Submission question...

Discussion in 'NOD32 version 2 Forum' started by RejZoR, Aug 19, 2005.

Thread Status:
Not open for further replies.
  1. RejZoR

    RejZoR Registered Member

    Joined:
    May 31, 2004
    Posts:
    6,426
    http://img384.imageshack.us/img384/8533/nod32sub8gc.png

    I'm wondering what this means (exactly). Good, bad, how to avoid this?
    I have opened the confirmation window and confirmed submission.
    Will those non-suitable files be sent now or not?

    I checked my quite large database of various malware and NOD32 detected many of them with heuristics, so I chose to submit them.
     
  2. zashita

    zashita Registered Member

    Joined:
    May 17, 2005
    Posts:
    309
    The best thing I can tell you is to read the help file in the 'ThreatSense.Net' section.
    This is not bad at all, it is only a confirmation for sending only if you agree with this :)
    You can change the settings in the CC -> Nod32 System Tools -> Nod32 System Setup -> Setup -> ThreatSense.Net tab
    To see if the files were sent, go to the Event Log section in the CC. You should see something about this.
     
  3. wangk0998

    wangk0998 Registered Member

    Joined:
    Oct 23, 2004
    Posts:
    20
    I always submit viruses via E-mail, but......
     
  4. RejZoR

    RejZoR Registered Member

    Joined:
    May 31, 2004
    Posts:
    6,426
    I did read the help file and it says nothing about this.
    I scanned files with the explorer extension and NOD32 offered submission to ESET for new malware. A few minutes after this I got that popup balloon.
     
  5. mrtwolman

    mrtwolman Eset Staff Account

    Joined:
    Dec 5, 2002
    Posts:
    613
    If there are a lot of files to be submitted, they are not sent at once but in 2 or even more portions.
     
  6. zashita

    zashita Registered Member

    Joined:
    May 17, 2005
    Posts:
    309
    The balloon is a reminder telling you that some files are not yet submitted to Eset because you haven't yet said 'yes I want to submit them'.
    I guess your setting of EWS is 'ask before submitting'.
     
  7. Brian N

    Brian N Registered Member

    Joined:
    Jul 7, 2005
    Posts:
    2,148
    Location:
    Denmark
    If they have been sent to Eset, it should be in the event log.
     
  8. RejZoR

    RejZoR Registered Member

    Joined:
    May 31, 2004
    Posts:
    6,426
    That event log is crap because it doesn't log anything. Just loads of crap about failed update server connections and updates. Nothing about any submitted file...
     
  9. Brian N

    Brian N Registered Member

    Joined:
    Jul 7, 2005
    Posts:
    2,148
    Location:
    Denmark
    Hmm.. If there is no event for the files being sent, it could be because of your ThreatSense config.
    However, I'm not really sure if this option is only for statistics or suspicious files too.

    NOD32 System Setup > Setup > ThreatSense.Net > Advanced Settings > Submission > tick 'log sent data'.
     
  10. RejZoR

    RejZoR Registered Member

    Joined:
    May 31, 2004
    Posts:
    6,426
    It's been ticked from the beginning. I never got anything logged. Even if I use the Submit now! button.
     
  11. Stan999

    Stan999 Registered Member

    Joined:
    Sep 27, 2002
    Posts:
    566
    Location:
    Fort Worth, TX USA
    If it is sent the Event log should note it.

    Example from my log.

    Time Module Event User
    8/19/2005 6:26:41 AM Kernel Statistical information has been sent to Eset.
    8/18/2005 18:37:08 PM Kernel The file 'GRInstall.exe' has been sent to Eset's labs for analysis.
    8/18/2005 15:01:41 PM Kernel The virus signature database has been successfully updated to version 1.1197 (20050818).
     
  12. RejZoR

    RejZoR Registered Member

    Joined:
    May 31, 2004
    Posts:
    6,426
    No, no and no. I have sent around, I don't know, 150 samples? Something like that. My log should be full of such entries by now.
     
  13. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,374
    How do you know all of them were submitted if someone else had submitted them before?
     
  14. RejZoR

    RejZoR Registered Member

    Joined:
    May 31, 2004
    Posts:
    6,426
    Then why doesn't NOD32 tell me which were already submitted, or which were approved and which not?
     
  15. Papp

    Papp Guest

    Is the submission anonymous?
    Example: if NOD32 asks me to send a submission and the file is illegal (a crack for a program or game or something), can I be charged/prosecuted/indicted then? (I don't know the right word :) )
     
  16. Blackspear

    Blackspear Global Moderator

    Joined:
    Dec 2, 2002
    Posts:
    15,115
    Location:
    Gold Coast, Queensland, Australia
    Yes, totally. You do have the choice to add your email to the submission.

    Cheers :D
     
  17. NOD32 user

    NOD32 user Registered Member

    Joined:
    Jan 23, 2005
    Posts:
    1,766
    Location:
    Australia
    If you get that balloon and you want to send the files, all you need to do is click the balloon when it shows and answer the dialogue box in the affirmative. Normally the only reason you would get that balloon is if you have not yet enabled 'submit without asking' in 'ThreatSense.Net', otherwise every time NOD32 needs to send a file it will have you confirm first that it is OK, I think even if it was you that added it to the submission queue manually :)
     
  18. CyberMew

    CyberMew Registered Member

    Joined:
    Apr 17, 2005
    Posts:
    128
    So if the filename of the file is already inside, the file would not be sent? Then why did it ask us in the first place whether to send it over or not?
     
  19. rumpstah

    rumpstah Registered Member

    Joined:
    Mar 19, 2003
    Posts:
    486
    The submission system is specific to a machine when asking to submit a file.

    For example: RejZoR has 3 computers.

    Computer A has Anastyfile.exe, Anastyfile5.exe

    Computer B has Anastyfile.exe, Anastyfile4.exe

    Computer C has Anastyfile.exe, Anastyfile2.exe, Anastyfile3.exe

    Computer A had completed a scan (either through Kernel mode, On-Access or On-Demand Scan) and no one else had previously sent Anastyfile.exe (either through e-mail or the submission system).

    The log would have this appearance:

    Time Module Event User
    08/18/2005 07:24:29 Kernel The file 'C:\windows\system32\Anastyfile.exe' has been sent to Eset's labs for analysis.

    Computers B and C would ask to submit the file, but a log entry would not be created in lieu of the fact that Eset currently has the sample.

    It appears that RejZoR would like to see feedback from the submission system (i.e. Thank you for submitting Anastyfile.exe). Now throw that back a few million (being conservative) times at an outbreak. Albeit it is a "feature" request and something that may be nice to know, but not a sound business practice given the amount of data that would be coming in and then going out. ;)
     
  20. RejZoR

    RejZoR Registered Member

    Joined:
    May 31, 2004
    Posts:
    6,426
    Then why is it bothering me to submit stuff!? Dumb logic. :rolleyes:
    Anyway, I forcibly submitted all the samples yesterday...
     
  21. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,374
    Because it was detected by heuristics :) NOD cannot store all information about samples submitted by other people on your pc.
     
  22. RejZoR

    RejZoR Registered Member

    Joined:
    May 31, 2004
    Posts:
    6,426
    But it could just synchronize MD5 signatures with your server and submit only those that were not yet submitted, while telling the user that those rejected will be discarded from the submission cache. That's how I'd make a submission mechanism...
     
  23. CyberMew

    CyberMew Registered Member

    Joined:
    Apr 17, 2005
    Posts:
    128
    What happens if the filenames are the same yet the contents of the files are different? (Let's assume the file has not been sent yet.) Will it still be sent?
     
  24. RejZoR

    RejZoR Registered Member

    Joined:
    May 31, 2004
    Posts:
    6,426
    I pretty much doubt they compare them by name. For example, I have like 6 samples of server.exe which have completely different content.
    MD5 hash check is probably the most effective method.
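
Added example, not part of the original thread and not ESET's implementation: a sketch of the hash-synchronised submission queue proposed in the posts above, showing that same-named files with different content stay distinct while content the lab already holds is dropped and reported. `LabIndex`, `plan_submission`, `submit` and the sample queue are hypothetical and constructed for illustration, and SHA-256 is used in place of the MD5 named in the thread because MD5 collisions are practical.

```python
import hashlib

def content_digest(data: bytes) -> str:
    # Identity comes from the bytes, never the filename (SHA-256, not MD5).
    return hashlib.sha256(data).hexdigest()

class LabIndex:
    """Hypothetical stand-in for the vendor-side set of known sample digests."""
    def __init__(self, known=()):
        self.known = set(known)
    def missing(self, digests):
        # Only digests are exchanged for the lookup, not file bodies.
        return set(digests) - self.known
    def receive(self, data: bytes):
        self.known.add(content_digest(data))

def plan_submission(queue, lab):
    """Split a local queue of (path, bytes) into uploads and discarded paths."""
    by_digest = {}
    for name, data in queue:
        by_digest.setdefault(content_digest(data), []).append((name, data))
    wanted = lab.missing(by_digest)
    upload, discard = [], []
    for digest, entries in by_digest.items():
        if digest in wanted:
            upload.append(entries[0])                         # one copy per unique content
            discard.extend(name for name, _ in entries[1:])   # local duplicates
        else:
            discard.extend(name for name, _ in entries)       # lab already has it
    return upload, discard

def submit(queue, lab):
    """Upload what the lab lacks; return (sent paths, discarded paths) for the user."""
    upload, discard = plan_submission(queue, lab)
    for _, data in upload:
        lab.receive(data)
    return [name for name, _ in upload], discard

# Constructed sample queue: two different files both named server.exe,
# a renamed copy of the first, and one file the lab already holds.
SAMPLE_QUEUE = [
    (r"C:\samples\a\server.exe", b"constructed payload one"),
    (r"C:\samples\b\server.exe", b"constructed payload two"),
    (r"C:\samples\copy_of_server.exe", b"constructed payload one"),
    (r"C:\windows\system32\Anastyfile.exe", b"constructed payload already at lab"),
]

if __name__ == "__main__":
    lab = LabIndex({content_digest(b"constructed payload already at lab")})
    print(submit(SAMPLE_QUEUE, lab))   # first run: two uploads, two discards
    print(submit(SAMPLE_QUEUE, lab))   # second run: nothing left to upload
```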
     