Undetected trojan or a Kaspersky's false-positive

Discussion in 'NOD32 version 2 Forum' started by Elliot, Nov 5, 2004.

Thread Status:
Not open for further replies.
  1. Elliot

    Elliot Registered Member

    Joined:
    Nov 5, 2004
    Posts:
    41
    I encountered a program which was reported as a trojan by Kaspersky, but not by NOD32. I wonder whether it's a real trojan or Kaspersky's false positive.

    I've posted it to both Kaspersky and Eset yesterday, but have had no response yet.

    And I'm new here; can I attach it here for further testing?

    THX.
     
  2. Elliot

    Elliot Registered Member

    Joined:
    Nov 5, 2004
    Posts:
    41
    I've submitted it to http://virusscan.jotti.dhs.org/ and got the following result:

    File: Keygen.exe
    Status: INFECTED/MALWARE (Note: this file has been scanned before. Therefore, this file's scan results will not be stored in the database)
    Packers detected: ASPACK

    AntiVir No viruses found (1.70 seconds taken)
    Avast No viruses found (4.80 seconds taken)
    BitDefender Trojan.Dropper.Delf.FD (3.94 seconds taken)
    ClamAV Trojan.Dropper.Delf-3 (4.28 seconds taken)
    Dr.Web Trojan.MulDrop.1159 (5.21 seconds taken)
    F-Prot Antivirus No viruses found (0.42 seconds taken)
    Kaspersky Anti-Virus TrojanDropper.Win32.Delf.fd (4.91 seconds taken)
    mks_vir Trojan.Trojandropper.Delf.Fd (2.12 seconds taken)
    NOD32 No viruses found (9.05 seconds taken)
    Norman Virus Control No viruses found (43.15 seconds taken)
     
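    To make the split verdict quoted above easier to reason about, here is an added example that is not part of the post and not Jotti's own code: a small Python parser for the result lines Elliot pasted, which counts detections, lists the engines that missed the file, and checks whether the detecting engines share a family token (here "Delf"). JOTTI_RESULT is a constructed copy of the quoted lines, and the family heuristic is my own, not a rule any vendor uses.

```python
import re
from collections import Counter

# Constructed copy of the result lines quoted in the post above, not the live service's output.
JOTTI_RESULT = """\
File: Keygen.exe
Packers detected: ASPACK
AntiVir No viruses found (1.70 seconds taken)
Avast No viruses found (4.80 seconds taken)
BitDefender Trojan.Dropper.Delf.FD (3.94 seconds taken)
ClamAV Trojan.Dropper.Delf-3 (4.28 seconds taken)
Dr.Web Trojan.MulDrop.1159 (5.21 seconds taken)
F-Prot Antivirus No viruses found (0.42 seconds taken)
Kaspersky Anti-Virus TrojanDropper.Win32.Delf.fd (4.91 seconds taken)
mks_vir Trojan.Trojandropper.Delf.Fd (2.12 seconds taken)
NOD32 No viruses found (9.05 seconds taken)
Norman Virus Control No viruses found (43.15 seconds taken)
"""
# Engine names contain spaces, so the verdict and timing are matched from the right.
LINE_RE = re.compile(r"^(?P<engine>.+?) (?P<verdict>No viruses found|\S+) \((?P<secs>[\d.]+) seconds taken\)$")
GENERIC = {"trojan", "dropper", "trojandropper", "win32"}  # naming-scheme words, not family names

def parse_jotti(text):
    """Split a Jotti-style report into the packer note and per-engine verdicts."""
    report = {"file": None, "packers": [], "results": []}
    for line in text.splitlines():
        if line.startswith("File: "):
            report["file"] = line[6:]
        elif line.startswith("Packers detected: "):
            report["packers"] = line[18:].split()
        elif (m := LINE_RE.match(line)):
            report["results"].append((m["engine"], m["verdict"], float(m["secs"])))
    return report

def summarize(report):
    """Count detections and look for a family token shared by the detecting engines."""
    flagged = [v for _, v, _ in report["results"] if v != "No viruses found"]
    clean = [e for e, v, _ in report["results"] if v == "No viruses found"]
    tokens = Counter()
    for verdict in flagged:
        tokens.update(set(re.split(r"[^a-z0-9]+", verdict.lower())) - GENERIC - {""})
    family, support = tokens.most_common(1)[0] if tokens else (None, 0)
    if not flagged:
        kind = "clean"
    elif clean:  # split verdict: a shared family name argues against a lone false positive
        kind = "split-consensus" if support >= 2 else "split-isolated"
    else:
        kind = "consensus"
    return {"detections": len(flagged), "engines": len(report["results"]), "missed_by": clean,
            "family": family, "family_support": support, "packed": bool(report["packers"]), "kind": kind}
```

    On the quoted report this yields 5 detections out of 10 engines, family token "delf" supported by four of them, and NOD32 among the engines that missed a packed file, which is the situation the thread goes on to discuss.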
  3. Blackspear

    Blackspear Global Moderator

    Joined:
    Dec 2, 2002
    Posts:
    15,115
    Location:
    Gold Coast, Queensland, Australia
    Welcome to Wilders Elliot.

    No, it is against the Terms of Service for Wilders to post links or attach viruses.

    Where did you send the file to, samples@nod32.com ?

    Cheers :D
     
  4. Elliot

    Elliot Registered Member

    Joined:
    Nov 5, 2004
    Posts:
    41
    Thank you Blackspear, I love this forum. :)

    Yeah, I've posted them to samples@nod32.com. More than 30 hours have passed, and still no response yet.
     
  5. dvk01

    dvk01 Global Moderator

    Joined:
    Oct 9, 2003
    Posts:
    3,131
    Location:
    Loughton, Essex. UK
    Sometimes when I submit samples to NOD I get a reply back in a couple of hours, and sometimes it takes more than a week.

    Occasionally I have had no reply at all, but it has appeared in an update within a couple of days.

    I think that they use a semi-automatic system, and if someone else has already submitted that sample and their email virus checker recognizes it, then your sample gets automatically rejected.
     
  6. Elliot

    Elliot Registered Member

    Joined:
    Nov 5, 2004
    Posts:
    41
    Yeah, dvk01 may be right. Kaspersky's incoming sample mail processor DOES act in the same way.
     
  7. Elliot

    Elliot Registered Member

    Joined:
    Nov 5, 2004
    Posts:
    41
    This file proved to be Win32/TrojanDropper.Delf.FD. This morning I updated NOD32, tried it on this file again, and it was detected.

    I felt that newvirus@kaspersky's reaction was much faster than NOD32's. I often got a response from Kaspersky within a few hours. This time it took more than 3 days for NOD32 to add this new TrojanDropper to its signatures.
     
  8. tazdevl

    tazdevl Registered Member

    Joined:
    May 17, 2004
    Posts:
    837
    Location:
    AZ, USA
    Kaspersky has an automated process, Eset doesn't, hence the delay.
     
  9. ronjor

    ronjor Global Moderator

    Joined:
    Jul 21, 2003
    Posts:
    57,729
    Location:
    Texas
    I believe Eset does have an automated process.

    June 17th, 2004, 03:11 AM
    anton
    Eset Moderator

    Join Date: Oct 2002
    Posts: 208
    Re: What happened ESET?
    Hi Guys,

    Eset appreciates (a lot) all and every sample/s sent to its labs (samples@eset.com). Every sample is logged and examined using various methods. Addition of a sample-signature into the database is made on a need-to basis. Extraction of a signature of a sample is an automated process and could be completed in no time. However, Eset does not want to take part in a 'maximum-size-of-the-database' race and prefers to keep the database clean, i.e. without 'meaningless' benign signatures.

    Some of the forum participants may recall the Rosenthal Utilities (RU) tests performed by CNET two years ago. All the 'simulated viruses' generated by the RU were benign (non-viral). 100% detection of the RU samples (achieved by some of the products) meant 100% False Alarm Rate. Detection of non-viral samples may lead to a couple of things: excellent results in some 'tests' combined with a false sense of security, a huge 'virus' signature database and 'dinosaur' update files.
    Exponential increase of the number of new malware samples may often lead to a 'path-of-least-resistance' approach: automatic addition of all sample signatures, regardless of their viral nature.

    Eset exchanges samples with several av vendors. The opposite statement is incorrect.

    Speed of update and reaction time is of the essence. Eset is fully aware of that. Advanced Heuristics has been developed and implemented with that in mind. The only acceptable reaction time is equal to zero. NOD32 achieves that often, e.g. it detected the infamous Netsky.A and Bagle.A heuristically.

    Once again, I would like to thank you all: for both the samples and your patience :)

    anton
    Last edited by anton: June 17th, 2004 at 04:11 AM.
     