PAV got by again

Discussion in 'ESET NOD32 Antivirus' started by bradtech, Jul 10, 2009.

Thread Status:
Not open for further replies.
  1. bradtech

    bradtech Guest

    Sending it in again to ESET.. I don't know if it's a new variant or what.. It looks and behaves the exact same.. Even installs in the same folder again.. I've sent sysinspector logs in, along with the screenshot locations of where my copy of Spyware Doctor with AV finds it, and cleans it..

    C:\program files\PersonalAV\PAV.exe

    C:\windows\system32\msxmlm.dll
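As an added example (not from this thread, and not ESET's or the poster's tooling), a PowerShell sweep for the two PersonalAV paths listed above: it hashes any hit and stages a copy for submission. The staging folder, the .NET-based hashing (chosen so it runs on PowerShell 2.0 era hosts) and the CSV report are this example's own assumptions.

```powershell
# Added example: look for the PersonalAV indicators named in the thread, hash and stage them.
# Assumes local admin rights; $StagingDir is this example's own choice, not ESET's guidance.
$Indicators = @(
    "$env:ProgramFiles\PersonalAV\PAV.exe",
    "$env:SystemRoot\System32\msxmlm.dll"
)
$StagingDir = Join-Path $env:TEMP "pav-samples"

function Get-Sha256Hex {
    param([string]$Path)
    # .NET hashing instead of Get-FileHash so this also works on PowerShell 2.0 (WinXP-era hosts).
    $sha = [System.Security.Cryptography.SHA256]::Create()
    $stream = [System.IO.File]::OpenRead($Path)
    try {
        $bytes = $sha.ComputeHash($stream)
    } finally {
        $stream.Close()
    }
    return ([System.BitConverter]::ToString($bytes)).Replace('-', '').ToLower()
}

function Find-PavIndicators {
    $hits = @()
    foreach ($path in $Indicators) {
        if (Test-Path -LiteralPath $path) {
            # -Force so hidden/system attributes on the dropped files do not hide them.
            $item = Get-Item -LiteralPath $path -Force
            $hits += New-Object PSObject -Property @{
                Path     = $item.FullName
                Size     = $item.Length
                Modified = $item.LastWriteTimeUtc
                Sha256   = Get-Sha256Hex $item.FullName
            }
        }
    }
    return $hits
}

$found = Find-PavIndicators
if ($found.Count -eq 0) {
    Write-Host "No PersonalAV indicators present on $env:COMPUTERNAME"
} else {
    New-Item -ItemType Directory -Path $StagingDir -Force | Out-Null
    foreach ($hit in $found) {
        # Copy rather than move so the host keeps its original state for later forensics.
        Copy-Item -LiteralPath $hit.Path -Destination $StagingDir -Force
    }
    $found | Format-List Path, Size, Modified, Sha256
    $found | Export-Csv -Path (Join-Path $StagingDir "$env:COMPUTERNAME-indicators.csv") -NoTypeInformation
    Write-Host "Staged copies in $StagingDir; zip them with a password before mailing samples@eset.sk"
}
```

Run it per host (or wrap it in Invoke-Command across the domain) and compare the SHA-256 values between machines to tell a repacked build from the same file.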
     
  2. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,374
    Zero detection at VT.
     
  3. funkydude

    funkydude Registered Member

    Joined:
    Apr 5, 2004
    Posts:
    6,852
    I can't imagine wtf people do on your network to constantly be a victim of this.
     
  4. bradtech

    bradtech Guest

    Dang! I sent a cc to you along with the samples@eset.sk so you could check it out also..
     
  5. bradtech

    bradtech Guest

    I have 1,000s of people. I have a GPO I'm pushing out to most of them on our AD side that stops scripts running in non-trusted zones.. The other side stuck on netware is still out in the wild..
     
  6. bradtech

    bradtech Guest

    That PAV file had 0

    The .dll file I sent with it had two hits.. One from Microsoft, the other from PrevX.

    Good thing I sent it in to you guys :) Must be a new one..
     
  7. funkydude

    funkydude Registered Member

    Joined:
    Apr 5, 2004
    Posts:
    6,852
    Well, it's the same code just repacked and re-branded.
     
  8. bradtech

    bradtech Guest

    Add

    McAfee Artemis,
    Symantec,
    Sophos

    to the list now detecting msxmlm.dll in system32, along with Microsoft and Prevx.
     
  9. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,374
    Add ESET, too :) An update is being compiled and will be released shortly. It seems ESET will be the first AV to detect your pav.exe; there's still zero detection of it at VT.
     
  10. tanstaafl

    tanstaafl Registered Member

    Joined:
    Apr 8, 2005
    Posts:
    207
    Hey Brad,

    You might be interested in a really neat little (free) tool that I discovered a while back... TrustNoEXE...

    http://www.beyondlogic.org/solutions/trust-no-exe/trust-no-exe.htm

    Amazingly useful and functional app that lets you install it on your PC, then push different configs out to different groups of PCs on your domain...

    Settings are stored in two registry keys with two subkeys (allow and deny) with the ACLs...

    In conjunction with NOD32, it locks down a PC incredibly well... and did I mention TrustNoEXE is free? ;)
     
  11. funkydude

    funkydude Registered Member

    Joined:
    Apr 5, 2004
    Posts:
    6,852
    After everyone got infected, gogo ESET :rolleyes:
     
  12. kC_

    kC_ Registered Member

    Joined:
    Apr 6, 2007
    Posts:
    452
    It's not ESET's fault that some users are stupid and click on any link that's giving away free porn or smileys.
     
  13. funkydude

    funkydude Registered Member

    Joined:
    Apr 5, 2004
    Posts:
    6,852
    This is true, and brings me back to my original post of "wtf do his users do".
     
  14. bradtech

    bradtech Guest

    Glad I could get you guys a sample of it.. I view it as a partnership, and understand that nothing is 100%.
     
  15. bradtech

    bradtech Guest

    I looked at the guy's logs.. He wasn't on any questionable sites before being redirected.. May have been a victim of cross site scripting.. Plus our Netware side is lacking in some hard locked down IE Group Policies.. I have a good setup going in Active Directory to stop a lot of these attacks by disabling cross site scripting vulnerabilities, and to stop scripts from running in non-trusted sites. This is NOT ESET's fault, and I am not flaming them. How are they supposed to add these attacks if nobody reports them, or lets them know about it?

    I can now confirm that NOD32 has eaten the copy of PAV running in one of my VMware environments on my home system. Any attack or thing that gets by, I let ESET know, because it's the only way they can improve to help their customers.
     
  16. Brummelchen

    Brummelchen Registered Member

    Joined:
    Jan 3, 2009
    Posts:
    1,732
    That's a reason why good admins are worth each penny...
    If I were you - I would let hands off that network and get a good admin...
    If that loose policy is wanted by the chief - don't mind again - not your job.
     
  17. sysfu

    sysfu Registered Member

    Joined:
    Aug 25, 2009
    Posts:
    4
    Just had to manually remove this Trojan from a customer's WinXP system.

    It got by ESET NOD32 version 3.0.669.0 running virus signature database 4364.

    Time to manually update NOD32, apparently. I'm guessing it does not automatically update the program version across major release numbers.
     
  18. bradtech

    bradtech Guest

    This is a nasty variant... As soon as one of their builds gets caught, it seems that the makers of PAV will redesign it, repackage it, and test it against all of the products by uploading it to VirusTotal.. I pray that heuristics can be improved to catch the *******... I'd pay some money to get my hands on the China man making this! Trust me, it's not ESET missing it, it's all 41 vendors on VirusTotal most of the time.. Please harvest those files, and submit them in a password protected zip file to

    samples@eset.sk
     