Nod32 did not detect this...Why not?

Discussion in 'NOD32 version 1 Forum' started by Straight Shooter, Jan 9, 2003.

Thread Status:
Not open for further replies.
  1. o_O

    On a whim, I decided to test-drive Avast and RAV, because the email scanner in the NOD beta kept crashing on me whenever I would get an email virus.. Now here's the clincher.. When I downloaded Avast, I ran a scan.. Of course, I uninstalled every other AV, including NOD32. Avast found Win32.Huang in the system restore folder..

    I uninstalled Avast, and reinstalled NOD32 (NOT the Beta) .. NOD did not find it. Then uninstalled NOD and reinstalled Avast. It found it again..

    Why won't NOD find this?

    Here is a screenshot...
     


  2. anders

    anders Eset Staff Account

    Joined:
    Oct 25, 2002
    Posts:
    410
    Should be no problems detecting the file (if extensions are correct for example).

    Please send a copy of that file to me at anders @ eurosecure.com. Could also be a false positive by Avast.

    Best regards,
    Anders
    EuroSecure
     
  3. :eek: Chalk up another victory for NOD32!

    I think it is a false positive.. I moved the "infected files" and they don't seem to be a virus.. You would know better. I am sending them to you with the heading, thanks from Straight Shooter.

    2 of the files have been renamed simply by adding ".vir" at the end..

    the other one is in original condition..

    I have a feeling that "infected" file is from Panda antivirus.. I tested that too..

    Although the regular version of NOD is fine, the beta version really crashes my Outlook Express when I get infected email.. I am in a "slight panic mode", and went around checking other AVs.. just in case NOD VER 2 is something I can't use..

    FYI
    Win XP with latest Service pack 1
    512 ram
    Athlon Processor

    Thank you for your time. I appreciate it..
     
  4. anders

    anders Eset Staff Account

    Joined:
    Oct 25, 2002
    Posts:
    410
    Hi.

    Sorry about forgetting to post here.. :)

    The files you sent are clean, so it's a false positive from Avast.

    Regards,
    Anders
    EuroSecure
     
  5. Thanks. I thought it was too. I appreciate your "analysis"..
     
  6. vlk

    vlk AV Expert

    Joined:
    Dec 26, 2002
    Posts:
    618
    Hi, I'm from Alwil Software (the producer of avast!) and would like to explain this issue.

    If you're seeing this on a Panda antivirus file (actually, a virus definition file), it is because the file really contains the virus string. I don't understand how Panda can have some of the strings unencrypted - but we are aware of this "problem" :doubt:

    Thanks
     
  7. Technodrome

    Technodrome Security Expert

    Joined:
    Feb 13, 2002
    Posts:
    2,140
    Location:
    New York
    It’s not only avast! that detects this panda file as a virus, I've seen other AVs doing so....


    Technodrome
     
  8. Gladiator

    Gladiator Guest

    LOL yes i can confirm this :D
     
  9. sk

    sk Registered Member

    Joined:
    Nov 19, 2002
    Posts:
    241
    That damned Panda file wreaked havoc on my system until I finally figured out it was a false positive. Fortunately, I found it out one step short of a total reinstall!

    sk
     
  10. Everyday, you learn a little more...

    Well. I did the following on my computer before that virus (or whatever it was) showed up...

    I uninstalled NOD32 ..
    I then installed the Panda Antivirus 7.0
    Hated it, and took it out.. (Too slow, other issues I don't care to write about. Never got an answer from Panda's tech support over email)..

    Then I downloaded Avast..

    To be honest, I liked it. It ran pretty fast, easy, and light.. No firewall with it, which I REALLY liked...

    Then came the false positives, or true positives according to the Avast developer...

    So, I sent them the samples by sending them a virus report and have still yet to hear from anyone at Avast..

    Then I came here, got an answer in an hour from Jan.
    If what I am reading about that Panda file string being a virus is correct, then NOD32 should have detected it, right?

    No harsh judgements or anything like that, I am simply trying to get the best for my needs..

    I think it should.. That now goes to what the definition of a virus is...

    So, if the Alwil Avast developer is still reading this, let me ask you, do you have a forum? How would I get a question asked?

    A virus string to me, is the same as the virus.. Or, it is better to be safe than sorry...

    Regardless, that Panda messed up my computer pretty bad.. I think I will wind up fdisking and reinstalling...
    Oh,well...
     
  11. Gladiator

    Gladiator Guest

    Well, you can detect viruses with different scan strings.
    This means NOD can search for other bytes and still detect this Kuang.
    There is no unique scan string for a virus/backdoor.

    Michael
     
  12. Right Michael, to be honest.. I already had your answer in mind.. What the Avast guy is saying, if I am interpreting him correctly, is that Panda is actually using the Kuang string or a part of it itself to detect that virus.. Is that ethical? Or is NOD correct because their system approaches it in a different way and then it doesn't report it as a virus because it is in fact, a false positive...?
     
  13. Gladiator

    Gladiator Guest

    I had some problems too - because Panda is not encrypting the scan strings :)

    The same will happen with MSSAV (Microsoft AV) under MS-DOS - there, too, nothing is encrypted - pure virus signs

    Michael
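    As an added illustration of the two points made above (this is demo code written for this thread, not code from any of the posters, ESET, Alwil or Panda): a scanner that matches raw byte patterns will flag a definitions file that stores its scan strings in the clear, it will not flag the same definitions once they are stored in a reversibly encoded form, and a second engine that uses a different scan string for the same family will not flag the clear-text file at all. The signature names, the patterns, the file format and the XOR encoding are all constructed for the demo.

```python
# Constructed demo signatures: short stand-in byte patterns, NOT real
# malware detection strings.
SIGNATURES = {
    "Demo.Kuang.A": b"DEMO-KUANG-PATTERN-0001",
    "Demo.Test.B": b"DEMO-TEST-PATTERN-0002",
}
# A second engine's (constructed) signature for the same family: it looks for a
# different byte sequence, as Gladiator describes.
OTHER_ENGINE = {"Demo.Kuang.A": b"DEMO-KUANG-ALT-PATTERN-9"}


def scan(data: bytes, signatures=SIGNATURES) -> list:
    """Naive byte-pattern scanner: return the names of all patterns found in data."""
    return [name for name, pat in signatures.items() if pat in data]


def write_definitions_plain(signatures) -> bytes:
    """Definitions file with raw scan strings (the situation described in the thread)."""
    return b"\n".join(name.encode() + b"=" + pat for name, pat in signatures.items())


def xor_obfuscate(pat: bytes, key: int = 0x5A) -> bytes:
    """Reversible single-byte XOR; applying it twice restores the input."""
    return bytes(b ^ key for b in pat)


def write_definitions_obfuscated(signatures, key: int = 0x5A) -> bytes:
    """Definitions file with XOR-encoded, hex-printed scan strings (constructed scheme).
    Any reversible transform is enough to break a raw substring match."""
    return b"\n".join(name.encode() + b"=" + xor_obfuscate(pat, key).hex().encode()
                      for name, pat in signatures.items())


def load_definitions_obfuscated(blob: bytes, key: int = 0x5A) -> dict:
    """Decode the obfuscated file back into usable in-memory signatures."""
    sigs = {}
    for line in blob.split(b"\n"):
        name, hexpat = line.split(b"=", 1)
        sigs[name.decode()] = xor_obfuscate(bytes.fromhex(hexpat.decode()), key)
    return sigs


if __name__ == "__main__":
    plain = write_definitions_plain(SIGNATURES)
    obf = write_definitions_obfuscated(SIGNATURES)
    print("plain defs, same engine :", scan(plain))              # false positive
    print("plain defs, other engine:", scan(plain, OTHER_ENGINE))  # no hit
    print("obfuscated defs         :", scan(obf))                # no hit
    print("obfuscated still usable :", load_definitions_obfuscated(obf) == SIGNATURES)
```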
     
  14. Paul Wilders

    Paul Wilders Administrator

    Joined:
    Jul 1, 2001
    Posts:
    12,472
    Location:
    The Netherlands
    Shooter,

    In the end: yes ;).

    regards,

    paul
     
  15. Thank you...
     
  16. anders

    anders Eset Staff Account

    Joined:
    Oct 25, 2002
    Posts:
    410
    In my opinion, this should definitely NOT be detected.

    It's not a virus, it's not malware or anything, so it shouldn't be flagged as one.

    Detecting it would be producing a false positive.

    Of course it's not wise to have any "such things" unencrypted (or even un-obfuscated ;P) but it's still not good to detect it.

    It's stated here, and it has happened many times before... detecting a false positive could also cost you time/money/data.

    The use of non-malware in ZDNet /CNet (and other tests) has, as you ought to know by now, been highly criticized.

    Best regards,
    Anders
    EuroSecure
     