XMON and EAV failed to detect virus!

Discussion in 'ESET NOD32 Antivirus' started by EvilDave UK, Jul 15, 2008.

Thread Status:
Not open for further replies.
  1. EvilDave UK

    EvilDave UK Registered Member

    Joined:
    Dec 20, 2005
    Posts:
    275
    Location:
    United Kingdom
    Email came in yesterday with an attachment, which got delivered to my mailbox. Email sat in there unread (didn't have time to open it). More than 24 hours later XMON decides it's a virus (while it was running a manual scan). Both EAV 3.0 and XMON 2.7 Real Time scans didn't pick it up.

    Virus turned out to be:

    UPS_INOICE_107.zip - Win32/TrojanDownloader.Small.ODR trojan - deleted
    UPS_INOICE_107.zip > RAR > UPS_INOICE_107\UPS_INVOICE_107.exe - Win32/TrojanDownloader.Small.ODR trojan

    What's all this about?
     
  2. Bubba

    Bubba Updates Team

    Joined:
    Apr 15, 2002
    Posts:
    11,271
    Perhaps the "24 hours later" issue is because update 3267 came out late in the PM last night with Win32/TrojanDownloader.Small.ODR added :doubt:

    The UPS_INVOICE_107.exe being targeted, try using Federal Express next time :ouch:

    Just kidding ;)
     
  3. EvilDave UK

    EvilDave UK Registered Member

    Joined:
    Dec 20, 2005
    Posts:
    275
    Location:
    United Kingdom
    But my point is shouldn't EAV have detected it anyway? ESET reckon they're better at catching in the wild viruses than any other provider, but they failed this time...
     
  4. mickhardy

    mickhardy Registered Member

    Joined:
    May 16, 2005
    Posts:
    140
    Location:
    Australia
    My users live life on the edge and our customer base includes many countries with dodgy old software and often little or no anti-virus software. As a result, we are often at the forefront of new threats. XMON deletes several thousand incoming viruses per year. XMON has missed only two new threats in the five years we've been running it. Both of these were correctly identified as suspect by my users and referred to me, and both were added to the definitions within 24 hours.

    I'm more than happy with their anti-virus performance but far from impressed with ESS, which has been completely removed from our Network.
     
  5. ASpace

    ASpace Guest

    No, because they use the same techniques and threat database. They update at the same time and that is why it happened that way. Having an antivirus doesn't mean you are fully protected - you should still follow basic rules such as common sense, don't open/read/answer emails from unknown sources, etc.
     
  6. EvilDave UK

    EvilDave UK Registered Member

    Joined:
    Dec 20, 2005
    Posts:
    275
    Location:
    United Kingdom
    XMON and EAV failed to detect yet another virus!

    This is similar to my last post, but again, both XMON and EAV missed a virus. Got an email yesterday mid-morning with an attachment:

    " UPS_INVOICE_978172.zip"

    Knew from the last similar looking attachment this was a virus. Did a manual scan from within Outlook using EAV... No virus. Copied on to desktop, scanned, no virus (1 file found in attachment according to EAV). Submitted to ESET.

    More than 24 hours later I received the following email:

    "22/07/2008 11:09:35 - XMON - Antivirus Monitor for MS Exchange Server Threat Alert triggered on SBSVR1: UPS_INVOICE_978172.zip > ZIP > UPS_INVOICE_978172.exe is infected with Win32/PSW.Agent.NIF trojan."

    But this is too late. If every user in the company received this and opened it, they'd all have a virus by now, which both the server and client AV failed to detect. A zero-day virus, and nothing, no warning from the AV!

    I scanned the ZIP file last night on VirusTotal. A number of other AV companies detected it as a trojan, others said "suspicious file". Yeah it's suspicious... EAV and XMON have the option to scan for and remove potentially unsafe applications, adware, spyware and riskware. Surely this suspicious looking file should have fit into one of those categories?

    Clearly not...

    This is useless to me! 24+ hours is too long. And with damage already done, it makes the investment into ESET's AV a pointless one, especially if other AV providers knew this was a virus before ESET did.

    What does ESET have to say about this?
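    Both samples in this thread have the same shape: a ZIP archive carrying an .exe named like a courier invoice, caught by signatures only after a lag of more than a day. The block below is an added example (not from the thread, from ESET, or from any poster) of two defender-side checks that do not depend on definition updates: an attachment policy that flags archives containing executable members (by extension or by the PE "MZ" header, so a renamed .exe is still caught), and a parser for the XMON alert format quoted above that exposes the archive nesting chain and threat name for logging or correlation. The extension list, the regex, the function names and the in-memory sample archive are all assumptions constructed for illustration; the stub payload is not a program.

```python
"""Signature-independent checks for the ZIP > EXE attachment pattern seen in the thread.

Added example, not code from the thread, ESET or any poster.  The archive is
built in memory and the alert line is the one quoted in the post, so it runs
offline.
"""
import io
import os
import re
import zipfile
from datetime import datetime

# Member extensions treated as executable content inside an archive (assumed policy list).
EXECUTABLE_EXTENSIONS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs"}

# First two bytes of a Windows PE file.  Checked on content so that renaming
# UPS_INVOICE.exe to UPS_INVOICE.pdf does not bypass the policy.
MZ_MAGIC = b"MZ"


def archive_policy_violations(zip_bytes):
    """Return the names of ZIP members that violate the policy.

    A member violates the policy if its extension is in EXECUTABLE_EXTENSIONS
    or if its content begins with the PE 'MZ' header, whatever the extension.
    """
    violations = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            ext = os.path.splitext(info.filename)[1].lower()
            with zf.open(info) as member:
                head = member.read(len(MZ_MAGIC))
            if ext in EXECUTABLE_EXTENSIONS or head == MZ_MAGIC:
                violations.append(info.filename)
    return violations


def build_sample_attachment(member_name="UPS_INVOICE_978172.exe", payload=None):
    """Construct an in-memory ZIP mimicking the attachment structure in the post.

    The default payload is a harmless stub that only starts with the 'MZ'
    bytes; it is constructed for the example and is not an executable.
    """
    if payload is None:
        payload = MZ_MAGIC + b"\x00" * 62 + b"constructed stub, not a real program"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(member_name, payload)
    return buf.getvalue()


# Alert line quoted in the post above (day/month/year timestamp).
XMON_SAMPLE = ('22/07/2008 11:09:35 - XMON - Antivirus Monitor for MS Exchange Server '
               'Threat Alert triggered on SBSVR1: UPS_INVOICE_978172.zip > ZIP > '
               'UPS_INVOICE_978172.exe is infected with Win32/PSW.Agent.NIF trojan.')

# Regex is an assumption fitted to the quoted line, not a documented XMON format.
XMON_ALERT = re.compile(
    r"^(?P<ts>\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2}) - XMON .*? triggered on "
    r"(?P<host>\S+): (?P<path>.+?) is infected with (?P<threat>.+?)\.?$"
)


def parse_xmon_alert(line):
    """Parse an XMON threat alert into time, host, archive chain and threat name.

    The path is split on ' > ' so the nesting becomes a list, e.g.
    ['UPS_INVOICE_978172.zip', 'ZIP', 'UPS_INVOICE_978172.exe'].
    Returns None if the line does not match.
    """
    m = XMON_ALERT.match(line.strip().strip('"'))
    if not m:
        return None
    return {
        "time": datetime.strptime(m.group("ts"), "%d/%m/%Y %H:%M:%S"),
        "host": m.group("host"),
        "chain": m.group("path").split(" > "),
        "threat": m.group("threat"),
    }


if __name__ == "__main__":
    print("policy violations:", archive_policy_violations(build_sample_attachment()))
    print("renamed member still caught:",
          archive_policy_violations(build_sample_attachment("UPS_INVOICE_978172.pdf")))
    print("benign text member:",
          archive_policy_violations(build_sample_attachment("invoice.txt", b"plain text")))
    print("parsed alert:", parse_xmon_alert(XMON_SAMPLE))
```

The policy check is deliberately blunt: it rejects the whole class of "archive with an executable inside" rather than trying to recognise a particular sample, which is exactly the gap a definitions-based engine leaves open during the first 24 hours. The parser is useful for feeding XMON alerts into a central log so that detection lag (alert time minus message arrival) can be measured rather than argued about.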
     
  7. GAN

    GAN Registered Member

    Joined:
    Mar 3, 2007
    Posts:
    355
    Re: XMON and EAV failed to detect yet another virus!

    This question has been asked/answered a million times before in this forum and other forums for other AV software. I guess some people expect the AV software to be 100% bulletproof, which is not the case. Sometimes nod32 is the first one to detect a threat and sometimes they might be the last. Eset, Symantec, Trend, Kaspersky and everyone else work hard to stop threats fast and it's not like Eset can be the first one every time. So if you find eset to be useless because they didn't find it first, I guess you might find any AV software useless since they all might be late to stop a threat sometimes. It's not like the "potentially unsafe applications" feature never fails to find a threat.

    You might consider using AV software on the server which is from another vendor than the AV software running on the client. A lot of companies choose to do so, and that will give some extra security since there are two different engines scanning the mail.

    I agree that 24+ hours is not very impressive, but you cannot expect eset to always detect any threat before any other AV software.
     
  8. FlyingHorse

    FlyingHorse Registered Member

    Joined:
    Dec 9, 2005
    Posts:
    12
    Location:
    33°59'43.1"N 84°09'03.1"W
  9. The Hammer

    The Hammer Registered Member

    Joined:
    May 12, 2005
    Posts:
    5,619
    Location:
    Toronto Canada
  10. FlyingHorse

    FlyingHorse Registered Member

    Joined:
    Dec 9, 2005
    Posts:
    12
    Location:
    33°59'43.1"N 84°09'03.1"W
    Re: XMON and EAV failed to detect yet another virus!

    Actually I did read the entire article. Your quote above omits a very important part of the entire sentence. "Since the inception of VB100 awards in 1998, ESET's antivirus products boast a success rate of over 96 percent..."

    Also if you visit the VB100 website you'll find this statement:

    "In order to display the VB100 award a product must have been tested by Virus Bulletin and in those tests it must have demonstrated, in its default mode, 100 per cent detection of In the Wild test samples and no false positives in a selection of clean files."
     
  11. GAN

    GAN Registered Member

    Joined:
    Mar 3, 2007
    Posts:
    355
    Re: XMON and EAV failed to detect yet another virus!

    In any case there is a difference between 100% for the "wild test samples" and 100% in general. The wild test samples do not include every existing threat, so it's not even relevant to my statement.
    Can you show me a statement from eset where they say that nod32 detects 100% of all existing threats? ...well, I didn't think so...

    I think what I said in my post is pretty clear and I was not talking about the "wild test samples". There is a difference between a statement that says 100% of the wild test samples and 100% period.
     
  12. FlyingHorse

    FlyingHorse Registered Member

    Joined:
    Dec 9, 2005
    Posts:
    12
    Location:
    33°59'43.1"N 84°09'03.1"W
    Re: XMON and EAV failed to detect yet another virus!

    I'm sorry, but it wasn't clear to me that you were generalizing about AV software. From the OP's own statements I assumed that this discussion centered on In the Wild and Zero Day threats. My mistake.
     