PANDA active scan detected virus NOD32 Missed!

Discussion in 'NOD32 version 2 Forum' started by USERANON, Oct 27, 2005.

Thread Status:
Not open for further replies.
  1. flyrfan111

    flyrfan111 Registered Member

    Joined:
    Jun 1, 2004
    Posts:
    1,224
    Thanks for setting me straight Marcos, I always thought it was for IMON.
     
  2. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,431
    At any rate, nobody's perfect, even Panda not as you can see below. I scanned a new worm being spread (btw, it doesn't seem to be Mydoom as detected by one of the AV)
     

    Attached Files:

    • vt5.jpg
      vt5.jpg
      File size:
      65.5 KB
      Views:
      375
  3. alglove

    alglove Registered Member

    Joined:
    Jan 17, 2005
    Posts:
    904
    Location:
    Houston, Texas, USA
    Getting back to the original question...
    My excuse guess is that NOD32 uses a different signature to detect the virus than Panda does. Let us suppose that 5 bytes inside the file were changed from the "original" version of the virus. This difference may be why NOD32 does not catch it, but Panda does.

    However... would the file on your computer actually do anything when executed? If changing those 5 bytes "broke" the virus, then the file is not exactly a live virus anymore, though it may resemble one. In this case, one could say that NOD32 is correct in not labeling this a virus. On the other hand, if the file actually would do something when executed, then Panda is correct, and NOD32 needs to update their definitions.

    This is why we want you to submit the file. If the file does turn out to be dangerous, then Eset can update/fix their definitions.
     
  4. USERANON

    USERANON Guest

     
  5. USERANON

    USERANON Guest

    Please see below regarding sending the file for analysis. Can't be done! the Panda AS deleted it immediately upon detection

    My excuse guess is that NOD32 uses a different signature to detect the virus than Panda does. Let us suppose that 5 bytes inside the file were changed from the "original" version of the virus. This difference may be why NOD32 does not catch it, but Panda does.

    However... would the file on your computer actually do anything when executed? If changing those 5 bytes "broke" the virus, then the file is not exactly a live virus anymore, though it may resemble one. In this case, one could say that NOD32 is correct in not labeling this a virus. On the other hand, if the file actually would do something when executed, then Panda is correct, and NOD32 needs to update their definitions.

    This is why we want you to submit the file. If the file does turn out to be dangerous, then Eset can update/fix their definitions.[/QUOTE]
     
  6. alglove

    alglove Registered Member

    Joined:
    Jan 17, 2005
    Posts:
    904
    Location:
    Houston, Texas, USA
    Ahhh, so I see. Oh, well.

    Panda's ActiveScan uses the same signature set (or at least a subset) as their full antivirus programs. ActiveScan does not monitor the computer continuously like their full antivirus packages do. That is one reason Panda gives away ActiveScan for free... to get you interested in their full products. Hmmm, it seems to be working... :ninja:

    Panda does have evaluation versions of their software you can download from their website. I believe they are 30 day trials. Look in the "Downloads" section.
     
  7. YeOldeStonecat

    YeOldeStonecat Registered Member

    Joined:
    Apr 25, 2005
    Posts:
    2,345
    Location:
    Along the Shorelines somewhere in New England
    Still seems to be missing this point...that it's possibly a harmless broken/corrupted file.

     
  8. fredra

    fredra Registered Member

    Joined:
    Jul 25, 2004
    Posts:
    366
    To track down or find this file (svch32.pif) I decided to get some information on it before I try to get the infected file.
    It would appear that if the machine has been patched, then the W32/Robot.asz Worm would not be able to exploit the vulnerabilities. However, that being said, I will try to "get" the file so I can send it off to eset.
    Cheers :)

    This blurb is taken from the SOPHOS web site.
    ------------------------------------------------------------
    This section is for technical experts who want to know more.
    W32/Rbot-ASZ is a worm and IRC backdoor Trojan for the Windows platform.
    W32/Rbot-ASZ may spread to remote network shares with weak passwords or by exploiting any of the following system vulnerabilities: RPC-DCOM (MS04-012), PNP (MS05-039), ASN.1 (MS04-007).
    W32/Rbot-ASZ runs continuously in the background, providing a backdoor server which allows a remote intruder to gain access and control over the computer via IRC channels.
    When first run W32/Rbot-ASZ copies itself to <System>\svch32.pif.
    The following registry entries are created to run svch32.pif on startup:
    HKCU\Software\Microsoft\Windows\CurrentVersion\Run
    SVCH Service
    svch32.pif
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    SVCH Service
    svch32.pif
    HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices
    SVCH Service
    svch32.pif
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
    SVCH Service
    svch32.pif
    Registry entries are set as follows:
    HKCU\SYSTEM\CurrentControlSet\Control\Lsa
    SVCH Service
    svch32.pif
    HKLM\SYSTEM\CurrentControlSet\Control\Lsa
    SVCH Service
    svch32.pif
    HKCU\Software\Microsoft\OLE
    SVCH Service
    svch32.pif
    HKLM\SOFTWARE\Microsoft\Ole
    SVCH Service
    svch32.pif
    ------------------------------------------------------------------
     
  9. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,431
    If it's already detected by NOD32, there's no need to send it as we already have one.
     
  10. Blackspear

    Blackspear Global Moderator

    Joined:
    Dec 2, 2002
    Posts:
    15,115
    Location:
    Gold Coast, Queensland, Australia
    BINGO, we have a winner, by default everything marked in the following screenshot is not scanned.

    Have a run through this thread in regards to tweaking Nod32.

    Cheers :D
     

    Attached Files:

  11. alglove

    alglove Registered Member

    Joined:
    Jan 17, 2005
    Posts:
    904
    Location:
    Houston, Texas, USA
    I don't know about the use of the term "winner" here.... :blink: Which of those non-default items would account for this particular virus going undetected, assuming that we are not dealing with a damaged or mutated version of the virus?
     
  12. GuruGuy

    GuruGuy Registered Member

    Joined:
    Jun 18, 2005
    Posts:
    48
    I asked the same thing in post #5
     
  13. BenoitG

    BenoitG Registered Member

    Joined:
    Sep 24, 2005
    Posts:
    5

    Sorry to jump in but after looking to eset web site, this threat was added in the V. 1.10.30 on 2005-03-19

    I do not use NOD32 for long but so far I love it.
     
  14. Albinoni

    Albinoni Registered Member

    Joined:
    Feb 17, 2005
    Posts:
    711
    Location:
    Perth, Western Australia
    And my question to ask you here is why did Panda miss alot of viruses that NOD didn't ? Lets say it did miss this virus does that make a NOD a bad product. Ok so you say stuff NOD because it misses one virus, whats will happen when you buy (assume you do) Panda and it misses one or more virus, than will you jump back to NOD, Kaspersky, McAfee, NAV whatever.

    Let me say something here and make it very clear with you. There is NO SUCH THING as a 100% full proof AV software, but let me rest assure there are AV softwware products out there that do a better job than others, and I can rest assure that NOD32 does a better job than Panda and also many others for sure.
     
  15. USERANON

    USERANON Guest

    Oh DO calm down dear, no need to get soooo emotional about things! ESET can't be paying you that much surely!?? It is a common virus and I should NOT be suffering from such a common virus, let's face it Nod b***sed up! NO more LAME EXCUSES PLEASE!

    I WILL stay with NOD only because I have tried all the other "BIG GUNS" and NOD has proved the best. But ESET I am having to FORMAT my hard drive THANK YOU, NOT!
     
  16. RejZoR

    RejZoR Registered Member

    Joined:
    May 31, 2004
    Posts:
    6,426
    Format the drive just because of one SdBot ? Thats new to me...
     
  17. beetlejuice69

    beetlejuice69 Registered Member

    Joined:
    Mar 16, 2005
    Posts:
    780
    Well that`s new to me too. :)
     
  18. USERANON

    USERANON Guest

    I am afraid there is something more malevolent on my machine, in the first instance I thought "ok, nothing major, no real harm done" but now I am noticing explorer errors, needs to be restarted all the time, now I am having problems using my web editor. I am also getting a lot of unknown connection errors. I am assuming that there is something more afoot. So, hence the format. Bye
     
  19. Firecat

    Firecat Registered Member

    Joined:
    Jan 2, 2005
    Posts:
    8,164
    Location:
    The land of no identity :D
    Panda's ActiveScan may not have deleted the registry entries that the SdBot may have created/modified, due to which you may be facing this problem.
     
  20. Joliet Jake

    Joliet Jake Registered Member

    Joined:
    Mar 1, 2005
    Posts:
    911
    Location:
    Scotland
    Tell her to do another Panda online scan.
     
  21. Firecat

    Firecat Registered Member

    Joined:
    Jan 2, 2005
    Posts:
    8,164
    Location:
    The land of no identity :D
  22. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,431
    Why resort to formatting the hdd and not send a log from Hijackthis to Eset's support for analysis?
     
  23. vincent_vh

    vincent_vh Registered Member

    Joined:
    Sep 8, 2005
    Posts:
    6
    To USERANON:
    (1) Don't stress so much. It appears NOD32 does recognize your little bug. So be open to look at the fact there may be something wrong with your configuration.
    (2) You may think about buying another AV-solution... but are you sure it'll do better? Don't expect ANY sollution to be 100% bullet proof. I still think NOD32 is one of the best performing AV's detection-wise(and I don't even use it myself... I just evaluated it)
    (2bis) You may ask why I don't use it then... well because I don't run the company I work for. And alse there seems to be some/'a lot' of installation/stability problems. That's ok(=managable) for 1 personal computer but not if I have to manage hundreds of computers.

    To all:
    And what if it was a false positive from Panda :D ...
     
  24. pc-support

    pc-support Registered Member

    Joined:
    Mar 10, 2005
    Posts:
    285
    Location:
    Edinburgh, UK
    ~snip~ let's keep the personal comments out of this please ~ Blackspear

    Why not set up NOD as per Blackspears very-easy-to-follow instructions, do a scan and let us know what other rubbish you have on your pc? :rolleyes:
     
    Last edited by a moderator: Oct 31, 2005
  25. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,431
    NOD32 should detect all threats with default settings. If you want NOD32 to do a complete scan of all files (including archives), you need to enable the appropriate option in the on-demand scanner setup, or run an in-depth scan as AMON would not pick up threats packed in archives which are actually harmless at this point.
     
Thread Status:
Not open for further replies.
  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.