
Weird False Positive Issue


Capp
August 22nd, 2008, 06:03 PM
Alright this is odd and makes no sense to me.

I am working on a program that is throwing up false positive issues. The program contacts an outside website for a small string of information (not related to the user) and displays it for the user. The user has the option to email this from within the program. Nothing malicious about it.

I have the .exe file compiled.

I upload it to Jotti and VirusTotal. Both of them have DrWeb and VBA32 catch it as a possible backdoor worm, but all the others find nothing.
When I scan the file with NOD32, it finds nothing.
But, if I copy and paste the .exe from one place to another, NOD32 catches it and marks it as:

> probably unknown NewHeur_PE virus unable to clean NT AUTHORITY\SYSTEM Event occurred during an attempt to access the file by the application: C:\WINDOWS\Explorer.EXE.
But, if I compile the program and have it save the .exe to the same folder I tried to copy it to, it leaves it alone.

Also, I submitted this FP to Eset a week or so ago.

I can't figure out what in the program could be triggering a FP to start with. Is it the fact that it grabs a string from an outside website, or that it has email capabilities?

Initially, while working on the program, I had to exclude the entire directory from NOD32, because it would flag it every time I did anything with it, so maybe that is why it is not catching it on creation.

I dunno, but it's irritating to say the least.

Any ideas?

Kayracc
August 22nd, 2008, 06:44 PM
Different modules in ESET detect more or less stuff. The regular scan module (when you right-click and scan) detects less, to help prevent false positives (as was explained to me once), but the web module, for instance, will detect more (I've seen this myself: the web module detects a virus but a regular scan does not), as would the module that checks a file before it executes :)

That explains part of your problem :P

-Brian

ASpace
August 22nd, 2008, 11:41 PM
@Capp

> I can't figure out what in the program could be triggering a FP to start with. is it the fact that it grabs a string from an outside website or that it has email capabilities.

You should try to understand it yourself, but I doubt ESET will tell you, because this should be internal virus lab information. If they shared such information, this would possibly open a risk of hackers/malware writers understanding the AH better.


> Any ideas?

I would insist more on ESET fixing the issue faster.

Marcos
August 23rd, 2008, 01:29 AM
> Also, I submitted this FP to Eset a week or so ago.

Please PM me your email address. False positives are treated with high priority, so I'd need to make sure we have actually received it at samples[at]eset.com.

Bensec
August 24th, 2008, 12:30 AM
I guess it's about the combination of the functions you imported, and the sequence in which you trigger them.
Some of my colleagues tell me there is topological stuff involved in the combination analysis. Very sophisticated.
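
The check that the guess above suggests, as an added example that is not part of the original thread: a standard-library Python script that parses a PE file's import directory, so you can see exactly which APIs your .exe exposes to a heuristic scanner before submitting it anywhere. A minimal PE32 sample is constructed inline so the script runs offline; its DLL and function names, the API_GROUPS table and the capability_groups helper are assumptions chosen to resemble the program described in the thread, not ESET's detection logic.

```python
"""Parse a PE import directory with the standard library only (added example, not the thread's program)."""
import struct

ORDINAL_FLAG = {"<I": 0x80000000, "<Q": 0x8000000000000000}  # PE32 / PE32+ thunk formats

def _cstr(data, off):
    return data[off:data.index(b"\0", off)].decode("ascii", "replace")

def parse_imports(data):
    """Return {dll: [symbol or '#ordinal', ...]} from the image's import directory."""
    if data[:2] != b"MZ":
        raise ValueError("not a DOS/PE file")
    pe = struct.unpack_from("<I", data, 0x3C)[0]  # e_lfanew
    if data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    nsec, opt_size = struct.unpack_from("<H", data, pe + 6)[0], struct.unpack_from("<H", data, pe + 20)[0]
    opt = pe + 24
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic not in (0x10B, 0x20B):
        raise ValueError("unknown optional header magic 0x%x" % magic)
    dd_off, thunk_fmt = (96, "<I") if magic == 0x10B else (112, "<Q")
    imp_rva = struct.unpack_from("<I", data, opt + dd_off + 8)[0]  # DataDirectory[1].VirtualAddress
    # Section entries (40 bytes): Name(8) VirtualSize VirtualAddress SizeOfRawData PointerToRawData ...
    sections = [struct.unpack_from("<IIII", data, opt + opt_size + i * 40 + 8) for i in range(nsec)]

    def rva2off(rva):
        for vsize, va, rawsize, rawptr in sections:
            if va <= rva < va + max(vsize, rawsize):
                return rva - va + rawptr
        raise ValueError("RVA 0x%x is outside every section" % rva)

    if not imp_rva:
        return {}
    result, desc = {}, rva2off(imp_rva)
    while True:  # IMAGE_IMPORT_DESCRIPTOR array, 20 bytes each, all-zero terminator
        oft, _stamp, _fwd, name_rva, ft = struct.unpack_from("<IIIII", data, desc)
        if not (oft or name_rva or ft):
            break
        names, thunk = [], rva2off(oft or ft)  # prefer the unbound lookup table
        while True:
            entry = struct.unpack_from(thunk_fmt, data, thunk)[0]
            if entry == 0:
                break
            if entry & ORDINAL_FLAG[thunk_fmt]:
                names.append("#%d" % (entry & 0xFFFF))
            else:
                names.append(_cstr(data, rva2off(entry) + 2))  # skip the 2-byte hint
            thunk += struct.calcsize(thunk_fmt)
        result[_cstr(data, rva2off(name_rva))] = names
        desc += 20
    return result

# Hypothetical grouping (an assumption, not ESET's rules): it only shows which
# capability groups co-occur in one binary, which is what the post above guesses at.
API_GROUPS = {"network": {"InternetOpenA", "InternetOpenUrlA", "InternetReadFile"},
              "mail": {"MAPISendMail", "MAPILogon"},
              "process": {"CreateProcessA", "WinExec", "ShellExecuteA"}}

def capability_groups(imports):
    seen = {f for funcs in imports.values() for f in funcs}
    return sorted(g for g, apis in API_GROUPS.items() if seen & apis)

def build_sample_pe32(imports):
    """Constructed sample: a minimal PE32 whose single section holds only import data (str names or int ordinals)."""
    SEC = 0x200  # section VA == raw file offset, so RVAs equal file offsets
    blob = bytearray(20 * (len(imports) + 1))  # descriptor array incl. zero terminator
    descs = b""
    for dll, funcs in imports.items():
        name_rva = SEC + len(blob)
        blob += dll.encode() + b"\0"
        entries = []
        for f in funcs:
            entries.append(0x80000000 | f if isinstance(f, int) else SEC + len(blob))
            if not isinstance(f, int):
                blob += b"\0\0" + f.encode() + b"\0"  # IMAGE_IMPORT_BY_NAME: hint + name
        blob += b"\0" * (-len(blob) % 4)
        oft = SEC + len(blob)
        blob += b"".join(struct.pack("<I", e) for e in entries) + b"\0" * 4
        ft = SEC + len(blob)
        blob += b"\0" * (4 * (len(entries) + 1))  # IAT, filled in by the loader
        descs += struct.pack("<IIIII", oft, 0, 0, name_rva, ft)
    blob[:len(descs)] = descs
    dos = bytearray(b"MZ".ljust(0x3C, b"\0") + struct.pack("<I", 0x40))  # e_lfanew = 0x40
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0, 0x10B)  # PE32 magic
    struct.pack_into("<II", opt, 96 + 8, SEC, len(descs) + 20)  # import DataDirectory
    hdr = dos + b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0xE0, 0x102) + opt
    hdr += struct.pack("<8sIIIIIIHHI", b".idata", len(blob), SEC, len(blob), SEC, 0, 0, 0, 0, 0xC0000040)
    return bytes(hdr.ljust(SEC, b"\0") + blob)

# Constructed import set resembling the program described in the thread.
SAMPLE_IMPORTS = {"WININET.dll": ["InternetOpenA", "InternetOpenUrlA", "InternetReadFile"],
                  "MAPI32.dll": ["MAPISendMail"],
                  "WS2_32.dll": [115]}  # one import by ordinal

if __name__ == "__main__":  # usage: python pe_imports.py [file.exe]; no argument parses the sample
    import sys
    imps = parse_imports(open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_pe32(SAMPLE_IMPORTS))
    print(imps, capability_groups(imps))
```

Run it against the compiled .exe and against the copied one: if the two files are byte-identical their import tables are identical too, so a different verdict from NOD32 comes from which scanning module saw the file, not from its contents. The import list is also what to include when submitting a false positive, since it lets the lab see at a glance which API combination the heuristic is reacting to.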

The Hammer
August 25th, 2008, 10:59 PM
So what's the scoop, Capp?