Sick and tired of ESET letting things through

Discussion in 'ESET NOD32 Antivirus' started by jimwillsher, Apr 15, 2010.

Thread Status:
Not open for further replies.
  1. jimwillsher

    jimwillsher Registered Member

    Joined:
    Mar 4, 2009
    Posts:
    668
    Today it's Vista Smart Security 2010, when one of my users ran an attachment from a rogue UPS "unable to deliver your parcel" email. Stupid user, yes, but I'm so sick of ESET letting through "Vista Smart Security 2010" and "XP AntiVirus 2010".

    We have all the defaults, we have current definitions, and we have the "potentially unwanted applications" options selected.

    Why oh why have I paid for 122 licenses of EAVBE and continue to have this problem?



    Jim
     
  2. The Hammer

    The Hammer Registered Member

    Joined:
    May 12, 2005
    Posts:
    5,619
    Location:
    Toronto Canada
    It probably won't make you feel any better, but other AVs are experiencing the same problem. I know this as I have colleagues that use competitors.
     
  3. jimwillsher

    jimwillsher Registered Member

    Joined:
    Mar 4, 2009
    Posts:
    668
    What frustrates me though is that MBAM *always* finds the affected/infected files. So why can't ESET?

    We're seriously considering ditching ESET after this latest episode. We need something we can rely on, since users will always open unexpected attachments. I thought we had that reliability in ESET but I'm no longer sure.



    Jim
     
  4. doktornotor

    doktornotor Registered Member

    Joined:
    Jul 19, 2008
    Posts:
    2,047
    If users will always open unexpected attachments, then why on earth do you let them do it? You complain about ESET failing you, yet you as sysadmin have failed multiple times:

    1/ You can block such attachments directly on your mailserver, why don't you? Executables have no place in email in general; if absolutely needed, exceptions can be configured on a per-account basis.
    2/ You can block them in Outlook (heck, it's even the default IIRC to not let EXE and similar run from Outlook)
    3/ You can roll an SRP policy which will simply not let users run random stuff. %WINDIR% and %ProgramFiles% are really all they need.

    Sigh.
     
  5. jimwillsher

    jimwillsher Registered Member

    Joined:
    Mar 4, 2009
    Posts:
    668
    Thanks, but it's a Zip file....

    Also, you know nothing about our business. Our users frequently need to open .EXE files supplied to us.

    But that is not the point. ESET is supposed to block these and it didn't.
     
  6. adik1337

    adik1337 Registered Member

    Joined:
    Mar 21, 2010
    Posts:
    199
    I totally agree :thumb: ... don't expect any antivirus to do all things for you for none of them are 100% reliable when it comes to detection ... you as a system admin should do your part.
     
  7. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,374
    I second what doktornotor has written above. No security solution will protect you against every single threat. Neither will MBAM, and I'm sure the vendor wouldn't claim otherwise. Some products are better in specific areas than the competitors and vice versa, which doesn't mean they don't strive for perfection at all.
     
  8. doktornotor

    doktornotor Registered Member

    Joined:
    Jul 19, 2008
    Posts:
    2,047
    So your users have unpacked and willingly run it? Well, I actually forgot to add #0 to your fail list - educate your users.

    What kind of business is that which requires users (who are apparently uneducated and foolish enough to be trapped by the social engineering "vulnerability") to frequently run random .EXE sent to them? You definitely need a whole lot more protection in such an environment, like sandboxes and probably something that will roll back Windows to a previous state after reboot (Returnil and similar).
     
  9. The Hammer

    The Hammer Registered Member

    Joined:
    May 12, 2005
    Posts:
    5,619
    Location:
    Toronto Canada
    I don't normally make guarantees in a security forum. But in this case I can say with certainty the problem will not go away with a switch in Av's.
     
  10. trjam

    trjam Registered Member

    Joined:
    Aug 18, 2006
    Posts:
    9,057
    Location:
    North Carolina
    They all let crap through. Like doktornotor said, get a sandbox or a product that will mark all new applications untrusted. ;)
     
  11. funkydude

    funkydude Registered Member

    Joined:
    Apr 5, 2004
    Posts:
    6,853
    Valid or not, it's always excuses these days with AV companies.
     
  12. doktornotor

    doktornotor Registered Member

    Joined:
    Jul 19, 2008
    Posts:
    2,047
    Eh... in an environment where (allegedly) users frequently need to run unknown executables, relying on any antivirus as the only security application is just waiting for a disaster to strike. Absolutely not viable on the Windows platform.
     
  13. dannyboy

    dannyboy Registered Member

    Joined:
    Jul 21, 2005
    Posts:
    113
    Location:
    UK
    We get lots of those fake UPS emails every day, but they're caught by our spam filter so they never reach our users' inboxes.
     
  14. jimwillsher

    jimwillsher Registered Member

    Joined:
    Mar 4, 2009
    Posts:
    668
    I'm not looking for a magic wand. I'm just annoyed that our users have been hit six times now, each with "Vista Smart Security 2010" and "XP AntiVirus 2010". Each time ESET has let it through and MBAM has cleaned it up.

    What detection mechanism does MBAM use that ESET seem unable to implement?

    Nothing is foolproof, things will always slip by. But these two rogue products consistently get past ESET.


    Jim

    PS Barracuda would be lovely, but we're a non-profit and it's damned expensive.
     
  15. doktornotor

    doktornotor Registered Member

    Joined:
    Jul 19, 2008
    Posts:
    2,047
    See, MBAM detects it since the malware is already installed. Then you have a footprint to work with: known entries in the registry, autostart entries, processes etc. It's an entirely different situation than detecting something that's a single file based on signatures and some heuristics.

    And it will continue to do so since malware changes all the time. Antivirus is NOT a solution for your problem. It's a good thing to add into your security layer, but in the environment you've described you definitely need more.

    As already noted above, you don't need anything like Barracuda. Open-source free solutions exist to implement antispam + antivirus filtering of mail, ban exe and similar attachments on mailserver etc. You can do things like realtime HTTP scanning for virii w/ things like ClamAV + HAVP. Things like LUA/SRP are part of Windows. Security doesn't need to be expensive but properly designed in the first place. Which is not your case, unfortunately.
     
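    The mailserver-side attachment ban suggested above has to look inside archives as well, since the attachment in this thread arrived as a ZIP. The following is an added example, not code from any poster in this thread or from ESET: a small content-filter check in Python that parses a raw message, rejects executable attachments, opens ZIP attachments to find executables (by extension or by the "MZ" header), and fails closed on encrypted archive members. The extension list, the constructed sample message and the function names are all assumptions for the example.

```python
"""Mail-gateway attachment policy check (added example, not from this thread).

Rejects messages carrying executable attachments, including executables
hidden inside a ZIP.  Assumptions: the extension list, policy thresholds and
the sample message are constructed for this example; a real gateway would
call check_message() from its content filter and reject or quarantine on a
non-empty finding list.
"""
import email
import io
import zipfile
from email import policy
from email.message import EmailMessage

# Extensions treated as executable content (constructed list, extend per site).
EXEC_EXTENSIONS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".vbs", ".js", ".msi"}
ARCHIVE_EXTENSIONS = {".zip"}
MAX_MEMBERS = 1000  # guard against archives with huge member lists


def _ext(name):
    """Lower-cased extension of a file name, or '' if there is none."""
    name = (name or "").lower()
    dot = name.rfind(".")
    return name[dot:] if dot != -1 else ""


def _looks_like_pe(data):
    """Windows executables start with the 'MZ' DOS header, whatever the name says."""
    return data[:2] == b"MZ"


def inspect_zip(data):
    """Return policy findings for executable members inside a ZIP payload."""
    findings = []
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return ["unreadable zip archive"]
    for info in zf.infolist()[:MAX_MEMBERS]:
        if info.is_dir():
            continue
        if _ext(info.filename) in EXEC_EXTENSIONS:
            findings.append(f"executable inside zip: {info.filename}")
            continue
        # Encrypted members cannot be inspected without the password; flag them
        # so the policy fails closed instead of silently letting them through.
        if info.flag_bits & 0x1:
            findings.append(f"encrypted zip member: {info.filename}")
            continue
        with zf.open(info) as member:
            if _looks_like_pe(member.read(2)):
                findings.append(f"disguised executable inside zip: {info.filename}")
    return findings


def check_message(raw_bytes):
    """Parse a raw RFC 5322 message and return a list of policy findings."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        data = part.get_payload(decode=True) or b""
        ext = _ext(name)
        if ext in EXEC_EXTENSIONS or _looks_like_pe(data):
            findings.append(f"executable attachment: {name}")
        elif ext in ARCHIVE_EXTENSIONS or data[:2] == b"PK":
            findings.extend(inspect_zip(data))
    return findings


def build_sample_message():
    """Constructed sample: a fake 'parcel not delivered' mail whose ZIP wraps an
    EXE-named file.  The payload bytes are inert placeholders, not a program."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("UPS_invoice.exe", b"MZ placeholder, not a real program")
    msg = EmailMessage()
    msg["From"] = "noreply@example.invalid"
    msg["To"] = "user@example.invalid"
    msg["Subject"] = "Unable to deliver your parcel"
    msg.set_content("Please open the attached invoice.")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip",
                       filename="UPS_invoice.zip")
    return msg.as_bytes()


if __name__ == "__main__":
    for finding in check_message(build_sample_message()):
        print("REJECT:", finding)
```

    Run as a script it prints one REJECT line for the constructed sample; a plain-text message yields no findings. The check inspects member names and headers only, so it does not need to trust anything inside the archive, and it fails closed on anything it cannot open.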
  16. Jeroen1000

    Jeroen1000 Registered Member

    Joined:
    Aug 18, 2008
    Posts:
    162
    The OP does have a point here. I have NOD32 on a few computers I admin in my spare time. Whenever one of the other products (Mainly Avira, PrevX and MBAM) find something, I run it by NOD32 as well.

    I'll elaborate further for those up for a read.

    In the past (2-4 years ago) I never had something slip by NOD32 (that I was aware of anyway). After that period, I started to notice things getting past it. Weird exe's that had virus stamped all over them, so to speak. Crap coming in via Live Messenger that I saved and some stuff getting in via malicious websites, etc... Back in the 2.7 version, I always used to click those things just to see that bad red eye of NOD32 guarding me. But more and more I started to notice it slipping up. At first, I was almost shocked that a virus coming my way hadn't already been added to NOD32's signature base or got caught by its heuristics.

    From that point onwards, I decided to upload everything to jotti.org and started using a few other scanners on the PC's I admin (for sake of diversity as I was looking to replace NOD32).
    Avira in particular and others consistently caught the things that NOD32 missed. As did many other scanners on jotti.org's malware scanner. I always sent all the missed samples to NOD32 (around 20 in total over all that time) and I know for a fact that Avira caught them all (and threw in a few FPs too, but that's another story). What baffled me the most is that it sometimes took Eset over a week to add detections for the things I sent them. The odds that a new virus hits me before it has hit countless other users were slim in the past, but if you take into account how long it takes to add detection to the database, I, for one, am not surprised more and more got by as time progressed.

    Back in the day when it (jotti.org's malware scanner) displayed the results of every file that came by, I sometimes spent an hour or so hitting F5 to confirm my suspicions. The fact that many users experience this is proof that some vendors get overwhelmed by the sheer number of new threats that emerge every day. The more time a vendor has to spend adding definition files, the more time it will take for one to reach a user in the form of an update.

    Heuristics and in the cloud tech. seem the key to addressing these issues and if I'm not mistaken Eset is not in the cloud yet? (Not quite sure on this one)

    There may be many reasons for them lagging behind now:

    • It's more difficult for them to add detection (outdated scan engine or something of the like), hence they lose more time creating updates
    • They may be understaffed, taking into account they had trouble answering help desk queries in a timely manner
    • They progressed less than other AV vendors
    • ...

    So to the OP, I feel you have a strong point here. Eset has a point too, but it is no secret to me they are not the rock-solid AV they were in the past.
     
    Last edited: Apr 15, 2010
  17. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,374
    My experience is quite opposite - ESET detects most zero day threats in online scanners that other famous AVs (including the one you mentioned) miss.

    As for cloud, ESET introduced ThreatSense.Net in v2 and it has continually evolved to a cloud-like system which will be improved even further in the future.
     
  18. Geosoft

    Geosoft Registered Member

    Joined:
    Jan 7, 2009
    Posts:
    270
    Location:
    Toronto, Ontario, Canada
    Hi Jimwillsher,

    Barracuda does not have the power that Ironport has when it comes to spam filtering. Ask for a trial of their C160 device.

    It's also a good idea to use a different vendor of antivirus on your email gateway compared to what your clients are running.
     
  19. JeremyWW

    JeremyWW Registered Member

    Joined:
    Apr 13, 2005
    Posts:
    237
    Sorry to hijack this thread, but a quick q if I may. I'm running EAV 4.2.40 with no issues on Windows 7 Ultimate 32 Bit. I use Firefox. I was considering upgrading MWB to the paid for real-time version and running alongside NOD32. Any comments / advice on that? I scan regularly with both and take very few risks on-line. I haven't had a 'hit' from a scan for a very long time. Main reason for thinking about it is I do a fair bit of on-line shopping, banking & credit card sites etc...

    Thanks in advance.
     
  20. Jeroen1000

    Jeroen1000 Registered Member

    Joined:
    Aug 18, 2008
    Posts:
    162
    I must elaborate a bit here. The samples I scanned were not detected by Eset (all settings on highest, of course). I have no clue whatsoever as to whether they were zero day samples. Some were probably quite new because not many scanners detected them and some may have been weeks old or more. I just don't know. The fact is that another set of samples may go by unnoticed by other AVs and get caught by Eset. However, I can say this much: adding samples takes too much time. Avira, Kaspersky and PrevX are much faster in adding them (granted I have not been able to send them much). It may be in that department you are losing the "war".

    BTW, how do you know whether Eset detects more than the ones I mentioned? Just being curious :)

    Eventually, every sample I sent got detected, but much later. Perhaps this is what I and the OP are experiencing Marcos?


    I did notice this option, never quite knew what it was. I believe I may have this disabled thinking it is a privacy risk. Thanks for the heads up.
     
  21. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,374
    If you have examples of files that are not detected, perhaps you could post here a couple of MD5 that I could subsequently check and provide more info on them (it is against TOS to post here results from online scanners).
     
  22. Jeroen1000

    Jeroen1000 Registered Member

    Joined:
    Aug 18, 2008
    Posts:
    162
    I'll keep my eyes out for new ones. I kind of gave it a rest but recently my enthusiasm has been sparked again. I have a fair few contacts on Live Messenger sending me malicious links (not on purpose, their machine is likely to be infected).

    My laptop is equipped with NOD32 (4.0.something) but I've already downloaded the installer to upgrade to the latest version.
    My fixed desktop runs Antivir premium v10 and PrevX 3.5

    I hope I get lucky and find a good example:)
     
  23. Rolando57

    Rolando57 Registered Member

    Joined:
    Jan 21, 2009
    Posts:
    24
    Same here some weeks ago: one user got his PC infected by Antivirus Plus with Eset AV 4.0.474 installed. A scan of the computer brought no reaction, NOD32 didn't find anything. A scan with Avira found infected files and quarantined them.

    Where is the difference between doing a scan with MBAM after infection and with NOD32 as I did? You don't get the point there...
     
  24. Jeroen1000

    Jeroen1000 Registered Member

    Joined:
    Aug 18, 2008
    Posts:
    162
    If you still have the files, scan them again now. Perhaps detection is added by now. I have a firm feeling Eset is just a tad slow on the adding part. Well something doesn't add up anyway:)
     
  25. Mister Natural

    Mister Natural Registered Member

    Joined:
    May 10, 2007
    Posts:
    225
    Location:
    3rd density St. Louis
    System security is a multi-faceted work. No one application is going to do it all. Sounds to me like your users are getting hit with another Vundo variant. These are defended well by keeping your Adobe Acrobat and Flash Player fully updated at all times. Also, content filtering can go a long way in preventing users from going to places they shouldn't.
     