Undetected threat

Discussion in 'NOD32 version 2 Forum' started by 'G', Aug 31, 2007.

Thread Status:
Not open for further replies.
  1. 'G'

    'G' Registered Member

    Joined:
    Aug 21, 2004
    Posts:
    64
    Location:
    United Kingdom
    Last edited by a moderator: Aug 31, 2007
  2. The Hammer

    The Hammer Registered Member

    Joined:
    May 12, 2005
    Posts:
    5,619
    Location:
    Toronto Canada
    See here. http://www.eset.com/support/faq1.php?id=1110
     
  3. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,374
    How do you know it's undetected? This screenshot tells nothing about Nuwar's detection. If it's undetected by IMON / AMON, then it's most likely corrupted.
     
  4. 'G'

    'G' Registered Member

    Joined:
    Aug 21, 2004
    Posts:
    64
    Location:
    United Kingdom
    Well, CounterSpy detected it when I gave it a selected scan. From the screenshot, many other anti-virus programs seem to have also.

    I will submit it, and then we will know that it was an undetected threat.

    No, the file is not corrupted.

    I'll keep you posted.

    Thanks for the link :)
     
  5. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,374
    So you are saying that you saw the file running on a computer and it was not detected by AMON nor IMON/EMON? This seems to me highly unlikely. Please submit it to samples[at]eset.com in an archive protected with the password "infected" and this thread's url in the subject.
     
  6. 'G'

    'G' Registered Member

    Joined:
    Aug 21, 2004
    Posts:
    64
    Location:
    United Kingdom
    Marcos, this is the story.

    I beta test for The Cleaner Professional and CounterSpy developers and have supplied over 10,000 of the nastiest infections in the wild in June 2006 to them each.

    So when I get a spam message telling me to download this YouTube video, I download it. And others like it.

    I then scan, knowing that it will be infected. NOD32 is my main anti-virus prog but I don't expect it to have a threat database monopoly on detection and removal of infections. So every time I capture an infection it is with caution. I’ve never been infected ever.

    So the file was not executed, only downloaded. I scanned it with NOD32 (latest build and defs) expecting it to detect the infection. It was so obvious what it was that it is incredulous to me how dumb computer users are to get infected by this crap.

    I was surprised that NOD32 hadn't detected it. So I uploaded it to VIRUSTOTAL. The majority of scanners detected it.

    The file has been submitted to ESET but is not detected yet, as each new def update I give it a scan.


    PS: I'll be supplying another 10,000+ infections by the end of the year to The Cleaner Professional and CounterSpy developers.
     
  7. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,374
    Nuwar is a different story, you won't usually see detection by NOD32 in Virus Total though NOD32 can actually detect and block it. Could you please rename the file with AMON enabled to see if it's detected? Make sure that advanced heuristics is enabled on create in the AMON setup.
     
  8. 'G'

    'G' Registered Member

    Joined:
    Aug 21, 2004
    Posts:
    64
    Location:
    United Kingdom
    The filename was originally called:

    video.exe


    I renamed it:

    vidoe.txe
    hello.exe
    hello.txt.

    No detection on right-clicking the file and scanning with NOD32, whatever the name of the file.


    "Nuwar is a different story, you won't usually see detection by NOD32 in Virus Total though NOD32 can actually detect and block it."

    Ok, so it may not be detected in VirusTotal (why not?), but that was the very reason I used VirusTotal: to confirm my hunch, because the file was obviously an infection and NOD32 missed it.

    Regardless of whether NOD32 via VirusTotal is a different story, the telltale is on a computer user's machine. This is where a chink in the armour of NOD32 appears.

    This was such an obvious ruse to infect machines, but NOD32 missed it.
     
  9. webyourbusiness

    webyourbusiness Registered Member

    Joined:
    Nov 16, 2004
    Posts:
    2,640
    Location:
    Throughout the USA and Canada
    You fail to mention whether advanced heuristics was turned on. Marcos specifically said that it had to be turned on. Do you have it on?
     
  10. Brian N

    Brian N Registered Member

    Joined:
    Jul 7, 2005
    Posts:
    2,148
    Location:
    Denmark
    Is it working or broken?
    NOD32 won't detect broken/non-working samples (they do on rare occasions, however), hence their low F/P ratio. NOD32 will not detect anything that is not a threat. Simple as that :) So while you think the protection is not sufficient, it's actually working as it should, as it was designed.
     
  11. 'G'

    'G' Registered Member

    Joined:
    Aug 21, 2004
    Posts:
    64
    Location:
    United Kingdom
    Yes, heuristics is on and has always been on.

    Why do you assume that it must be the infection file that is broken or not working properly, and not NOD32?

    Would you like me to send it to you as a RAR file with the password "infected"?

    May be you can see for yourself one way or the other.

    PM me if anyone is interested.

    I’ve been software testing for 15 years.
     
  12. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,374
    I recall receiving video.exe from different people, in all cases it was broken and wouldn't run. As a result, advanced heuristics could not emulate it and NOD32 didn't detect it which is ok.
     
  13. 'G'

    'G' Registered Member

    Joined:
    Aug 21, 2004
    Posts:
    64
    Location:
    United Kingdom
    Well then that is good news. The miscreants that are trying to infect machines cannot even get it right.

    It may indeed be broken then, but others on VIRUSTOTAL and CounterSPy on my machine still seem to detect it regardless.

    I had another email sending me to an obviously infected URL and collected the one named:

    ecard.exe

    That one was detected as the W32.Numar.Gen worm by NOD32.
     
  14. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,374
    Yes, many AV vendors don't bother to check a file for functionality before they add detection. I understand this because even without the functionality check they have too many samples to analyse. However, given that advanced heuristics emulates the code, it normally doesn't trigger an alarm on corrupted files.

    Unlike the previously discussed sample, this one should be fully functional if it was detected by NOD32. That's how things are supposed to work :)
     
  15. RejZoR

    RejZoR Registered Member

    Joined:
    May 31, 2004
    Posts:
    6,426
    It's funny how so much stuff gets "corrupted" just like that. Khm?! I was using a 56k modem for quite some time and I can't remember anything being corrupted, let alone on today's reliable cable and DSL lines. Plus trojans, backdoors and worms don't just infect stuff (file infectors were known to get corrupted when some AV failed to repair them completely). So all this "it's probably corrupted" sounds like a load of bollocks to me (imo). No offense, but it just sounds like this.
     
  16. 'G'

    'G' Registered Member

    Joined:
    Aug 21, 2004
    Posts:
    64
    Location:
    United Kingdom
    Well better to be safe and sure, don't you think?
     
  17. The Hammer

    The Hammer Registered Member

    Joined:
    May 12, 2005
    Posts:
    5,619
    Location:
    Toronto Canada
    Malware quality ain't what it used to be I guess.:D
     
  18. the_sly_dog

    the_sly_dog Registered Member

    Joined:
    Feb 28, 2006
    Posts:
    297
    Location:
    The Heart Of London
    NOD32 is very picky about what gets added, or whether it even gets added. I sent quite a few pieces in a while back.

    1 week, no detection.

    I jumped ship and went with another brand that adds stuff within hours when you send it, and they also reply to you.

    If it is corrupted, then why do most other AV companies detect the threat? o_O

    I'm not bashing, just giving my own experience.
     
    Last edited: Sep 3, 2007
  19. 'G'

    'G' Registered Member

    Joined:
    Aug 21, 2004
    Posts:
    64
    Location:
    United Kingdom
    Marcos.

    I see. The number of samples supplied may overwhelm any company developing an anti-infection program, to the point that an infection may be harmless but included. I will bear that in mind in future.

    Like you said, if the file is corrupted the heuristics will not permit NOD32 to emulate the infection as it is damaged. The ecard.exe one obviously wasn’t corrupted and NOD32 gives the infection detected display box. So all well there then.

    In all probability the video.exe file is corrupted but I wanted to make sure. I still think NOD32 is the best.

    Yeah, infection quality control is poor, which is good :)

    As Marcos said, the reason why the infection isn't included is because it is corrupted and effectively harmless. The reason it is added by other anti-infection companies is because they do not have the time to check each infection for its infection potential. Therefore corrupted files get included too. CounterSpy has a threat database of over one million, so I wonder how many are corrupted and effectively harmless. I will have to bring this to the attention of the head developer, as this file was detected.

    I must admit, I’m happier now than I was about this situation and I learnt more from it, especially with regards to NOD32.

    It’s still the best as it has kernel-level active protection, a strong threat database and treads lightly on resources.

    The best threat database is still Kaspersky but what a resource hog.

    The champion for me is NOD32.

    To "The Sly Dog": Go back to NOD32 with the 3-year plan.
     
  20. Bubba

    Bubba Updates Team

    Joined:
    Apr 15, 2002
    Posts:
    11,271
    Since it appears this issue has for the most part been resolved/discussed adequately enough, we'll bring it to a close. For those wishing to discuss other AVs, feel free to do so in our other anti-virus software forum. Please.

    Thanks,
    Bubba
     