"unable to clean" threat: why doesn't EAV run the standalone tool?

Discussion in 'ESET NOD32 Antivirus' started by Reedmikel, Feb 23, 2012.

Thread Status:
Not open for further replies.
  1. Reedmikel

    Reedmikel Registered Member

    Joined:
    Dec 30, 2011
    Posts:
    185
    As a new user (NOD32 4.2 Bus Ed), I have come across several customers' machines that are getting infected with "a variant of Win32/Olmarik.AWO trojan" and the Action is listed as "unable to clean".

    I research it on ESET's web site and find a page that lists "Stand-alone malware removal tools", which has a specific tool for this Olmarik threat. My question: if ESET knows of a threat like Olmarik (since 2010), why do we have to manually download their tool and run it on the infected machine? I would think ESET should be able to automate the fix after 2 years, no? If for some reason ESET can't figure out a way to clean this threat with the regular NOD32 engine, at least provide a way for admins to schedule it to be cleaned from their ERAC (console). Come on, if ESET can send definition and software updates to machines, surely they can send one of these removal tools.

    It is frustrating to realize that the software knows there's a threat, knows what the threat is, and knows of a malware removal tool that fixes it. Heck, upload the tool to the infected machine and then run it for us (and reboot and schedule a followup in-depth scan if needed)!!!

    Is my logic flawed?
     
  2. Cudni

    Cudni Global Moderator

    Joined:
    May 24, 2009
    Posts:
    6,956
    Location:
    Somethingshire
    Those tools are provided similarly to those of other AV tools targeting specific malware that often mutates and/or is complex and dangerous enough to merit a custom tool to deal with it. I suspect those custom tools regularly become part of full AV detection.
     
  3. Reedmikel

    Reedmikel Registered Member

    Joined:
    Dec 30, 2011
    Posts:
    185
    I did see 2 versions of the removal tool for Olmarik, one dating back to 2010, the other I think was Jan 2012. It makes sense that the 2012 tool wouldn't yet be incorporated into the base product. But the 2010 tool?

    I assume the normal course of action is for an admin to download and run a specific tool after NOD32 reports "unable to clean" and lists the threat type. Why not make ERAC more useful and allow us to configure it to push such tools to infected machines and attempt to run it for us? There's no magic in my having to remote into an infected PC, download the tool, then run it. Surely your software can do it too. The current process just devours my precious time :(

    If ESET added such a feature to the policy settings, those that love doing all this manual work could simply disable this new feature...
     
  4. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,374
    Stand-alone cleaning tools are created especially for the following reasons:
    - make it much more difficult for malware authors to adapt to cleaners
    - stability (cleaners involve more risk which would be a problem especially on servers if security software carried out actions potentially resulting in serious problems automatically)
     
  5. Reedmikel

    Reedmikel Registered Member

    Joined:
    Dec 30, 2011
    Posts:
    185
    Imagine if you added some new policy settings that allowed us to decide whether stand-alone tools should automatically be pushed to infected machines and then run! I agree that most admins would not want to run any of these stand-alone tools on a server automatically, so this new feature should probably only apply to workstations.

    If ESET does not want to add this type of automation, how about at least providing us a link in ERAC to the appropriate stand-alone tool? e.g. I right-click on a threat such as Olmarik, and there's a new menu option that takes me right to the download link for Olmarik (as well as the instructions).

    The point is to make this as easy (and fast) for us admins as possible. Imagine if you managed thousands of machines and had to manually run these stand-alone tools.
     
  6. agoretsky

    agoretsky Eset Staff Account

    Joined:
    Apr 4, 2006
    Posts:
    4,032
    Location:
    California
    Hello,

    Your feature request has been passed on to ESET product management team for consideration in a future release.

    Regards,

    Aryeh Goretsky
     