False positive from scan.dat


beenthereb4
March 8th, 2006, 06:12 PM
What a headache, Nod32 gives a false positive on scan.dat, which is a McAfee definitions file!! I submitted this, but it's not fixed.

flyrfan111
March 8th, 2006, 06:41 PM
Most likely it is not NOD's fault. It is most likely McAfee's fault for not encrypting something and NOD is picking it up. This used to be quite common, as most other AV makers detected Panda's definitions because Panda didn't use encryption. AVs would pick up on the definition because it would contain the same code strings as the trojan or virus in order to detect it.
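
The mechanism flyrfan111 describes, as an added toy model in Python (not code from the thread or from any AV vendor): a scanner whose definitions are stored in the clear will flag its own, or another product's, definitions file because the raw signature bytes sit in that file, while obfuscated storage does not. Signatures, XOR key and record format are all constructed for the example.

```python
"""Toy model of the mechanism described above: a definitions file that
stores signatures in the clear contains the very byte strings another
scanner hunts for. Constructed example; patterns and key are made up."""

# Constructed signatures: (detection name, byte pattern the scanner matches)
SIGNATURES = [
    ("Test/SampleA", b"\x90\x90\xeb\x05\xe8\x00\x00\x00\x00\x5d"),
    ("Test/SampleB", b"DELETE_ALL_FILES_NOW"),
]
STORE_KEY = b"\x5a\xa5\x3c"  # constructed key for obfuscating stored patterns

def xor_bytes(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR; applying it twice restores the input."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))

def build_definitions(signatures, encrypt: bool) -> bytes:
    """Serialise as name + NUL + 2-byte length + body. encrypt=False writes
    the raw pattern verbatim; encrypt=True writes only the XORed form."""
    blob = bytearray(b"DEFS1")
    for name, pattern in signatures:
        body = xor_bytes(pattern, STORE_KEY) if encrypt else pattern
        blob += name.encode() + b"\x00" + len(body).to_bytes(2, "big") + body
    return bytes(blob)

def load_definitions(blob: bytes, encrypt: bool) -> list:
    """Parse a build_definitions() blob back into (name, pattern) tuples."""
    if blob[:5] != b"DEFS1":
        raise ValueError("bad definitions header")
    pos, out = 5, []
    while pos < len(blob):
        end = blob.index(b"\x00", pos)           # names never contain NUL
        length = int.from_bytes(blob[end + 1:end + 3], "big")
        body = blob[end + 3:end + 3 + length]
        out.append((blob[pos:end].decode(), xor_bytes(body, STORE_KEY) if encrypt else body))
        pos = end + 3 + length
    return out

def scan(data: bytes, signatures) -> list:
    """Naive string scanner: report every signature whose pattern occurs."""
    return [name for name, pattern in signatures if pattern in data]

def self_detection(encrypt: bool) -> list:
    """Scan one vendor's definitions file with another scanner's signatures.
    Plaintext storage gets flagged (false positive); obfuscated stays clean."""
    return scan(build_definitions(SIGNATURES, encrypt), SIGNATURES)

if __name__ == "__main__":
    print("plaintext defs:", self_detection(False))  # ['Test/SampleA', 'Test/SampleB']
    print("encrypted defs:", self_detection(True))   # []
    print("round trip ok :", load_definitions(build_definitions(SIGNATURES, True), True) == SIGNATURES)
```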

beenthereb4
March 8th, 2006, 07:26 PM
{QUOTE-> Most likely it is not NOD's fault. It is most likely McAfee's fault for not encrypting something and NOD is picking it up. This used to be quite common, as most other AV makers detected Panda's definitions because Panda didn't use encryption. AVs would pick up on the definition because it would contain the same code strings as the trojan or virus in order to detect it. <-QUOTE}

I thought that might be the case too, but numerous other Antivirus programs do not produce the false positive. This points to NOD as the culprit.

ronjor
March 8th, 2006, 07:41 PM
To be fair, Nod does state during the installation procedure that no other antivirus programs be present on the hard drive. Unpredictable behavior can result under these circumstances.
Most antivirus programs stipulate this request as well.

beenthereb4
March 8th, 2006, 08:43 PM
{QUOTE-> To be fair, Nod does state during the installation procedure that no other antivirus programs be present on the hard drive. Unpredictable behavior can result under these circumstances.
Most antivirus programs stipulate this request as well. <-QUOTE}


From the manual:
{QUOTE-> You must only install ONE anti-virus On-Access scanner at one time (a scanner that is always running while your PC is switched on); otherwise you could cause serious system instability. If you are installing NOD32 with another anti-virus program, please make sure you do not enable both On-Access scanners at once. <-QUOTE}

Note the difference.

ronjor
March 8th, 2006, 08:48 PM
Difference noted.

This statement still stands. "Unpredictable behavior can result under these circumstances."

shanijee
March 8th, 2006, 09:06 PM
It reminds me of those days when I installed Panda Antivirus and then uninstalled Avast on another OS; then, when I scanned the PC from Avast, it detected pav.sig (the Panda definition file) as a virus.
See this page:
http://www.avast.com/eng/faq_panda.html

flyrfan111
March 8th, 2006, 09:35 PM
{QUOTE-> I thought that might be the case too, but numerous other Antivirus programs do not produce the false positive. This points to NOD as the culprit. <-QUOTE}

So much for my idea then. How big is the dat file? You could submit it and Eset can take a look and see what NOD is hitting on. Anyone else using NOD and McAfee with the same problem?

Marcos
March 9th, 2006, 04:15 AM
Did you send it to samples[at]eset.com so that I can have a look at it? Also be sure that you have the most current version 1.1435 installed.

beenthereb4
March 9th, 2006, 08:40 AM
{QUOTE-> Did you send it to samples[at]eset.com so that I can have a look at it? Also be sure that you have the most current version 1.1435 installed. <-QUOTE}

Nod32 rules! It's fixed with version 1.1435 (but was still there in version 1.1434).

Thanks!!

pykko
March 9th, 2006, 09:21 AM
ESET is always fast in fixing FP. That's a good point. :)

beenthereb4
March 12th, 2006, 10:57 AM
Uh oh, today's new scan.dat triggers Nod32 again. I sent a sample to samples@eset.com. Hope it makes it, it's 7 megs.

fosius
March 12th, 2006, 11:30 AM
Scan.dat was probably updated; that's why it was detected again. You should add scan.dat to AMON's exclusion list.

beenthereb4
March 12th, 2006, 11:38 AM
{QUOTE-> Scan.dat was probably updated; that's why it was detected again. You should add scan.dat to AMON's exclusion list. <-QUOTE}

Yeah, you'd think that would do it, but the exclusion list only works for one copy of the file that stays in a given folder. I need to be able to copy, move and update scan.dat. I frequently update and rebuild copies of BartPE which contain multiple antivirus scanners.

beenthereb4
March 13th, 2006, 08:45 AM
Latest definitions fix it again, let's hope they have a long-term solution!

beenthereb4
March 14th, 2006, 02:33 PM
Another update ---- and another false positive!

shanijee
March 14th, 2006, 07:26 PM
NOD32 is great because it is detecting McAfee's false positive in scan.dat.
See this:
http://www.nod32usa.com/nod32-and-virus-news/archives/402-McAfee-bad-pattern-update-causes-file-deletion-problems.html
http://www.nod32usa.com/nod32-and-virus-news/archives/406-McAfee-antivirus-update-wreaks-havoc.html

pykko
March 15th, 2006, 04:33 AM
{QUOTE-> Another update ---- and another false positive! <-QUOTE}

What FP?

beenthereb4
March 15th, 2006, 01:51 PM
{QUOTE-> What FP? <-QUOTE}

Hint: What is the topic title of this thread?

flyrfan111
March 15th, 2006, 05:58 PM
For those making fun of NOD for detecting McAfee's DAT files: it seems McAfee produced a DAT file that was falsely detecting malware and deleting files, which sounds a lot like something a virus would do. Here is the story reported by the Internet Storm Center. So much for Quality Control.

Handler's Diary March 11th 2006 (http://isc.sans.org/diary.php?date=2006-03-11)
McAfee/NAI rolls bad pattern (http://isc.sans.org/diary.php?storyid=1179)
Published: 2006-03-11, Last Updated: 2006-03-11 01:29:45 UTC by Daniel Wesemann (Version: 1)

NAI/McAfee today released pattern version 4716 only hours after 4715 had come out. Pattern 4715 triggered false positive virus alerts for "W95/CTX" on a number of files that are part of quite prominent third party products. Good for you if you have your AV configured to "quarantine" bad files and not to delete them outright; this makes restoring the chewed up files after a false positive considerably faster. Nevertheless, things like this can get messy pretty quickly if the AV scanner starts to quarantine vital components of your environment.

If you weren't affected and/or are using a different AV product, it might still be worthwhile to spend a couple of minutes on the following questions:

How would you detect such a "bad pattern" in your environment, and, more importantly, how would you distinguish between "false positive" and "virus outbreak"?
Would you have the capability to roll back to the last "known good" pattern if help from the vendor were not forthcoming? Where exactly do these patterns come from? Is the previous pattern version available there as well?
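
The diary's first question, worked as an added example in Python (not code from the thread or from ISC): constructed AV event lines are grouped per detection name and scored on burst timing, host spread and where the flagged files live, to separate a likely bad pattern from a possible outbreak. The log format, the directory list and the thresholds are assumptions for the example, not vendor guidance.

```python
"""Triage helper for the questions the diary raises: is a sudden wave of
detections a bad pattern or an outbreak? Constructed example; the log lines
are made up and the thresholds are assumptions, not vendor guidance."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed AV events: timestamp host pattern-version detection path
EVENTS = """\
2006-03-10T18:02:11 ws01 4715 W95/CTX C:\\Program Files\\VendorX\\app.exe
2006-03-10T18:02:40 ws02 4715 W95/CTX C:\\Program Files\\VendorX\\app.exe
2006-03-10T18:03:05 ws03 4715 W95/CTX C:\\Program Files\\VendorY\\svc.dll
2006-03-10T18:03:09 ws04 4715 W95/CTX C:\\Program Files\\VendorX\\app.exe
2006-03-10T09:10:00 ws02 4715 Test/Worm C:\\Users\\bob\\AppData\\Local\\Temp\\x1.exe
2006-03-10T11:48:00 ws05 4715 Test/Worm C:\\Users\\ann\\AppData\\Local\\Temp\\q7.exe
2006-03-10T15:30:00 ws07 4715 Test/Worm C:\\Windows\\Temp\\zz.exe
"""
# Locations where legitimately installed software lives (assumption)
INSTALLED_DIRS = ("c:\\program files", "c:\\windows\\system32")

def parse_events(text: str) -> list:
    """Split each line into (time, host, pattern version, detection, path)."""
    rows = []
    for line in text.splitlines():
        ts, host, ver, name, path = line.split(" ", 4)
        rows.append((datetime.fromisoformat(ts), host, ver, name, path))
    return rows

def triage(events, burst=timedelta(minutes=10), installed_share=0.8) -> dict:
    """Return {detection name: verdict}. Many hosts flagging installed
    software within one short burst points at a bad pattern; a spread over
    hours through temp and user directories looks like an outbreak."""
    by_name = defaultdict(list)
    for ev in events:
        by_name[ev[3]].append(ev)
    verdicts = {}
    for name, evs in by_name.items():
        times = [e[0] for e in evs]
        installed = sum(e[4].lower().startswith(INSTALLED_DIRS) for e in evs) / len(evs)
        hosts = {e[1] for e in evs}
        if max(times) - min(times) <= burst and installed >= installed_share and len(hosts) > 1:
            verdicts[name] = "suspect bad pattern"   # verify with vendor, consider rollback
        else:
            verdicts[name] = "possible outbreak"
    return verdicts

if __name__ == "__main__":
    for name, verdict in triage(parse_events(EVENTS)).items():
        print(f"{name:10s} -> {verdict}")
```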

Marcos
March 16th, 2006, 12:59 AM
The thing is that McAfee doesn't encrypt some stuff in their virus definitions which is ridiculous. No wonder that heuristics picks it up then.

beenthereb4
March 16th, 2006, 07:42 AM
{QUOTE-> The thing is that McAfee doesn't encrypt some stuff in their virus definitions which is ridiculous. No wonder that heuristics picks it up then. <-QUOTE}

OK, would it be reasonably safe for me to exclude the .dat extension from scans?