Resolved: I remain a NOD32 fan, particularly after the amazing response from Shaun Norris and his team. They have fixed the problem locally, and are making sure the ESET engineers improve their download process in future releases.
Original Post 10/14/11: I have been a NOD32 fan for a long time, but recently I have been questioning my loyalty, particularly in the light of their very dodgy virus definition update policies. It seems they are perfectly happy to allow a PC to run with definition files that are 448 days old. Or 105 days. Or whatever.
What kind of security is that!? Take a look at the screen shot at the top of the page (click on the image) to see how the software is lying to me. I installed the software two weeks ago on this Windows 7 32 bit PC, and at the time the virus definitions were updated backwards from version 6364 (20110809) to 5307 (20100723) and then later to 6516 (20111004). OK, so it had a glitch. It came right. Wrong!
This morning I returned to the machine, after leaving it running by itself for 10 days. The virus definitions are back to 5307. No amount of cajoling can persuade the machine to download the correct version and not mislead me:
Other versions of the software have experienced similar problems. This PC was using version 4.2.71.2 and it had an issue with the definitions, so I removed the software and installed version 50.93,0. The same thing happened on a brand new Windows 7 machine I was setting up from scratch. Other PCs running Windows 98 and version 2.7 are reverting back to July 2011.
So my question is this: how can the software allow the definitions to roll backwards? How can the servers still have definition files that are 448 days old?
Are they insane? They are supposed to be a security company. Yet they issue software with bugs in it, and have a policy that doesn't remove old virus definitions, giving careless users a false sense of security. That's worse than no security at all.
ESET CEO Richard Marko is still blissfully unaware of this problem
Update Mon 17th Oct: I have been assigned a bug report number #TICKET 57298
Update Tues 18th Oct: ESET requested the configuration file and SysInspector log that I sent on Friday 14th. I am starting to get annoyed as well as alarmed. In the meantime the definition files are now over 450 days old! And they want me to run Wireshark to capture all the packets. WTF?!
Update Wed 19 Oct: Posted an update to the Wilders Security Forum.
Update Thu 20 Oct: Definitions are now 454 days old, i.e. 64 weeks. After making enquiries this morning I discover the ESET engineers are waiting for a log that I have already sent them. I sent the following reply:
Yes, I am on M-Web but the problem also occurs when using ISDSL which is what most of the [customer] connections use.
Yes, I sent you the event log. TWICE. Here it is: [I have removed duplicates]
14/10/2011 03:24:54 PM ESET Kernel The program modules have been updated.
14/10/2011 03:24:52 PM Update module Updater: retval = 0x0000, failures: 0 NT AUTHORITY\SYSTEM
14/10/2011 02:59:19 PM Update module Updater: Switch DEVEL modules retval = 0x00005007 [NOT NEED] NT AUTHORITY\SYSTEM
14/10/2011 01:43:30 PM ESET Kernel The program modules have been updated.
14/10/2011 01:43:28 PM Update module Updater: retval = 0x0000, failures: 0 NT AUTHORITY\SYSTEM
14/10/2011 01:43:23 PM Update module Updater: Switch DEVEL modules retval = 0x00005007 [NOT NEED] NT AUTHORITY\SYSTEM
14/10/2011 01:42:56 PM ESET Kernel The program modules have been updated.
14/10/2011 10:56:12 AM ESET Kernel The program modules have been updated.
11/10/2011 06:53:02 PM Update module An error occurred while downloading update files. NT AUTHORITY\SYSTEM
11/10/2011 04:53:00 PM Update module An error occurred while downloading update files. NT AUTHORITY\SYSTEM
05/10/2011 08:51:06 PM Update module An error occurred while downloading update files. NT AUTHORITY\SYSTEM
05/10/2011 03:46:12 PM ESET Kernel Virus signature database successfully updated to version 6519 (20111005).
05/10/2011 11:46:10 AM ESET Kernel Virus signature database successfully updated to version 6518 (20111005).
04/10/2011 09:46:01 PM ESET Kernel Virus signature database successfully updated to version 6517 (20111004).
04/10/2011 06:06:00 PM ESET Kernel Virus signature database successfully updated to version 6516 (20111004).
04/10/2011 06:05:57 PM Update module Updater: retval = 0x0000, failures: 1 NT AUTHORITY\SYSTEM
04/10/2011 04:46:44 PM ESET Kernel The program modules have been updated.
04/10/2011 12:49:52 PM ESET Kernel The program modules have been updated.
This is clearly an ESET issue because it is ESET software doing the download, and ESET software that is lying to me about the result, and ESET software that is allowing its virus definition files to go backwards.
I understand that transparent proxies may be involved, but then please explain why two adjacent computers on the same connection can have different results? One works fine and the other doesn’t update.
I really think that ESET is not taking this matter seriously. If your engineers have any further requests or questions, please ask them to contact me directly.
Update 2: Thu 20 Oct 2011: I got a call from Shaun Norris at ESET South Africa, who assured me that they are not ignoring the problem, and have requested further info from me. This is most reassuring. In the meantime I think I have figured out how things are going wrong: their update mechanism is broken. It is vulnerable to faulty proxy servers (such as those used by M-Web) and doesn't use https. It also has no check to see if the version it is updating is older than the existing version. WTF!?
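As an added illustration (not ESET's code, nor anything from the post), the following Python shows the two checks the update above says are missing: refusing a definition database that is not strictly newer than the installed one, and reporting how old the installed definitions are; it also scans event-log lines like the ones posted earlier for backwards version steps. The "N (YYYYMMDD)" version format and the log timestamp format are assumed from the log lines on the page; the last sample log line is constructed to show a rollback.

```python
# Anti-rollback and staleness checks for a signature-database updater (added example).
import re
from datetime import datetime

VERSION_RE = re.compile(r"(\d+) \((\d{8})\)")  # e.g. "6516 (20111004)", format assumed from the log
LOG_RE = re.compile(r"^(\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2} [AP]M) .*?updated to version (\d+) \((\d{8})\)")

def parse_version(text):
    """Return (number, build_date) from a string such as '6516 (20111004)'."""
    m = VERSION_RE.search(text)
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return int(m.group(1)), datetime.strptime(m.group(2), "%Y%m%d").date()

def check_update(installed, offered):
    """Decide whether an offered definition DB may replace the installed one: only a
    strictly newer number with a consistent build date is accepted, so a stale copy
    served by a misbehaving cache is refused. (This does not detect tampering; that
    needs transport or signature integrity on the download itself.)"""
    inum, idate = parse_version(installed)
    onum, odate = parse_version(offered)
    if onum <= inum:
        return False, f"rollback refused: server offered {onum}, installed is {inum}"
    if odate < idate:
        return False, f"refused: {onum} carries an older build date than {inum}"
    return True, f"updating {inum} -> {onum}"

def definition_age_days(installed, as_of):
    """Age in days of the installed DB as of a 'YYYYMMDD' date; a UI should display this."""
    return (datetime.strptime(as_of, "%Y%m%d").date() - parse_version(installed)[1]).days

def find_rollbacks(log_lines):
    """Order 'successfully updated to version N (...)' events by time and return
    (timestamp, previous, new) for every step where N went backwards."""
    events = sorted((datetime.strptime(m.group(1), "%d/%m/%Y %I:%M:%S %p"), int(m.group(2)))
                    for m in map(LOG_RE.match, log_lines) if m)
    rollbacks, prev = [], None
    for ts, num in events:
        if prev is not None and num < prev:
            rollbacks.append((ts, prev, num))
        prev = num
    return rollbacks

# Constructed sample: two lines copied from the posted event log, then one constructed
# line showing the kind of rollback to 5307 that the post describes.
SAMPLE_LOG = [
    "05/10/2011 03:46:12 PM ESET Kernel Virus signature database successfully updated to version 6519 (20111005).",
    "04/10/2011 06:06:00 PM ESET Kernel Virus signature database successfully updated to version 6516 (20111004).",
    "14/10/2011 11:00:00 AM ESET Kernel Virus signature database successfully updated to version 5307 (20100723).",
]
```

With the installed DB at 5307 (20100723) and the post's date of 14 October 2011, `definition_age_days` returns the 448 days quoted above.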
Update: Fri 21 Oct 2011: Shaun Norris set up an alternate proxy for me to try, and also contacted M-Web to get them not to cache the ESET virus definitions. Last night I tried a new installation, which worked flawlessly. I'm waiting to be able to connect to the "afflicted" PC (the office opens on Monday) to see whether these changes will help.
Update: Monday 24 Oct 2011: The virus definitions have updated to the correct version, and appear to be stable. I have sent the logs through to Shaun Norris. All is well for now, and hopefully the ESET Engineers will fix this bug before it endangers other customers.
Update: Tuesday 5 June 2012: Version 5.2.9.1 was just released. It addresses some of these issues, according to the release notes.