Question about virus updates

Discussion in 'ESET NOD32 Antivirus' started by Missileman, Feb 27, 2008.

Thread Status:
Not open for further replies.
  1. Missileman

    Missileman Registered Member

    Joined:
    Jan 12, 2008
    Posts:
    11
    First let me say I'm not a troll and have no intention of starting a war, but I am now very concerned.

    I received a Bank of America phish last week. I wasn't busy so I decided to see how much trouble I could give them while having the phish site taken down. I had the site down in about one hour so it was a success, but here's the issue. They were trying to have people download a new "security certificate" for their banking. I downloaded the file and scanned it. NOD32 V3 or 2.7 both reported it clean. I uploaded the file to VirusTotal and only 3 saw it but all showed it new and unknown. I then right clicked it and submitted it to Eset. I also went to CastleCops and used their list to submit the sample to all the AV companies. I received a lot of replies. The big K AV came back in 10 minutes confirming a rootkit/trojan info stealer and the update was in place. The next morning I had several more confirmations. Nothing from Eset. I keep getting several updates a day from NOD, but it still scans the file and says it is clean.

    Here's the real problem. It has been over a week and it still scans the file and reports it as clean. I resubmitted/rescanned it today at TotalVirus and now 26/32 show it as a Rootkit/Trojan. NOD still shows it as clean. I realize the lab is busy and I'm sure they are working hard, but it has been over a week. Obviously this is a real trojan and not a false positive. I am concerned about this as my confidence in my protection is now gone. I have been a confident NOD32 user for many years, but now I am starting to research other AV alternatives. I feel this is far too long to not get a detection of a real threat by Eset. With my confidence gone I am feeling very shaky surfing the net now even though V3 is looking very good with this last patch/download.

    Am I wrong in my thinking? Should I be this concerned? I am an "avid" anti spam/exploit person and research and report every spam/exploit that I receive. I always felt fairly safe roaming the seedier side of the net, but now I'm fearful. I use a sandbox and take all the precautions to prevent a problem, but this issue has really shaken me.

    Somebody boost my confidence back up.
     
  2. Thankful

    Thankful Savings Monitor

    Joined:
    Feb 28, 2005
    Posts:
    3,731
    Location:
    New York City
    Did you follow the instructions from Eset's website?:
    Also see:
    https://www.wilderssecurity.com/showpost.php?p=860087
     
    Last edited: Feb 27, 2008
  3. Missileman

    Missileman Registered Member

    Joined:
    Jan 12, 2008
    Posts:
    11
    Actually I did the zip password with text background file. (That has become the standard way mostly). I also did a right click > advanced > submit with background notes and contact email (twice). I also submitted it through VirusTotal as well. They surely got the file more than once.

    Still no response - no detect.

    I just rescanned with latest updates - no detection. I also did another Right Click submission.

    I'll wait and see, as no system is perfect and things fall through the cracks. It's just that this crack is turning into a chasm. I still think NOD32 is a good AV. No AVs are perfect so it becomes a matter of personal trust in your chosen AV's abilities.
     
  4. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,374
    Please PM me your email address so that I can check the samples mailbox and track it down.
     
  5. Missileman

    Missileman Registered Member

    Joined:
    Jan 12, 2008
    Posts:
    11
    PM sent as requested
     
  6. shadek

    shadek Registered Member

    Joined:
    Feb 26, 2008
    Posts:
    2,363
    Location:
    Sweden
    Worrying indeed...
     
  7. Missileman

    Missileman Registered Member

    Joined:
    Jan 12, 2008
    Posts:
    11
    After resending the file yesterday (to the same addresses as the first times) the file is being detected as a rootkit this morning. I don't know where the breakdown happened, but it did. Things like this I guess are bound to happen when dealing with the huge number of suspicious files they get every day.

    Thanks Marcos for following up on this.
     
  8. viruscraft

    viruscraft Registered Member

    Joined:
    Sep 22, 2007
    Posts:
    114
    It is always a problem.

    It has happened many times that I use ThreatSense.Net to send an unknown virus detected by NOD32 as NewHeur_PE to ESET but get no response.

    It has happened many times that I use ThreatSense.Net to send infected files that came from my computer to ESET but get no response.

    Sometimes I even doubt if ThreatSense.Net really works.
     
  9. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,374
    ThreatSense.NET mainly provides statistical information that helps us react quickly to fast spreading malware. NewHeur_PE samples are of low importance as the user is already protected against threats detected heuristically. Only in case it's a false positive we fix it promptly.
     
  10. viruscraft

    viruscraft Registered Member

    Joined:
    Sep 22, 2007
    Posts:
    114
    Thanks Marcos!

    I know you treat the sample according to its risk level.
    But NOD32 needs a signature in order to clean (not delete) the file infected by NewHeur_PE in case it can be cleaned.
     
  11. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,374
    If it's actually a file-infecting virus, then yes, we'd need to receive a couple of such infected files so that we know more precisely how the virus alters files.
     
  12. viruscraft

    viruscraft Registered Member

    Joined:
    Sep 22, 2007
    Posts:
    114
    Thanks again, mate :)
     