Not clean/deleted file in system?

Discussion in 'ESET NOD32 Antivirus' started by nodyforever, Feb 21, 2008.

Thread Status:
Not open for further replies.
  1. nodyforever

    nodyforever Registered Member

    Joined:
    Oct 30, 2007
    Posts:
    549
    Location:
    PT / Lisbon
    Re: New Bugs in EAV v621

    Not clean/deleted file in system?

    It cleans the file's code but does not eliminate the file itself ... why?
     

    Attached Files:

  2. BFG

    BFG Registered Member

    Joined:
    Oct 27, 2004
    Posts:
    482
    Location:
    San Diego
    Hello,

    Are you asking why the file couldn't be cleaned and was only deleted?

    If so, cleaning a file was more an option, or more common, a few years ago when a threat was attached to a good file. You could clean the threat, leaving the good file.

    Nowadays the entire file is the threat so the only way to "Clean" it is to delete it.

    It does make an encrypted copy of the file in the event of a false positive. That file is harmless in its encrypted state.

    If this is not what you were asking please let us know.

    Thank you,
    BFG
     
  3. nodyforever

    nodyforever Registered Member

    Joined:
    Oct 30, 2007
    Posts:
    549
    Location:
    PT / Lisbon

    Yes.

    Not a false positive file.

    His theory has a logic that I agree with, but if this good file was always sent to quarantine we could restore it and bring it back as if it were a false positive.

    The problem is that EAV/ESS does not manage to remove a file if it is already on the desktop, as happens in the case of zip/rar archives that are on the desktop but are not removed completely.

    Or will these files be removed after restarting my computer? Or is it going to fill my computer with files that contain a virus but only had their malicious code taken out of them?

    Does this really have such crazy logic?

    If we have the possibility to restore the same file, why will it not be able to be removed from the desktop, or from wherever it is on our computer?



    Cheers:argh:
     
  4. nodyforever

    nodyforever Registered Member

    Joined:
    Oct 30, 2007
    Posts:
    549
    Location:
    PT / Lisbon
    Any ideas? :rolleyes: :blink:
     
  5. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,374
    Apparently the malicious file was detected in a temp folder, but you are inquiring about a file on your desktop. These are two different files.
     
  6. ASpace

    ASpace Guest


    I have seen your case before. As Marcos points out, what is deleted is not the file you show but perhaps its extracted copy in the temp directory.

    For example, the file on your desktop is started, it creates a malicious file (in your case in your Temp dir), and EAV detects the malicious file in your temporary folder. It doesn't detect the file itself as malicious, just what is executed and created after your first file loads.
     
  7. thanatos_theos

    thanatos_theos Registered Member

    Joined:
    Apr 28, 2007
    Posts:
    540
    I believe what nodyforever meant was: NOD32 should delete/quarantine an archive containing malware and not just delete/quarantine the malicious content of the archive :doubt:.

    thanatos
     
    Last edited: Mar 12, 2008
  8. nodyforever

    nodyforever Registered Member

    Joined:
    Oct 30, 2007
    Posts:
    549
    Location:
    PT / Lisbon



    Thanatos, you are spot on about the question I wanted to see answered.

    Yet the views of Marcos and HB deserve all due credit, because they have their logic and I agree with each reply.

    Although the image shows a virus that generated the file in the Temp folder, it also detected the file itself here ..... so it removed the malicious code from the file on my desktop.

    It thus generates a huge amount of useless garbage on the computer if it keeps doing that constantly.

    There are several theories in this forum that prove this .... frustrating to say the least.

    If you have any concrete evidence to point to .... here it is again.

    Marcos and HB, don't take me the wrong way; my position is not to tarnish anyone's image, but to understand the things NOD32 has presented.

    Cheers:cool:
     
    Last edited: Mar 12, 2008
  9. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,374
    Well, I'm not sure if it's an archive. It could be an installer with encrypted files inside which are decrypted during installation, and at this point they are detected by NOD32.
     
  10. PaulB2005

    PaulB2005 Registered Member

    Joined:
    Apr 19, 2005
    Posts:
    525
    How would NOD know to delete the archive if it can't detect the Malware in the archive / package on the desktop due to obfuscation or encryption? NOD doesn't know where the malicious files came from when they're unpacked into the TEMP directory. It could have come from a download or any of the many processes and services running.
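    As an added illustration of the point Marcos (post 9) and PaulB2005 (post 10) are making, here is example code written for this page; it is not ESET's code and not taken from any post. A signature scanner can see inside a plain archive, but not inside a member that an installer stores encrypted, so the detection only fires on the decrypted copy in Temp, and at that moment nothing in the event ties the new file back to the container on the desktop. The EICAR test string stands in for the malware, a single-byte XOR stands in for the installer's payload encryption, and the key, member names and Temp path are made up for the example.

```python
import io
import zipfile

# EICAR test string, written as two adjacent literals so this source file
# does not itself contain the contiguous signature; the joined bytes are the
# standard, harmless AV test file.
EICAR = (b"X5O!P%@AP[4\\PZX54(P^)7CC)7}$"
         b"EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*")

# Toy signature database: byte pattern -> detection name.
SIGNATURES = {b"EICAR-STANDARD-ANTIVIRUS-TEST-FILE": "Eicar test file"}


def scan_bytes(data: bytes):
    """Return the detection name for the first matching signature, or None."""
    for pattern, name in SIGNATURES.items():
        if pattern in data:
            return name
    return None


def scan_archive(zip_bytes: bytes) -> dict:
    """Scan every member of an in-memory zip. Returns {member name: detection}."""
    hits = {}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            name = scan_bytes(zf.read(info))
            if name:
                hits[info.filename] = name
    return hits


def build_zip(members: dict) -> bytes:
    """Create a zip in memory from {member name: bytes}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for fname, data in members.items():
            zf.writestr(fname, data)
    return buf.getvalue()


def xor(data: bytes, key: int) -> bytes:
    """Stand-in for an installer's payload encryption (hypothetical scheme)."""
    return bytes(b ^ key for b in data)


# Case 1: the archive stores the payload in the clear, so the scanner can
# match it while looking inside the archive on the desktop.
PLAIN_ZIP = build_zip({"eicar.com": EICAR})

# Case 2: an "installer" stores the same payload encrypted; no signature
# matches until the installer decrypts it at run time.
KEY = 0x5A  # made-up key
PACKED_ZIP = build_zip({"payload.bin": xor(EICAR, KEY)})

# Made-up Temp location used by the simulated installer.
TEMP_DIR = "C:/Users/x/AppData/Local/Temp/"


def installer_extract(zip_bytes: bytes, key: int) -> dict:
    """Simulate the installer decrypting its members into Temp.
    Returns {temp path: plaintext bytes}."""
    out = {}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            out[TEMP_DIR + info.filename] = xor(zf.read(info), key)
    return out


def demo() -> dict:
    """Scan both containers, then scan what the packed one leaves in Temp."""
    results = {
        "plain_zip": scan_archive(PLAIN_ZIP),    # detected inside the archive
        "packed_zip": scan_archive(PACKED_ZIP),  # nothing to match
    }
    # Only after decryption does the signature match, and by then the scanner
    # is looking at a new file in Temp with no reference to PACKED_ZIP.
    results["temp_after_install"] = {
        path: scan_bytes(data)
        for path, data in installer_extract(PACKED_ZIP, KEY).items()
    }
    return results


if __name__ == "__main__":
    for case, hits in demo().items():
        print(case, hits)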
     
  11. MasterTB

    MasterTB Registered Member

    Joined:
    Jun 19, 2007
    Posts:
    547
    Location:
    Paraná, Argentina

    Yet, a question: If NOD knows that a bad file is created in the temp directory, adding the ability to detect which file created it (if not already present) would enable it to alert the user about the host and give an option to delete it as well, wouldn't it??
    That way, you could eliminate the created threat and the file responsible for creating it...
     
  12. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,374
    Hm, eliminating the system files svchost.exe, explorer.exe and maybe other crucial files that act as parents wouldn't be wise at all. These files are updated and the parent can be any legit application so that's certainly not a way to go.
     
  13. PaulB2005

    PaulB2005 Registered Member

    Joined:
    Apr 19, 2005
    Posts:
    525
    Also how far back does it go?

    If a malicious file appears in the temp directory and then NOD has to work out where that came from, should it then work out where that file came from? And that one? And that one?

    The next step in virus self protection will be to have a file that generates an obfuscated file, that generates an obfuscated file, that generates an obfuscated file that generates the Malware. Deleting the last two files in the chain still leaves the first two.

    Finally how much overhead would you be prepared to accept in order for NOD to be able to track where each file came from (assuming you could even do that)
     
  14. MasterTB

    MasterTB Registered Member

    Joined:
    Jun 19, 2007
    Posts:
    547
    Location:
    Paraná, Argentina
    Come on... It is not that hard... If you open a .rar or .exe NOD already knows; it is just a matter of keeping track of what that file does... and presto!! It is just a matter of allowing it to follow that track back to where it started.

    @Marcos: I'm not talking about deleting crucial system files, but files like those you download and that for some reason have to be executed/extracted or whatever to do harm... It is not that I'm saying NOD should be able to delete svchost, in fact I don't think it could at all, at least not in Vista!!
     
  15. PaulB2005

    PaulB2005 Registered Member

    Joined:
    Apr 19, 2005
    Posts:
    525
    Right. So with all the services and other programs running in the background you think NOD can track where each and every file came from?

    Can i ask what qualifies you to state that "It is not that hard"?

    Also how much overhead do you think that tracking every move every file makes to this degree would add to NOD?
     
  16. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,374
    How should we distinguish between legit and malicious parent files?
     
  17. MasterTB

    MasterTB Registered Member

    Joined:
    Jun 19, 2007
    Posts:
    547
    Location:
    Paraná, Argentina
    Well, the Real Time Scanner (according to the ESS help file) starts with the system and analyzes each file upon creation/start/open/close looking for malicious activity, so I'm not that crazy to suggest that it can walk back its own steps... also, if you consider that (according to Eset's help) EAV or ESS can delete newly created registry entries, or modified ones, done by malicious files upon disinfection, I'm not that crazy either... also, you have to remember that AdvHeur in NOD can emulate a newly created file to see where it will lead, and if it detects (potentially) suspicious behavior it will act upon it, so I really think I'm not too crazy to make my suggestion... of course my suggestion is to be implemented for newly created files or the ones that have not been opened in a while; you could not keep track of an infection detected via an on-demand scan... that I understand could be tricky.:p
     
  18. PaulB2005

    PaulB2005 Registered Member

    Joined:
    Apr 19, 2005
    Posts:
    525
    So basically you are not qualified at all to comment on the ease / difficulty of doing this. Just because you THINK something is easy, doesn't make it so....
     
  19. MasterTB

    MasterTB Registered Member

    Joined:
    Jun 19, 2007
    Posts:
    547
    Location:
    Paraná, Argentina
    What?? If I download Eicar.zip and it then extracts eicar.com, is it so hard to know that Eicar.zip is a malicious, or at least unwanted, parent??

    I know I am not an expert, just a concerned user, but I think common sense should kick in to this conversation at some point. My suggestion is not that crazy. If a file creates or extracts a malicious piece of code, I think the user would want to be able to eliminate it as well as the threat created, or at least have the option to do so. I mean, if NOD can disinfect the threat, GREAT!! But what if it can't o_O I particularly don't like any piece of code on my PC that could potentially do harm; that is why I use NOD, because it has never let anything in... but if something were to get in, I would like to be able to delete all threats and their related files, even the parents.
     
  20. PaulB2005

    PaulB2005 Registered Member

    Joined:
    Apr 19, 2005
    Posts:
    525
    OK. Imagine this scenario.

    A vital system file is infected by an, as yet, undetected virus, or is used to download a malicious file. The legit system file then effectively creates the malicious file. This malicious file IS detected by NOD and removed. Should the legit, system (parent) file be destroyed or not?

    How would NOD know which parent files to destroy? What if the parent file is a system file?

    It is a nice idea but totally impractical because you don't know if the parent file is safe to destroy or not..... Until you can answer that question....
     
  21. MasterTB

    MasterTB Registered Member

    Joined:
    Jun 19, 2007
    Posts:
    547
    Location:
    Paraná, Argentina
    Point taken, that is why I said that system files could not be treated in this fashion, yet if you consider that the system file is a Vista system file, then infection is not that probable; in any case, this particular scenario calls for a revision of the OS rather than an update of the AV, which in any case is doing its job.
    Don't get me wrong, I am not complaining about NOD in any way.
     
  22. Anth-Unit

    Anth-Unit Registered Member

    Joined:
    Oct 13, 2006
    Posts:
    108
    Well, presumably if it's a Trojan downloader you are protected from the payload. If it's some kind of different virus that's able to get into your system to that degree, why would it need to create another malicious file?
     
  23. PaulB2005

    PaulB2005 Registered Member

    Joined:
    Apr 19, 2005
    Posts:
    525
    Not sure i understand your question here.

    I've seen plenty of examples with another brand of AV where the Trojan Downloader isn't detected but the payload is. All very well detecting and killing the payload, but it doesn't help if the Trojan Downloader (TD) continues to download and attempt to reinfect the system with its payload. You just get alert after alert regarding the payload but not the TD.

    The suggestion here was to map where every file comes from and, if the child file is malicious, NOD was to kill the parent. My point was if the parent file was a critical system file infected with a TD you can't do that or you kill the system (potentially).
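    To make MasterTB's suggestion and the objections to it concrete, here is an added example written for this page; it is not ESET's code and not how any product decides. The events are constructed, Sysmon-style process-creation and file-creation records with made-up PIDs and paths. The walk starts at a detected Temp file, finds the process that wrote it, then the file that process was launched from, then who wrote that, and so on. It stops at a depth cap (PaulB2005's chain-of-droppers objection, post 13) and at any image under an assumed trusted directory (Marcos's svchost.exe/explorer.exe objection, post 12); the trusted-directory list is a placeholder for whatever reputation or signing check a real product would use.

```python
from dataclasses import dataclass


@dataclass
class Event:
    """One constructed Sysmon-style record (not a real log line)."""
    kind: str          # "proc": a process started; "file": a process wrote a file
    pid: int           # the process this record is about
    image: str = ""    # "proc" only: executable the process was started from
    ppid: int = 0      # "proc" only: parent process id
    target: str = ""   # "file" only: path the process wrote


# Made-up locations used by the constructed timeline.
DESKTOP = r"C:\Users\nody\Desktop"
TEMP = r"C:\Users\nody\AppData\Local\Temp"

# Constructed timeline: a browser saves a "codec" installer to the desktop,
# the installer drops a loader into Temp, the loader drops the payload, and,
# as a separate benign story, svchost.exe writes a file that a signature hits.
EVENTS = [
    Event("proc", 4, r"C:\Windows\explorer.exe", 1),
    Event("proc", 50, r"C:\Program Files\Mozilla Firefox\firefox.exe", 4),
    Event("file", 50, target=DESKTOP + r"\flash_codec.exe"),
    Event("proc", 100, DESKTOP + r"\flash_codec.exe", 4),
    Event("file", 100, target=TEMP + r"\drop.exe"),
    Event("proc", 101, TEMP + r"\drop.exe", 100),
    Event("file", 101, target=TEMP + r"\payload.exe"),
    Event("proc", 200, r"C:\Windows\System32\svchost.exe", 4),
    Event("file", 200, target=r"C:\Windows\Temp\update.tmp"),
]

# Assumed policy: an image under these trees is never a removal candidate.
# A real product would use code signing or reputation, not a path prefix.
TRUSTED_DIRS = ("c:\\windows\\", "c:\\program files\\")
MAX_DEPTH = 5


def index_events(events):
    """Map each written path to the pid that wrote it, and each pid to its image."""
    writers, images = {}, {}
    for e in events:
        if e.kind == "proc":
            images[e.pid] = e.image
        elif e.kind == "file":
            writers[e.target.lower()] = e.pid
    return writers, images


def trace_parents(detected_path, events, max_depth=MAX_DEPTH):
    """Walk back from a detected file towards its origin.

    Returns [(path, verdict), ...], nearest link first. The walk stops when a
    file has no creation record, when the creator is a trusted image, or when
    the depth cap is hit (a dropper chain longer than we are willing to follow).
    """
    writers, images = index_events(events)
    chain = []
    path = detected_path
    for _ in range(max_depth):
        pid = writers.get(path.lower())
        if pid is None or pid not in images:
            chain.append((path, "origin unknown: no creation record"))
            break
        image = images[pid]
        if image.lower().startswith(TRUSTED_DIRS):
            chain.append((image, "trusted parent: leave alone"))
            break
        chain.append((image, "removal candidate"))
        path = image  # was the creator itself dropped by something we saw?
    else:
        chain.append((path, "depth cap reached before origin found"))
    return chain


def removal_candidates(detected_path, events, max_depth=MAX_DEPTH):
    """Only the images a UI could offer to quarantine alongside the detection."""
    return [p for p, verdict in trace_parents(detected_path, events, max_depth)
            if verdict == "removal candidate"]


if __name__ == "__main__":
    for hit in (TEMP + r"\payload.exe", r"C:\Windows\Temp\update.tmp"):
        print(hit)
        for path, verdict in trace_parents(hit, EVENTS):
            print("   ", verdict, "<-", path)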
     
  24. nodyforever

    nodyforever Registered Member

    Joined:
    Oct 30, 2007
    Posts:
    549
    Location:
    PT / Lisbon
    Hi!

    Downloading a file to the desktop - detected Win32/Genetik - connection terminated - quarantined - 2 files on the desktop not deleted/quarantined

    Did not delete/quarantine the file.... "flash" codec virus

    If it removes the malicious code from the file, why does it not detect it and put it in quarantine?

    Will there be unnecessary junk on my computer because of this?

    After several reviews by different people, where does the question stand?

    Wouldn't it be better for it to go to quarantine, and then, if it is a false positive or a genuine file, restore it to me?



    Cheers :cool:


    Image attachment:
     

    Last edited by a moderator: Mar 19, 2008
  25. ASpace

    ASpace Guest

    I have never seen what you reported, not even twice, but can you try with NOD32 v2 and see how it will be? Save the malicious address and attempt to download the things again. IMON should again detect them proactively as Genetik trojans, but you'll see if they are saved or not.
     