Strange thing with Jotti's NOD32 detection rate

Discussion in 'NOD32 version 2 Forum' started by NODUSER, Nov 24, 2005.

Thread Status:
Not open for further replies.
  1. NODUSER

    NODUSER Guest

    I don't know why, but sometimes I see NOD32 not detecting some trojans in Jotti's virus scan, but when I search the trojan name in the NOD32 update info I see that NOD32 has a signature for this trojan... why?
     
  2. Blackspear

    Blackspear Global Moderator

    Joined:
    Dec 2, 2002
    Posts:
    15,115
    Location:
    Gold Coast, Queensland, Australia
    Part of the reason is that Jotti's uses a Linux version of NOD32. More technical than that, you will have to wait for Marcos or Happy Bytes to wander along.

    Cheers :D
     
  3. rumpstah

    rumpstah Registered Member

    Joined:
    Mar 19, 2003
    Posts:
    486
    It can also be related to the fact that the sample is non-functional.

     
  4. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,374
    The results should be the same regardless of the operating system used. All depends on the settings. The thing is, a lot of samples submitted for analysis are corrupted, or they are installers which are not scanned internally (well, NOD32 actually supports NSIS, WISE, SFX archives), but malicious files are detected upon installation.
     
  5. Blackspear

    Blackspear Global Moderator

    Joined:
    Dec 2, 2002
    Posts:
    15,115
    Location:
    Gold Coast, Queensland, Australia
    Thank you Marcos, always knew there was a difference, but didn't know to what extent.

    Cheers :D
     
  6. NODUSER

    NODUSER Guest

    But I see it a lot of times... every time this occurs, is it because the file is corrupted? I've seen about 10 scans at Jotti that NOD doesn't detect, but it has the signature for the virus... The other antiviruses do detect it... is it considered a false positive if the file is corrupted?
     
  7. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,374
    It all depends. No one says that NOD32 detects all 100% functional viruses as well as no one can say there's an AV that detects every single functional virus. Send it to samples[at]eset.com and if it's actually functional it will be added.
     
  8. NODUSER

    NODUSER Guest

    One example of many I've seen:

    http://img282.imageshack.us/img282/2063/joe7rf.jpg

    NOD32 - 1.1267 (20051028) / posted 02:19
    Virus signature database updates:
    Java.OpenConnection, Java.OpenConnection.AJ, Win32/Adware.CashFiesta, Win32/Agent.PQ, Win32/Aimbot.NAA, Win32/Bifrose.DG, Win32/Delf.AIM, Win32/DelFiles.AH, Win32/IRCBot.PG, Win32/Locksky, Win32/Locksky.A, Win32/Mytob.LY, Win32/Oscarbot.AU, Win32/Oscarbot.AV, Win32/Oscarbot.AW, Win32/Oscarbot.AX, Win32/Oscarbot.AY, Win32/Oscarbot.AZ, Win32/Pakes.H, Win32/Paltus.D, Win32/Prox.O, Win32/PSW.Agent.AN, Win32/PSW.Agent.CV, Win32/Spy.Banker.AGN, Win32/Spy.Banker.NGR, Win32/Spy.Banker.NGS, Win32/Spy.Banker.UG, Win32/Spy.Banker.WU, Win32/Spy.Banker.YT, Win32/Spy.Banker.ZY, Win32/Spy.Goldun.DN, Win32/Spy.Small.BV, Win32/StartPage.ADV, Win32/Surila.AB, Win32/Surila.NAC, Win32/Surila.NAD, Win32/TrojanClicker.Delf.DL, Win32/TrojanDownloader.Agent.NCZ, Win32/TrojanDownloader.Agent.NDA, Win32/TrojanDownloader.Agent.XX, Win32/TrojanDownloader.Small.BTE, Win32/TrojanDownloader.Small.BTJ, Win32/TrojanDownloader.Small.NFS, Win32/TrojanDownloader.VB.NBN, Win32/TrojanDropper.Agent.NAR, Win32/TrojanDropper.Agent.SO, Win32/TrojanDropper.Delf.NH, Win32/TrojanDropper.Delf.OC, Win32/TrojanDropper.Small.ABX, Win32/VB.AEH, Win32/VB.AEM, Win32/VB.NBC, Win32/VB.NBD
     
  9. Brian N

    Brian N Registered Member

    Joined:
    Jul 7, 2005
    Posts:
    2,148
    Location:
    Denmark
    Well, I consider a corrupt file/virus to be an F/P if it gets detected.
    I mean, who wants to be warned about a threat that is not even working? Not me :)
     
  10. pykko

    pykko Registered Member

    Joined:
    Apr 27, 2005
    Posts:
    2,236
    Location:
    Romania...and walking to heaven
    hmmm... Kaspersky gives too many FP. :p
     
  11. RejZoR

    RejZoR Registered Member

    Joined:
    May 31, 2004
    Posts:
    6,426
    You say that this is an FP but I say it's not. Look at the filename and you'll see what I mean. There is no crack for the Symantec 2006 line except repacked 2005 keygens and other crap or trojans. And this one is correctly matched...
     
  12. pykko

    pykko Registered Member

    Joined:
    Apr 27, 2005
    Posts:
    2,236
    Location:
    Romania...and walking to heaven
    Well, probably u're right....u can never know. :D Anyway, I've seen many FP from Kaspersky compared to other AVs. :)
     
  13. Brian N

    Brian N Registered Member

    Joined:
    Jul 7, 2005
    Posts:
    2,148
    Location:
    Denmark
    Actually I'm not saying it's an F/P - I'm saying that I consider it to be an F/P.
    It could very well be garbage or a real working trojan/virus whatever.

    I don't have the time, nor the expertise to flag this as harmless ;)
     
  14. NODUSER

    NODUSER Guest

    So why didn't NOD32 detect it? NOD32 has the signature...
     
  15. Farbod

    Farbod Registered Member

    Joined:
    Nov 10, 2005
    Posts:
    88
    You can send me the sample (support[at]nod32.com), maybe FP, maybe a subsignature needed, maybe file damaged, maybe...
     
    Last edited: Dec 1, 2005
  16. Brian N

    Brian N Registered Member

    Joined:
    Jul 7, 2005
    Posts:
    2,148
    Location:
    Denmark
    LOL? You're the one giving away registration codes for BitDefender, are you not?
    Good reseller or something right here..

    https://www.wilderssecurity.com/showpost.php?p=616367&postcount=2
     
  17. NODUSER

    NODUSER Guest

    I don't have the file, because it wasn't me who submitted the file to Jotti.. anyway, I will search in some crack forums for this file and send it to you..
     
  18. Farbod

    Farbod Registered Member

    Joined:
    Nov 10, 2005
    Posts:
    88
    Last edited: Dec 1, 2005
  19. Farbod

    Farbod Registered Member

    Joined:
    Nov 10, 2005
    Posts:
    88
    Ok :)
     
  20. NODUSER

    NODUSER Guest

    Ok, eMule just started downloading.. 0,7kb/s :/

    To which e-mail should I send it?
     
  21. Farbod

    Farbod Registered Member

    Joined:
    Nov 10, 2005
    Posts:
    88
    Samples@eset.com or if you want a reply, to me also a CC! ;)
     
    Last edited: Dec 1, 2005
  22. Pain of Salvation

    Pain of Salvation Registered Member

    Joined:
    Apr 21, 2005
    Posts:
    398
    Hello...

    I'm the old "NODUSER"... ;)

    Will send it to you now!

    NOD32 has not detected it here...
     
  23. Farbod

    Farbod Registered Member

    Joined:
    Nov 10, 2005
    Posts:
    88
    OK, received it. But please let me analyze it, here the time is 3:00am. :eek:
     
  24. NODUSER

    NODUSER Guest

  25. Farbod

    Farbod Registered Member

    Joined:
    Nov 10, 2005
    Posts:
    88
    Sorry for the delay,

    Yes, the file is infected!

    The malicious code is wrapped in a self-extracting archive, and it isn't able to auto-extract itself. However, whether the user clicks or not, during extraction the malicious code, in order to install itself, must copy the malicious body to the hard disk. At that time, with AMON enabled, the malicious code will be caught.
     

    Attached Files:

    • ddpx.png (34.7 KB)
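The two explanations given in this thread (Marcos: many submitted samples are corrupted or are installers that a static scan does not unpack; Farbod: the payload was wrapped in a self-extracting archive and only appears on disk during extraction) can be checked before reporting a multi-scanner discrepancy as a miss. The triage below is an added example, not code from the thread or from ESET; the sample it builds is a constructed minimal PE32 stub with a fake appended archive, not a real file.

```python
import struct

# Archive magics commonly found as an "overlay" appended after the last PE
# section (installer / self-extracting wrapper); an on-access scanner sees the
# payload only once the stub extracts it to disk.
ARCHIVE_MAGIC = {
    b"PK\x03\x04": "zip/sfx",
    b"Rar!\x1a\x07": "rar/sfx",
    b"7z\xbc\xaf\x27\x1c": "7z/sfx",
}

def triage_pe(data: bytes) -> dict:
    """Classify a sample as not_pe / truncated / clean_pe / pe_with_overlay."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return {"verdict": "not_pe"}
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return {"verdict": "truncated", "reason": "PE header missing"}
    num_sections = struct.unpack_from("<H", data, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", data, e_lfanew + 20)[0]
    sect_off = e_lfanew + 24 + opt_size          # section table follows the optional header
    end_of_image = 0
    for i in range(num_sections):
        off = sect_off + i * 40
        if off + 40 > len(data):
            return {"verdict": "truncated", "reason": "section table cut off"}
        raw_size, raw_ptr = struct.unpack_from("<II", data, off + 16)
        end_of_image = max(end_of_image, raw_ptr + raw_size)
    if end_of_image > len(data):
        # Section headers promise more bytes than the file holds: a non-functional
        # sample, which is what the thread calls a "corrupted" submission.
        return {"verdict": "truncated", "reason": f"sections need {end_of_image} bytes, file has {len(data)}"}
    overlay = data[end_of_image:]
    if not overlay:
        return {"verdict": "clean_pe"}
    kind = next((k for m, k in ARCHIVE_MAGIC.items() if overlay.startswith(m)), "unknown")
    return {"verdict": "pe_with_overlay", "overlay_bytes": len(overlay), "overlay_kind": kind}

def build_sample(overlay: bytes = b"", truncate_to=None) -> bytes:
    """Constructed PE32 stub (one .text section at file offset 0x200..0x400); not malware."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)                      # e_lfanew = 0x40
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0xE0, 0x102)
    opt = b"\0" * 0xE0                                                        # zeroed optional header
    section = b".text\0\0\0" + struct.pack("<IIIIIIHHI", 0x200, 0x1000, 0x200, 0x200, 0, 0, 0, 0, 0x60000020)
    header = dos + coff + opt + section
    image = header + b"\0" * (0x200 - len(header)) + b"\xc3" * 0x200 + overlay
    return image if truncate_to is None else image[:truncate_to]

if __name__ == "__main__":
    print(triage_pe(build_sample(overlay=b"PK\x03\x04" + b"x" * 100)))
```

A `truncated` verdict explains a non-detection without implying a missing signature; a `pe_with_overlay` verdict points at the installer case, where the real test is whether the payload is caught on write.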