WinSpywareProtect problem

Discussion in 'ESET NOD32 Antivirus' started by zexr, Jul 23, 2008.

Thread Status:
Not open for further replies.
  1. zexr

    zexr Registered Member

    Joined:
    Jul 7, 2008
    Posts:
    10
    I had a very disturbing evening today: WinSpywareProtect got on my PC and NOD32 didn't stop anything!
    It couldn't find anything; even when this virus got on my PC I somehow ran a scan with NOD32, but nothing, it didn't find any problems.
    I had the latest database update, full protection on everything, browsers, emails etc. Did a scan 6 hours before this happened.

    Then after struggling for 4-5 hours with this thing, I found some free software to remove this thing and it found over 100 threats on my PC; again NOD32 found zip, zero, nada, a big 0 threats.

    I cannot believe NOD32 didn't find anything. I showed this to a few people, so I wasn't crazy: when NOD32 finished its full scan it found NOTHING.

    Just terrible.
     
    Last edited: Jul 23, 2008
  2. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,374
    Please refer to this post.
     
  3. zexr

    zexr Registered Member

    Joined:
    Jul 7, 2008
    Posts:
    10
    Sorry but I couldn't find anything that could answer my questions, worries...

    As far as I saw on search engines this virus/malware or whatever isn't new since yesterday and if some low budget unknown companies have recognition for this malware then there is no excuse why you wouldn't have this too.
    Besides as I said I've found completely free software that cleaned my system perfectly.

    Also, per that post it seems like you are suggesting to people something like "don't go anywhere else except microsoft.com", any other web site is a potential risk.
    If I will use only microsoft.com or cnn.com on whole internet in world of today's technology and information, then we better go back in caves.

    In other words if I have NOD32 or any other AV software to protect me from cnn.com web site then there is no point of having AV software if I will only visit those 2 web sites.
     
  4. SmackyTheFrog

    SmackyTheFrog Registered Member

    Joined:
    Nov 5, 2007
    Posts:
    767
    Location:
    Lansing, Michigan
    Marcos's link can be summarized as "No single antivirus program is ever going to provide complete protection". Your absolute first priorities for keeping a system secure and clean (beyond using common sense) are making sure OS and application patches are installed as soon as they are available and not running with an administrative account for day-to-day usage. Spyware today evolves rapidly for the purpose of evading definition databases; scanners can miss them due to the large volume of mutations the same code goes through to mask itself. If you take the previous two precautions for safe computer usage, you have mitigated the risk of almost all spyware/malware installs except for the very few which install via an exploit that elevates privileges. Failure to keep patched or use a user account on your system will result in spyware/malware getting missed by an active scanner no matter what program you use, Nod32 or otherwise.
     
  5. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,374
    Actually, there will be better protection against threats like this, but every development takes some time. Still, no matter how good a certain protection is, nothing will ever 100% protect you if you don't practice safe surfing and run an outdated system with admin rights.
     
  6. niceTyp

    niceTyp Registered Member

    Joined:
    Jul 15, 2008
    Posts:
    11
    But what I don't understand is the fact that I send malware and rootkits to Eset, and nothing has happened. OK, maybe only one person receives and tests the malware, and that's why it takes a longer time to include it in the database.
    But when over 50% of the main virus scanners include the malware, then Eset should think about the speed at which it handles received malware.

    And I also think that it's better to warn of 10 or 20 corrupted malware than include no malware.

    And if this development takes more and more time, it is for me a reason to use another scanner or, better, to go without a scanner; then if I practice safe surfing and run an updated system without admin rights, I don't need Nod32. Thx for your help.
     
  7. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,374
    You should take into account that there are thousands of threats detected only by NOD32 that are missed by other AVs (I have a fresh experience from a recently spammed piece of malware). Also, one can get infected even when practising safe surfing, as there are security holes in operating systems that can be exploited by malware to get into your computer even without visiting suspicious sites.

    As for adding detection, one should take into account the fact that an enormous number of new threats emerge on a daily basis and are modified until they are not detected by certain AV programs.
    Each sample is assigned a certain priority. Samples from distributors and users are treated with utmost priority and are usually added almost instantly. In the case of a fast-spreading piece of malware, detection is added to the next update. Samples from malware collectors who do not provide any further information about the malware and keep sending us dozens or hundreds of files are treated with lower priority. It is in the interest of each AV vendor not to add detection for every single file, but for whole malware families without producing FPs on clean files. If each signature covered only 1 particular file, we would easily end up with 100+ MB signature databases and a similar memory consumption.
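
Added example, not part of the original thread and not ESET's code: a sketch of the trade-off described in the post above between one exact-hash signature per file and a single family signature. The byte pattern, the sample files and every name in it are constructed for illustration.

```python
import hashlib
import re

# Constructed stand-ins (not real malware): one shared code stub that is
# repacked with a mutated byte and different junk padding per variant.
PREFIX = b"\x55\x8b\xec\x6a"
SUFFIX = b"\x68FAKE-ROGUE-AV\x00"

def make_variant(seed: int) -> bytes:
    pad = hashlib.sha256(bytes([seed])).digest()[: 4 + seed % 8]
    return b"MZ" + pad + PREFIX + bytes([seed]) + SUFFIX + pad[::-1]

VARIANTS = [make_variant(s) for s in range(1, 9)]  # 8 variants in circulation
KNOWN = VARIANTS[:5]                               # 5 already submitted
# Clean file that mentions the product name but lacks the code stub.
CLEAN = b"MZ\x55\x8b\xec readme: how to remove FAKE-ROGUE-AV\x00"

# Approach 1: one exact-hash signature per submitted file.
EXACT_DB = {hashlib.sha256(v).hexdigest() for v in KNOWN}

# Approach 2: one family signature, the stable bytes with a wildcard
# over the single byte that changes between variants.
FAMILY_SIG = re.compile(re.escape(PREFIX) + b"." + re.escape(SUFFIX), re.DOTALL)

def detect_exact(sample: bytes) -> bool:
    return hashlib.sha256(sample).hexdigest() in EXACT_DB

def detect_family(sample: bytes) -> bool:
    return FAMILY_SIG.search(sample) is not None

def summary() -> dict:
    # Compare database size, coverage of all variants, and false positives.
    return {
        "exact_signatures": len(EXACT_DB),
        "exact_hits": sum(detect_exact(v) for v in VARIANTS),
        "family_signatures": 1,
        "family_hits": sum(detect_family(v) for v in VARIANTS),
        "clean_flagged": detect_exact(CLEAN) or detect_family(CLEAN),
    }

if __name__ == "__main__":
    for key, value in summary().items():
        print(f"{key}: {value}")
```

The exact-hash database grows by one entry per submitted file and still misses the variants nobody has submitted yet; the family pattern covers all of them with one entry, and the clean sample checks that it does so without a false positive.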
     
  8. Philippe_FR22

    Philippe_FR22 Registered Member

    Joined:
    Sep 6, 2007
    Posts:
    249
    Hello, you are right but... It is now evident: today most threats are malware/trojans coming with rogues like WinSpywareProtect, Win Antivirus 2008/2009, etc... and it is clear that more and more people are infected by such threats... And AV did not detect anything!!! AV detection methods must now be enhanced with IDS/HIPS functionality, because signature-based detection and heuristics (advanced or not) are not sufficient...

    Another interesting solution is to sandbox web navigators (with the exception of favorites)...



    Regards
     
  9. Kayracc

    Kayracc Registered Member

    Joined:
    Jul 5, 2008
    Posts:
    96
    Nod does okay. I actually am a bit disappointed at how long it takes them to add stuff to definitions, but I guess I fall into the latter, with sending in tons and tons of malware for them.

    That being said, I just found an exe, amero.exe, that only AVG, BitDefender and NOD detect; 2 others detect the packers.

    So it swings both ways :)

    And an AV 2009 that only 1 AV detects.

    Marcos is very right, they're changing these multiple times a day; fairly impossible to keep up.
     
    Last edited: Jul 24, 2008
  10. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,374
    All new variants of Amero that I've seen were intercepted when downloading from the web. Please PM me the location of the file that was not detected during the download.
     
  11. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,374
    We've seen malware that was able to circumvent HIPS as well as the protection of system files. When running malware with admin rights, everything is possible and there's no 100% solution that will protect you. As I said, using common sense as well as keeping the OS and other software always up to date is crucial for keeping your system virus free.
     
  12. Kayracc

    Kayracc Registered Member

    Joined:
    Jul 5, 2008
    Posts:
    96
    edit NM
     
  13. ablatt

    ablatt Registered Member

    Joined:
    Nov 14, 2004
    Posts:
    128
    Location:
    Canada
    As a NOD32 subscriber, I have been reading these types of "NOD32 doesn't detect so-and-so" threads with interest for a while.

    I try to be objective and realize that some may be bashing from other AV companies/fanboys and that not every product detects everything.

    However, the more I read these things, and the more I see sites like http://mtc.sri.com/live_data/av_rankings/ (don't know if it is accurate or not), I start to wonder whether detection rates are slipping.
     
  14. Kosak

    Kosak Registered Member

    Joined:
    Jul 25, 2007
    Posts:
    711
    Location:
    Slovakia
    Hello,

    did you read this?

     
  15. SmackyTheFrog

    SmackyTheFrog Registered Member

    Joined:
    Nov 5, 2007
    Posts:
    767
    Location:
    Lansing, Michigan
    Bear in mind that those kinds of lists can be completely bunk because they don't adjust detection rates against false positives (which the disclaimer notes) and for god knows what reason VirusTotal is still using v2.
     
  16. MikeMcr

    MikeMcr Registered Member

    Joined:
    Sep 3, 2004
    Posts:
    10
    Can we please stop implying this is the fault of users running with Admin rights; it is getting silly. The topic is about "WinSpywareProtect". We were infected on a Windows Vista system, fully "patched", UAC enabled, running as a Non-Admin standard user. The user did not have any passwords that would have elevated their access level.

    If you actually examine what WinSpywareProtect does then you'd discover it does not need Admin rights. It installs into non-protected folders and non-protected areas of the registry. The only defence here is NOD, which failed. This is the second time I've had to manually remove WinSpywareProtect this month.
     