False Positive - Gmer


auriell
April 26th, 2006, 02:43 PM
Would ESET please fix this False Positive? This tool is crucial for me, and its new beta is detected as a NewHeur PE_virus:

hxxp://www.gmer.net/gmer110b.zip (I replaced 't' with 'x')

This tool was created to detect and delete rootkits, hidden services and processes, and has many other useful features like system integrity monitoring and protection, etc. I submitted the sample, but it is not fixed so far.

Thanks in advance.

-{ Quote: "Complete scanning result of "gmer110bawaryjny.zip", received in VirusTotal at 04.25.2006, 22:05:10 (CET).

Antivirus Version Update Result
AntiVir 6.34.0.24 04.20.2006 no virus found
Avast 4.6.695.0 04.25.2006 no virus found
AVG 386 04.25.2006 no virus found
Avira 6.34.1.58 04.25.2006 no virus found
BitDefender 7.2 04.25.2006 no virus found
CAT-QuickHeal 8.00 04.25.2006 no virus found
ClamAV devel-20060202 04.25.2006 no virus found
DrWeb 4.33 04.25.2006 no virus found
eTrust-InoculateIT 23.71.139 04.25.2006 no virus found
eTrust-Vet 12.4.2177 04.25.2006 no virus found
Ewido 3.5 04.25.2006 no virus found
Fortinet 2.71.0.0 04.25.2006 no virus found
F-Prot 3.16c 04.21.2006 no virus found
Ikarus 0.2.59.0 04.25.2006 no virus found
Kaspersky 4.0.2.24 04.25.2006 no virus found
McAfee 4748 04.25.2006 no virus found
NOD32v2 1.1507 04.25.2006 probably unknown NewHeur_PE virus
Norman 5.90.16 04.25.2006 no virus found
Panda 9.0.0.4 04.25.2006 no virus found
Sophos 4.05.0 04.25.2006 no virus found
Symantec 8.0 04.25.2006 no virus found
TheHacker 5.9.7.135 04.25.2006 no virus found
UNA 1.83 04.25.2006 no virus found
VBA32 3.11.0 04.25.2006 no virus found

Aditional Information
File size: 279974 bytes
MD5: ec74173e600b867d3005ae587b506a1a
SHA1: f39857f22b05f1a00d1762aa69279537d30af005" }-

Brian N
April 26th, 2006, 04:56 PM
Did you send it to samples[at]eset.com? It's usually faster that way than using the built in feature in NOD.

auriell
April 26th, 2006, 05:18 PM
Yes I did, it was also sent via ThreatSense.

i_kenefick
April 26th, 2006, 08:15 PM
-{ Quote: "Would ESET please fix this False Positive? This tool is crucial for me, and its new beta is detected as a NewHeur PE_virus:

hxxp://www.gmer.net/gmer110b.zip (I replaced 't' with 'x')

This tool was created to detect and delete rootkits, hidden services and processes, and has many other useful features like system monitoring and protection, etc. I submitted the sample, but it is not fixed so far.

Thanks in advance." }-

If you look at what the file does then you can excuse NOD32 flagging it as potentially malicious.

ASpace
April 27th, 2006, 01:00 AM
Tonight I was with a client and I cleaned his infected machine. The trial of NOD32 flagged an exe file in C:\Windows\System32 as NewHeur PE_virus.

I didn't submit it, I just renamed it. :)
Maybe it is a false positive, maybe not, I hope it is not :)

auriell
April 27th, 2006, 03:50 AM
-{ Quote: "If you look at what the file does then you can excuse NOD32 flagging it as potentially malicious." }-

I do understand why NOD could flag it, but I just ask to fix it.

Detox
April 27th, 2006, 11:58 AM
It does system monitoring? Then I want my NOD to detect it.

rothko
April 27th, 2006, 12:39 PM
Sounds like it should be detected as a Potentially Dangerous Application, which it may be if the sample was submitted via ThreatSense and Eset updates it as such in the database.

If it does get categorised as a PDA then you would be able to unselect the option to detect Potentially Dangerous Applications. That would of course mean other such apps would go undetected, but that would be your choice.

lee

auriell
April 27th, 2006, 02:50 PM
-{ Quote: "It does system monitoring? Then I want my NOD to detect it." }-

I don't know what you mean, but this is an option which you can select in this tool. It is not a tool to hack, or destroy anything. This tool is a mix of Process Guard, RegDefend, Rootkit Revealer (with deleting capabilities), Process Explorer and a simple outbound-only firewall (with app filtering), it can also log many system events. For sure it was not developed to harm, but to protect systems and remove nasties.

If you go to this site and look at screenshots, you will know what I mean:

http://www.gmer.net/index.php

Detox
April 27th, 2006, 04:33 PM
Well I don't understand b/c I can't read a word of it lol... But assuming you mean file system monitoring or system integrity monitoring then I would understand. System monitoring brought to mind (my mind anyway) spyware.

auriell
April 27th, 2006, 04:48 PM
I know you don't understand a word in Polish, but screenshots speak for themselves. I hope it will be translated into English soon, as it is a brilliant and FREE tool.

My English is far from being perfect, so sometimes I might be misunderstood.

auriell
April 27th, 2006, 05:55 PM
Thank you very much ESET, it is fixed now!!! Great work!!!

Detox
April 27th, 2006, 05:56 PM
Misunderstandings are commonplace on the www - that's for sure. Glad to see it's the right kind of system monitor and sorry I misunderstood; also glad things are fixed. 8)

blipblop
April 27th, 2006, 07:42 PM
I think this thread is a suitable one to express "my" case as well...

I was looking for Soulseek plugins the other day and I stumbled upon Soulseek Stats (http://threetwosevensixseven.blogspot.com/2004/12/soulseek-stats.html). As explained in the link it just gathers into .csv files some information regarding your uploads/downloads (who downloaded what etc) to keep tracks of what's going on with your Soulseek times.

At first it didn't even allow me to install it... I got a message about "probably unknown NewHeur_PE virus". I decided to take the risk anyway (for a reason I can't explain, the quarantine was empty and I couldn't send the file to you guys), so I disabled nod32 for a moment, installed the plugin and enabled my precious antivirus again. Doing its file scanning in the background, it did alert me again about the possibility of NewHeur_PE virus, so I decided to upload the SoulseekStats.exe (not the .exe of installation) to jotti, virustotal and virus.org. Here are the results for the first two:

Jotti
AntiVir Found nothing
ArcaVir Found nothing
Avast Found nothing
AVG Antivirus Found nothing
BitDefender Found nothing
ClamAV Found nothing
Dr.Web Found nothing
F-Prot Antivirus Found nothing
Fortinet Found nothing
Kaspersky Anti-Virus Found nothing
NOD32 Found probably unknown NewHeur_PE (probable variant)
Norman Virus Control Found nothing
UNA Found nothing
VirusBuster Found nothing
VBA32 Found nothing

VirusTotal
AntiVir 6.34.0.24 04.20.2006 no virus found
Avast 4.6.695.0 04.26.2006 no virus found
AVG 386 04.27.2006 no virus found
Avira 6.34.1.58 04.27.2006 no virus found
BitDefender 7.2 04.28.2006 no virus found
CAT-QuickHeal 8.00 04.26.2006 no virus found
ClamAV devel-20060202 04.27.2006 no virus found
DrWeb 4.33 04.27.2006 no virus found
eTrust-InoculateIT 23.71.141 04.28.2006 no virus found
eTrust-Vet 12.4.2181 04.27.2006 no virus found
Ewido 3.5 04.27.2006 no virus found
Fortinet 2.71.0.0 04.27.2006 suspicious
F-Prot 3.16c 04.26.2006 no virus found
Ikarus 0.2.59.0 04.27.2006 no virus found
Kaspersky 4.0.2.24 04.28.2006 no virus found
McAfee 4750 04.27.2006 no virus found
Microsoft 1.1372 04.28.2006 no virus found
NOD32v2 1.1510 04.27.2006 probably unknown NewHeur_PE virus
Norman 5.90.17 04.27.2006 no virus found
Panda 9.0.0.4 04.27.2006 no virus found
Sophos 4.05.0 04.27.2006 no virus found
Symantec 8.0 04.28.2006 no virus found
TheHacker 5.9.7.135 04.25.2006 no virus found
UNA 1.83 04.27.2006 no virus found
VBA32 3.11.0 04.27.2006 no virus found

Should I worry?

i_kenefick
April 27th, 2006, 09:32 PM
Send it to samples [at] eset [dot] com for analysis. This is the fastest way to determine whether the detection is true or not.
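
A first-pass triage of a multi-engine report like the ones quoted in this thread, written as an added example here (not code from ESET, VirusTotal or anyone posting above). It parses the "Engine Version Update Result" text layout those reports use and treats a lone heuristic hit among otherwise clean results as the false-positive profile that warrants sending the sample in, which is what i_kenefick recommends. The sample lines are a constructed excerpt in that layout, the marker words and thresholds are my own assumptions, and the verdict is a starting point for an analyst rather than a replacement for vendor analysis.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed excerpt in the "Engine Version Update Result" text layout used by
# the VirusTotal reports quoted in this thread; a dozen engines, not a full report.
SAMPLE_REPORT = """\
Antivirus Version Update Result
AntiVir 6.34.0.24 04.20.2006 no virus found
Avast 4.6.695.0 04.26.2006 no virus found
BitDefender 7.2 04.28.2006 no virus found
ClamAV devel-20060202 04.27.2006 no virus found
DrWeb 4.33 04.27.2006 no virus found
Fortinet 2.71.0.0 04.27.2006 suspicious
Kaspersky 4.0.2.24 04.28.2006 no virus found
McAfee 4750 04.27.2006 no virus found
NOD32v2 1.1510 04.27.2006 probably unknown NewHeur_PE virus
Panda 9.0.0.4 04.27.2006 no virus found
Sophos 4.05.0 04.27.2006 no virus found
Symantec 8.0 04.28.2006 no virus found
"""

# engine, version, dd.mm.yyyy signature date, free-text result
LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\d{2}\.\d{2}\.\d{4})\s+(.+?)\s*$")

# Assumed marker words for a heuristic/generic verdict rather than a named signature hit.
HEURISTIC_MARKERS = ("probabl", "suspicious", "heur", "generic", "variant", "unknown")


@dataclass(frozen=True)
class EngineResult:
    engine: str
    version: str
    updated: str
    result: str

    @property
    def flagged(self) -> bool:
        return self.result.strip().lower() != "no virus found"

    @property
    def heuristic(self) -> bool:
        text = self.result.lower()
        return self.flagged and any(m in text for m in HEURISTIC_MARKERS)


def parse_report(text: str) -> list[EngineResult]:
    """Parse engine lines; the header row and blank lines lack the date column and are skipped."""
    results = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            results.append(EngineResult(*m.groups()))
    return results


def triage(results: list[EngineResult]) -> dict:
    """Summarise engine consensus and give a first-pass verdict (thresholds are assumptions)."""
    total = len(results)
    flagged = [r for r in results if r.flagged]
    named = [r for r in flagged if not r.heuristic]
    ratio = len(flagged) / total if total else 0.0
    if not flagged:
        verdict = "clean"
    elif not named and ratio <= 0.2:
        # Only heuristic hits from a small minority: the typical false-positive profile.
        # The right next step is to submit the sample to the flagging vendor.
        verdict = "likely false positive"
    elif len(named) >= 3 or ratio >= 0.5:
        verdict = "likely malicious"
    else:
        verdict = "inconclusive"
    return {
        "engines": total,
        "flagged": len(flagged),
        "named": len(named),
        "flagging_engines": [r.engine for r in flagged],
        "verdict": verdict,
    }


if __name__ == "__main__":
    print(triage(parse_report(SAMPLE_REPORT)))
```

Run on the excerpt above, the summary reports two of twelve engines flagging, both heuristic, and the verdict "likely false positive"; three or more engines agreeing on a named signature would instead come out as "likely malicious".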

32767
November 3rd, 2006, 11:56 AM
I wrote Soulseek Stats, and I do make sure I scan new versions with an up-to-date Anti-Vir (http://www.free-av.com/) before I upload them. I did however, compress the EXE with UpX (http://upx.sourceforge.net/), and I imagine this is what might have triggered what is quite possibly a false positive.

Cheers, Threetwosevensixseven

Marcos
November 3rd, 2006, 01:22 PM
Nope, NOD32 does not use packer detection as some other AVs unfortunately do.
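
Whether a file is actually UPX-packed is easy to confirm before attributing a detection to the packer, which is the question the last two posts turn on. The following is an added example, not code from this thread, from UPX or from ESET: it walks the PE headers to the section table and looks for the UPX0/UPX1/UPX2 section names and the "UPX!" marker that UPX writes into the file. Since a real executable cannot be embedded here, the hypothetical build_toy_pe helper constructs a minimal, non-loadable PE skeleton just to exercise the parser. Both indicators are trivially removable, so a hit is a triage hint and a miss proves nothing.

```python
import struct

# UPX names its sections UPX0/UPX1/UPX2 and stores a "UPX!" magic in its own
# header; both are easily stripped, so treat these as hints, not proof.
UPX_SECTION_NAMES = {"UPX0", "UPX1", "UPX2"}
UPX_MAGIC = b"UPX!"


def pe_section_names(data: bytes) -> list:
    """DOS header -> e_lfanew -> PE signature -> COFF header -> section table; return section names."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    (pe_off,) = struct.unpack_from("<I", data, 0x3C)
    if pe_off + 24 > len(data) or data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    # COFF header: Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    (_machine, n_sections, _ts, _symtab, _nsyms, opt_size, _chars) = struct.unpack_from(
        "<HHIIIHH", data, pe_off + 4
    )
    table = pe_off + 24 + opt_size  # section table follows the optional header
    names = []
    for i in range(n_sections):
        raw = data[table + 40 * i:table + 40 * i + 8]  # 40-byte entries, 8-byte name
        if len(raw) < 8:
            break  # truncated section table: stop rather than misreport
        names.append(raw.rstrip(b"\0").decode("ascii", "replace"))
    return names


def detect_upx(data: bytes) -> dict:
    """Report UPX section names and the UPX! marker; either one makes the file 'likely packed'."""
    names = pe_section_names(data)
    upx_sections = [n for n in names if n in UPX_SECTION_NAMES]
    marker = UPX_MAGIC in data
    return {
        "sections": names,
        "upx_sections": upx_sections,
        "upx_marker": marker,
        "likely_upx_packed": bool(upx_sections) or marker,
    }


def build_toy_pe(section_names, opt_header_size: int = 0) -> bytes:
    """Constructed, non-loadable PE skeleton: only the headers the parser above reads."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)  # e_lfanew: PE header right after the DOS header
    coff = struct.pack("<HHIIIHH", 0x14C, len(section_names), 0, 0, 0, opt_header_size, 0x0102)
    table = b"".join(n.encode("ascii").ljust(8, b"\0") + bytes(32) for n in section_names)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt_header_size) + table


if __name__ == "__main__":
    print(detect_upx(build_toy_pe(["UPX0", "UPX1", ".rsrc"], opt_header_size=224)))
    print(detect_upx(build_toy_pe([".text", ".data", ".rsrc"], opt_header_size=224)))
```

On a real file you would call detect_upx(open(path, "rb").read()); a packed result only tells you what a detection might be reacting to, and the sample still goes to the vendor for analysis as suggested earlier in the thread.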