Retrieve cleaned file for virustotal submission?

Discussion in 'ESET NOD32 Antivirus' started by vivona, Oct 1, 2010.

Thread Status:
Not open for further replies.
  1. vivona (Registered Member)
    On my last full scan, NOD32 4.0.474.0 reported that it has found and deleted several trojans in the Application Data\Sun\Java\Deployment\cache\6.0\ folder. All were identified as Java/TrojanDownloader.Agent.NBU trojan.

    Since I have had past NOD32 reports of trojans in the Sun\Java\Deployment\cache\6.0\ folder, I would like to submit the files to virustotal.com to see if these are reported as such by other antivirus programs. Are they really deleted, or are they still available somewhere? I looked in the Local Settings\Application Data\ESET\ESET NOD32 Antivirus\Quarantine folder and did not see any files there with the same names as the ones reported. Instead, all files there have NQF or NDF extensions which I understand to be encrypted files created by NOD32.

    My two questions:

    1. How does one retrieve a reported and deleted malware file for submission to virustotal.com?

    2. If NOD32 is checking files in real-time, why weren't these files caught when they were first copied to the hard drive prior to the on-demand scan?
     
  2. Marcos (ESET Staff Account)

    1. Open the Quarantine panel, select the desired quarantined file and from the right-click menu select "Restore to".
    2. In order to tell, I'd need to know the full path to the file. I assume it could be that it's a non-SFX archive, which is not scanned by real-time protection for obvious reasons.
     
  3. vivona (Registered Member)

    Marcos, thank you for the instruction on how to restore a quarantined file. I submitted it to virustotal.com and 35% of the antivirus programs reported it as malware, though under different names. I have returned the file to quarantine.

    As to my second question, the full path of the file was C:\Documents and Settings\Username\Application Data\Sun\Java\Deployment\cache\6.0\31\.
     
  4. Marcos (ESET Staff Account)

    That seems to be a folder only, without the actual file name. I assume the file was a jar archive, wasn't it?
     
  5. vivona (Registered Member)

    The filename was 781da39f-42d20623. I do not know what kind of file it is because it doesn't have an extension, even though I have Explorer set to show extensions and hidden files.
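Because files in the Java deployment cache carry no extension, the content rather than the name has to tell you whether a cached item is a jar archive. The following Python example is added here and is not code from either poster or from ESET: it sniffs the leading bytes of such a file, lists the members when it is a zip/jar archive, and computes a SHA-256 that can be looked up on VirusTotal without uploading the file itself. The sample jar it builds is constructed for the demonstration and is not malware.

```python
import hashlib
import io
import zipfile

# Leading-byte signatures checked; the Java deployment cache stores downloads
# without an extension, so the header, not the name, identifies the content.
MAGIC = {
    b"PK\x03\x04": "zip/jar archive",
    b"\xca\xfe\xba\xbe": "java class file",
    b"MZ": "windows pe executable",
}

def sniff_type(data: bytes) -> str:
    """Classify a blob by its leading bytes; 'unknown' if no signature matches."""
    for magic, label in MAGIC.items():
        if data.startswith(magic):
            return label
    return "unknown"

def jar_entries(data: bytes) -> list:
    """Return member names of a zip/jar blob, or [] when it is not a valid archive."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return zf.namelist()
    except zipfile.BadZipFile:
        return []

def triage(data: bytes) -> dict:
    """Summarise a cache entry: type, SHA-256 (for a hash lookup), jar members."""
    kind = sniff_type(data)
    return {
        "type": kind,
        "sha256": hashlib.sha256(data).hexdigest(),
        "entries": jar_entries(data) if kind == "zip/jar archive" else [],
    }

def build_sample_jar() -> bytes:
    """Constructed stand-in for a cached applet jar (harmless placeholder content)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        zf.writestr("Loader.class", b"\xca\xfe\xba\xbe" + b"\x00" * 12)
    return buf.getvalue()

if __name__ == "__main__":
    # Replace build_sample_jar() with open(path, "rb").read() for a real cache file.
    print(triage(build_sample_jar()))
```

Searching VirusTotal by the SHA-256 returns existing results for a file without sending the file anywhere, which is preferable when the sample may contain private data.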
     