
NOD Incorrectly Detecting (and deleting) files


Adam H
February 1st, 2009, 04:58 PM
Hi,

Since one of the latest updates to ESET Antivirus, a number of our customers are having problems where applications that have been made for them using Delphi 2007 are being detected as virus threats and deleted off their systems.

We don't want to disable their antivirus software, but don't know what to do regarding NOD wanting to disallow access or delete these programs.

Firstly, is there a way to tell NOD/EAV to ignore a particular file?

Secondly, what should I do about reporting this problem? (Is this the right spot, or should I be sending an email somewhere)?

This is not just happening to newly compiled applications, but older applications too since an EAV update.

We have advised our clients to turn off Advanced Heuristics to avoid this problem.

Nod detects these files as:

Probably a variant of Win32/Agent trojan

A copy of one of our smaller applications to reproduce the problem can be found at http://www.wsdsites.net/temp/Startup.zip

Thanks & Regards

Adam.

Adam H
February 1st, 2009, 05:15 PM
Additional information:

- There are multiple applications being incorrectly detected

- I have tested BOTH Delphi 2007 and Delphi 7, and both raise the incorrect detection (so the problem appears not to be isolated to Delphi 2007)

- NOD is incorrectly detecting files compiled on Windows XP and Windows Vista (Business)

- This only seems to be a problem with v3.x. v2.7 does not appear to falsely detect.

Thanks & Regards

Adam.

funkydude
February 1st, 2009, 05:47 PM
This seems to be a false positive with the packager. An ESET representative should be in contact with you tomorrow, as this will need further communication to fix.

Adam H
February 2nd, 2009, 04:32 PM
Hi,

Thanks for your reply. Unfortunately I haven't received a reply here, nor on the emails I sent through to eset yet. Sorry for the impatience, but I've waited a day, and this problem is becoming a real headache trying to maintain numerous sites and customers.

I have sent 2 emails to samples@eset.com with detailed descriptions, and links to download 4 different applications (executables) that all contain the same problem to try and help out.

Is there somewhere else I should be sending the emails to? Do they get 'lost' at this email address?

Cheers

Adam.

funkydude
February 2nd, 2009, 05:53 PM
Send a PM to Marcos ;D Did you attach this threads URL in the emails?

Zuik
February 2nd, 2009, 06:48 PM
I also have ESET deleting part of my Subversion repository database files, causing me to have to recover the database from backups after turning off ESET protection. There must be a better way to create exclusions. It is highly unlikely a database file will ever be used as a VB script file.

Real-time file system protection file C:\dev\repos\db\revs\0\9 VBS/Solow.A worm cleaned by deleting - quarantined NT AUTHORITY\SYSTEM Event occurred during an attempt to access the file by the application: C:\WINDOWS\Explorer.EXE.

Adam H
February 2nd, 2009, 07:05 PM
-{ Quote: "Send a PM to Marcos ;D Did you attach this threads URL in the emails?" }-

Hi Funkydude - No, I haven't attached this thread's URL in my email (the email states the same and more).

Marcos - is that the users full name that I should PM?

Thanks & Regards

Adam.

funkydude
February 2nd, 2009, 08:14 PM
Yes he is an ESET moderator here.

Zuik I already gave you an answer in the other thread (http://www.wilderssecurity.com/showthread.php?t=205847), your double post is unnecessary and rude.

The Hammer
February 2nd, 2009, 08:49 PM
Well handled, funkydude! 8)

Adam H
February 3rd, 2009, 07:22 PM
OK - it's now Thursday. I haven't had any correspondence from NOD at all yet (first sent email on Monday).

Have tried here, PM'ing Marcos and sending emails. I'm trying to be patient and can understand how from time to time Antivirus software can raise incorrect detections - all part of software, and I accept this.

However - not being able to get a single reply from eset after 4 days via 3 different methods is a bit much.

Is there any other way I can try and get onto eset support to notify them of this issue? Just a response to know they've received my emails would be a start.

:(

Marcos
February 4th, 2009, 02:53 AM
As far as I know, the FP was fixed about 2 days ago. Make sure that you have updated to the latest version (currently 3824).

The Hammer
February 4th, 2009, 07:14 AM
Looks like this one's a wrap.

Adam H
February 4th, 2009, 04:41 PM
-{ Quote: "As far as I know, the FP was fixed about 2 days ago. Make sure that you have updated to the latest version (currently 3824)." }-

Hi Marcos

Thanks for your reply. Have done an update, re-enabled advanced heuristics and so far looks good.

In future if something like this happens again, can you please tell me where is the best place to send and email to communicate with regarding these issues?

Best Regards

Adam.

Marcos
February 5th, 2009, 02:51 AM
-{ Quote: "Thanks for your reply. Have done an update, re-enabled advanced heuristics and so far looks good." }-

Do you mean you enabled advanced heuristics in the on-demand scanner setup? Real-time protection wouldn't normally catch that file at all unless it's copied elsewhere or modified.

-{ Quote: "In future if something like this happens again, can you please tell me where is the best place to send and email to communicate with regarding these issues?" }-
The recommended way of reporting FPs is to email them to samples[at]eset.com in a ZIP/RAR archive protected with the password "infected" and "False positive" in the subject. It's important to enclose further information about the file, such as the program name, version or better the exact url where the file can be downloaded from.
If it's not fixed in the upcoming updates (let's say within 1-2 days), you can escalate it to customer care of your local distributor.
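The reporting procedure Marcos describes above, written out as a small script: it hashes the sample (so the vendor can match the exact build you mean even if the download URL later changes), composes a mail with the "False positive" subject and the program name, version and URL, and builds the archive with the password "infected". This is an added example, not code from the thread or from ESET. It assumes Info-ZIP's `zip` command is installed for the password-protected archive (Python's zipfile module cannot write encrypted archives) and returns None for the archive if it is not; the product name, version and the file name Startup.exe in `demo()` are placeholders, and the sample bytes it writes are constructed, not a real binary.

```python
import hashlib
import os
import shutil
import subprocess
import tempfile

# Conventions from the post: archive password, mail subject, address.
ARCHIVE_PASSWORD = "infected"
REPORT_SUBJECT = "False positive"
REPORT_ADDRESS = "samples@eset.com"


def file_hashes(path):
    """MD5, SHA-1 and SHA-256 of a file, read in chunks so large binaries are fine."""
    digests = {"md5": hashlib.md5(), "sha1": hashlib.sha1(), "sha256": hashlib.sha256()}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(64 * 1024), b""):
            for d in digests.values():
                d.update(chunk)
    return {name: d.hexdigest() for name, d in digests.items()}


def build_report(sample_path, product, version, download_url, detection_name):
    """Compose the mail fields: subject per the post, body with the details the post asks for."""
    hashes = file_hashes(sample_path)
    body_lines = [
        f"Product: {product}",
        f"Version: {version}",
        f"Download URL: {download_url}",
        f"Detected as: {detection_name}",
        f"File: {os.path.basename(sample_path)} ({os.path.getsize(sample_path)} bytes)",
        f"MD5: {hashes['md5']}",
        f"SHA-1: {hashes['sha1']}",
        f"SHA-256: {hashes['sha256']}",
        f"Attached archive password: {ARCHIVE_PASSWORD}",
    ]
    return {"to": REPORT_ADDRESS, "subject": REPORT_SUBJECT,
            "body": "\n".join(body_lines), "hashes": hashes}


def make_protected_archive(sample_path, archive_path):
    """Zip the sample with the conventional password using Info-ZIP `zip` (assumed installed).
    Returns None when `zip` is not on PATH so the caller can fall back to another tool."""
    if shutil.which("zip") is None:
        return None
    # -j drops directory names, -q is quiet, -P sets the (legacy ZipCrypto) password.
    subprocess.run(["zip", "-j", "-q", "-P", ARCHIVE_PASSWORD, archive_path, sample_path],
                   check=True)
    return archive_path


def demo(sample_bytes=b"MZ\x90\x00 constructed stand-in, not a real binary"):
    """Write a constructed sample to a temp dir, build the report and (if possible) the archive."""
    workdir = tempfile.mkdtemp(prefix="fp_report_")
    sample = os.path.join(workdir, "Startup.exe")   # hypothetical name mirroring the thread's sample
    with open(sample, "wb") as fh:
        fh.write(sample_bytes)
    report = build_report(sample, product="Startup (hypothetical)", version="1.0",
                          download_url="http://www.wsdsites.net/temp/Startup.zip",
                          detection_name="Probably a variant of Win32/Agent trojan")
    report["archive"] = make_protected_archive(sample, os.path.join(workdir, "sample.zip"))
    return report


if __name__ == "__main__":
    r = demo()
    print(f"To: {r['to']}\nSubject: {r['subject']}\n\n{r['body']}")
    print("\nArchive:", r["archive"] or "zip not found; create the password-protected archive by hand")
```

The password on the archive is not there for secrecy (ZipCrypto is weak and the password is public); it exists so that mail gateways and the recipient's own scanner do not strip or quarantine the sample before an analyst sees it. The hashes in the body let the vendor confirm they are looking at the same file you are, which matters when, as in this thread, several builds of several applications are affected.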

Adam H
February 5th, 2009, 03:44 AM
Hi Marcos,

-{ Quote: "Do you mean you enabled advanced heuristics in the on-demand scanner setup? Real-time protection wouldn't normally catch that file at all unless it's copied elsewhere or modified. " }-

Correct and correct. We had clients updating their software and were having files deleted once the 'update' occurred.

We also started experiencing problems ourselves when the file was created (on a compile).

-{ Quote: "The recommended way of reporting FPs is to email them to samples[at]eset.com in a ZIP/RAR archive protected with the password "infected" and "False positive" in the subject. It's important to enclose further information about the file, such as the program name, version or better the exact url where the file can be downloaded from.
If it's not fixed in the upcoming updates (let's say within 1-2 days), you can escalate it to customer care of your local distributor." }-

Thanks for that. I thought that was the case, but wanted to confirm, as I haven't received a reply since I sent a couple of emails through (with different/additional details) at the start of the week.

Not urgent now, as it looks like the problem is resolved, but it would have been nice to have received some sort of confirmation that the emails were received / were being looked into or were being fixed.

Thanks for your replies. Have been greatly appreciated.

Adam.

Zuik
February 7th, 2009, 09:01 AM
Sorry for the double post, not my intent to be rude.

-{ Quote: "Yes he is an ESET moderator here.

Zuik I already gave you an answer in the other thread (http://www.wilderssecurity.com/showthread.php?t=205847), your double post is unnecessary and rude." }-