variant of J2ME/TrojanSMS.Konov.L trojan not captured through http scanning

Discussion in 'ESET NOD32 Antivirus' started by vtol, Oct 29, 2010.

Thread Status:
Not open for further replies.
  1. vtol

    vtol Registered Member

    Joined:
    Apr 8, 2010
    Posts:
    774
    Location:
    just around the next corner
the urls might need to be blocked too. Submitted to Eset for analysis through the built-in submitter. On-demand scan detects it but does not move it into quarantine.

    link distributed via ICQ

    variant of J2ME/TrojanSMS.Konov.L trojan

    /sokrati.ru/1h4p referred to /z5.gryzi.org/1737/*.jar

    bypasses FF redirection protection, noScript may save you from a drive-by infection
     
    Last edited: Oct 29, 2010
  2. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,374
    Please make sure you didn't run a scan without cleaning. Jar files are archives so you must be offered action selection after a scan completes. ICQ doesn't communicate via http, hence the web scanner didn't detect it in the first place.
     
  3. vtol

    vtol Registered Member

    Joined:
    Apr 8, 2010
    Posts:
    774
    Location:
    just around the next corner
put the link from ICQ into sandboxed FF 4 with javascript off, then downloaded the file into a sandboxed location and ran an on-demand scan. During the download in FF, NOD did not detect it.

    that is what the on demand scan ended with, no offer to clean or quarantine or anything...

    29-10-2010 20-25-16.jpg

    just realized that FF was excluded from http scanning due to the incompatibility between NOD https scanner and FF. Repeated the same with Safari and NOD caught the bugger during the download... ...my bad. On the other hand users of FF who would have excluded the browser from http scanning for the same reason would be unprotected then. there should be an option to exclude https scanning only if an application is incompatible with NOD and not to have to exclude such application entirely from protocol filtering
     
    Last edited: Oct 29, 2010
  4. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,374
    If you ran the scan from within the context menu, make sure you selected "Clean with ESET NOD32 Antivirus" and not "Clean with ESET NOD32 Antivirus".

    If you ran a custom scan from within the main program panel, make sure the "Scan without cleaning" check box is unticked before clicking the Scan button.
     
  5. vtol

    vtol Registered Member

    Joined:
    Apr 8, 2010
    Posts:
    774
    Location:
    just around the next corner
from the context menu, it is either A or B, and I chose A with the result shown above but no offer to clean or quarantine

    29-10-2010 20-50-24.jpg
     
  6. toxinon12345

    toxinon12345 Registered Member

    Joined:
    Sep 8, 2010
    Posts:
    1,200
    Location:
    Managua, Nicaragua
    The first option (A) is for diagnostic purposes
    The other option (B) is for cleaning

    Use B
     
  7. vtol

    vtol Registered Member

    Joined:
    Apr 8, 2010
    Posts:
    774
    Location:
    just around the next corner
that is obvious. The logic of an AV is supposedly to offer clean/quarantine when detecting something malicious like that during a manually invoked scan
     
  8. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,374
    Not everyone wants to remove found threats automatically during a scan. For this purpose, there are two options - "Scan with ESET..." serves to scan files without carrying out any action while "Clean files" enables cleaning/removing during a scan. The context menu can be customized so you can reverse the order of the options or completely remove some if you mind.
     
  9. vtol

    vtol Registered Member

    Joined:
    Apr 8, 2010
    Posts:
    774
    Location:
    just around the next corner
did not mention that, it is more like popping up a window offering a choice when threats are recognized during a manual scan - options to clean or quarantine or ignore once or white-list permanently plus submit for analysis. That would easily serve those who do not wish to clean or quarantine as well as those wanting to get rid of a bugger.

    how much code is that to achieve, will it bloat NOD or make it incompatible or reduce functionality? probably not, as most of it is coded into NOD already related to ThreatSense.

as it stands right now, the user has to close the scan window, go back to explorer, right-click again to pop up that menu, which easily could result in a left click and thus execution of a file, and choose one from B.

afaik most of the other mainstream AVs do offer a choice when detecting a threat during a manual scan, asking the user how the AV is supposed to handle the threat.
     
  10. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,374
    You can achieve that by editing the context menu scan profile and setting the cleaning level to none. At the end of a scan you will be prompted to select an action for each of the detected files.
     
  11. vtol

    vtol Registered Member

    Joined:
    Apr 8, 2010
    Posts:
    774
    Location:
    just around the next corner
    good to know that it is there, just extremely hard to find and to know what is actually achieved by each preset profile as the NOD help does not offer much insight.

what are the differences between the 3 preset profiles context menu scan, in-depth scan and smart scan? I doubt that there is any with regard to what the user is presented upon the detection of a threat from a manual scan; the profiles differ only in targets and scan methods, which can be altered to the user's liking. However, for the user notification/intervention the cleaning level seems to be relevant. In each profile there is the same choice of 3 cleaning levels, all of them stating 'may be displayed' - so who is to decide whether it may or may not?

    30-10-2010 13-45-07.png

    and in this case the cleaning level was set to 1 (slider in the middle), which as far as said should have attempted an automatic clean or delete, but it did not - just did nothing - Note for Marcos - could be a bug in the exe/dll DEV builds
     
    Last edited: Oct 30, 2010
  12. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,374
    Context menu scan - a scan run via the right-click context menu. There are two options in the context menu related to scanning by default: "Scan with %ProductName%" and "Advanced options -> Clean files". While the former merely triggers a scan without taking any action if malware is found, the latter triggers cleaning according to the cleaning mode set for the context menu profile.
    The order of the scan / clean option as well as their appearance in the context menu can be customized in the main setup -> User interface -> Context menu.
    As for the problem with not getting a prompt window when cleaning the archive in question after selecting "Clean files" from the context menu, I'm yet to reproduce it with the module on the pre-release servers which is responsible for deciding about actions on infected files.

    In-depth scan - a scan of all drives with all settings enabled. The settings can be altered but not saved to retain the purpose of that profile.

    Smart scan - a scan of all drives with settings pre-defined by the vendor or later altered by the user.

    As for various cleaning levels, "None cleaning" means that the user will be prompted for an action at the end of a scan if threats are found. "Standard cleaning" (the middle slider position) cleans/deletes files automatically unless they fulfill certain conditions when the program cannot decide itself if it's safe to delete a file (e.g. if it's a system file infected with a virus or an archive containing clean files besides an infected file). "Strict cleaning" should delete archives also containing clean files without prompting the user.
     
    Last edited: Nov 1, 2010
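As an added illustration of the three cleaning levels described in the post above, the following script models that decision policy in code. It is not ESET's code: the in-memory jar, the constructed marker string used in place of a real signature match, the detection name and the `is_system_file` flag are all assumptions made for the example. It shows why a jar that mixes clean members with one infected member ends in a prompt under standard cleaning but is deleted under strict cleaning.

```python
import io
import zipfile
from enum import Enum


class CleaningLevel(Enum):
    """The three slider positions named in the post."""
    NONE = "No cleaning"
    STANDARD = "Standard cleaning"
    STRICT = "Strict cleaning"


class Action(Enum):
    NO_ACTION = "no action (nothing detected)"
    PROMPT = "prompt user for an action"
    CLEAN = "clean/delete automatically"


# Constructed marker standing in for a real signature; any archive member
# containing this byte string is treated as "infected" by this toy scanner.
CONSTRUCTED_MARKER = b"CONSTRUCTED-TROJANSMS-MARKER"
DETECTION_NAME = "variant of J2ME/TrojanSMS.Konov.L (constructed match)"


def scan_archive(jar_bytes):
    """Scan every file inside a jar/zip; return {member_name: detection or None}."""
    results = {}
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            content = zf.read(info.filename)
            results[info.filename] = DETECTION_NAME if CONSTRUCTED_MARKER in content else None
    return results


def decide_action(level, member_results, is_system_file=False):
    """Apply the cleaning-level policy to per-member scan results.

    - No cleaning: always prompt when something is found.
    - Standard: clean automatically unless the object is a system file or an
      archive that also holds clean members (then the program cannot decide
      on its own and prompts).
    - Strict: delete even archives that also contain clean files.
    """
    infected = [m for m, d in member_results.items() if d is not None]
    if not infected:
        return Action.NO_ACTION
    if level is CleaningLevel.NONE:
        return Action.PROMPT
    if level is CleaningLevel.STANDARD:
        has_clean_members = any(d is None for d in member_results.values())
        if is_system_file or has_clean_members:
            return Action.PROMPT
        return Action.CLEAN
    return Action.CLEAN  # CleaningLevel.STRICT


def build_sample_jar(include_clean_member=True):
    """Constructed sample: an in-memory jar with an optional clean manifest
    plus one member carrying the constructed marker."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        if include_clean_member:
            zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        zf.writestr("a.class", b"\xca\xfe\xba\xbe" + CONSTRUCTED_MARKER)
    return buf.getvalue()


def triage(jar_bytes, level, is_system_file=False):
    """Scan the archive and return (per-member results, chosen action)."""
    results = scan_archive(jar_bytes)
    return results, decide_action(level, results, is_system_file)


if __name__ == "__main__":
    sample = build_sample_jar()
    for level in CleaningLevel:
        results, action = triage(sample, level)
        print(f"{level.value:18s} -> {action.value}")
```

Running it prints one line per cleaning level for the mixed jar; swapping in `build_sample_jar(include_clean_member=False)` shows that standard cleaning then removes the archive without a prompt, which matches the "cannot decide itself" rule in the post.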
  13. tipo

    tipo Registered Member

    Joined:
    Dec 29, 2008
    Posts:
    408
    Location:
    romania
that's why you should think of a different approach to your PC security....
     
  14. vtol

    vtol Registered Member

    Joined:
    Apr 8, 2010
    Posts:
    774
    Location:
    just around the next corner
    your point being after reading the entire thread?
     