Definitions REVERT to 20100723

I decided to update my working NOD32 version 4.x to the latest version. Big mistake. The file was eavbe_nt32_enu dated 01/09/2011

I uninstalled, and deleted any ESET folders on the hard drive, and any ESET entries in the registry, and rebooted. I also used CCleaner to empty the recycle bin, and remove all browser cache files.

The new install had virus definitions dated 20110112. I changed the program component update to “always”.
When I ran the update they went backwards to 20100723

I cleared the update cache and rebooted.
In spite of the program saying that no update is necessary, I ran the update again. After a download of around 36MB I am told that the last successful update was 2 minutes ago but the version is 5307 (20100723)

Now I am getting hourly notifications to say the program components have updated, but nothing appears to have changed.

Do I try reinstalling again? My licence expires in 2013.

Donn

P.S. How can ESET be so irresponsible as allow the program to download virus definitions that are 436 days old?

 

The symptoms points to malware infection.
I would contact customer care.

 

I sent the configuration export to customer care but they haven't been very helpful so far.

I will take my SysRescue CD to work and see if it comes up with anything. Can anyone suggest a good online malware scanner?

FWIW, The machine was disconnected from the net when I uninstalled the old NOD32 ver 4.x software, and at that stage the virus definitions were current. The chances of malware infection are very small: the machine does not download email and is used to surf only a handful of reputable sites.

 

more troubleshooting while you wait for CC
http://kb.eset.com/esetkb/index?page=content&id=SOLN2206

 

I'd suggest:
1, running the ESET uninstall tool in safe mode
2, installing the latest version 5.0.93

 

Today I installed a brand new Windows 7 Professional SR1 x86 machine, using the MSDN .iso file and a Technet licence key, which activated correctly. I also installed Microsoft Visual Studio 2010, SQL Server 2008 R2 Express, and a ton of updates from Windows update.

All of the installed software was pre-scanned by ESS 5.0.93.0 with today's virus definitions before being installed. So I am confident there is no malware on the machine. Then, as per instructions from the South African ESET support, I downloaded

ESET NOD32 Antivirus Business Edition (32bit):
http://download.eset.com/download/win/eavbe/eavbe_nt32_enu.msi

On installation it correctly displayed the expiry date of 2013/01/30 and virus definitions of 20110112. It is version 4.2.71.2 as expected. All well and good ...

When the update completed, the software has now reverted to the 20100723 date, as described in my original post. This was on a different machine, also 32bit Windows 7 Professional.

I have uninstalled the NOD32 Business Edition (there is no released version 5 on the www.nod32.co.za web site) and "upgraded" the antivirus protection to Microsoft Security Essentials until I can get an explanation of this problem. Fortunately the machine in question won't have internet access for several weeks.

It is all very well suggesting that I use version 5 Home Edition, but this is causing havoc at work because all the dialogues are new and we keep getting support calls complaining about weird new behaviour. I am also reluctant to deploy it given the fact that my personal license for ESS on my laptop is blocking tracert.

I would also like someone at ESET to please explain how they can possibly permit anyone to download virus definitions that are over 400 days old with a clear conscience. This is highly irresponsible, and I sincerely hope it was a mistake and will be fixed.

 

It is not that old sigatures were downloaded but for some reason incremental updates are not installed. Since you are the only one having experienced this issue, it may take more iterations and efforts from customer care to figure out what's going on. I'd start off with supplying customer care with: 1, SysInspector log, 2. Procmon log from the moment of update, 3. your EAV settings.

 

Er, no. Actually the old signatures were downloaded, or the software is lying about the version number. See attached screen shot. It clearly shows version 5307 (20100723) whereas today's version is 6515, i.e. 1208 versions later.

 

I uninstalled version 4, and used the live installer to install version 5 after a reboot and removing all 3 "ESET keys from the registry and checking for any folders called "ESET" on the hard drive.

The live install's virus definitions were version 6364 (20110809) but have now changed to ...



This is confirmed by



The file em002_32.dat is only 24,250,088 bytes, but should be 32,894,708 bytes, judging by the files on my laptop which is using ESS 5.

I even changed the user name and password to my ESS5 license number, with no difference.

Now what?

 

After I ran SysInspector and exported the NOD32 settings to an XML file, the software managed to update itself correctly.



I guess the problem has gone away for now.

 

I spoke too soon: I came back to the machine after 10 days:



This is getting ridiculous. ESET South Africa finally gave me a bug report ticket number 57298 and asked me to resubmit the SysInspector and config files I had *already* submitted. They assure me that they have passed on all the details I sent them, but I'm sceptical.

I have now written a blog article about the problem, and it seems that I'm not the only one experiencing this.

Why does ESET allow its software to lie to the user? Why does it keep virus definitions available that are over 450 days old? This is insane.

 

Definitions are now 64 weeks old. Fantastic!

Why do the servers dish out rubbish like this? Is ESET really trying to sabotage their own users? It boggles the mind!

 

All update servers actually have always served current updates. Please create a package containing the following stuff for perusal, upload it somewhere and PM me the download link:
- em002_32.dat from the ESET install folder
- the content of the %ALLUSERSPROFILE%\Application Data\ESET\%ProductName%\Updfiles folder
- Wireshark log with http communication captured from the moment of a problematic update (the capturing should be started before running a manual update and stopped after the notification about successful update)
- Process Monitor log from the moment of a problematic update
- SysInspector log + EAV/ESS configuration might be of help as well

 

If that is the case then why does the software accept older definition files and install them? Why does it lie about the result?

Granted, there may be a problem with a faulty transparent proxy at the ISP, but surely the update mechanism was designed to deal with this? Apparently not.

Why does the update mechanism allow the definitions to go from 20111005 to 20100723 ?

 

Unfortunately, without getting the additional stuff for perusal it's impossible to determine the cause of the problem. I assume that the information about available updates was retrieved fine from the update servers but something went haywire during the download and subsequent compilation of the update files. Does the problem occur only on one computer or on others with a different oper. system as well?

 

Unfortunately I have sent all the info that I have, and the machine is unavailable until Monday. But this is what I have figured out about the update mechanism: it's broken.

a) It doesn't use HTTPS, only HTTP. That makes it vulnerable to any bad proxy, not to mention any man-in-the-middle attacks. Surely if there are problems downloading it should try HTTPS?

b) It doesn't check the version downloaded. If the version downloaded is *older* than the version already installed, it allows the older version to be installed.

c) I'm not sure about this, but it would appear that the file names to be retrieved do not change. In other words, when it wants the current version information, it asks for "update.ver" and not "updateYYYDDMM.ver", so any old proxied/cached version will do. That's how it gets a 64-week old version without any alarms going off.

BTW, The 64-week old version is right there in the updt.ver file, downloaded from 89.202.157.227, 62.67.184.68, um12.eset.com and um18.eset.com:

Fortunately my em002_32.dat file is 33212031 bytes but on the "afflicted" pc it is the version listed above (24250482 bytes = 23682kb), as shown here:



So much for keeping the product up to date! ESET is supposed to make security software, not bug-prone crapware!

 

Usually the Compilation of a single .DAT file will require 1-3 .NUP files (ENGINE0, ENGINE1, ENGINE2).

 

How about 24250482 + 0 + 0 ? Just an idea

The downloads kept bombing out, or were interfered with by a faulty proxy server, according to ESET South Africa.