This is a great example of how ineffective the current AV products are against day zero attacks! They simply can’t catch what they don’t know and they don’t know a lot!!!
In that Virustotal’s scan you linked to, every one of the AV tools you mention in your post, and quite a few more, correctly recognize the malware. My guess is that the problem is somewhere between outdated signature bases and not-too-PC-literate users. Lucky you to recognize suspicious behaviour (btw why in that Comodo’s screenshot the file is declared ‘safe’?)
Part of my work is related with Virus, I have my own computer shop and a workshop where I fix the computer problems……
Most of this problems are related with virus and spyware, in the last 7 years I don’t know how many of them I’ve killed : ) In all this time I don’t know how many A/V Solutions I’ve test…. Toooons of them, be sure….
Panda, Norton, Mcafee, Kaspersky, Nod, blablablabla, and my final conclusion is that to be the best is not only to have the best definition files in the world or to have an impressive heuristic algorithm or the most impressive GUI, not, the best is simply protect the system which seems Comodo is doing : )
In the case I mentioned before, yes 3 of the 4 computers were from my customers, but McAfee Asap in my computer and it was up to date and any of them said nothing. When comodo said me something about a file in my pendrive I didn’t care if the file was or not safe, I know my pendrive and what it must do when I plug it in a computer with this little advisory Comodo saved my laptop and also me to be spied by someone in the world, while Asap, Nod, and Kaspersky didn’t.
PD; The worm is not new, it appeared in summer 2007 (more or less) and yes the website results shows us that the A/V catch this worm, but locally they didn’t.
The link in that noslan’s blog post leads to virustotal’s results at the time of submitting the sample. I’m pretty sure virustotal doesn’t store files for constant re-checking after virus databases update. I also understand that noslan checked the sample immediately after catching it with CFP’s help, which was only a couple days ago at any rate (those results say file received Feb 19th now that I checked that). This was the reasoning behind my saying that at the 4 customer PCs, the AV solutions installed weren’t used to their full potential. Also, the story is from this month, and the worm dates back over half a year…
Noslan, I can’t agree more that an AV solution alone is insufficient protection these days. It’s encouraging to know that one can use CFP to avoid a worm in the system. However, the way you succesfully used CFP required a certain level of knowledge on your part, which a lot of people out there still lack. Calling malware ‘safe executable’ can only confuse people, and frankly that screenshot belongs with the bug reporting forum.
Now for McAfee on YOUR system saying nothing, I’d want to recheck my AV settings if I had such a case Is real-time scanning running, when are files scanned (access, execution,…), are there any exceptions. A big Q is whether on-demand scanner picks that knight.exe up. If all is well, it’s probably down to WinAPI level, where I’d guess CFP was just the first along the chain to catch that execution attempt (btw did you have CFP popup saying some process wanted to execute knight.exe in the first place, as in your screenshot it appears already running?).
EDIT: already running, huh? what was that mcafeeasap thinking indeed?..
McAfee Asap is my workshop laptop not in my personal laptop, Asap works as resident, doesn’t have so many options it means that it works as real time scanning not on demmand (it can scan also on demand but it’s config is in real time).
My pendrive was configurated with an autorun.inf exacuting an exe file (my knowledge about it was the name of this exe file) the autorun.inf was read protected and knight.exe deleted it and put it’s own and also copied itself from the infected computer to my pendrive all this wit one of the mentioned A/V solutions installed (i don’t know wich cos now all of them are infected (and cleaned))
The “safe” and “already running” messages appear cos the screen capture was taken the second time I plugged the pendrive, in the first momment I didn’t thin to blog it :P.
So again, I really don’t wanna enter in a deep technic discussion let’s say that I want somethink that, at least, advises me when something happends and, for now only Comodo did it and stills doing (R)
Whatabout BitDefender 2008 ,it has the best proactive defence in the antivirus world.Have you tryed BD 2008 also?im very curious.
Have you tried also Trend Micro?
As for NOD 32 is just a joke.
Few days ago KAV 7 was eaten by a trojan.