ESET AV issue



NewsArchive
05-09-2013, 09:58 AM
Hello Friedrich

I see ESET/NOD32 is doing their best to make life a misery for us again.

I use web-based updating based on your example and ESET is flagging the
update file as suspicious and "most likely containing a new threat" -
see attachment.

The so-called suspect africlock-update.exe is signed with Comodo yet
this still happens.

Any ideas or advice?

Regards

Daan Marais

NewsArchive
05-09-2013, 10:57 AM
Do what the dialog says - submit it to ESET. I'd also open a support
ticket

--

Russ Eggen
RADFusion International, LLC

NewsArchive
05-09-2013, 12:01 PM
Thanks Russ, both done - will update here when I hear from them.

Daan

NewsArchive
05-09-2013, 01:00 PM
Appreciate it as I have ESET too and they came up with false positives
in the past. Problem was, they seemed awfully slow in providing a fix.

--

Russ Eggen
RADFusion International, LLC

NewsArchive
05-09-2013, 01:00 PM
Hi Daan,

ESET is a never ending story. We even had to add additional compiler
warnings.

For example:

---
CHANGE : IDE: Under certain circumstances, customers with "ESET security
solutions" installed (e.g. NOD32) sometimes get a "Fatal
Compiler Error: GEN1094: Cannot inject stub loader entrypoint:
Para1: C:\yada\yada.exe Para2: 91648 Para3: 6664" error during
the setup compilation process. This is caused by a
(false-positive) bug in ESET products. We have added an
additional compiler text: 'Note: If you are using an ESET
product and you see this error message, please contact ESET
Customer Care and refer to #TICKET 83977'.
---

Always report false-positives to the protection software vendor.

http://www.lindersoft.com/forums/showthread.php?p=69157

Friedrich

NewsArchive
05-10-2013, 01:57 AM
Hello Friedrich

Yes - it is a shame because it is actually a very good anti-virus IMO -
we have been using it since 2005 and never had a single problem with
viruses in that time.

We actually recommend it to our customers as well, despite the injection
problem you mentioned and which I also experienced - maybe time for a
bit of thought...

In any event, here is the ticket number, from their South African
office: [Ticket#2013050910001476]

Regards

Daan

NewsArchive
05-10-2013, 08:52 AM
I'd beg to differ. I got called in to take over the HW support for a
company and found viruses on their server & workstations because of the
default settings, which is how the previous HW support company installed
it. Some malware is not considered to be a virus and thus can get into
a system unhindered, then opens up a backdoor for the authors to do what
they like with their system. Malware, whilst not technically a virus, can
and does open up backdoors onto systems for other bad software, like
making it a botnet for example.

I've highlighted numerous bugs in their software and wrong default
settings, which have been relayed back to Romania for them to fix. As I
don't get paid to report bugs I've stopped reporting them to ESET.

Below is part of one such conversation. Considering Flash & Java were
used in something like 80% of all hack attempts in 2012, the email
reply below from Eset is significant imo.

I also find it funny that ESET UK, who sell their own antispam products
for MS Exchange (and use MS Exchange themselves if you look in the email
headers), feel their technology is so superior that they use Symantec's
recently purchased Messagelabs anti-spam service. Nothing like faith in
one's own products, hey?
http://mxtoolbox.com/SuperTool.aspx?action=mx%3aeset.co.uk&run=toolpage

I've compared Eset's antispam against Messagelabs and Messagelabs comes
out tops because they can see patterns which can only be seen from a
cloud or peer2peer setup where data is exchanged between all sites. For
example, the only way to update the white/black lists in Eset is to stop
the service, update the white/black list, then start the service again.
In that time frame an email containing a virus could enter the MS
Exchange and you have zero scanning protection. They don't even have an
API to facilitate the white/black list updates for external programs to
use either; you have to write your own code to control the management of
services.

Eset have risen to prominence due to the generous kickbacks they give
companies who provide HW support to SMEs who resell their products.

Their CPU load on workstations is higher than other AV products I've
reviewed as well, due to customers complaining their workstations have
slowed down.

This is part of a long conversation that I sent to Eset support.

Re the Java virus, I'll check the strict cleaning option as I was using
the ERA program on the server to push a new task, in this case a scan
with cleaning enabled, to the workstation.

Is there any way the AV can scan and block these though? We'd rather not
let them into the network and systems in the first place.


And this is what I got back. It's worth noting an AV update typically
contains the automated updated variations of a known or existing virus.
AV companies can take anything from a few months to a few years to
reverse engineer and decide if a program they are suspicious about is
actually considered and defined as a virus. That's right: if I released a
new virus into the world today, it could take them at least a few
months to spot it; it's why Stuxnet and others took so long to find and
track down.

----------->8---------------
From: Jonathan Deane [mailto:x@eset.co.uk]
Sent: 13 September 2012 08:21
To: Robot
Subject: RE: ESET Support

The only way to prevent Java exploits is to uninstall Java.

Can you send me an export of your EMSX configuration?

*** It is VERY important that if you reply to this message you include
ALL previous correspondence

Jonathan Deane MCTS, ESET Certified Technician
Technical Team Leader - ESET UK

p: 0845 838 0832 - Opt 3 (Support) f: 0845 838 0834 e:
x@eset.co.uk w: www.eset.co.uk
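The restart window Richard describes (stop the service, edit the white/black list, start it again, with no scanning in between) is a design choice rather than a law of nature. As an added illustration, not ESET's code and not anything posted in this thread, the sketch below keeps a mail filter serving while its lists are replaced: the new lists are parsed into an immutable snapshot and the reference is swapped in one step, so a scan in progress sees either the old lists or the new ones and never an empty or half-loaded list. The file format (one address or domain per line, `#` comments), the class names and the sample entries are all constructed for the example.

```python
import hashlib
import os
import tempfile
import threading
from dataclasses import dataclass


@dataclass(frozen=True)
class ListSnapshot:
    """Immutable view of both lists plus the digests they were built from.
    Hypothetical file format: one address or domain per line, '#' comments."""
    allow: frozenset
    block: frozenset
    fingerprint: tuple


def _digest(path):
    with open(path, "rb") as fh:
        return hashlib.sha256(fh.read()).hexdigest()


def read_entries(path):
    """Parse one list file into a frozenset of lower-cased entries."""
    with open(path, encoding="utf-8") as fh:
        lines = fh.read().splitlines()
    entries = {ln.strip().lower() for ln in lines
               if ln.strip() and not ln.lstrip().startswith("#")}
    return frozenset(entries)


class MailFilter:
    """Serves verdicts continuously; list changes are swapped in atomically."""

    def __init__(self, allow_path, block_path):
        self._paths = (allow_path, block_path)
        self._lock = threading.Lock()
        self._snapshot = ListSnapshot(frozenset(), frozenset(), ())
        self.reload()

    def reload(self):
        # Parse outside the lock; only the reference swap is serialized, so
        # no verdict is ever computed against an empty or partial list.
        fps = tuple(_digest(p) for p in self._paths)
        new = ListSnapshot(read_entries(self._paths[0]),
                           read_entries(self._paths[1]), fps)
        with self._lock:
            self._snapshot = new

    def reload_if_changed(self):
        """Cheap poll: reload only when a list file's content digest differs."""
        if tuple(_digest(p) for p in self._paths) == self._snapshot.fingerprint:
            return False
        self.reload()
        return True

    def verdict(self, sender):
        with self._lock:
            snap = self._snapshot       # grab the reference, then work lock-free
        addr = sender.strip().lower()
        domain = addr.rsplit("@", 1)[-1]
        if addr in snap.block or domain in snap.block:
            return "block"
        if addr in snap.allow or domain in snap.allow:
            return "allow"
        return "scan"                   # unlisted: hand to the content scanner


def _write(path, text):
    with open(path, "w", encoding="utf-8") as fh:
        fh.write(text)


def demo():
    """Constructed scenario: a block-list update lands while the filter keeps serving."""
    with tempfile.TemporaryDirectory() as tmp:
        allow_path = os.path.join(tmp, "allow.txt")
        block_path = os.path.join(tmp, "block.txt")
        _write(allow_path, "# constructed allow list\npartner.example\n")
        _write(block_path, "# constructed block list\nspammer.example\n")
        mf = MailFilter(allow_path, block_path)

        before = mf.verdict("news@newsletter.example")   # unlisted -> "scan"
        unchanged = mf.reload_if_changed()                 # same digests -> False
        _write(block_path, "# constructed block list\nspammer.example\nnewsletter.example\n")
        changed = mf.reload_if_changed()                   # new digest -> True
        after = mf.verdict("news@newsletter.example")     # now "block"
        partner = mf.verdict("Bob@Partner.example")       # "allow", case-insensitive
        return before, unchanged, changed, after, partner


if __name__ == "__main__":
    print(demo())
```

The point of the snapshot is that `verdict()` never holds the lock while it works: it copies the current reference and releases the lock, so a reload running on another thread cannot leave a message half-checked against one list and half against another.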

NewsArchive
05-10-2013, 08:53 AM
Thanks for sharing, Richard!!!

> I've highlighted numerous bugs in their software and wrong
> default settings which have been relayed back to Romania
> for them to fix. As I don't get paid to report bugs I've
> stopped reporting them to ESET.

Dealing with the ESET Customer Care guys (Bratislava, Slovak Republic) was a
nightmare. I had to give up -- seriously thought about committing suicide.

http://www.lindersoft.com/forums/showthread.php?p=67142#post67142

Friedrich

NewsArchive
05-10-2013, 08:53 AM
My Norton 360 is finally about to expire. Norton has often annoyed
me, so I was planning change. I figured it would be ESET, but I'm
wondering if there's something "better". What's your take on the
subject?

Mike Hanson
www.boxsoft.net

NewsArchive
05-10-2013, 10:09 AM
So what should I use instead? (Currently on Norton 360, but about to
expire.)

Mike Hanson
www.boxsoft.net

NewsArchive
05-10-2013, 10:10 AM
AVG is not too shabby. But I switched to ESET on the recommendation of
a few other developers.

The only downside to ESET seems to be slow responses on support tickets.
I really don't know if it's their attitude or they go through an
exhaustive checklist or they check all the submissions they get.

Kaspersky is another good one. I was very impressed with their free
nasty virus removal tool, which you make a CD and boot from that. It
was the only product that removed a very nasty trojan from my machine.
I was about to re-install my OS if that did not work, something I
*never* want to do!

Whichever one you pick, I've come to the conclusion that no single AV
product can protect your machine 100% of the time from 100% of all virus
programs. This is why I also use MS Defender and a couple of others
that check for certain nasty buggers.

--

Russ Eggen
RADFusion International, LLC

NewsArchive
05-10-2013, 10:11 AM
Thanks, Russ. It's just sad that we need these things at all.

Mike Hanson
www.boxsoft.net

NewsArchive
05-10-2013, 10:11 AM
Agreed. I remember the good old days when viruses were restricted to
Apple products only <bg>

--

Russ Eggen
RADFusion International, LLC

NewsArchive
05-10-2013, 10:12 AM
they were called worms!

--
JP
_______________________________________________________

For those who do not understand ... : "Qui bene amat bene castigat."
_______________________________________________________

DMC - Data Management Center : a tool to let you Migrate Import Export
Transfer your Data
www.dmc-fr.com

NewsArchive
05-10-2013, 10:12 AM
they were called viruses here.

--

Russ Eggen
RADFusion International, LLC

NewsArchive
05-11-2013, 04:48 AM
> So what should I use instead? (Currently on Norton 360, but about to
> expire.)

http://www.shadowserver.org/wiki/pmwiki.php/AV/Viruses
"The tables on each page represent the results of the Anti-Virus tests
against the malware that we collect each day. Each AV vendor has
different capabilities and success in detecting malware that is
collected. No single vendor detects 100%, nor can they ever. To expect
complete protection will always be science-fiction."

Today's best AV appears to be Symantec's AV engine, which detected 85% of
the viruses and 88% over the month, but this changes over time so
something good today or this month may perform more poorly in 3 or 6
months' time.
http://www.shadowserver.org/wiki/pmwiki.php/AV/VirusDailyStats
http://www.shadowserver.org/wiki/pmwiki.php/AV/VirusMonthlyStats
http://www.shadowserver.org/wiki/pmwiki.php/AV/VirusYearlyStats

The most secure is to run a combination of AV scanners but no
combination rarely catches 99% of the viruses anyway, but other
measures like packet filtering can also help stop unwanted things
getting into your system.

For people who can't afford a paid-for IDS/firewall, this one is
open source: http://pfsense.org/. Different charging model, i.e. you pay
for support as and when needed, but there is a free package you can
download which uses Snort.org, probably the premier packet filtering app
out there. Things like TeamViewer will get picked up, so people will
need to install an exception for TeamViewer as it has a number of
methods in which to get out and connect back to their server. In fact
installing TeamViewer is probably a good test for system security: if
it can connect to their server, your system is not secure.

If you need your system to be secure, it's best to create rules in your
firewall which limit the type of traffic in and out of your setup.

Most firewalls allow all traffic to flow out freely and obviously block
incoming, so any malware that doesn't get picked up by your AV could
open up a port out of your system and who knows what happens next.

FWIW.

Richard Rose

NewsArchive
05-11-2013, 04:48 AM
One other thing: if you want the means to be able to find out what
hacked you, I'd recommend getting a switch like the Cisco SG 200-08.
It's got a facility built in where you can mirror the traffic down a
separate port connection to a separate device which just logs all the
packets in and out. This way if you get hacked you have the ability to
review all the packets leading up to the hack, which can be useful for
identifying how you got hacked and thus can prevent it from happening
again, or inform the relevant software vendor how you got hacked so they
can fix the bug in their software.

http://en.wikipedia.org/wiki/Port_mirroring

Richard Rose
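Richard's two posts above make one combined point: outbound traffic is allowed by default, so the way to notice malware that the AV missed is to define what egress is expected and then check the record (a firewall log, or whatever you log off the mirror port) against it. As an added example, not code from pfSense, Snort, Cisco or anyone in this thread, here is that check in a few dozen lines of Python: a default-deny egress allow list for a small LAN, applied to a handful of constructed connection records. The record syntax is invented for the example (real firewall logs and packet captures look nothing like it); the policy, hosts and addresses are likewise constructed.

```python
import ipaddress
from collections import Counter

# Constructed record format for this example (not any real firewall's or
# switch's log syntax): a timestamp followed by key=value fields.
SAMPLE_LOG = """\
2013-05-11T04:48:01 dir=out proto=tcp src=192.168.1.20 dst=203.0.113.7 dport=443
2013-05-11T04:48:02 dir=out proto=udp src=192.168.1.20 dst=192.168.1.1 dport=53
2013-05-11T04:48:03 dir=in proto=tcp src=198.51.100.9 dst=192.168.1.20 dport=3389
2013-05-11T04:48:04 dir=out proto=tcp src=192.168.1.20 dst=198.51.100.9 dport=25
2013-05-11T04:48:05 dir=out proto=udp src=192.168.1.31 dst=8.8.8.8 dport=53
2013-05-11T04:48:06 dir=out proto=tcp src=192.168.1.20 dst=203.0.113.99 dport=6667
2013-05-11T04:48:07 dir=out proto=tcp src=192.168.1.31 dst=192.168.1.5 dport=25
""".splitlines()

# Hypothetical default-deny egress policy for a small office LAN:
# (protocol, destination port, permitted destination network).
EGRESS_ALLOW = [
    ("udp", 53,  ipaddress.ip_network("192.168.1.1/32")),  # DNS only via the local resolver
    ("tcp", 80,  ipaddress.ip_network("0.0.0.0/0")),
    ("tcp", 443, ipaddress.ip_network("0.0.0.0/0")),
    ("tcp", 25,  ipaddress.ip_network("192.168.1.5/32")),  # SMTP only via the mail server
]


def parse_record(line):
    """Turn one constructed log line into a dict; None for lines we can't parse."""
    parts = line.split()
    if len(parts) < 2:
        return None
    rec = {"ts": parts[0]}
    for token in parts[1:]:
        key, sep, value = token.partition("=")
        if not sep:
            return None
        rec[key] = value
    try:
        rec["dport"] = int(rec["dport"])
        rec["dst_ip"] = ipaddress.ip_address(rec["dst"])
    except (KeyError, ValueError):
        return None
    return rec


def is_permitted(rec):
    """True when some allow-list entry matches protocol, port and destination."""
    return any(
        rec["proto"] == proto and rec["dport"] == port and rec["dst_ip"] in net
        for proto, port, net in EGRESS_ALLOW
    )


def audit_egress(lines):
    """Return (violations, count_per_source_host) for outbound records that
    fall outside the allow list. Inbound records are out of scope here."""
    violations = []
    per_host = Counter()
    for line in lines:
        rec = parse_record(line)
        if rec is None or rec.get("dir") != "out":
            continue
        if not is_permitted(rec):
            violations.append(rec)
            per_host[rec["src"]] += 1
    return violations, per_host


def describe(rec):
    return f"{rec['ts']} {rec['src']} -> {rec['dst']}:{rec['dport']}/{rec['proto']}"


if __name__ == "__main__":
    found, hosts = audit_egress(SAMPLE_LOG)
    for rec in found:
        print("unexpected egress:", describe(rec))
    print("per host:", dict(hosts))
```

On the sample, the three hits are a workstation talking SMTP straight to an outside host instead of through the mail server, a workstation resolving names against an external resolver instead of the local one, and a connection to a port the policy knows nothing about. None of them needs a signature to be noticed, which is exactly the gap Richard is describing: the AV may or may not recognise the program, but the traffic is still outside what the site has declared normal.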

NewsArchive
05-11-2013, 04:49 AM
Very interesting...!!

Friedrich

NewsArchive
05-12-2013, 06:08 AM
Thanks Richard, but now my head hurts. <g>

So what you're telling me is that I'm already using the best option
(with Norton 360 from Symantec), which I could only improve by loading
up even more system-slowing virus checks.

And I could start packet filtering, which means something new to suck
up even more of my time. <sigh>

Mike Hanson
www.boxsoft.net

NewsArchive
05-12-2013, 06:09 AM
There is no easy solution. It's about weighing up the risks versus
rewards, but being armed with a better picture of the situation and the
risks we are exposed to can lead us to make a more informed decision,
whatever that might be.

It's too easy to hand over money and think that's it, my systems are safe.

Of course a lot of risk can be avoided with simple common sense, like
avoiding opening attachments from unknown sources, although known
sources could still be a risk as we can't ultimately vouch for the
integrity of a customer's system should they decide to send us an
attachment, something SV might need to consider with PTSS attachments.

Same goes with visiting websites which might have been hacked and have
some malicious code delivered via the webpages. I have seen, a couple of
years back, an advertising/content-serving company delivering banner
ads with a virus in them to a number of popular UK websites, not to be
confused with Scareware (http://en.wikipedia.org/wiki/Scareware).
This is why I use extensions like Ghostery, NoScript and
Self-Destructing Cookies in Firefox. You can block off-site traffic,
which is a common method of delivering viruses or malicious code if the
server has been hacked.

One thing I have seen though: I visited a website a while back which
was delivering malicious code. I only knew it was delivering this because
up popped a Google webpage warning this site was known to have
malicious code and I shouldn't go any further. The problem was, I had
gone to that website not from a Google search result but directly, by
typing the URL into Firefox.

So how did Google know where I was going unless Firefox reports the
results back to Google? The default search box in the toolbar is
Google's, maybe that's how they know; or maybe because Google contributes
money for the development of Firefox in exchange for browsing habits is
another reason; or maybe simply by monitoring googleapis.com they
can do this? Who knows?

Either way, there is no perfect solution that exists today, but I do
take advantage of the free/evaluation AV solutions by downloading them
and doing a full all-file-extension scan with the maximum number of
recursions set for archive files like zip, and whatever the maximum
heuristics setting is if that's an option as well, just to see if
anything pops up.

Take scanning a zip file: if the AV default number of recursions is 1
to 2 deep, what's stopping a virus writer from burying a virus in a 10
deep recursive zip? It's a game of cat and mouse we are forced to play,
unfortunately, because some people will do anything for money.

Once a month or once a quarter with a different AV to the normal AV,
left overnight scanning, is something I am happy with (cost v time), but
if it wasn't for the firewall packet filtering I wouldn't really know
what my system is up to and who it's communicating with, especially as it's
hard to see what is slipping in or out with fast net access. In the old
days with dialup you could spot some things because it slowed the net
access up; hard to do today though. Do I want my systems and broadband
to become tied up in some botnet? No, and by virtue of what I do for a
job I also increase the risk of being accused of being behind potential
hack attempts as they could have come from my IP addresses.

This is a good video to watch on what is involved in keeping the net
safe and what some of the viruses writers are like.
http://www.ted.com/talks/mikko_hypponen_fighting_viruses_defending_the_net.html

Other things to consider and worth keeping an eye on are hacking forums.
After all, what better way to keep abreast of their current thinking!
There are also some excellent programming minds on these forums which
could do with some guidance, as an alternative recruitment source.

Richard Rose

NewsArchive
05-25-2013, 03:25 AM
Thanks Richard - we do run a fairly tight setup here with a proper IPCOP
firewall and in-house-developed e-mail (thanks to NetTalk) so that may
account for some of our good luck to date.

ESET responded to me that the offending file was in fact clean and would
no longer be detected. So far so good, and apparently true. This week, I
placed an updated version on the website and downloaded it again, lo and
behold, NOD32 complains again (as I half expected...)

I guess we just have to grin and bear it.

Regards

Daan