Problem with threat

Discussion in 'ESET Smart Security' started by elnath78, Dec 28, 2009.

Thread Status:
Not open for further replies.
  1. elnath78

    elnath78 Registered Member

    Joined:
    Dec 28, 2009
    Posts:
    8
    ESET does not detect Bagle variation

    hello,

    I'm running the 4.0 and updated version of the software. I've spent my last 5 hours clearing my infected PC (using free tools) of a threat that ESET Smart Security is unable to detect.

    My license expires on 04/11/2010 and is valid for 2 PCs. I wish to ask if it is possible to have my money back, as the antivirus failed on this. I've also used the online file checker from avast, which also failed, and the one from Kaspersky, which found the threat. I reserve the right to ask for any additional costs for the time lost.

    The threat on which ESS failed is called Trojan-Downloader.Win32.Bagle.cez; this is the name given by the Kaspersky file checker. I've a copy of the virus and should be able to upload it somewhere if someone wishes to try.

    I've also uploaded the file using the ESS submit feature; I think I've uploaded it at least two times. Note that this is not an injected/net virus but a simple worm, and in my opinion if an antivirus fails where free software (findykill) was able to restore the services and infected files, there is a problem.

    The virus file is around 800 kB and as a side effect it prevents you from searching for particular keywords on the web, including but not limited to avast and findykill. It also resets your Windows installation, making the OS ask for license validation one more time, as after the first installation. It interrupts the services and prevents SAFE mode from running correctly. It injects an infected copy of itself inside all your .zip files, creating a patch/crack folder with a same-name executable in it.

    For additional information ask Kaspersky! Have a good day,
     
    Last edited: Dec 29, 2009
  2. elnath78

    elnath78 Registered Member

    Joined:
    Dec 28, 2009
    Posts:
    8
    Hello, I've uploaded a copy of this worm; you can download it and toy with it. I suggest you not rename it as .exe, to prevent accidental execution.

    ~ Removed Posted Link to Possible Malware as per Policy ~
     
    Last edited by a moderator: Dec 29, 2009
  3. JRViejo

    JRViejo Global Moderator

    Joined:
    Jul 9, 2008
    Posts:
    20,924
    Location:
    U.S.A.
    elnath78, it's against policy to post links to any possible malware. Please refrain from doing so. Thanks.

    JR
     
  4. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,374
    Every new variant of Bagle is detected upon download by web protection providing that you have detection of potentially unwanted applications (PUA) enabled. They use Themida protector to evade detection by antivirus programs, but with web protection and PUA enabled this protector itself will be detected and download of the malicious file blocked.

    Since Bagle comes disguised as a crack, avoid using cracks as much as possible. One shouldn't rely solely on the security software to catch 100% of malware. There's no such solution that would protect you against every single piece of malware, and one should take other precautions to prevent getting infected.

    What could help you identify Bagle: it's usually bundled with a short nfo text file, and the size of the exe file is approximately 700-1000 kB.
     
    Last edited: Dec 29, 2009
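    The two posts above give a static picture of the sample: an executable dropped into a patch/crack folder inside every .zip with the archive's own name (post #1), a short .nfo bundled with a 700-1000 kB exe, and a Themida protector that the web module flags as PUA (post #4). The following is an added triage script, not ESET's detection logic and not code from anyone in this thread. It parses the PE section table of each executable inside a .zip and applies those indicators. The Themida/WinLicense section names (".themida", ".winlice") and the sample archives are assumptions constructed for the demo; nothing in the thread states them.

```python
"""Static triage of a .zip for the Bagle-style layout described in the thread.

Added example (not ESET's logic). Indicators applied:
  * an .exe inside a crack/ or patch/ folder, or named after the archive
    (post #1's description of the injected copies),
  * a 700-1000 kB exe bundled with an .nfo (post #4's indicators),
  * PE section names associated with the Themida/WinLicense protector
    (assumption of this example: ".themida", ".winlice").
"""
import io
import struct
import zipfile

PACKER_SECTIONS = {b".themida", b".winlice"}   # assumed protector section names
SUSPICIOUS_DIRS = {"crack", "patch"}            # folder names from post #1


def pe_section_names(data: bytes) -> list[bytes]:
    """Return the section names of a PE image, or [] if data is not a PE."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return []
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return []
    coff = e_lfanew + 4
    # COFF header: NumberOfSections at +2, SizeOfOptionalHeader at +16
    n_sections = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    table = coff + 20 + opt_size
    names = []
    for i in range(n_sections):
        off = table + i * 40          # each IMAGE_SECTION_HEADER is 40 bytes
        if off + 40 > len(data):
            break
        names.append(data[off:off + 8].rstrip(b"\0"))
    return names


def triage_zip(zip_bytes: bytes, archive_name: str) -> list[str]:
    """Return human-readable findings for every .exe member of the archive."""
    findings = []
    base = archive_name.rsplit("/", 1)[-1].rsplit(".", 1)[0].lower()
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        has_nfo = any(n.lower().endswith(".nfo") for n in zf.namelist())
        for info in zf.infolist():
            if info.is_dir():
                continue
            parts = info.filename.lower().split("/")
            if not parts[-1].endswith(".exe"):
                continue
            stem = parts[-1].rsplit(".", 1)[0]
            if any(p in SUSPICIOUS_DIRS for p in parts[:-1]):
                findings.append(f"{info.filename}: executable inside a crack/patch folder")
            if stem == base:
                findings.append(f"{info.filename}: executable named after the archive")
            if has_nfo and 700_000 <= info.file_size <= 1_000_000:
                findings.append(f"{info.filename}: 700-1000 kB exe bundled with an .nfo")
            packed = PACKER_SECTIONS & set(pe_section_names(zf.read(info)))
            if packed:
                names = sorted(s.decode() for s in packed)
                findings.append(f"{info.filename}: protector section(s) {names}")
    return findings


# --- constructed demo data (not real samples) -------------------------------
def build_pe(section_names: list[bytes], pad: int = 0) -> bytes:
    """Build a minimal header-only PE byte string with the given sections."""
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", 0x40)   # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, len(section_names), 0, 0, 0, 0, 0x0102)
    sections = b"".join(n.ljust(8, b"\0") + b"\0" * 32 for n in section_names)
    return dos + b"PE\0\0" + coff + sections + b"\0" * pad


def build_zip(members: dict[str, bytes]) -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in members.items():
            zf.writestr(name, data)
    return buf.getvalue()


CLEAN_ZIP = build_zip({"photos/readme.txt": b"holiday pictures",
                       "photos/img1.jpg": b"\xff\xd8\xff\xe0 not really a jpeg"})
TAINTED_ZIP = build_zip({
    "photos/readme.txt": b"holiday pictures",
    "photos/patch/photos.exe": build_pe([b".text", b".themida", b".winlice"], pad=750_000),
    "photos/patch/photos.nfo": b"constructed nfo text",
})

if __name__ == "__main__":
    for label, blob in (("clean", CLEAN_ZIP), ("tainted", TAINTED_ZIP)):
        print(label, triage_zip(blob, "photos.zip") or ["no findings"])
```

    This is a heuristic, not a verdict: a legitimate installer can be packed with a commercial protector, which is exactly why ESET files the protector under "potentially unwanted" rather than "malware" and why the thread's argument about PUA settings matters. Run it as a pre-filter and submit anything it flags to a scanner or sandbox.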
  5. COSMO26

    COSMO26 Registered Member

    Joined:
    Oct 21, 2003
    Posts:
    404
    QUOTE: ["They use Themida protector to evade detection by antivirus programs, but with web protection and PUA enabled this protector itself will be detected and download of the malicious file blocked."]

    Marcos - Anyone: The Web Access default does NOT check Potentially Unwanted/Unsafe Apps, and this Bagle issue begs the question, "So why not?".

    Would Web Access Setup be the only place to check the 2 PUAs, or should all modules with them be checked? The tough part for amateurs setting up ESS is we don't recognize the cases where (i.e.) "don't check something here because it may often slow you down, but it doesn't matter because another Module X will stop it anyway".

    Anyone's clarification on where to check the two PUAs is appreciated!
     
  6. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,374
    When installing EAV/ESS, it is mandatory to enable or disable detection of potentially unwanted applications and this step cannot be skipped. If you choose to leave detection of PUA disabled during installation and decide to enable it later, you'll need to do that for every module, as some people might prefer having PUA disabled for all modules but web protection. This is the only way to proactively protect against new Bagle variants, as signature detection can only be added when we receive the particular sample from users or other sources.
     
  7. COSMO26

    COSMO26 Registered Member

    Joined:
    Oct 21, 2003
    Posts:
    404
    Thanks, Marcos.
    [Quote: "When installing EAV/ESS, it is mandatory to enable or disable detection of potentially unwanted applications and this step cannot be skipped."]

    I have always checked to activate PUAs, but having done that I still wonder why the two PUA checks would THEN be ERASED as part of my choosing the module DEFAULT setups often recommended as OK for most users. Per your reply, that fact creates a self-defeating reality of NO PUA protection against Bagle unless the default is changed, or an "Oh by the way, default kills Bagle protection" disclaimer is offered so a user can know to manually check them "again".

    I'll check PUAs everywhere and see what happens with loading speed. Thanks again.
     
  8. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,374
    V4 always asks the user whether to enable or disable detection of PUA during installation regardless of whether they choose installation in typical or advanced mode.
     
  9. elnath78

    elnath78 Registered Member

    Joined:
    Dec 28, 2009
    Posts:
    8
    Hello, the detection is enabled; however, if I right-click on any infected file or the .exe file that is injected in every .zip file present on the machine, ESET does not detect any possible threat.

    There is not much to say: ESET can't detect this Bagle variation, full stop. I think everyone expects an antivirus 'on demand scan' to detect any possible threat. Consider that this Bagle is actually cleared by free software (findykill), and I don't talk only about the injected infection, but also running services, registry keys and so on.
     
  10. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,374
    Please read what I wrote above. With PUA enabled, WEB access protection detects and blocks every new variant of Bagle. Providing that you have PUA and web access protection enabled, there's no chance you'd successfully download a new variant of Bagle from the web.
     
  11. elnath78

    elnath78 Registered Member

    Joined:
    Dec 28, 2009
    Posts:
    8
    A worm is not a 'potentially unwanted application', it is malware; both features were active. What use is it if the antivirus protects from the download while, when asked to perform a scan on the infected files, it says 'no threats detected'? Does that make sense to you?
     
  12. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,374
    I repeat: new Bagle variants can only be blocked proactively by web access protection with PUA enabled, as it is the protector itself that is detected and blocked. Otherwise it is necessary to receive a sample of Bagle first in order to add signature detection. I think everyone wants to be protected proactively, so:
    1. keep potentially unwanted applications enabled
    2. keep web access protection enabled
     
  13. elnath78

    elnath78 Registered Member

    Joined:
    Dec 28, 2009
    Posts:
    8
    This means that ESET does NOT detect the Bagle. As a reference, the bagle.cez variant was added to the Kaspersky database on 21 December; 8 days have passed since then and ESET still does not detect this variant (and who knows how many others!).

    Again, both were active - no protection. Detecting its protector but not the worm is a small thing when the result is that the antivirus in use does not protect the machine.

    Again: both features were active, this variation has been known for at least 8 days, and the ESET database is not yet up to date but relies on a secondary measure for detection.

    Does ESET protect from new threats only if they are downloaded from the web?
     
  14. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,374
    Once a new variant of Bagle is detected as a variant of Themida by the web protection module and download is blocked, there's no chance it would get into and infect the computer.

    You're complaining about not detecting that Bagle. Have you already submitted it per the instructions here? If not, do so, so that the virus researchers can analyze it and add signature detection for it.
     
  15. elnath78

    elnath78 Registered Member

    Joined:
    Dec 28, 2009
    Posts:
    8
    Just say ESET doesn't offer p2p and messenger protection; we will understand.
     
  16. trjam

    trjam Registered Member

    Joined:
    Aug 18, 2006
    Posts:
    9,057
    Location:
    North Carolina
    I always check PUA wherever I see it. I also check AH and Runtime Packers and have no issues.
     
  17. elnath78

    elnath78 Registered Member

    Joined:
    Dec 28, 2009
    Posts:
    8
    Alas, this won't have any effect against Bagle variations that are unknown to ESET; as previously said, ESET protects against unknown variants ONLY if downloaded from the web, not if sent from a messenger or via p2p.
     
  18. trjam

    trjam Registered Member

    Joined:
    Aug 18, 2006
    Posts:
    9,057
    Location:
    North Carolina
    I only care about the web, like 99 percent of most users.
     
  19. elnath78

    elnath78 Registered Member

    Joined:
    Dec 28, 2009
    Posts:
    8
    You should say: "I only care about the web, like 99 percent of most ESET users, since there is no protection against p2p and messengers at all"

    that would be correct.
     
  20. Cudni

    Cudni Global Moderator

    Joined:
    May 24, 2009
    Posts:
    6,956
    Location:
    Somethingshire
    Why on Earth would the real-time protection with PUA enabled not block that same protector? Or would it?
     
  21. sir_carew

    sir_carew Registered Member

    Joined:
    Sep 2, 2003
    Posts:
    884
    Location:
    Santiago, Chile
    Re: ESET does not detect Bagle variation

    Ask Kaspersky what? I've some samples that aren't detected by KAV, and one sample that only ONE AV detects, NOD32 as NewHeur_PE virus (heuristically), and it is being spread using a link. Apparently in my case I need to ask ESET ;)

     
  22. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,374
    Re: ESET does not detect Bagle variation

    I'd like to note that the Bagle variant mentioned in this thread is already detected by ESET. In order to be protected against any new Bagle variant, keep web access protection enabled as well as detection of Potentially unwanted applications for web protection. I can't tell now if it will be possible to add proactive protection to other modules as well, but what I can promise is that we'll strive for being among first to detect new Bagle variants by all modules.
     
  23. rony474

    rony474 Registered Member

    Joined:
    Mar 5, 2009
    Posts:
    24
    Send as described in Marcos's post; I sent two yesterday and they are already in the definitions. I think that all files copied to the PC are scanned with ESET's AV.
    If you are not sure about a file, use a sandbox or a second scanner like malwarebytes.

    JR
     
  24. RASD

    RASD Registered Member

    Joined:
    Aug 31, 2004
    Posts:
    5
    I've been a user of nod32 since about 2005 and it has always been my favorite AV.

    However, I think ESET is falling behind the competition.

    I've been infected with Bagle in the past while on nod32, but it continued to be my antivirus.

    Recently, with ESET Smart Security installed, another Bagle variant infected me, through a compressed program I downloaded from emule – advanced heuristics and unwanted applications activated.

    I made a scan before and after the decompression and nothing came up.

    When I clicked on the installer the computer automatically restarted. None of the security applications loaded; their services couldn't be started. When I tried browsing to pages with security programs the browser crashed (chrome, explorer or firefox), etc.
    None of the security apps could be installed or run (for example: Gmer, antivirus, hijackthis, etc.) and when trying to run Windows in safe mode a blue screen prevents it.

    I was infected with bagle. Some of the infected files I remember were winupgro.exe, wintems.exe, srosa.sys, etc

    This was the result of being too lazy to upload the file (which I thought was benign) to virustotal and depending solely on ESET and the Windows firewall for protection.

    As you can see in this result from virustotal, ESET doesn't detect one of the infected files:

    http://www.malwarebytes.org/forums/index.php?showtopic=33966&pid=172486&st=0&#entry172486

    I spent 4 hours cleaning the infection. I replaced ESET Smart Security and have increased my level of protection.

    I now have:
    - Windows security essential for antivirus
    - Online Armor free for firewall
    - Geswall free for policy restrictions on programs and safe surf
    - Returnil free for virtualization when needed
    - Thinking of having also a restoration tool like "eaz fix", "comodo time machine", "acronis". Any suggestions here?

    My suspicions about the level of protection provided by ESET were confirmed after I saw this test:
    http://www.youtube.com/user/languy99#p/u/63/R2yHMeKzIW8

    I sincerely hope to see another level of protection on Eset SS 5.

    Regards
     
    Last edited: Jan 2, 2010
  25. Hotep

    Hotep Registered Member

    Joined:
    Jan 7, 2008
    Posts:
    34
    Location:
    Sydney Australia
    Ditto, I too think ESET is losing ground on the competition. I do hope things change for the better as I do like ESET products. I'm hanging in as long as I can but they are not making it easy! :(
     