NIS 2009 build 125 bug? If I restore a threat, NIS 2009 won't detect it again.

NIS 2009 build 125 bug? If I restore a threat, NIS 2009 won't detect it again.
I try to restore some threats from quarantine, and after I restore them, NIS 2009 build 125 can't detect them again.
(I had used both Auto-detect and Right-Click Scan)
I just try some threats, and almost all of them are like that.

If you want, I can upload those threats.

They can be detected yesterday, but after I restore them from quarantine, they can't be detected again.

Message Edited by ONE on 09-09-2008 07:50 PM

Replies


Re: NIS 2009 build 125 bug? If I restore a threat, NIS 2009 won't detect it again.

If you restore them, you tell NIS that you trust them, so Norton won't have to scan them anymore.
"All that we are is the result of what we have thought"

Re: NIS 2009 build 125 bug? If I restore a threat, NIS 2009 won't detect it again.


ONE wrote:

NIS 2009 build 125 bug? If I restore a threat, NIS 2009 won't detect it again.
I try to restore some threats from quarantine, and after I restore them, NIS 2009 build 125 can't detect them again.
(I had used both Auto-detect and Right-Click Scan)
I just try some threats, and almost all of them are like that.

If you want, I can upload those threats.

They can be detected yesterday, but after I restore them from quarantine, they can't be detected again.

Message Edited by ONE on 09-09-2008 07:50 PM

Two things come to mind:
- How were those threats detected, manual file scan, AP, or Sonar?
If by Sonar, then a file scan will not detect them. 
- Did you change the advanced heuristic level?
If detected at the aggressive level, then lesser levels may not detect them.
 
Pieter 

Re: NIS 2009 build 125 bug? If I restore a threat, NIS 2009 won't detect it again.


PieterV wrote:

ONE wrote:

NIS 2009 build 125 bug? If I restore a threat, NIS 2009 won't detect it again.
I try to restore some threats from quarantine, and after I restore them, NIS 2009 build 125 can't detect them again.
(I had used both Auto-detect and Right-Click Scan)
I just try some threats, and almost all of them are like that.

If you want, I can upload those threats.

They can be detected yesterday, but after I restore them from quarantine, they can't be detected again.

Message Edited by ONE on 09-09-2008 07:50 PM

Two things come to mind:
- How were those threats detected, manual file scan, AP, or Sonar?
If by Sonar, then a file scan will not detect them.
- Did you change the advanced heuristic level?
If detected at the aggressive level, then lesser levels may not detect them.
Pieter

1. I forgot, and I can't detect again, so I am not sure. But some of them are detected as Suspicious. I think maybe it's AP detected.
2. I didn't use aggressive level.

Those threats are here:

[THREAT LINK REMOVED]

You can download it to try.
If you downloaded, you can delete this link.

Then I want to suggest, if the threats restore, NIS 2009 should ask "Will NIS 2009 detect the threats again or not in the future?", and let users choose detect or not is better.

( I remembered when NIS 2009 is beta, it asked. )
Now I can't make them be detected again, how can I fix it?
I didn't see any setting can fix it, make my NIS 2009 detect them again.

[edit: removed threat link per the Participation Guidelines and Terms of Service. Link still available from Administrator for further review.]

Message Edited by ONE on 09-10-2008 12:28 AM
Message Edited by ONE on 09-10-2008 12:31 AM
Message Edited by ONE on 09-10-2008 12:32 AM
Message Edited by Tony_Weiss on 09-10-2008 10:26 AM

Re: NIS 2009 build 125 bug? If I restore a threat, NIS 2009 won't detect it again.

You mention the beta allowed you to exclude and the release version not:

When you restore items from quarantine, NIS 2009 will only directly allow you to exclude low risk items, not high risk.

For high risk threats you must first create an exclusion, by threat or by file, and then restore from quarantine.

This behavior is the same in the beta and the released version.

We will take your recommendation for the enhanced workflow into account in future versions.

Pieter


Re: NIS 2009 build 125 bug? If I restore a threat, NIS 2009 won't detect it again.


PieterV wrote:

You mention the beta allowed you to exclude and the release version not:

When you restore items from quarantine, NIS 2009 will only directly allow you to exclude low risk items, not high risk.

For high risk threats you must first create an exclusion, by threat or by file, and then restore from quarantine.

This behavior is the same in the beta and the released version.

We will take your recommendation for the enhanced workflow into account in future versions.

Pieter


But I think if the action "restore" will make the threats won't be detected anymore, NIS 2009 should notice. (Both Low risk and High risk)
I don't know how to make them be detected again now, I suggest if they are exclusion, NIS 2009 should let user change it can be detected or not.(In Setting)
Now the problem can't be solved.
If I infected those threats in the future, and NIS 2009 won't notice me because I had restored them before, it's danger, so I think I must re-install NIS 2009 to make it be detected..

Message Edited by ONE on 09-10-2008 12:01 PM

Re: NIS 2009 build 125 bug? If I restore a threat, NIS 2009 won't detect it again.


ONE wrote:

PieterV wrote:

You mention the beta allowed you to exclude and the release version not:

When you restore items from quarantine, NIS 2009 will only directly allow you to exclude low risk items, not high risk.

For high risk threats you must first create an exclusion, by threat or by file, and then restore from quarantine.

This behavior is the same in the beta and the released version.

We will take your recommendation for the enhanced workflow into account in future versions.

Pieter


But I think if the action "restore" will make the threats won't be detected anymore, NIS 2009 should notice. (Both Low risk and High risk)
I don't know how to make them be detected again now, I suggest if they are exclusion, NIS 2009 should let user change it can be detected or not.(In Setting)
Now the problem can't be solved.
If I infected those threats in the future, and NIS 2009 won't notice me because I had restored them before, it's danger, so I think I must re-install NIS 2009 to make it be detected..

Message Edited by ONE on 09-10-2008 12:01 PM

One correction to what I wrote earlier, any non-viral threat will allow exclusion, not any low-risk threat.

I don't think there is a need to reinstall, unless you see the exclusions in the [settings][exclusions][scan exclusions]/[signature exclusions], NIS would not exclude the threats.

Do you still have the information about the threats in the history view, if you do, what are the threat names that were detected?

Pieter


Re: NIS 2009 build 125 bug? If I restore a threat, NIS 2009 won't detect it again.


PieterV wrote:

ONE wrote:

PieterV wrote:

You mention the beta allowed you to exclude and the release version not:

When you restore items from quarantine, NIS 2009 will only directly allow you to exclude low risk items, not high risk.

For high risk threats you must first create an exclusion, by threat or by file, and then restore from quarantine.

This behavior is the same in the beta and the released version.

We will take your recommendation for the enhanced workflow into account in future versions.

Pieter


But I think if the action "restore" will make the threats won't be detected anymore, NIS 2009 should notice. (Both Low risk and High risk)
I don't know how to make them be detected again now, I suggest if they are exclusion, NIS 2009 should let user change it can be detected or not.(In Setting)
Now the problem can't be solved.
If I infected those threats in the future, and NIS 2009 won't notice me because I had restored them before, it's danger, so I think I must re-install NIS 2009 to make it be detected..

Message Edited by ONE on 09-10-2008 12:01 PM

One correction to what I wrote earlier, any non-viral threat will allow exclusion, not any low-risk threat.

I don't think there is a need to reinstall, unless you see the exclusions in the [settings][exclusions][scan exclusions]/[signature exclusions], NIS would not exclude the threats.

Do you still have the information about the threats in the history view, if you do, what are the threat names that were detected?

Pieter


Both my [scan exclusions]/[signature exclusions] are empty, but my NIS 2009 still can't detect them.
http://my.picpimp.info/viewer.php?file=pdmjv43mlcdramggbl.jpg
http://my.picpimp.info/viewer.php?file=d3b7a8smg8qnpnphz.jpg
So I think I must re-install.. Maybe it's a bug..

I don't know, because my history is big.
But I upload the threats in my previous reply of this thread, you can try to scan them.


Re: NIS 2009 build 125 bug? If I restore a threat, NIS 2009 won't detect it again.

Hi ONE.

We had a look at your files.

With the advanced heuristic level set to off or auto:

Using yesterday's definitions 0/4 files are detected.

Using today's definitions 2/4 files are detected.

With the advanced heuristic level set to aggressive:

Using yesterday's definitions 4/4 files are detected.

Using today's definitions 4/4 files are detected.

The automatic setting allows aggressive mode to kick in when a large number of threats are found relative to the number of clean files on a system. This is not a scenario many people should encounter, but it is possible if there is a downloader Trojan on your computer that has been particularly active or the system has been exposed to many threats for some reason (unpatched PC with no firewall? Risky behavior and minimal protection?). Our goal here was to provide a means of dealing with deep infections that would otherwise strain the effectiveness of conventional methods *without* having the heuristics trigger unnecessarily when other methods will work adequately.

If your heuristic level was set to auto, and during your testing you were actively infecting your machine, or you had a large number of infected files on the system, that would explain what you see.

Pieter


Re: NIS 2009 build 125 bug? If I restore a threat, NIS 2009 won't detect it again.


PieterV wrote:

Hi ONE.

We had a look at your files.

With the advanced heuristic level set to off or auto:

Using yesterday's definitions 0/4 files are detected.

Using today's definitions 2/4 files are detected.

With the advanced heuristic level set to aggressive:

Using yesterday's definitions 4/4 files are detected.

Using today's definitions 4/4 files are detected.

The automatic setting allows aggressive mode to kick in when a large number of threats are found relative to the number of clean files on a system. This is not a scenario many people should encounter, but it is possible if there is a downloader Trojan on your computer that has been particularly active or the system has been exposed to many threats for some reason (unpatched PC with no firewall? Risky behavior and minimal protection?). Our goal here was to provide a means of dealing with deep infections that would otherwise strain the effectiveness of conventional methods *without* having the heuristics trigger unnecessarily when other methods will work adequately.

If your heuristic level was set to auto, and during your testing you were actively infecting your machine, or you had a large number of infected files on the system, that would explain what you see.

Pieter


Thank you, PieterV.
Those threats were detected yesterday, but the threat name are different from previous.
(For example, I think one threat's previous name is Suspicious.AH.XX, now its name is Trojan.Packed.NsAnti)
So I think that's the reason that they can be detected again.

(All the threats were detected. But I only used auto level, not aggressive level.) 

Yes, I set my heuristic level to auto.
I always downloaded a large number of threats to scan, and then submitted the threats that NIS 2009 not found.
(But I didn't try to make them infect my PC.)
So.. That's the reason my NIS 2009 auto level detection as aggressive level detection?

Anyway, I still hope the restore risks exclusions setting can be custom in the future version of NIS 2009.
(I meant, if user want to restore a risk, NIS 2009 ask user the risk will be detected in the future or not.)

Message Edited by ONE on 09-11-2008 09:13 PM
Message Edited by ONE on 09-11-2008 09:15 PM
Message Edited by ONE on 09-11-2008 09:16 PM

Re: NIS 2009 build 125 bug? If I restore a threat, NIS 2009 won't detect it again.


ONE wrote:

Thank you, PieterV.
Those threats were detected yesterday, but the threat name are different from previous.
(For example, I think one threat's previous name is Suspicious.AH.XX, now its name is Trojan.Packed.NsAnti)
So I think that's the reason that they can be detected again.

(All the threats were detected. But I only used auto level, not aggressive level.) 

Yes, I set my heuristic level to auto.
I always downloaded a large number of threats to scan, and then submitted the threats that NIS 2009 not found.
(But I didn't try to make them infect my PC.)
So.. That's the reason my NIS 2009 auto level detection as aggressive level detection?


The Suspicious.AH detection is from aggressive mode.

The Trojan.Packed.NsAnti detection is from a new signature that was added yesterday.

Yes, NIS didn't know you were just testing, it automatically changed the heuristic level because it thought you were being infected.

Pieter

This thread is closed from further comment. Please visit the forum to start a new thread.