virus attack undetected

Discussion in 'NOD32 version 2 Forum' started by ruulf, Jan 29, 2004.

Thread Status:
Not open for further replies.
  1. ruulf

    ruulf Registered Member

    Joined:
    Nov 23, 2003
    Posts:
    7
    I was attacked last Monday by malware (Adclicker O or Troj Winpup.A) and my software didn't protect me. I run Win XP Home, with Ad-aware and Spybot installed, plus SpywareBlaster and SpywareGuard and of course NOD32 with the latest updates. I have a hardware firewall (router) and Sygate Personal Firewall.

    All other antivirus products, like NAV or McAfee, detect this kind of threat, but NOD32 didn't. I switched from NAV 2003 to this antivirus because it was highly recommended. Now I'm kind of disappointed. When I detected the pup.exe and outer.exe in the Program Files folder I became suspicious and downloaded Trojan Hunter. The Trojan was found and deleted. :D
     
  2. The run-around answer which I assure you will receive is:

    "Nod32 is not an anti-trojan but an anti-virus blah blah blah blah" - a nice excuse said way too many times.
     
  3. Randellx5

    Randellx5 Registered Member

    Joined:
    Oct 11, 2003
    Posts:
    4
    "Nod32 is not an anti-trojan but an anti-virus blah blah blah blah"

    But... then again, that's correct, isn't it? If Nod32 were able to detect every trojan in the wild, so to speak, it would then be an anti-trojan rather than an anti-virus program, would it not? Different anti-virus programs have varying capabilities in detecting various trojans, but to expect them to perform as well as the 2 or 3 top anti-trojan programs is not too realistic. Is it a fact that Norton or McAfee would have detected the SPECIFIC trojan in question?

    Take care... Randellx5
     
  4. Paul Wilders

    Paul Wilders Administrator

    Joined:
    Jul 1, 2001
    Posts:
    12,472
    Location:
    The Netherlands
    NOD32 is indeed first and foremost an ITW Antivirus - with a very fast growing trojan/backdoor database. In this context please consider:

    • Adclicker O is spyware first and foremost, sort of a "page hitter" generating clicks and therefore revenues.
    • WinPup A is an adware component generating large amounts of pop-up advertisements, coming with for example software called "Free History Cleaner" which states in the EULA: "...you expressly allow FHC to redirect 404, DNS and other pages, and show you advertisement windows from time to time".

    Although there is a tendency for antiviruses to target spyware etc. as well, it's not common practice as for now. NOD32 is focused on ITW viruses first and foremost, and doing the best job according to the VB 100% Awards.

    Some antiviruses do detect the ones mentioned - and even the ones mentioned are not able to detect all similar nasties, FYI.

    IMHO you shouldn't: NOD32 does provide you with the best ITW protection - far better than NAV 2003.

    Layered defense is IMO always the way to go. Each piece of software is specifically designed to cope with what it's aiming at. Layered defense comes with the additional pro that you don't put all eggs in just one basket.

    regards.

    paul
     
  5. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,376
    It would have been good to send those files to Eset for analysis. Also, it would be very helpful to tell under what exact name the trojans were identified by Trojan Hunter.
    (we've searched our database and found out that this file is created by the Win32/Revop.A trojan which NOD32 has detected as of version 1.605) There are plenty of possible reasons, but it's hard to tell unless we analyse the file (the most likely reason is that it was a slightly different variant).
     
  6. spm

    spm Registered Member

    Joined:
    Dec 9, 2002
    Posts:
    437
    Location:
    U.K.
    This thread, like many others on this forum, clearly demonstrates, in my opinion, a gulf of understanding between the A/V vendors and those that defend their view on the one hand, and the 'average' user on the other.

    Now, before anyone prepares to flame me for these views, let me state categorically that I believe NOD32 to be the best of the bunch at performing its primary role (as established by Eset) - that of detecting and isolating ITW viruses - and, despite some of the product's deficiencies, I am a proud NOD32 licence holder. I am also a believer in layered defences, and I am a sophisticated user (and MD of a software development company) who understands the security implications of working with the internet.

    The vast majority of users (the 'average' user, say) are not as computer literate as some who frequent here, and most do not appreciate the nature or implications of the various types of threat that exist. That is how it is, and how it should be.

    So, why should vendors and their defenders, therefore, respond to a user whose expectations are failed by a product (as ruulf's were here) by effectively blaming him/her for their lack of knowledge about different types of threat, and wondering why they haven't installed layered defences or other products to fill what that user perceived as a shortcoming?

    I find it a little distasteful, in fact. Why should a user be required to understand the distinctions between, say, viruses, trojans, worms, spyware, adware, etc.? To some extent, these distinctions are arbitrary and only exist for the convenience of vendors, to the detriment of the average user.

    What happened to the concept of software that filled *user* needs and expectations, rather than those of a vendor?

    When a vendor (or those 'in the know') responds by telling the user that his/her expectations are the cause of their downfall, I can only conclude that the vendor has a great deal to learn. For instance, at what point do Eset and its suppliers ever tell the unwary customer or prospect something along the lines of "while NOD32 is unparalleled in the protection it gives you against ITW viruses, there are other types of threat that you may be subjected to while using the internet, and we advise you also to consider supplementing your security measures with software that protects against other common types of threat, such as trojans. See xxx for a discussion of these issues"?

    I see nothing in such a statement that would adversely affect Eset's sales: on the contrary, it might actually give their customers a sense of contentment that they are dealing with a vendor who understands their needs, and the issues of working with the internet as a whole. It will also serve to gently educate the average user about the issues involved.
     
  7. sig

    sig Registered Member

    Joined:
    Feb 9, 2002
    Posts:
    716
    Unfortunately many users expect AVs to be the all-in-one solution because AV vendors have encouraged people to think so. I rather like your suggested blurb as it would assist in educating users as to the other dangers out there and the value of a layered approach to security issues. The user would be better informed and better served.

    But most vendors are more into promoting their product (and telling people that theirs is "the best") rather than educating their users. No surprise then that users get upset when their chosen product apparently fails to provide the kind of protection they've been led to expect.

    Spyware, browser hijackers and things of that sort increasingly are the type of malware that Windows users are most likely to encounter in ordinary use on the Internet (if they're browsing with IE on default settings, as undoubtedly most users do). Although people might see news reports about worm outbreaks and be repeatedly told not to open unknown email attachments, there's not a lot of info in the mass media about the increasing scourge of spyware/hijackers and how to avoid them. And some of these can muck up a PC more and be more difficult to get rid of than some of the more "traditional" malware. The AVs are now somewhat picking up on these kinds of infestations, but still much is not covered. And whenever missed trojans or spyware are discussed here one is inevitably reminded that NOD is an "anti-virus."

    But a glance at the sig definitions reveals that the days of the "pure" antivirus are long gone in a world of varied threats and considerably fewer viruses. While I don't expect an AV to cover everything all the time (and am naturally skeptical of anything that claims to do so), still it wouldn't hurt, in my opinion, if ESET would provide more information about their product, their reasons (or philosophy) for their particular approach in designing NOD to work as it does (since many still find it a tad peculiar when compared to some other AVs), its strengths, and also how people can better protect themselves against a variety of threats by adopting a layered approach. Instead of just saying, we're the best, use our product and you're good to go. But I suppose it's easier to chide disappointed users when the product doesn't perform up to heightened expectations.

    Alas I don't expect your suggestion will be adopted, although it really would be an innovative PR move IMO.
     
  8. optigrab

    optigrab Registered Member

    Joined:
    Nov 6, 2002
    Posts:
    624
    Location:
    Brooklyn/NYC USA
    Bravo, Steve Moss. Applause. :) Further agree with Sig.

    Regards,
    Optigrab
     
  9. tempnexus

    tempnexus Registered Member

    Joined:
    Apr 16, 2003
    Posts:
    280
    I am a happy nod32 user and have been for over 2 years, but sadly over the 2 years I have seen viruses and some trojans get by nod32 detection (yes, I've submitted them all) while some others detected them (most of the time it was KAV). The reason why I use the Nod32 RealTime engine is its low impact on resources. Thus I do not trust Nod32 fully; I mean no one should trust one AV company completely (even though one should :( ). Thus I also have a license for KAV, Norton, AVG and BitDefender, which are run as on-demand scanners and scheduled weekly scanners. (I download lots of malware for testing, that's why I need a few AVs on my PC in order to see what detects what and to whom I should send.)
    I would have a bit more respect for a company which says "Sorry we goofed, the defs will be up in a jiffy, you know no one is perfect", as opposed to defending their product with blood and bones.

    P.S.
    Don't get me wrong, I like Nod32; I just no longer have full confidence in its detection capabilities (at least not as much as some other people here). But then again no one AV is perfect; one will detect this while another won't, so there is no clear winner here. The only thing NOD32 is the clear winner at (so far) is its low resource usage.
     
  10. ruulf

    ruulf Registered Member

    Joined:
    Nov 23, 2003
    Posts:
    7
    Hi,

    Thanks for all your comments. This was not about which is the best AV, since all have deficiencies in one way or another.

    I wanted to share my experience with the board, read your opinions and gain more knowledge. Isn't this the purpose?

    Anyway, I was contacted by Nod32 tech support today, and I have already submitted the files for analysis. They don't know why the attack wasn't detected, since the software should protect against Winpup.B or Winpup.A. That's the good news. As soon as I receive the results, I will share them with the board.

    Keep up the good work, Paul and Marcos.

    ruulf
     
  11. Paul Wilders

    Paul Wilders Administrator

    Joined:
    Jul 1, 2001
    Posts:
    12,472
    Location:
    The Netherlands
    ruulf,

    Right on spot - glad to see you put the thread back on subject ;)

    It is indeed - and even more.

    By all means ;)

    regards.

    paul
     
  12. spm

    spm Registered Member

    Joined:
    Dec 9, 2002
    Posts:
    437
    Location:
    U.K.
    Paul:

    I have to say I am very disappointed in you. It would be easy to surmise from your post that you would rather suppress material that doesn't suit you personally. I do hope that is not the case.

    Instead of taking this ingenuous position, why don't you address the issues I raised with respect, instead of trying to dismiss them?

    I will be perfectly happy to start a new thread with the same content, that will then not be 'off subject'.
     
  13. Paul Wilders

    Paul Wilders Administrator

    Joined:
    Jul 1, 2001
    Posts:
    12,472
    Location:
    The Netherlands
    Sorry to hear so, Steve.

    It's not the case ;)

    I fail to see disrespect in my answer, or dismissing the issues raised. Overall, I'm expressing my strong belief in layered defense.

    In case you feel the need: by all means. Since this doesn't seem to be a NOD32/Eset issue, but an issue about my person taking a stance overall and therefore a personal matter, a more appropriate forum to start a new thread seems the way to go.

    regards.

    paul
     
  14. MorrisAO

    MorrisAO Registered Member

    Joined:
    May 31, 2003
    Posts:
    14
    Location:
    Perth, Western Australia
    Like most people who in the beginning had no clue about these things, I've had to educate myself to a certain point to protect myself online. In the end, if I don't take advantage of the tools available then I only have myself to blame if my machine gets infected with any of the nasties the low species out there would like to get on my machine. So I read up and have done my best to secure my 'puter with the best I could find that are also within my budget. So I have Nod32 for AV, TDS3 for anti-trojan, Ad-aware and SpyBlaster for spyware. In the end though I still insist on viewing all email coming in to me on the server before downloading because I still don't trust any program to do it all for me. The best defence against these things is ourselves - using a good dose of common sense.
     