WinAntivirus2009

Discussion in 'ESET NOD32 Antivirus' started by briwlls, Jul 28, 2008.

Thread Status:
Not open for further replies.
  1. briwlls

    briwlls Registered Member

    Joined:
    Nov 23, 2005
    Posts:
    25
    A client system was plagued by WindowsAntivirus2009.

    Modified the Nod32 v3 scan options to include Potentially Unwanted Applications. A full system scan didn't even find the virus and/or malware, even though popups and other obvious infections are bouncing all over the screen.

    It took a program titled SuperAntiSpyware to detect and remove the infection.

    How can the best antivirus software not catch this?
     
  2. Bakker

    Bakker Registered Member

    Joined:
    May 28, 2008
    Posts:
    90
    Also had one user yesterday who managed to get this installed; did get this message in RAS:
    Code:
    C:\WINDOWS\system32\scui.cpl	Win32/Adware.XPAntivirus application	cleaned by deleting - quarantined	Event occurred on a new file created by the application: C:\Program Files\Antivirus 2009\av2009.exe.
    But had to manually remove the application. And revoke his local admin rights :)
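The RAS line above has a fixed shape (object, detection name, action, context), and the context names the process that wrote the file. What follows is an added example written for this page, not ESET's code: it parses lines of that shape and lists parents that wrote a detected file but were never detected themselves, which is exactly the situation in the post (the dropped scui.cpl was quarantined while av2009.exe stayed on disk and had to be removed by hand). Only the first log line comes from the post; the second line, the `Detection` dataclass and the regex for the context string are assumptions made for the example.

```python
"""Triage ESET real-time scanner (RAS) log lines.

Added example, not ESET's code. The tab-separated line shape
(object, threat, action, context) is taken from the line quoted in the
post; the constructed sample log below adds a second, hypothetical line
in the same shape.
"""
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Matches the "... created by the application: X." context string; the
# trailing period is optional. The pattern is an assumption, not ESET's format spec.
_CREATOR_RE = re.compile(
    r"created by the application:\s*(?P<creator>.+?)\.?\s*$", re.IGNORECASE
)


@dataclass(frozen=True)
class Detection:
    obj: str                # file the scanner acted on
    threat: str             # detection name
    action: str             # what the scanner did
    context: str            # free-text context column
    creator: Optional[str]  # process that wrote the detected file, if logged


def parse_line(line: str) -> Optional[Detection]:
    """Parse one tab-separated RAS line; return None for lines that do not fit."""
    parts = [p.strip() for p in line.rstrip("\r\n").split("\t")]
    if len(parts) < 4:
        return None
    obj, threat, action = parts[0], parts[1], parts[2]
    context = "\t".join(parts[3:])
    m = _CREATOR_RE.search(context)
    creator = m.group("creator").strip() if m else None
    return Detection(obj, threat, action, context, creator)


def undetected_droppers(detections: Iterable[Detection]) -> List[str]:
    """Creator paths that wrote a detected file but were never detected themselves.

    A quarantined payload whose parent survives is the case where the rogue AV
    has to be removed by hand; these are the files to pull next and to submit.
    """
    detections = list(detections)
    detected_objs = {d.obj.lower() for d in detections}
    seen: List[str] = []
    for d in detections:
        if d.creator and d.creator.lower() not in detected_objs and d.creator not in seen:
            seen.append(d.creator)
    return seen


# Constructed sample log: line 1 is the post's line, line 2 is hypothetical.
SAMPLE_LOG = (
    "C:\\WINDOWS\\system32\\scui.cpl\tWin32/Adware.XPAntivirus application\t"
    "cleaned by deleting - quarantined\tEvent occurred on a new file created by "
    "the application: C:\\Program Files\\Antivirus 2009\\av2009.exe.\n"
    "C:\\WINDOWS\\system32\\av2009_tray.exe\tWin32/Adware.XPAntivirus application\t"
    "cleaned by deleting - quarantined\tEvent occurred on a new file created by "
    "the application: C:\\Program Files\\Antivirus 2009\\av2009.exe.\n"
)


def triage(log_text: str):
    """Parse a whole log and return (detections, parents that were never detected)."""
    dets = [d for d in (parse_line(ln) for ln in log_text.splitlines()) if d]
    return dets, undetected_droppers(dets)


if __name__ == "__main__":
    dets, droppers = triage(SAMPLE_LOG)
    for d in dets:
        print(f"{d.action:35} {d.obj}  <- written by {d.creator}")
    print("Undetected parents to remove/submit:", droppers)
```

Run it against an exported RAS log instead of `SAMPLE_LOG` and the list it prints is the set of parent executables worth removing and sending in as samples, since those are the ones the signature update did not cover.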
     
  3. Big Apple

    Big Apple Frequent Poster

    Joined:
    Aug 22, 2006
    Posts:
    724
    Who says it's the best?
     
  4. nonoise

    nonoise Registered Member

    Joined:
    Jun 6, 2008
    Posts:
    322
    here, here and here for example.
     
    Last edited: Aug 1, 2008
  5. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,374
    Rogue AV authors adapt very fast to famous antivirus programs and release dozens of new undetected variants on a daily basis. Just have a look at the forums of other AVs and you'll see.
     
  6. Kayracc

    Kayracc Registered Member

    Joined:
    Jul 5, 2008
    Posts:
    96
    I concur with Marcos; I find daily samples of these that have little to no detection. One sample I found yesterday had 2/35 detection at VirusTotal :)
     
  7. Big Apple

    Big Apple Frequent Poster

    Joined:
    Aug 22, 2006
    Posts:
    724
    Yes, they have a nerve.....ever since the release of version 3.0, it has never been the same as it used to be!
     
  8. Kayracc

    Kayracc Registered Member

    Joined:
    Jul 5, 2008
    Posts:
    96
    Guys, relax, NOD32 is a good AV. I have a few gripes with them, but oh well, it does its job.

    I wasn't lying when I said these rogue programs change daily.

    look at the sample i got today

    AVG - - Agent_r.H

    eSafe - - Suspicious File

    Panda - - Suspicious file

    Symantec - - SecureExpertCleaner


    no other av touches it

    While I don't think ESET responds very well to submissions, Marcos said it right one time: people like me that spam-submit items get low priority. Often I don't remember where the files came from and can give zero information.

    Chances are other AVs wouldn't have saved you either way.

    -Brian
     
  9. saberfox

    saberfox Former Poster

    Joined:
    Jul 23, 2008
    Posts:
    84
    It seems, though, that it is precisely these samples that are important and need to be processed ASAP. If you ask me, ESET is making a grave mistake by ignoring you just because you send them many samples.
     
  10. mkuntic

    mkuntic Registered Member

    Joined:
    Mar 6, 2008
    Posts:
    54
    I have only one thing to say: I'm glad I'm not in the antivirus industry.

    And here's a free hint to all: whitelisting.
     
  11. nonoise

    nonoise Registered Member

    Joined:
    Jun 6, 2008
    Posts:
    322
    What about ThreatSense - Detecting Unknown Malicious Software? Is it on holidays :)?
     
  12. YeOldeStonecat

    YeOldeStonecat Registered Member

    Joined:
    Apr 25, 2005
    Posts:
    2,345
    Location:
    Along the Shorelines somewhere in New England
    There are a lot of these recent "rogue" products slipping past over the last several months...I'm getting lots of clients getting hit by them. Most of them seem to come from the same trojan family..WinFixer/Defender2008/XPAntivirus2008/2009, etc etc. I see mentions of the Zlob trojan, Virtumonde, Smitfraud, etc.

    They seem to be slipping past many AV products.
     
  13. blomq012

    blomq012 Registered Member

    Joined:
    Jul 29, 2008
    Posts:
    1
    Re: NOD32 blocking Windows Automatic Update + Some Websites

    I have the same problem, along with Antivirus 2009 constantly popping up and asking me to install it. If you hear anything, please let me know and I will do the same. I read a post on Antivirus 2009 that said they had found a program to get rid of anti2009.
     
  14. Kayracc

    Kayracc Registered Member

    Joined:
    Jul 5, 2008
    Posts:
    96
  15. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,374
    Re: NOD32 blocking Windows Automatic Update + Some Websites

    Please send a log from ESET SysInspector to samples[at]eset.com with this thread's url and we'll help you remove it completely.
     
  16. hex_614

    hex_614 Registered Member

    Joined:
    Jul 17, 2008
    Posts:
    155
    Location:
    Manila, Philippines
    The same thing happened to me. I'm using Avira Professional 8.1 in the office, and yet I was infected by the virus and could not remove it; pop-ups always appeared whenever I clicked folders and clicked the back button. Only SAS cleaned my infected PC, and now I have changed my antivirus to AVG 8.0, which I think does well.
     
  17. Kosak

    Kosak Registered Member

    Joined:
    Jul 25, 2007
    Posts:
    711
    Location:
    Slovakia
    Hello,

    every AV misses samples today. If you want, I can send you undetected files by AVG. :D

    Regards
     
  18. pmabee

    pmabee Registered Member

    Joined:
    May 22, 2008
    Posts:
    22
    2 systems completely HOSED yesterday by this crapware, both running 3.0.669 with latest defs.

    2 False positives and 1 HUGE miss later I will be requesting a refund from ESET for this absolutely USELESS AV.

    I actually identified the exe file that the virus came in and scanned it directly with NOD32: NOTHING!! Using AVG Free, yes FREE, it immediately detected and quarantined it.

    I am horrified that I have 200 users here now who are unprotected....unless they are being attacked by Adobe Acrobat.....
     
  19. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,374
    As it's been stated above by other users, these rogue antispyware programs are frequently modified to evade detection by famous AVs. As an additional protection, ESS/EAV blocks access to the websites hosting these fraud tools, but there is still a chance one could get it from elsewhere. We have tested our collection consisting of hundreds of these fraud tools and the AV you mentioned detected just a few of them. It always depends on what files you test - there are variants that would be detected by us and missed by other AVs and vice-versa.

    Which false positive do you mean? If a false positive is sent to samples[at]eset.com with "False positive" in the subject, it's fixed quickly, usually in the next update.
    As for the huge miss, which one do you mean? Would you please be more specific?

    Would you please provide more details as to why you connect Adobe Acrobat with this issue?
     
  20. pmabee

    pmabee Registered Member

    Joined:
    May 22, 2008
    Posts:
    22
    If you aren't aware of the 2 false positives, one that was deleting Acrobat as a virus, then I'm not sure you even use NOD32. There are plenty of posts in this forum regarding the false positives; I even posted a temporary workaround for one of them.

    The HUGE miss? This WinAntivirus 2009 isn't the only thing that it drops on your system; in the package are multiple versions of Zlob and at least 5 other spyware/virus packages. For NOD32 to be running UP TO DATE and miss all of these things being dropped on to the machine, COME ON! "Best in real time detection" my a$$!

    I will be talking with my sales rep regarding a refund, any AV that misses all of that at the same time has no place here....
     
  21. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,374
    We have already explained that this was not a standard false positive and was caused by various coincidences. A file detected on one computer would not have been detected on all others, hence it passed the internal pre-release tests.

    As I have explained, no famous antivirus programs 100% detect these rogue antispyware programs, as their authors can easily adapt to the detection techniques of any AV vendor. As I have said, we detect hundreds of variants of this rogue software that the antivirus program you mentioned missed. We understand that we do not detect 100% of malware, especially these "antispyware" fraud tools, and we have never claimed to detect 100% of all malware. If you suspect your computer of being infected, you can always send a log from ESET SysInspector to samples[at]eset.com and we'll analyse it. We should be able to find any malware, even if missed by all AV scanners in the world.
    As I say, the best protection is using common sense, keeping programs up to date and avoiding running the OS in an admin user's account when not necessary. No AV program will ever guarantee that no malware will slip through it, so the users themselves must adhere to certain security rules instead of blindly believing that an AV will save them at any time. An AV program can only eliminate the risk of getting infected, but will never be able to 100% protect you from malware.

    I wonder how many users who have moved to another AV got shortly infected by malware missed by the new AV that would have been otherwise detected by their previous AV ;) At any rate, our users are free and can decide themselves what product they want to use. I think that many of our users could testify how many times NOD32 has saved them.
     
    Last edited: Jul 30, 2008
  22. Chappy

    Chappy Registered Member

    Joined:
    May 1, 2007
    Posts:
    69
    Well, I've been an avid NOD32 fan for almost 10 years and was an Independent AV tester back when Independents were still used by some of the big (nowadays) AV companies back in the day.

    I also got nailed with Zlob just yesterday and it was missed with AV 3.0.669 #3331, on a known Zlob file that has been on Google search results for almost 3 WEEKS now!!! Of course I already knew that WinAntiVirus is a known Rogue product, so that won't catch me and I could tell that the Security popups were not Windows generated.
    After removing with Malwarebytes (written by my good buddy RubberDucky...Thanx Marcin!!), I searched for the exe's and dll's I found installed by Zlob, and some of these have been known for some time now, so why haven't they been added to the NOD32 DB yet?

    Marcos, I, better than most, understand that no AV product will catch 100% of malware yet. I decompiled and studied virus/trojan/spyware injection processes on sandboxed systems for many years; I know how persistent and cunning they can be...remember the LOP.com boyz?? Those buggers released over 100 new variants a day from over 20,000 affiliate sites back in 05.

    But NOD's advanced heuristics "should" pick up on the "activity" of this one, since it does use known malware techniques. My Comodo FW (without Defense+ active) picked it up as an "exe exhibiting known malware procedures", which immediately notified me even before the 1st popup appeared. That's when I realized that NOD had missed known malicious behavior and was aghast...gasp!! My FW doesn't receive daily updates, so it has to rely upon a whitelist/blacklist of known apps and certain characteristics that this crud exhibits. So for Comodo to catch what NOD32 didn't just floors me, as I doubt their knowledge of malware behavior is as vast as Eset's should be, and the heuristics engine should have caught this.
    Another thing that bothered me is that when I scanned the known infected/dropped folder "Applications" in Program Files (x86), NOD reported it failed to open the 2 Zlob exe's because they were Locked. A fairly simple way to defeat an AV, wouldn't you say...so NOD reported it was a "Clean" scan...wow.

    I have to say that I'm a bit concerned that this Zlob trojan is not triggering something within NOD32, even without having the latest exe and dll names in the sig DB. Signature alerts are the old way of catching nasties, back when they didn't change their process names daily; they're quickly becoming obsolete in today's world of constantly transforming malware programs. Heuristics and recognized possibly unwanted behaviors are what make today's AV products able to keep up with these threats, and it's obvious that right now, the bad guys are winning this race.
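On the locked-file point in the post above (the scanner could not open two executables, yet the scan still came back "Clean"), here is an added example written for this page, not ESET's or Comodo's code, of the reporting logic a scanner should use: a file it cannot read is reported as unscanned and makes the whole run incomplete, rather than silently counting as clean. The hash blocklist, the in-memory "filesystem", the locked path and the `fake_read` reader are all constructed for the example.

```python
"""Scan verdicts that do not let an unreadable (locked) file pass as clean.

Added example, not any vendor's code. It models a trivial hash-blocklist
scanner only to show the reporting logic: a file the scanner could not open
is UNSCANNED and makes the overall run INCOMPLETE instead of counting toward
"clean". The blocklist and the in-memory files below are constructed.
"""
import hashlib
from enum import Enum
from typing import Callable, Dict, Iterable, List, Tuple


class Verdict(str, Enum):
    CLEAN = "clean"
    DETECTED = "detected"
    UNSCANNED = "unscanned"   # could not read: locked, access denied, vanished


ReadFn = Callable[[str], bytes]


def scan_file(path: str, blocklist: Dict[str, str], read: ReadFn) -> Tuple[Verdict, str]:
    """Scan one file; returns (verdict, detail). A read failure is UNSCANNED, never CLEAN."""
    try:
        data = read(path)
    except (PermissionError, OSError) as exc:
        return Verdict.UNSCANNED, f"{type(exc).__name__}: {exc}"
    digest = hashlib.sha256(data).hexdigest()
    name = blocklist.get(digest)
    return (Verdict.DETECTED, name) if name else (Verdict.CLEAN, digest[:12])


def scan(paths: Iterable[str], blocklist: Dict[str, str], read: ReadFn):
    """Scan all paths; return (overall status, per-verdict counts, per-file results).

    Overall status is DETECTED if anything matched, INCOMPLETE if anything could
    not be read (the case in the post), and CLEAN only when every file was
    actually opened and hashed. The counts are returned so an INCOMPLETE run is
    never hidden behind a DETECTED headline.
    """
    results: List[Tuple[str, Verdict, str]] = [(p, *scan_file(p, blocklist, read)) for p in paths]
    counts = {v.value: sum(1 for _, vv, _ in results if vv is v) for v in Verdict}
    if counts["detected"]:
        status = "DETECTED"
    elif counts["unscanned"]:
        status = "INCOMPLETE"
    else:
        status = "CLEAN"
    return status, counts, results


# --- constructed in-memory stand-in for the dropped "Applications" folder ---
KNOWN_BAD = b"MZ\x90\x00 hypothetical rogue binary contents"
FILES: Dict[str, bytes] = {
    r"C:\Program Files\Applications\readme.txt": b"just a text file",
    r"C:\Program Files\Applications\dropped1.exe": KNOWN_BAD,
}
LOCKED = {r"C:\Program Files\Applications\dropped2.exe"}   # simulates an exclusively locked file

BLOCKLIST = {hashlib.sha256(KNOWN_BAD).hexdigest(): "Example/Rogue.Constructed"}


def fake_read(path: str) -> bytes:
    """Reader over the constructed files; a locked path raises like a real open() would."""
    if path in LOCKED:
        raise PermissionError(f"{path}: the file is being used by another process")
    return FILES[path]


def run_demo():
    """Scan the constructed folder: one clean, one detected, one locked file."""
    return scan(list(FILES) + sorted(LOCKED), BLOCKLIST, fake_read)


if __name__ == "__main__":
    status, counts, results = run_demo()
    for path, verdict, detail in results:
        print(f"{verdict.value:10} {path}  ({detail})")
    print("overall:", status, counts)
```

The same idea applies to a real on-demand scan log: before trusting a "clean" result on a suspect folder, check the log for files the scanner reported it could not open and treat each one as unscanned, and, if the file is locked by a running process, kill or suspend that process (or scan from a boot disk) and rescan.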
     
  23. briwlls

    briwlls Registered Member

    Joined:
    Nov 23, 2005
    Posts:
    25
    Re: NOD32 blocking Windows Automatic Update + Some Websites

    Marcos,

    I submitted a couple samples of infected machines using sysinspector to samples@nod32.com, not even as much as a courtesy response to say we received your file.

    It's been two weeks since I submitted the files and Nod32 is still doing nothing to prevent, detect and/or remove any of these Winantivirus variants.

    I searched the KB via ESET's website and Winantivirus isn't even mentioned.

    A month or so ago I submitted an email to customer service saying that when viewing knowledge base articles they are in frames and can't be printed, and that they needed to add a print button to these KB articles. A rep responded saying that they'd bring this to the attention of the webmaster. Something so simple, still not done.

    Now I hear Nod32 ads on Jim Rome's popular sport show.

    I think given all the above I see what's happening:

    Symantec: mass market, push crap, ignore the customer, and due to advertising dollars all the popular crap magazines, i.e. PC World, give them great reviews, so they make $$$.

    Nod32 v2.7 and earlier: no mass market, push a great product, and IT professionals push and rave about the product. v3.0 and later: cut out small channel partners, push a buggier/slower product (just look at how many version releases there have been), advertise to get good reviews in PC World and consumer-related sites, ignore customer requests; end result, Nod32 is making more $$$ while they can until they reach Symantec 'crap' status.

    Somebody at ESET's camp is clearly only focused on making money and not on the product/customer.
     
  24. Kayracc

    Kayracc Registered Member

    Joined:
    Jul 5, 2008
    Posts:
    96
    My Antivirus 2008 submissions have been responded to well, but I think that's just because Marcos took special attention to them.

    That being said, I alone submit so many files through the program from trying to download stuff; imagine everyone else as well. Sucks, but it's the truth.

    -Brian
     
  25. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,374
    Re: NOD32 blocking Windows Automatic Update + Some Websites

    Please PM me your email address, I'll try to get the status of the emails.
     