What more should I do?

Discussion in 'other anti-virus software' started by Macstorm, Feb 21, 2007.

Thread Status:
Not open for further replies.
  1. Macstorm

    Macstorm Registered Member

    Joined:
    Mar 7, 2005
    Posts:
    2,531
    Location:
    Sneffels volcano
    I'm a diehard Kaspersky AV user from about 2 years back, however.....I was trialing nod32 until yesterday when I downloaded a .rar file which came up 'clean' for the up-to-date nod32, then to be double safe, I scanned this compressed file with the Kasp online file scanner and guess what? infected by 'Trojan.Win32.Autoit.ac' :eek:

    Next, I went to VirusTotal & Jotti virus online services:

    ~snipped VirusTotal & Jotti results per policy~

    I already did my homework and have sent the infected file to Eset but according to above online services they still don't appear to have released the proper update as today yet. What more should I do?

    I'm back to Kaspersky.

     
    Last edited by a moderator: Feb 22, 2007
  2. MalwareDie

    MalwareDie Registered Member

    Joined:
    Dec 8, 2006
    Posts:
    500
    Just wait patiently. It could be a false positive, but I wouldn't know for sure.
     
  3. Macstorm

    Macstorm Registered Member

    Joined:
    Mar 7, 2005
    Posts:
    2,531
    Location:
    Sneffels volcano
    But...a false positive already detected by other AVs o_O

     
  4. NAMOR

    NAMOR Registered Member

    Joined:
    May 19, 2004
    Posts:
    1,526
    Location:
    Arkham Asylum
    It's possible. Look at some of the scanners that detect it: a couple of them are using the same engine (F-Secure = Kaspersky, or F-Prot = Authentium).
     
  5. Macstorm

    Macstorm Registered Member

    Joined:
    Mar 7, 2005
    Posts:
    2,531
    Location:
    Sneffels volcano
    Still seems strange to me as others also detect it as infected, CAT-QuickHeal, eSafe (yeah I know it's kav engine), Fortinet, Ikarus, McAfee, Sunbelt, VirusBuster... o_O

     
  6. IBK

    IBK AV Expert

    Joined:
    Dec 22, 2003
    Posts:
    1,819
    Location:
    Innsbruck (Austria)
    eSafe is not KAV engine. eScan uses KAV engine.
     
  7. Macstorm

    Macstorm Registered Member

    Joined:
    Mar 7, 2005
    Posts:
    2,531
    Location:
    Sneffels volcano
    Yeah I already knew about eScan but I understand that Aladdin's eSafe also uses kav engine o_O

    http://www.aladdin.com/esafe/content_security.asp

    This would also explain why eSafe detects the infected file as 'Win32.Autoit.ac', just like KAV.

     
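The point NAMOR and IBK make above (several scanners licensing the same engine inflate a multi-scanner hit count) can be checked mechanically. The following is an added example, not code from the thread or from any of the vendors named; the scanner-to-engine map is an assumption built only from what the posters state (F-Secure and eScan use the Kaspersky engine, F-Prot and Authentium share one), eSafe is left as its own family because the thread disputes it, and the sample report is constructed.

```python
"""Collapse multi-scanner verdicts by underlying engine (added example)."""
from collections import defaultdict

# Assumed scanner -> engine family map, taken from the thread's own claims.
# Anything not listed is treated as an independent engine.
ENGINE_FAMILY = {
    "Kaspersky": "Kaspersky",
    "F-Secure": "Kaspersky",
    "eScan": "Kaspersky",
    "F-Prot": "Authentium",
    "Authentium": "Authentium",
}

# Verdict strings that mean "nothing found" in typical multi-scanner output.
CLEAN = {"", "-", "clean", "nothing found", "no virus found"}


def family_of(scanner):
    """Unknown scanners are assumed to be their own engine family."""
    return ENGINE_FAMILY.get(scanner, scanner)


def group_by_engine(results):
    """Map engine family -> {scanner: verdict} for scanners that flagged the file."""
    grouped = defaultdict(dict)
    for scanner, verdict in results.items():
        if verdict.strip().lower() in CLEAN:
            continue
        grouped[family_of(scanner)][scanner] = verdict
    return dict(grouped)


def count_independent(results):
    """Number of distinct engine families that flagged the file."""
    return len(group_by_engine(results))


# Constructed sample in the style of a multi-scanner report (not real output).
SAMPLE = {
    "Kaspersky": "Trojan.Win32.Autoit.ac",
    "F-Secure": "Trojan.Win32.Autoit.ac",
    "eScan": "Trojan.Win32.Autoit.ac",
    "McAfee": "PLACEHOLDER-VERDICT",  # hypothetical detection name
    "NOD32": "-",
    "F-Prot": "-",
    "Avira": "-",
}

if __name__ == "__main__":
    for fam, hits in group_by_engine(SAMPLE).items():
        print(f"{fam}: {len(hits)} scanner(s) -> {hits}")
    print("independent engines:", count_independent(SAMPLE))
```

Four scanners flag the constructed sample, but only two independent engines do, which is the number worth weighing when deciding whether a verdict is corroborated.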
  8. dawgg

    dawgg Registered Member

    Joined:
    Jun 18, 2006
    Posts:
    817
    No AV is 100% effective, and most AVs also have the odd FP here or there.
    If you think it's a FP, compress the file in a .rar or .zip archive and e-mail it to Kaspersky's VirusLab... newvirus@kaspersky.com... also title the subject of the e-mail "Possible False Positive" and you should receive a reply soon on whether it's a FP or malware.
     
  9. Mrkvonic

    Mrkvonic Linux Systems Expert

    Joined:
    May 9, 2005
    Posts:
    8,696
    Hello,
    You could be patient. Re-upload that file again in a week. See what comes up. Send it for analysis to several vendors. Ditching your AV based on this would-be incident is not a very wise thing. If so, I should have ditched computers a long time ago. For example, one system error - you buy a new computer?
    Mrk
     
  10. Macstorm

    Macstorm Registered Member

    Joined:
    Mar 7, 2005
    Posts:
    2,531
    Location:
    Sneffels volcano
    Strange thing here is that several virus scanners (not sharing the KAV engine) also detect it as malware. After I've reinstalled KAV, it won't even allow me to download the compressed file and detects it as infected by 'Trojan.Win32.Autoit.ac' http://www.viruslist.com/en/viruses/encyclopedia?virusid=146300

    I sent the file to KL and I'm waiting for their response.

     
  11. Macstorm

    Macstorm Registered Member

    Joined:
    Mar 7, 2005
    Posts:
    2,531
    Location:
    Sneffels volcano
    I don't think so, my only choices would be mac & linux :shifty: but with the AVs is another story :D

     
  12. Macstorm

    Macstorm Registered Member

    Joined:
    Mar 7, 2005
    Posts:
    2,531
    Location:
    Sneffels volcano
    Response from Kaspersky's Virus Lab:

    ~Private email removed. - Repost the info without the private email. Ron~
     
    Last edited by a moderator: Feb 22, 2007
  13. lodore

    lodore Registered Member

    Joined:
    Jun 22, 2006
    Posts:
    9,006
    NOD32 missed one trojan, big deal. Don't change your antivirus because of it or distrust Eset.
    lodore
     
  14. Macstorm

    Macstorm Registered Member

    Joined:
    Mar 7, 2005
    Posts:
    2,531
    Location:
    Sneffels volcano
    Private e-mail was removed by admin, sorry.

    Kaspersky's Virus Lab analyst returned and has confirmed the file is indeed infected, as reported above.
     
  15. Macstorm

    Macstorm Registered Member

    Joined:
    Mar 7, 2005
    Posts:
    2,531
    Location:
    Sneffels volcano
    No, I was just trialing nod32 for about two weeks. I'm a long time Kaspersky user.
     
  16. TonyW

    TonyW Registered Member

    Joined:
    Oct 12, 2005
    Posts:
    2,634
    Location:
    UK
    Since you were trialling NOD and Kaspersky confirmed this file is infected, have NOD now updated their definitions to detect same?
     
  17. Macstorm

    Macstorm Registered Member

    Joined:
    Mar 7, 2005
    Posts:
    2,531
    Location:
    Sneffels volcano
    Not yet (according to virustotal & virusscan.jotti). These online virus scan services still return the same results as above o_O
     
  18. dawgg

    dawgg Registered Member

    Joined:
    Jun 18, 2006
    Posts:
    817
    Maybe no other AV has discovered it or bothered adding it to detections (other than those which you posted before).
    At the end of the day, it's confirmed and it's malicious, just delete it.
     
  19. Macstorm

    Macstorm Registered Member

    Joined:
    Mar 7, 2005
    Posts:
    2,531
    Location:
    Sneffels volcano
    This is exactly what I did from the very first time, after the Kaspersky online virus scanner and the other online scan services detected it. Then I reinstalled KAV 6, redownloaded the file (I had to pause KAV protection first) and sent the file to the Kaspersky, Eset and Avira labs. Only Kasp replied and confirmed it is a trojan.
     
  20. Firecat

    Firecat Registered Member

    Joined:
    Jan 2, 2005
    Posts:
    7,927
    Location:
    The land of no identity :D
    The problem is that McAfee and Kaspersky are (in my experience) the only vendors who will pay considerable attention to sample submissions even if the user does not use their product. For others, you need to show them your license key and prove that you are a user of their product in order for your submission to be processed.
     
  21. Mrkvonic

    Mrkvonic Linux Systems Expert

    Joined:
    May 9, 2005
    Posts:
    8,696
    Hello,
    I have sent a FP sample to AVG. I got a very nice and polite reply less than 24 hours later - and the database was updated accordingly. Very clean and professional.
    Mrk
     
  22. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
  23. Firecat

    Firecat Registered Member

    Joined:
    Jan 2, 2005
    Posts:
    7,927
    Location:
    The land of no identity :D
  24. Macstorm

    Macstorm Registered Member

    Joined:
    Mar 7, 2005
    Posts:
    2,531
    Location:
    Sneffels volcano
    I have just received a reply from Avira:
    Okay, Kaspersky replied and confirmed it is infected by 'Trojan.Win32.Autoit.ac' but Avira says it's clean.

    I'm stumped o_O
     
  25. dawgg

    dawgg Registered Member

    Joined:
    Jun 18, 2006
    Posts:
    817
    Sometimes there's a crossover on what AVs consider malicious or not.... could be the reason o_O
     