PANDA active scan detected virus NOD32 Missed!

Discussion in 'NOD32 version 2 Forum' started by USERANON, Oct 27, 2005.

Thread Status:
Not open for further replies.
  1. USERANON

    USERANON Guest

    I posted this originally in wrong section today, ooops!

    Incident: Virus:W32/Sdbot.FKS.worm
    Status: Disinfected
    Location: C:\WINNT\system32\svch32.pif

    This is the virus Panda AS found (ok so it's low threat) and NOD missed. Why did it miss this? I am curious to hear the possible excuses: "is your anti-virus set up correctly", "have you updated", "is AMON, EMON, DMON, IMON set up", yada yada yada etc. My answer is Yes to ALL of these. I would be interested to find out why it missed it. I have already checked prices of Titanium with a view to purchasing it as I need an anti-virus that works!
     
  2. flyrfan111

    flyrfan111 Registered Member

    Joined:
    Jun 1, 2004
    Posts:
    1,224
    Upload the file to Jotti's or Virustotal's online scanner, or Kaspersky's.
     
  3. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,374
    I'm not sure, but do you mean this one?
     

  4. flyrfan111

    flyrfan111 Registered Member

    Joined:
    Jun 1, 2004
    Posts:
    1,224
    It would appear that his configuration was not set up correctly then.
     
  5. GuruGuy

    GuruGuy Registered Member

    Joined:
    Jun 18, 2005
    Posts:
    48
    What part of the configuration would have made NOD totally miss a known virus?
     
  6. flyrfan111

    flyrfan111 Registered Member

    Joined:
    Jun 1, 2004
    Posts:
    1,224
    In this case, most likely not scanning .pif files; it would take messing with the defaults though, as it is an extension that is scanned even with defaults. Or possibly the license expired unbeknownst to the user. Until the OP returns we can't figure out what happened, though.
     
    Last edited: Oct 27, 2005
  7. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,374
    I assume his virus signature database was not up to date. What is ridiculous is the sentence "I am curious to hear the possible excuses 'is your anti-virus set up correctly', 'have you updated'..." Though NOD32 has a perfect detection of new threats thanks to ThreatSense (generic detection, AH), it's still necessary to keep the signatures up to date for NOD32 to provide the best detection capabilities.
     
  8. flyrfan111

    flyrfan111 Registered Member

    Joined:
    Jun 1, 2004
    Posts:
    1,224
    Waiting along with you Marcos, curious to hear the excuse myself. His initial response was to fly off in anger (which I have done a few times in the past myself btw).
     
  9. USERANON

    USERANON Guest

    Like all companies ESET is indeed in business to make profit, and like sooo many companies we are gently informed that we have not configured our software correctly, or we are at fault somewhere else, all very patronising. So rather than get the old "have you set up correctly, yada yada yada" I thought I would save you the trouble. And, my licence is for 3 yrs and runs out in 2007. Next o_O o_O? Hmmmmm! And please all NOTE that I am not a BLOKE but a woman, and before you criticise, I BUILT my pc from scratch (not from a barebones). I also troubleshoot others' (inc 2 businesses) PCs as a hobby, so please do not patronise me for being another sex, I know what I am doing!!
     
  10. GuruGuy

    GuruGuy Registered Member

    Joined:
    Jun 18, 2005
    Posts:
    48
    Marcos,

    When was the signature for that particular threat (virus) added to the definitions?
     
  11. flyrfan111

    flyrfan111 Registered Member

    Joined:
    Jun 1, 2004
    Posts:
    1,224
    No one is criticizing you. Marcos was responding to a perceived insult to his company, which appears to be without reason, as the file was detected by NOD on Virustotal's scanner (as well as almost every other AV), so that seems to show that your NOD settings are not correct or there is some other problem causing it not to be detected. When you begin a post with an aggressive/sarcastic tone you should be prepared to receive an answer in a similar tone. Are you sure your settings are correct? Is NOD fully updated? Is it running? There are many unanswered questions that could explain this; there is obviously a problem that needs to be fixed.
     
  12. fredra

    fredra Registered Member

    Joined:
    Jul 25, 2004
    Posts:
    366
    Hi Useranon
    I didn't interpret that anyone is patronizing you.... all three, so far (Marcos, flyrfan111 & GuruGuy), are trying to help and pinpoint the cause.
    Let's see if we can be less caustic :) and would you be able to provide us with more relevant information so we can all (collectively) find a solution for this situation?
    Thanks
    Cheers :)
     
  13. rumpstah

    rumpstah Registered Member

    Joined:
    Mar 19, 2003
    Posts:
    486
    Hi USERANON:

    Has the file been sent to Eset for analysis (sample(s) at eset.com)? It may be broken and not pose a threat.
     
  14. flyrfan111

    flyrfan111 Registered Member

    Joined:
    Jun 1, 2004
    Posts:
    1,224
    It was detected by NOD at Virustotal but not on the user's system.
     
  15. Firecat

    Firecat Registered Member

    Joined:
    Jan 2, 2005
    Posts:
    7,927
    Location:
    The land of no identity :D
    Perhaps the file is a damaged one, due to which NOD did not detect it? o_O
     
  16. Joliet Jake

    Joliet Jake Registered Member

    Joined:
    Mar 1, 2005
    Posts:
    911
    Location:
    Scotland
    Sits back with a large coke and bag of popcorn ;)
     
  17. USERANON

    USERANON Guest

    Hello, sorry to sound acidic but I am so peed off with this not being detected. No I did not send it, as it did not show up in my NOD logs/quarantine/detected/sent for analysis. I saved the Panda Active Scan log but it only saves as a .TXT or .DOC. And it did show as a threat when I active scanned (!?). I only use the Panda AS as backup to check all is ok once a month.

    Below are my nod definitions, showing clearly it is up to date.

    Apologies to all but it's a bu**er of a shock to find you have a damn worm aboard!

    NOD32 antivirus system information
    Virus signature database version: 1.1266 (20051026)
    Dated: 26 October 2005
    Virus signature database build: 6267

    Information on other scanner support parts
    Advanced heuristics module version: 1.021 (20050930)
    Advanced heuristics module build: 1092
    Internet filter version: 1.001 (20031104)
    Internet filter build: 1012
    Archive support module version: 1.034 (20050902)
    Archive support module build version: 1132

    Information about installed components
    NOD32 For Windows NT/2000/XP/2003 - Base
    Version: 2.50.25
    NOD32 For Windows NT/2000/XP/2003 - Internet support
    Version: 2.50.25
    NOD32 for Windows NT/2000/XP/2003 - Standard component
    Version: 2.50.25

    Operating system information
    Platform: Windows 2000
    Version: 5.0.2195 Service Pack 4
    Version of common control components: 5.81.4916
    RAM: 1024 MB
    Processor: AMD Athlon(tm) XP 3000+ (2091 MHz)
     
  18. flyrfan111

    flyrfan111 Registered Member

    Joined:
    Jun 1, 2004
    Posts:
    1,224
    Ok, we all understand how frustrating it is, and yes it does suck to have to deal with, but hang in there and bear with us. Do you still have the file as originally detected? Or did Panda's AS already clean/delete it? If it is still uncleaned please send it to samples@eset.com following these instructions:

    To submit a suspicious file to Eset for analysis, please carry on as follows:

    * compress the file(s) into a zip or rar archive, protect it with the password "infected"
    * attach the archive to an email message
    * send the message with the attachment to samples@eset.com


    Also include a link to this thread in the email. This will help determine if it is possibly damaged and non-functional, which could account for it not being detected. We will go from there when Eset takes a look at the file.
     
  19. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,374
    If your NOD32 was up to date as your log shows, there's no reason why it wouldn't have been picked up unless it was corrupted and non-functional. The best would be if you could submit it to samples@eset.com for analysis as Flyrfan111 suggested above.
     
  20. GuruGuy

    GuruGuy Registered Member

    Joined:
    Jun 18, 2005
    Posts:
    48
    And back to my question:

    Marcos,
    When did NOD add this to the definitions?


    OP,
    When did you scan with Panda and find this virus? Perhaps it wasn't in NOD's defs when you scanned.........
     
  21. flyrfan111

    flyrfan111 Registered Member

    Joined:
    Jun 1, 2004
    Posts:
    1,224
    A google search on svch32.pif found that the file has no known legitimate purpose, it is not part of Windows 2000, and it is installed by 2 different trojans. First detected in May of 05, now detected by most AVs, ATs and some AS apps. Not sure when Eset added the detection. The only explanations I can think of prior to seeing if the file is damaged are: something wrong with settings, NOD being disabled somehow, or a file system problem preventing proper extension ID if you don't have all files being scanned.
     
  22. FanJ

    FanJ Guest

    Hi,

    Sorry for interrupting :oops:

    I was wondering about these versions of your NOD32:
    Internet filter version: 1.001 (20031104)
    Internet filter build: 1012


    I have (on W98SE):
    Internet filter version: 1.002 (20040708)
    Internet filter build: 1013
     
  23. flyrfan111

    flyrfan111 Registered Member

    Joined:
    Jun 1, 2004
    Posts:
    1,224
    Oops, missed that, but it shouldn't be a factor. It possibly could explain it getting onto the system, as IMON might have missed it, but AMON should have picked it up. It also seems from Panda's description that they just added detection of it on the 20th of Oct.
     
  24. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,374
    The Internet filter module is actually a packet worm scanner against Code Red and similar worms exploiting bugs in operating systems; it has nothing to do with HTTP/POP3 scanning.
     
  25. FanJ

    FanJ Guest

    Thanks for the info Marcos !

    Sorry for interrupting in the thread !
     