts:
    231
    Location:
    USA/KY
    2 days ago I had it happen to me. My computer was not acting right, so just to ease my mind I uninstalled nod32 3.0566 and installed Avast to double check nod's 0 detection on its scan. Guess what, I did have 2 viruses (win32ctx & civil defence). Avast was my AV before nod32 and now is again. I like nod's liteness but I never had that happen before.
     
  3. nodHead

    nodHead Registered Member

    Joined:
    Sep 23, 2007
    Posts:
    85
    Doesn't inspire confidence.

    But I already know what the official ESET retort will be:

    "No Antivirus product guarantees to catch 100% of Viruses"

    Which is fair enough, but then why do other free products manage to find and clean viruses that NOD lets slip through?
     
  4. GAN

    GAN Registered Member

    Joined:
    Mar 3, 2007
    Posts:
    355
    First of all did you enable these features of nod32:
    - Potentially unwanted applications
    - Potentially unsafe applications

    And those examples given by you are NOT viruses and will do no harm to your system, except maybe the keylogger. If the keylogger is on your system without your knowledge then it could do harm, but if you know about it and actually use it, it does no harm.
    For the rest of your examples, those programs are most likely something you want to keep and actually use. None of those do any harm and they fit in the category "Potentially unwanted applications", but they are for sure not viruses. Do you actually want your antivirus to remove limewire, youtube video downloader and wireless keyview, or do you use those applications and want to keep them?

    You should check why AVG detects those applications and not just assume it's a virus, which it is not. Antivirus software detects much more than viruses, and what is detected depends on your settings as well. Viruses, trojans and worms are some examples of stuff that causes damage to your system or puts your computer at risk. Limewire and YouTube video downloader are not viruses, but may be considered potentially unwanted applications. In most cases people that installed those applications actually want to use them and would not define them as unwanted. Actually I would say that youtube video download is just as safe as any other application and should not be detected as a threat.

    It makes sense if nod32 detects the keylogger as a threat (and maybe it does as well if you enable unsafe/unwanted applications), but for me it makes no sense if nod32 detects the other applications as a threat. I would say detecting "YouTube Video Downloader" as a threat is unwanted behavior of an antivirus application. In that case Word and Excel could be a threat as well. As for your Acronis Keygen, that is not a threat, but a keygen used for illegal usage of an application and therefore detected as unwanted by some AV software. I guess the reason why you have this keygen is because you don't have a legal version of some Acronis software? So even if the usage of this keygen is illegal I assume you actually want to keep it? Malware is also something you normally don't want on your computer, but it's not the same as a virus that causes damage.

    For the file ndt.sys i don't know what it is and maybe you are right it should have been detected.....don't know what it is so cannot tell.

    I have seen several discussions about whether an antivirus should detect stuff like limewire, toolbars and youtube video download as a threat, and there are a lot of opinions since those applications don't do any harm and fit better in the category "Potentially unwanted applications". Some find AV software that detects almost everything as malware to be pretty annoying and some like it that way. AV software from different vendors works a bit differently and if you are not happy with the detection of nod32 you could try another product. But you should remember that the best AV software isn't necessarily the one that detects the most threats, but the one that detects the real threats with few false positives. This is the hard part since there is no right and wrong and it is all about opinions, except with viruses, worms, trojans and stuff like that which is created for one purpose only. In this case I'm pretty sure you don't want your antivirus software to prevent you from using limewire and youtube video downloader? So would AVG be a better choice for you?
     
    Last edited: Nov 20, 2007
  5. deanmartin

    deanmartin Registered Member

    Joined:
    Sep 6, 2007
    Posts:
    231
    Location:
    USA/KY
    Mine were on (Potentially unwanted applications, Potentially unsafe applications) on all the setups.
     
  6. MaXimus666

    MaXimus666 Registered Member

    Joined:
    Jul 7, 2006
    Posts:
    29
    Location:
    United Arab Emirates
    Well I did enable the option to detect unwanted applications.

    As for ntd.sys and many other .sys files that were automatically being run at start up, which I cannot remember now because I formatted since that happened, according to Google they are very dangerous and send information from your system to unknown sources! Can someone explain why NOD32 didn't catch them? That was my major disappointment to be honest, whereas the keygen, limewire, keylogger and wireless key view never did cause any trouble.
    But neither did NOD32 nor Ad-Aware 2007 Pro catch ndt.sys!
     
  7. GAN

    GAN Registered Member

    Joined:
    Mar 3, 2007
    Posts:
    355
    Well, for the ntd.sys, that might be something that should have been detected. In deanmartin's case those also sound like real threats, but the other examples are no real threats in my opinion, except maybe the keylogger as I said.

    There is no one that can give you any good explanation why it was not detected except the obvious, which is that nod32 didn't have the signature to detect the threat (assuming nod32 was actually working properly on your computer). Following the instructions from eset and sending a sample is the best thing to do. Then you help eset to make the detection better and that way help other nod32 users as well. You won't get any further explanation here why it was not detected since there isn't much more to say.

    You probably read the "No Antivirus product guarantees to catch 100% of Viruses" before in this forum and that is the fact, even if it might be a bit boring reading this over and over again. A friend of mine had to reinstall his computer because of a virus when using norton antivirus, so this could happen using any AV software. Which one is the best and most secure.....I don't think anyone can say for sure, but if you feel safer using AVG or some other av software I think you should use that one instead of nod32. No one can say for sure what is the best to use, so reading different antivirus software tests/reviews, your personal experience and what you believe is the best should decide. You could also listen to advice from others, but in this forum, which is the official eset support forum, I guess a lot of people prefer nod32. If you go to some other official AV software forum you will probably see the same thing.

    I used Symantec AV Corp Edition (not Norton antivirus for home users) before I switched to nod32 and had no problems with either, so could recommend both. The reason why I changed to nod32 is because it uses less resources and for me seems to work very well. I still use version 2.7 though because of the bugs in 3.0, and unless the detection is better using 3.0 I cannot see why I should upgrade to a version that uses more memory with a new GUI.
     
    Last edited: Nov 20, 2007
  8. deanmartin

    deanmartin Registered Member

    Joined:
    Sep 6, 2007
    Posts:
    231
    Location:
    USA/KY
    I can't say that I'll never go back to nod. I'm just going to give them more time.
     
  9. MaXimus666

    MaXimus666 Registered Member

    Joined:
    Jul 7, 2006
    Posts:
    29
    Location:
    United Arab Emirates
    till this point of time....Avast and AVG did a better job than NOD32! and guess what? they're free!

    this said from an official NOD32 fan / owner

    kthxbye
     
  10. Nahaz

    Nahaz Registered Member

    Joined:
    Nov 19, 2007
    Posts:
    8
    What is ntd.sys?

    I tried to google it and I couldn't find any information on it
     
  11. MaXimus666

    MaXimus666 Registered Member

    Joined:
    Jul 7, 2006
    Posts:
    29
    Location:
    United Arab Emirates

    The unsafe files using this name are associated with the malware group Win32.Rootkit.Gen. Some files using the name NDT.SYS are also associated with the malware group:


    Generic.Rootkit

    These files may have the following Vendor, Product, Version Information in the file header ; ; 1.0.0.0
    The following Vendor, Product, Version Information has also been reported:
    ; ; 2.0.1.66 ; ; 2.0.1.38 ; ; 2.0.1.88


    NDT.SYS has been seen to perform the following behavior(s):
    - Can communicate with other computers using TCP protocols
    - This Process Deletes Other Processes From Disk
    - Can communicate with other computer systems using HTTP protocols
    - Executes a Process
    - Modifies the Windows Host File which could be used to stop you visiting specific web sites by redirecting you to alternative addresses without you knowing
    - Terminates Processes
    - Adds a Registry Key (RUN) to auto start Programs on system start up
    - Registers a Dynamic Link Library File
    - Writes to another Process's Virtual Memory (Process Hijacking)
    - This Process Creates Other Processes On Disk

    NDT.SYS has been the subject of the following behavior(s):
    - Created as a process on disk
    - Executed as a Process
    - Deleted as a process from disk
    - Writes to another Process's Virtual Memory (Process Hijacking)
    - Terminated as a Process

    NDT.SYS can also use the following file names:


    WMIPRVES[2].EXE WMIPRVES[1].EXE NDT2.SYS 31072677.SYS 33201795.SVD NDT2SUSPECT.SYS 75062483.SYS 03410126.SYS 84733211.SYS 79840294.SYS
     
  12. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,374
    To avoid speculations whether ntd.sys is legit or malware, please submit it to samples[at]eset.com with this thread's url so that we can check it out.
     
  13. MaXimus666

    MaXimus666 Registered Member

    Joined:
    Jul 7, 2006
    Posts:
    29
    Location:
    United Arab Emirates
    Too late. I've formatted my system long back, dude
     
  14. SteveBlanchard

    SteveBlanchard Registered Member

    Joined:
    Nov 4, 2007
    Posts:
    312
    Location:
    ENGLAND
    I used AVG during a rebuild (waiting for my current AV licence to be resent). AVG found the licence key for rFactor, reported it as spyware and deleted it. (It found the Trymedia.adware spyware file but deleted the folder it was in, rather than the file itself.) AVG may be great at finding oddities, but extreme care needs to be used with it.
     
  15. GAN

    GAN Registered Member

    Joined:
    Mar 3, 2007
    Posts:
    355
    It depends on what you define as a better job. Finding YouTube Video Downloader as a threat is not part of a good job, I think. I'm not going to start a nod32 vs avg discussion since that is pointless, but I think this is all about opinions, personal experience and what everyone prefers. A couple of examples don't really say anything about how well the AV software works.
     
  16. Joliet Jake

    Joliet Jake Registered Member

    Joined:
    Mar 1, 2005
    Posts:
    911
    Location:
    Scotland
    Try having a look over at AV Comparatives and Virus Bulletin, check out the current state of play and go back over the history of all three you mentioned and see if you still feel you can make this assertion. :D
     
  17. Muscle

    Muscle Registered Member

    Joined:
    Aug 11, 2006
    Posts:
    15
    NOD32 didn't saw this virus

    Yesterday I had a virus on my PC that uninstalled NOD32 silently!
    I had to reinstall Vista because of it :mad:

    After reinstalling Vista, I analyzed the Virus, and guess what, NOD32 does not detect it as virus where other scanners do.

    Results from http://www.virustotal.com

    VirusTotal results removed per this policy.

    What I don't understand is that NOD32 is supposed to be a very good scanner, as can be read in many tests, but why doesn't it see these Trojan/Downloader.Bagle.fx/ft variants? These aren't small viruses if I'm correct.
     
    Last edited by a moderator: Nov 22, 2007
  18. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,374
    Re: NOD32 didn't saw this virus

    As you can see in the results, the file was scanned with v. 2655 (issued on Nov 13th) - more than a week ago. I have tested it now and all Bagle samples were actually detected.
     
  19. Bunkhouse Buck

    Bunkhouse Buck Registered Member

    Joined:
    May 29, 2007
    Posts:
    1,056
    Location:
    Las Vegas
    Agreed. Amazing how hard data does not convince certain users that NOD32 is at the top of the list along with Avira for best overall protection (signatures + heuristics).
     
  20. Muscle

    Muscle Registered Member

    Joined:
    Aug 11, 2006
    Posts:
    15
    Re: NOD32 didn't saw this virus

    No. That last result (not mine but from someone else) was from 13 Nov, and the virus was from at max 13 Nov (or earlier). (Dutch: http://gathering.tweakers.net/forum/list_message/29079824#29079824 )

    So at that time (13 Nov), the latest update (of 13 Nov) of NOD32 didn't see it where other scanners did on 13 Nov.

    I scanned my virus samples (the first 2 results) yesterday with both NOD32V3 with latest virus updates and with NOD32 from Virustotal.com, and neither instance of NOD32 detected it as a virus.

    If NOD32 does see it now, then that's probably because I submitted the virus yesterday to NOD32.
    (At the moment I'm running Kaspersky.)
     
  21. Muscle

    Muscle Registered Member

    Joined:
    Aug 11, 2006
    Posts:
    15
    I also find comparative data very valuable, but when you have an experience where you trust a certain scanner because of comparative data, and then get infected by a variant of a major known virus (TrojanDownloader.Bagle.*), you'll scratch your head and think: how is this possible, why did the other scanners see that virus while I'm using a top scanner? It makes you uninstall the scanner and install a scanner that did detect the virus. And makes you wonder if the comparative data is simply too old (even though it is only some months old).
     
  22. Muscle

    Muscle Registered Member

    Joined:
    Aug 11, 2006
    Posts:
    15
    I just tested to see if the Online Scanner of NOD32 (http://www.eset.com/onlinescan) sees the virus sample of Trojan-Downloader.Win32.Bagle.fx. Well... it still doesn't.
     
  23. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,374
    I'm not aware of any undetected Bagle. If you have one, please send it in a password protected archive to samples[at]eset.com with this thread's url in the subject.
     
  24. Muscle

    Muscle Registered Member

    Joined:
    Aug 11, 2006
    Posts:
    15
    Check your mail :)
    I've just put the 2 samples in it.
     
  25. ultragunnerdcl

    ultragunnerdcl Registered Member

    Joined:
    Oct 26, 2007
    Posts:
    103
    Location:
    Philippines
    Nod32 also misses a lot of trojans. Kaspersky's Online Scanner detected a lot of trojans that nod32 missed. I am unhappy with nod32 & would never renew my license again. I even had all the trojans quarantined in my kaspersky that I downloaded after the online scanner detected a lot of them. How do you explain that.o_O? Nod32 is really a lot of hype & is very overrated. I also scanned the sample in VIRUS TOTAL & a lot of scanners (9 & above) detected the sample as a trojan, talk about nod32 being a blind scanner.:thumbd: Nod32 loses this customer by the way & would never believe in it again.
    To think that I was even using the new & improved version 3.0.566.0 & it failed me.!!!
     
    Last edited: Nov 24, 2007