Why is it still "unknown"?

Discussion in 'NOD32 version 2 Forum' started by gue_st, Jan 20, 2006.

Thread Status:
Not open for further replies.
  1. gue_st

    gue_st Guest

    Just one example - NOD32 detects it as *Probably unknown NewHeur_PE virus* and says that *File is probably infected with an unknown virus*.

    Actually it is *Trojan-Spy.Win32.Agent.ji* in Kaspersky classification and was added to the database on 01.01.2006.
    I can hardly believe that it is still really unknown to Eset virus analyzers. So, to whom is it still unknown?

    Of course, there may be no reason to bloat database with less important signatures, if they are detected heuristically (except that quite a few users might have disabled heuristics due to NOD behaviour, mentioned in the thread that didn't go anywhere).
    But then again, if it is the case, there is no need to call them *unknown*.
    Could be *heuristically detected*, *not listed in the database* or anything similar.

    Otherwise, one might think that there is some shortage of knowledge at Eset.:D
     
  2. dvk01

    dvk01 Global Moderator

    Joined:
    Oct 9, 2003
    Posts:
    3,131
    Location:
    Loughton, Essex. UK
    There are a couple of reasons off hand I can easily think of why NOD might still be detecting it as unknown PE:
    1. It is a low risk & low spreading threat, so as the heuristics detect it and protect NOD users, it is not so important to add signatures quickly.
    2. No-one has yet bothered to send a sample to NOD to add the signature.

    Remember NOD is written & developed in Eastern Europe, so the developers and a lot of its users might not have the grasp of the English language you have, so "unknown" to them in translation means the same as anything you have mentioned.
     
  3. flyrfan111

    flyrfan111 Registered Member

    Joined:
    Jun 1, 2004
    Posts:
    1,224
    It is true that Eset puts a higher priority on signatures for stuff not detected at all and then on identifying things picked up by heuristics. Having said that, I agree that 3 weeks should be enough time to get something added. While it is ok to use AH to buy some time to compile a definition, it shouldn't take 3 weeks either. But as dvk said, how long has Eset had the file? That is unknown at this point; was it sent to them at all?
     
  4. steve1955

    steve1955 Registered Member

    Joined:
    Feb 7, 2004
    Posts:
    1,384
    Location:
    Sunny(in my dreams)Manchester,England
    As I've said in other threads:-I think Eset seems to be relying on AH picking up threats rather than adding sigs:-I for one would be happier if sigs were added more frequently, then we'd get less of the "unknown" description of malware.
     
  5. pykko

    pykko Registered Member

    Joined:
    Apr 27, 2005
    Posts:
    2,236
    Location:
    Romania...and walking to heaven
    Well, for me it's ok to detect them heuristically. ;)

    The most important issue is to add viruses not detected at all.
     
  6. steve1955

    steve1955 Registered Member

    Joined:
    Feb 7, 2004
    Posts:
    1,384
    Location:
    Sunny(in my dreams)Manchester,England
    So you'd be happy for everything to be listed as "unknown"? I'm not saying I don't like things being stopped using heuristics initially, but I would like sigs added to cover these threats as well as the threats that are not picked up heuristically:-after all, how do we know if everything "unknown" is a threat or just a false +ve?:-I would like to see what threat is being blocked by name.
     
  7. dvk01

    dvk01 Global Moderator

    Joined:
    Oct 9, 2003
    Posts:
    3,131
    Location:
    Loughton, Essex. UK
    If users sent to Eset every "unknown" file that is heuristically detected, then I'm sure they would soon add them.
    Unfortunately many users don't bother, so Eset never know that anything has been found.

    If Eset get several copies of a file then they know it's spreading and take suitable action.

    I know several "victims" who click NO when NOD says to send an infected file because they don't realise how important it is.
     
  8. gue_st

    gue_st Guest

    At least partly it may be because of the odd behaviour of NOD32 if ThreatSense is enabled. The first time I did not want to submit a detected sample, it didn't stop bugging me until it was permanently off. And, at least here, with ThreatSense disabled, it will not submit anything, even if I click the *submit* button. Do you always have time to submit it manually?
    For me it is just another lack of logic in the design, and unfortunately Eset does not want to listen if I suggest something. In answer I usually get a hint that NOD32 is the best, and I can only deduce that no changes are necessary, because everybody's happy.

    But let's imagine this - what if it is a virus not detected by AH (it could happen, at least theoretically?). Then there will be no prompt to submit, and this virus will stay undetected forever?
    Of course, there is somebody at Eset (or, at least, there should be:D) who knows about new viruses without somebody submitting them - no matter whether detected or not. In the end, if there is no other way, it is not so difficult to check the Kaspersky database...:D
     
  9. dvk01

    dvk01 Global Moderator

    Joined:
    Oct 9, 2003
    Posts:
    3,131
    Location:
    Loughton, Essex. UK
    Gue_st

    That is the most illogical comment I have ever heard.

    You are complaining that NOD detects an unknown, and when you are asked to submit it for examination you refuse, and then continue complaining when NOD continues to detect it as unknown.

    This is just nonsense and you know it and are just trolling.
    Every AV will miss some viruses and NOD is no exception. Without getting into the usual who-is-better contest, I can give hundreds of examples of recent viruses/worms/trojans that KAV didn't detect but NOD did, as well as the reverse, but once they had been submitted both (and most others) do detect.

    Enough is enough, and if you have no proper constructive comments or serious requests for support, I for one will not be replying to your posts, which now appear to be designed to inflame rather than ask for help or support or inform about NOD.
     
  10. Happy Bytes

    Happy Bytes Guest

    Yup, you hit the nail. And he shouldn't expect any answers from Marcos and/or me, because this is just a waste of time. If you refuse to refuel your car at the gas station and start complaining 45 min later that you got stuck without petrol in the desert that's just ridiculous.

    The difference is here: If you HAVE THIS VIRUS and you refuse to send it don't blame others if they do not have a proper name for this - because most likely nobody else got infected by this.
     
  11. YeOldeStonecat

    YeOldeStonecat Registered Member

    Joined:
    Apr 25, 2005
    Posts:
    2,345
    Location:
    Along the Shorelines somewhere in New England

    NOD32 is known to use heuristics more than other AV programs, rather than leaning on a massive database. If you don't like how heuristics work, if "not giving a potentially bad file an exact name" causes you to lose sleep and chew your fingernails down to the quick...then maybe NOD32 isn't for you.
     
  12. steve1955

    steve1955 Registered Member

    Joined:
    Feb 7, 2004
    Posts:
    1,384
    Location:
    Sunny(in my dreams)Manchester,England
    That's a thing I will be considering when renewal is due!:-It's not that I don't like NOD or heuristics, it's just that Eset seem to be depending on them more and more to catch things rather than updating the sigs. There was a thread, not that long back, where NOD still didn't detect a nasty almost 3wks after KAV did (https://www.wilderssecurity.com/showthread.php?t=114729). I thought most AV companies subscribed, if that's the correct term, to a kind of central body that informed every company of threats submitted to any of them with a view to keeping the end user protected:- so you can't blame NOD users not submitting samples for all delays in detection (the sample in the thread mentioned HAD been submitted to Eset approx 1 month earlier!)
     
    Last edited: Jan 24, 2006
  13. NOD32 user

    NOD32 user Registered Member

    Joined:
    Jan 23, 2005
    Posts:
    1,766
    Location:
    Australia
    Do you ever recall reading that signatures are added on a priority basis - something that NOD32 detects via heuristics may not be near the top of the list, since you're already protected :)
     
  14. steve1955

    steve1955 Registered Member

    Joined:
    Feb 7, 2004
    Posts:
    1,384
    Location:
    Sunny(in my dreams)Manchester,England
    Priority? Over 4 weeks being undetected by heuristics until a sig was added:-next you'll be saying it wasn't high priority because it was deemed a dangerous threat (unless of course you're one of the people that gets it on their PC and has had info stolen! It would seem quite an important threat then!)
    It just seems that the developers at Eset (I do hope I am wrong in this) seem to be taking the view of a lot of users:-That AH can deal with almost everything.
     
    Last edited: Jan 24, 2006
  15. NOD32 user

    NOD32 user Registered Member

    Joined:
    Jan 23, 2005
    Posts:
    1,766
    Location:
    Australia
    Actually steve1955, that is quite true.
    Of course it is better when signatures for undetected things are added sooner rather than later. Adding signatures for Viruses has priority over malware for a start....
    In any case I was speaking about the topic of THIS thread - a virus that IS detected...:)
     
  16. Betimi

    Betimi Guest

    Still, it doesn't matter. I think if a user sends a file, whether it is a false alarm or he wants it added, and the Eset Labs take more than 3-4 weeks, that is so bad.
    A user should not wait 3-4 weeks; sometimes it takes only 3-4 days, but still.
     
  17. steve1955

    steve1955 Registered Member

    Joined:
    Feb 7, 2004
    Posts:
    1,384
    Location:
    Sunny(in my dreams)Manchester,England
    Sorry for bringing up parts of another thread into this one, one that seems unpalatable to you, but it was introduced by YeOldeStonecat, who was actually defending NOD!
    I really would like NOD to be the best AV there is bar none, and just feel quicker updates could go some way towards this.
    AH+quick updates(should)=unparalleled detection(hopefully)
     
  18. Itsme

    Itsme Registered Member

    Joined:
    Jan 31, 2004
    Posts:
    148
    Anyway
    I don't care how a virus is found, AH or signature. As soon as it is known I would like to see the name, to exclude the possibility of a FP before deleting the infection.
    Ciao
    Itsme
     
  19. NOD32 user

    NOD32 user Registered Member

    Joined:
    Jan 23, 2005
    Posts:
    1,766
    Location:
    Australia
    Who says it takes 3-4 days for any of this? It depends on priority...
    But yes, I agree 3-4 weeks plus sounds like a long time to wait to have an undetected sample added, even if that is because it's not a virus but a malware....
    By the way, don't you normally have to click 'accept' somewhere to get PSW.Win32.Delf.ip onto your system?
     
  20. Zeq

    Zeq Guest

    Black Friday is Looming - Nyxem Attacks Files (24.01.2006)

    The Nyxem worm, which has been spreading since the end of last week, has a destructive payload; on the 3rd of each month it overwrites Word, Excel, PowerPoint, PhotoShop, etc. files. Please run a virus check on your computer.

    Emails have the subject headings: '*Hot Movie*', 'A Great Video', 'Arab sex DSC-00465.jpg', 'eBook.pdf', '****in Kama Sutra pics', 'Fw: DSC-00465.jpg', 'Fw: Funny :)', 'Fw: Picturs', 'Fw: Sexy', 'Fwd: image.jpg', 'Fwd: Photo', 'Miss Lebanon 2006', 'My photos', 'Part 1 of 6 Video clipe', 'Re: Sex Video', 'School girl fantasies gone bad', 'The Best Videoclip Ever', 'the file', 'Word file' or 'You Must View This Videoclip!' The attachment arrives as a PIF, SCR or ZIP file, but may also be in MIME formats such as MIM, HQX, B64, BHX, UUE or UU.

    Opening the attachment infects your computer. The worm first copies itself onto the PC, infiltrates the registry, proceeds to terminate anti-virus software processes and deletes files and registry entries. It then searches the computer for email addresses it can use to distribute itself. It has been very successful to date; an Internet counter has registered more than half a million infected computers.

    Contrary to other types of malware, which integrate computers into botnets, Nyxem is designed to cause substantial damage; it has been maliciously programmed to overwrite any files with 'DMP', 'DOC', 'MDB', 'MDE', 'PDF', 'PPS', 'PPT', 'PSD', 'RAR', 'XLS' and 'ZIP' suffixes with a text file on the 3rd of each month.

    This puts any Word documents, Excel spreadsheets, PowerPoint presentations, Access databases, files archived with .zip or .rar, PDFs and Photoshop files at huge risk, as the delete process is executed on all accessible drives. This presents a particular danger to (company) networks; it only requires one infected computer to destroy all the data on the server. Users who want to prevent data loss should run a full backup on the 2nd February and scan their computers for viruses.
     
  21. Jetoni

    Jetoni Guest

    Yeah man, that's true, because in that test NOD32 detected it without adding any signatures. But do not forget that was 2 years ago; we are talking about now and the future and not going back :)
    B
     
  22. dvk01

    dvk01 Global Moderator

    Joined:
    Oct 9, 2003
    Posts:
    3,131
    Location:
    Loughton, Essex. UK
    NOD DO detect it & have from day 1 of the outbreak.

    This is one of the files:

    File: Word_Document.uu
    Status:
    INFECTED/MALWARE
    MD5 de4534f553217c2bf0532076a28a28ba
    Packers detected: UPX
    Scanner results
    AntiVir Found Worm/KillAV.GR
    ArcaVir Found nothing
    Avast Found Win32:VB-CD2
    AVG Antivirus Found nothing
    BitDefender Found Win32.Worm.P2P.ABM
    ClamAV Found Worm.VB-9
    Dr.Web Found Win32.HLLM.Generic.391
    F-Prot Antivirus Found W32/Kapser.A@mm
    Fortinet Found W32/Grew.A!wm
    Kaspersky Anti-Virus Found Email-Worm.Win32.Nyxem.e
    NOD32 Found Win32/VB.NEI
    Norman Virus Control Found Small.KI@mm
    UNA Found nothing
    VBA32 Found Email-Worm.Win32.VB.bi

    As you can see, almost every AV has a different name for it. Just because an article doesn't mention NOD doesn't mean it doesn't detect it. That article doesn't mention loads of other AVs who also detect it.
     
  23. NOD32 user

    NOD32 user Registered Member

    Joined:
    Jan 23, 2005
    Posts:
    1,766
    Location:
    Australia
    Can you provide a link for the quote you used in your post please.
    Sure, it was a year and a half back, but what has that got to do with it - it was just the first example that came to mind. There are plenty of more recent ones here in these forums. FPs are normally fixed with the next update.

    To respond to the OP, why not try quarantine rather than delete till you are quite sure, or try one of the online scans like VirusTotal to see if you can have the detection confirmed?
     
  24. NOD32 user

    NOD32 user Registered Member

    Joined:
    Jan 23, 2005
    Posts:
    1,766
    Location:
    Australia
    Exactly
     
    Last edited: Jan 24, 2006
  25. dvk01

    dvk01 Global Moderator

    Joined:
    Oct 9, 2003
    Posts:
    3,131
    Location:
    Loughton, Essex. UK
    And this is the VirusTotal scan showing other names used by other AV companies:
    This is a report processed by VirusTotal on 01/25/2006 at 01:19:14 (CET) after scanning the file "Word_Document.uu" file.
    Antivirus Version Update Result
    AntiVir 6.33.0.77 01.24.2006 Worm/KillAV.GR
    Avast 4.6.695.0 01.24.2006 Win32:VB-CD2
    AVG 718 01.24.2006 Worm/VB.6.AN
    Avira 6.33.0.77 01.24.2006 no virus found
    BitDefender 7.2 01.24.2006 Win32.Worm.VB.TB
    CAT-QuickHeal 8.00 01.24.2006 W32.Vb.Mi
    ClamAV devel-20051123 01.24.2006 Worm.VB-9
    DrWeb 4.33 01.24.2006 Win32.HLLM.Generic.391
    eTrust-InoculateIT 23.71.59 01.25.2006 Win32/Blackmal.F!Worm
    eTrust-Vet 12.4.2054 01.24.2006 Win32/Blackmal.F
    Ewido 3.5 01.24.2006 no virus found
    Fortinet 2.54.0.0 01.24.2006 W32/Grew.A!wm
    F-Prot 3.16c 01.24.2006 W32/Kapser.A@mm
    Ikarus 0.2.59.0 01.24.2006 Email-Worm.Win32.VB.BI
    Kaspersky 4.0.2.24 01.25.2006 Email-Worm.Win32.Nyxem.e
    McAfee 4681 01.24.2006 W32/MyWife.d@MM
    NOD32v2 1.1377 01.24.2006 Win32/VB.NEI
    Norman 5.70.10 01.24.2006 Small.KI@mm
    Panda 9.0.0.4 01.24.2006 W32/Tearec.A.worm
    Sophos 4.01.0 01.24.2006 W32/Nyxem-D
    Symantec 8.0 01.25.2006 W32.Blackmal.E@mm!enc
    TheHacker 5.9.2.079 01.23.2006 W32/Mywife.mime
    UNA 1.83 01.21.2006 no virus found
    VBA32 3.10.5 01.24.2006 Email-Worm.Win32.VB.bi
     
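The two multi-engine reports above make the thread's point: the same sample gets a different name from nearly every vendor, some engines miss it, and a heuristic label such as *Probably unknown NewHeur_PE virus* is not a family name at all. The following parser is an added example, not code from the thread or from ESET/VirusTotal; it reads report lines in the "Engine Version Update Result" layout quoted above (a constructed excerpt is embedded) and classifies each result as a miss, a heuristic-only hit, or a named signature hit, so a defender can compute the detection ratio and check a single vendor before deciding whether a file is a false positive.

```python
import re

# Constructed excerpt in the same layout as the VirusTotal report quoted in the thread.
# The NOD32v2 line is altered to carry the heuristic label from the opening post,
# to show how such a label is classified; the real report showed Win32/VB.NEI.
REPORT = """\
AntiVir 6.33.0.77 01.24.2006 Worm/KillAV.GR
Avira 6.33.0.77 01.24.2006 no virus found
Kaspersky 4.0.2.24 01.25.2006 Email-Worm.Win32.Nyxem.e
McAfee 4681 01.24.2006 W32/MyWife.d@MM
NOD32v2 1.1377 01.24.2006 probably unknown NewHeur_PE virus
Symantec 8.0 01.25.2006 W32.Blackmal.E@mm!enc
UNA 1.83 01.21.2006 no virus found
"""

# One line: engine, version, update date (MM.DD.YYYY), then the free-text result.
LINE = re.compile(
    r"^(?P<engine>\S+)\s+(?P<version>\S+)\s+(?P<update>\d{2}\.\d{2}\.\d{4})\s+(?P<result>.+)$"
)
MISS_LABELS = {"no virus found", "found nothing"}
HEURISTIC_MARKERS = ("probably unknown", "newheur")


def parse_report(text):
    """Return one dict per well-formed report line; malformed lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = LINE.match(line.strip())
        if m:
            rows.append(m.groupdict())
    return rows


def classify(result):
    """'miss', 'heuristic' (generic label, no family name) or 'signature' (named detection)."""
    r = result.strip().lower()
    if r in MISS_LABELS:
        return "miss"
    if any(marker in r for marker in HEURISTIC_MARKERS):
        return "heuristic"
    return "signature"


def detection_ratio(rows):
    """(engines that flagged the file, engines in the report); heuristic hits count as flagged."""
    flagged = sum(1 for r in rows if classify(r["result"]) != "miss")
    return flagged, len(rows)


def engine_result(rows, engine):
    """Result string for one engine (case-insensitive), or None if it is not in the report."""
    for r in rows:
        if r["engine"].lower() == engine.lower():
            return r["result"]
    return None


def distinct_names(rows):
    """Sorted set of family names returned by signature-level detections only."""
    return sorted({r["result"] for r in rows if classify(r["result"]) == "signature"})
```

Run against the full report from the thread, `distinct_names` shows how many aliases one worm collects across vendors, and `classify` separates the named hits from a generic heuristic label when judging a possible FP.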