Nod32 and TightVNC
peterjames
April 26th, 2006, 12:52 PM
I have noticed that in the latest def. updates TightVNC is classified as a virus? This isn't great news for us; we have 1000s of computers running TightVNC, and this means we will not be able to connect to any of our remote clients?
Why??
And for the buffs... IPsec tunnelling always comes first.
Bandicoot
April 26th, 2006, 01:13 PM
Hello,
You should find the issue fixed with update version 1.1508.
Bandicoot.
Marcos
April 26th, 2006, 01:16 PM
It's not a false positive. It was classified as a potentially dangerous application as it poses a potential security risk. PDA is disabled in all modules by default and you must have enabled it manually at your risk. We cannot guarantee that it will remain undetected forever.
WARNING:
Enabling PDA in a network environment will always lead to detection of remote administration tools.
peterjames
April 26th, 2006, 01:36 PM
What exact Potentially Dangerous Application tick box should I untick to make sure TightVNC doesn't get deleted in the future?
Marcos
April 26th, 2006, 01:56 PM
If you are using tools for remote administration (such as VNC), you must leave PDA disabled, otherwise NOD32 will detect and remove them.
The PDA group covers remote administration tools and other commercial software that is potentially dangerous (e.g. parental control tools, commercial keyloggers, etc.).
NOD32 user
April 27th, 2006, 01:52 AM
> What exact Potentially Dangerous Application tick box should I untick to make sure TightVNC doesn't get deleted in the future?

All of them - there's one in each module and also in the on-demand scanner. HTH
Cheers :)
anotherjack
April 27th, 2006, 12:53 PM
> If you are using tools for remote administration (such as VNC), you must leave PDA disabled, otherwise NOD32 will detect and remove them.
> The PDA group covers remote administration tools and other commercial software that is potentially dangerous (e.g. parental control tools, commercial keyloggers, etc.).

I would still like some sort of process to "certify" a set of files or an application as "I know it's there - it's supposed to be, but kill any other PDAs you find." We also use a Remote Administration tool here, and I can't run an On Demand Scan to remove certain malware because the PDA flag will remove the software that we want on there, along with the malware I was originally targeting.
Could Eset PLEASE give that some serious thought? Some sort of "vault" that we can use to protect stuff that network admins NEED on the client PCs, while still allowing a highly aggressive scan on the clients? Maybe under a "So advanced, you'll get in trouble" button? :D
Jack
peterjames
April 28th, 2006, 04:17 AM
The problem with a vault is that it leaves you open to exploits...
I've seen other AV products fail because of this.
Still, if it can be done... it would be great.
anotherjack
April 28th, 2006, 09:18 AM
> The problem with a vault is that it leaves you open to exploits...
> I've seen other AV products fail because of this.
> Still, if it can be done... it would be great.

MD5 or otherwise "fingerprint" any files that are in there and watch 'em really closely. Needless to say, the admin would have to be careful as to determining the files that would go in the "vault" for performance reasons. The ability of NOD to do a Remote Scan is severely limited at this point, since there are some other malware applications that fall under the classification of PDA, and won't be removed unless the flag is set (which removes our preferred app).
Jack
Think-eDesign
May 2nd, 2006, 05:03 PM
> I would still like some sort of process to "certify" a set of files or an application as "I know it's there - it's supposed to be, but kill any other PDAs you find."
> Could Eset PLEASE give that some serious thought? Some sort of "vault" that we can use to protect stuff that network admins NEED on the client PCs, while still allowing a highly aggressive scan on the clients? Maybe under a "So advanced, you'll get in trouble" button? :D
> Jack

Yes that is an excellent idea & one that I have hoped to have had for a while now.
Another program that NOD32 returns a "false positive" on (if you have "Potentially Dangerous Application" selected) is "Magic Jellybean Keyfinder".
Marcos
May 3rd, 2006, 01:00 AM
> Another program that NOD32 returns a "false positive" on (if you have "Potentially Dangerous Application" selected) is "Magic Jellybean Keyfinder".

It's not actually a false positive. A quote from their website:

> The Magical Jelly Bean Keyfinder is a freeware utility that retrieves your Product Key (cd key) used to install windows from your registry.

I for one do not think this is something administrators would like to have in their network.
beenthereb4
May 3rd, 2006, 09:47 AM
> I would still like some sort of process to "certify" a set of files or an application as "I know it's there - it's supposed to be, but kill any other PDAs you find." We also use a Remote Administration tool here, and I can't run an On Demand Scan to remove certain malware because the PDA flag will remove the software that we want on there, along with the malware I was originally targeting.
> Could Eset PLEASE give that some serious thought? Some sort of "vault" that we can use to protect stuff that network admins NEED on the client PCs, while still allowing a highly aggressive scan on the clients? Maybe under a "So advanced, you'll get in trouble" button? :D
> Jack

I'll have to agree with this; this would be the ideal way to handle it.
winmail
May 3rd, 2006, 09:56 AM
Marking VNC as a threat is not wise. If you find winvnc.exe modified from its original size, then sure, mark it, but it is a commercial application that is used to manage workstations in major companies all across the globe.
Without question, the default action should be to warn only and not do anything else.
If you start marking useful programs like VNC as malware and break their functionality, people will stop using your product.
NOD32 user
May 3rd, 2006, 10:44 AM
> Marking VNC as a threat is not wise. If you find winvnc.exe modified from its original size, then sure, mark it, but it is a commercial application that is used to manage workstations in major companies all across the globe.
> Without question, the default action should be to warn only and not do anything else.
> If you start marking useful programs like VNC as malware and break their functionality, people will stop using your product.

It's not marked as malware - it's detected as a potentially dangerous application, for which detection is disabled by default... what's the big deal here?
anotherjack
May 3rd, 2006, 12:56 PM
> It's not marked as malware - it's detected as a potentially dangerous application, for which detection is disabled by default... what's the big deal here?

The big deal is that if you run NOD in an enterprise environment and use the On Demand Scan feature of RA, there's no way to kill off all of the undesirable PDAs that may exist on a machine without the potential of also killing off software that is relied on for day-to-day support or maintenance of the PC. Remote control software (VNC, etc.), for instance. Without this ability, I only have two choices - leave the malware there so I have my remote control software, or kill both the malware and my RC software on the machine, then wait until the user reinstalls the RC software so I can work on his/her machine the next time they have a problem.
Jack
NOD32 user
May 3rd, 2006, 01:40 PM
The things you have mentioned are indeed two options and whilst it is possible that in your situation they are the only two available to you, I can easily think of several other simple solutions so that you could have your cake and eat it too :thumb:
Cheers :)
winmail
May 3rd, 2006, 04:03 PM
Don't forget the third option of switching to another product that isn't broken in this way, such as Symantec or McAfee 8)
winmail
May 3rd, 2006, 04:11 PM
> It's not marked as malware - it's detected as a potentially dangerous application, for which detection is disabled by default... what's the big deal here?

That's like saying "I'm not calling you a criminal, I'm just locking you up". Who cares what NOD32 is calling it - it's the fact that NOD32 chooses to destroy the functionality of credible and universally accepted network administration software that is the big deal here.
I downloaded a trial, but now that I see what damage it will do to our networks, I'm sorry to say that we're going with someone else. If they introduce functionality that excludes programs that we use here, I'll give it another look.
:thumbd:
Marcos
May 4th, 2006, 04:25 AM
I don't understand what the fuss is all about. The point is:
1. Potentially dangerous applications (PDA) cover mainly commercial software for remote administration.
2. PDA are disabled in all modules by default just for the reason mentioned above (unfortunately, not in the In-depth analysis profile, but this will change shortly). If you want to detect PDA, you must enable them INTENTIONALLY.
3. Many other AV products detect VNC and other admin tools as potentially dangerous applications.
WolfeTone
May 4th, 2006, 05:19 AM
Have you tried installing UltraVNC, which is similar to tightvnc but not detected as often as a PDA?
windstrings
May 5th, 2006, 01:35 AM
> Marking VNC as a threat is not wise. If you find winvnc.exe modified from its original size, then sure, mark it, but it is a commercial application that is used to manage workstations in major companies all across the globe.
> Without question, the default action should be to warn only and not do anything else.
> If you start marking useful programs like VNC as malware and break their functionality, people will stop using your product.

I agree.... The main problem is that it gives the impression it's a virus, rather than educating the user that "it's a potentially dangerous program" and asking whether it should be removed or not.
I have already had people think it was a virus, as they trust NOD without question..... Many people are not savvy enough to know and understand what the administrator has on the computer they use, nor is it necessarily their business.
Marcos
May 5th, 2006, 01:57 AM
If it were a real threat (a virus, trojan, worm, etc.), NOD32 would not call it an application in the alert window.
anotherjack
May 8th, 2006, 01:32 PM
> I don't understand what the fuss is all about. The point is:
> 1. Potentially dangerous applications (PDA) cover mainly commercial software for remote administration.
> 2. PDA are disabled in all modules by default just for the reason mentioned above (unfortunately, not in the In-depth analysis profile, but this will change shortly). If you want to detect PDA, you must enable them INTENTIONALLY.
> 3. Many other AV products detect VNC and other admin tools as potentially dangerous applications.

OK, I had to wait a bit before I got an example of what I've been trying to get across. Here's the log from my RA Console of a scan I did with PDA turned off (so it wouldn't delete my RC software). I've removed entries that don't matter:
Log Details
Scanning Log
NOD32 version 1.1523 (20060505) NT
Operating memory - is OK
Date: 8.5.2006 Time: 08:36:48
Scanned disks, folders and files: C:
C:
C:\pagefile.sys - error opening (File locked)
C:\web.exe - Win32/TrojanClicker.Small.HN trojan
C:\web.exe »NSIS »Updater.exe - Win32/TrojanClicker.Small.HN trojan
C:\web.exe »NSIS »rld.exe - Win32/TrojanClicker.Small.HN trojan
C:\Documents and Settings\xxxxx\Local Settings\Temporary Internet Files\Content.IE5\KT2JG567\minibuginstaller[1].exe - is OK
C:\Documents and Settings\xxxxx\Local Settings\Temporary Internet Files\Content.IE5\KT2JG567\minibuginstaller[1].exe »WISE »file_00000000.bin - archive damaged - the file could not be extracted.
C:\Documents and Settings\xxxxx\Local Settings\Temporary Internet Files\Content.IE5\CD6Z0P2R\spamblockerutility[1].cab - a variant of Win32/Adware.HotBar application - quarantined - deleted
C:\Documents and Settings\xxxxx\Local Settings\Temporary Internet Files\Content.IE5\CD6Z0P2R\spamblockerutility[1].cab »CAB »hbinstie.dll - a variant of Win32/Adware.HotBar application
.
.
.
C:\Documents and Settings\xxxxx\Local Settings\Temporary Internet Files\Content.IE5\7GDM1N9Z\init[1].js - JS/TrojanDownloader.IstBar.AF trojan - unable to clean - quarantined - deleted
.
.
.
C:\Program Files\RAdmin\AdmDll.dll - Win32/RemoteAdmin application
C:\Program Files\RAdmin\raddrv.dll - Win32/RemoteAdmin application
C:\Program Files\RAdmin\Radmin.exe - Win32/RemoteAdmin application
C:\Program Files\RAdmin\R_server.exe - Win32/RemoteAdmin application
.
.
.
C:\Documents and Settings\xxxxx\ntuser.dat - error opening (File locked)
C:\Documents and Settings\xxxxx\NTUSER.DAT.LOG - error opening (File locked)
C:\Documents and Settings\xxxxx\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat - error opening (File locked)
C:\Documents and Settings\xxxxx\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG - error opening (File locked)
.
.
.
C:\WINNT\system32\admdll.dll - Win32/RemoteAdmin application
C:\WINNT\system32\raddrv.dll - Win32/RemoteAdmin application
C:\WINNT\system32\r_server.exe - Win32/RemoteAdmin application
.
.
.
C:\WINNT\system32\config\default - error opening (File locked)
C:\WINNT\system32\config\default.LOG - error opening (File locked)
C:\WINNT\system32\config\SAM - error opening (File locked)
C:\WINNT\system32\config\SAM.LOG - error opening (File locked)
C:\WINNT\system32\config\SECURITY - error opening (File locked)
C:\WINNT\system32\config\SECURITY.LOG - error opening (File locked)
C:\WINNT\system32\config\software - error opening (File locked)
C:\WINNT\system32\config\software.LOG - error opening (File locked)
C:\WINNT\system32\config\system - error opening (File locked)
C:\WINNT\system32\config\SYSTEM.ALT - error opening (File locked)
Number of scanned files: 192891
Number of threats found: 4
Number of files cleaned: 2
Number of active threats: 1
Time of completion: 09:17:46 Total scanning time: 2458 sec (00:40:58)
Notes:
[4] File cannot be opened. It may be in use by another application or operating system.
From what I can see, if I decide to enable PDA intentionally for a scan, then I will get rid of ALL of the RED entries, including both the undesirable PDAs, as well as my PC software (RAdmin). I KNOW that RAdmin's on there, I PUT it there. I want to get rid of the Win32/TrojanClicker.Small.HN trojan and Win32/Adware.HotBar application files, but cannot via the On Demand Scan feature of RA, since that would require me to turn on PDA, etc., etc., and around we go again...
That's why I want some sort of a vault / checksum / "trusted PDA" function available, so I can hammer everything that's NOT approved.
Jack
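As an added example (not from this thread, and not ESET's or RAdmin's code), here is how the "vault / checksum / trusted PDA" idea above could work: the admin enrols the files they deliberately installed by content hash, and a scan log is then split into detections the vault approves and detections that still need action. The log-line format, the RAdmin paths and the "Win32/RemoteAdmin application" verdict are taken from the log posted above; the file contents, the hash choice (SHA-256) and the replaced system32 copy are constructed for the demonstration.

```python
import hashlib
import re
from dataclasses import dataclass
# One NOD32 scan-log detection reads "<path> - <verdict>[ - <action> ...]"; status
# lines ("- is OK", "- error opening (File locked)") have no verdict class and are skipped.
DETECTION_RE = re.compile(
    r"^(?P<path>.+?) - (?P<verdict>.+? (?:application|trojan|worm|virus))(?: - .*)?$")

@dataclass
class Finding:
    path: str       # container file; archive members ("web.exe »NSIS »rld.exe") map to it
    verdict: str
    approved: bool

def fingerprint(data: bytes) -> str:
    """Content hash kept in the vault; a path alone never approves a file."""
    return hashlib.sha256(data).hexdigest()

def triage(log_text, vault, read_file):
    """Split detections into vault-approved ones and ones that still need action.
    vault: lower-cased path -> enrolled hash; read_file(path): current bytes or None.
    Approval needs the path enrolled AND a matching hash, so a replaced binary fails."""
    approved, act_on = [], []
    for line in log_text.splitlines():
        m = DETECTION_RE.match(line.strip())
        if not m:
            continue
        container = m["path"].split(" »")[0]
        data = read_file(container)
        enrolled = vault.get(container.lower())      # Windows paths are case-insensitive
        ok = enrolled is not None and data is not None and fingerprint(data) == enrolled
        (approved if ok else act_on).append(Finding(container, m["verdict"], ok))
    return approved, act_on
# Constructed sample: hypothetical RAdmin file contents at enrolment time ...
GENUINE = {
    r"C:\Program Files\RAdmin\Radmin.exe": b"radmin-viewer-2.2",
    r"C:\Program Files\RAdmin\R_server.exe": b"radmin-server-2.2",
    r"C:\WINNT\system32\r_server.exe": b"radmin-server-2.2",
}
VAULT = {p.lower(): fingerprint(b) for p, b in GENUINE.items()}
# ... and the disk at scan time, where the system32 copy has been replaced.
DISK = {**GENUINE, r"C:\WINNT\system32\r_server.exe": b"not-the-enrolled-binary"}
# Lines excerpted from the scan log posted above.
SAMPLE_LOG = "\n".join([
    r"C:\pagefile.sys - error opening (File locked)",
    r"C:\web.exe »NSIS »Updater.exe - Win32/TrojanClicker.Small.HN trojan",
    r"C:\Program Files\RAdmin\Radmin.exe - Win32/RemoteAdmin application",
    r"C:\Program Files\RAdmin\R_server.exe - Win32/RemoteAdmin application",
    r"C:\WINNT\system32\r_server.exe - Win32/RemoteAdmin application",
])
```

Running `triage(SAMPLE_LOG, VAULT, DISK.get)` approves the two Program Files binaries and leaves the trojan and the swapped-out system32 copy in the act-on list.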
cheeseandham
July 25th, 2006, 09:07 AM
We've had this problem with a few people, but we moved to TightVNC Release Candidate 1.3dev7 on most machines and it is stable. Interestingly, it isn't detected as a PDA. Strange, huh?
Marcos
July 25th, 2006, 09:16 AM
TrojanClicker ain't classified as a PDA. Please submit it to support @ eset.com with a link to this thread if you have come across one that is detected as a PDA.
phasechange
July 25th, 2006, 10:19 AM
> That's like saying "I'm not calling you a criminal, I'm just locking you up". Who cares what NOD32 is calling it - it's the fact that NOD32 chooses to destroy the functionality of credible and universally accepted network administration software that is the big deal here.
> I downloaded a trial, but now that I see what damage it will do to our networks, I'm sorry to say that we're going with someone else. If they introduce functionality that excludes programs that we use here, I'll give it another look.
> :thumbd:

By default it ignores PDAs. IF you enable removing PDAs, which are clearly described as Remote Admin tools etc., then it will remove them. Simple. So this is saying "You have the option of removing applications such as remote admin tools from your network, as they are frequently used for network abuse".
I'd say that is a very useful feature, as I found one employee (at a former employer of mine) using VNC to send approval emails from his colleague's PC in order to commit fraud. We didn't use NOD32 in this environment, but if we had, we would have scanned the users' machines in a different way from the Administrators' PCs.
NOD32 lets you have the choice. Make it.
Fairy
Copyright ©2002 - 2009, Wilders Security Forums