false positive over and over again


emailaya
September 20th, 2008, 06:29 AM
hi

2 days ago I sent a sample file which NOD detects as a virus. It is an application I'm developing, so I know it is not a virus. It seems that an update from 2-3 days ago made NOD detect it as a virus even though it is NOT.

It is a really urgent issue for me and for some of my users. I sent an email as described but I have had no reply for 2 days now. How can I know the status of this submission?

Please advise.

krypton_harsh
September 20th, 2008, 06:32 AM
Send the sample to samples[at]eset.com in a zipped archive
and subject it as FALSE POSITIVE DETECTION

And if you can, upload it to Rapidshare and send the link to Marcos,
with the same subject

regards

emailaya
September 20th, 2008, 06:54 AM
hi
thank you for your quick reply

I sent the email to the address you wrote here with the subject "false positive - please check", exactly as described (a zipped file with a certain password, which I mentioned in the content of the email along with a description of the problem).

About the other action you told me: PM is currently unavailable. Is there any other way I can contact him?

thanks

emailaya
September 20th, 2008, 11:45 AM
Hi
This has really become urgent as more and more users of my application can't use it. Please let me know what can be done.

thanks.

emailaya
September 21st, 2008, 04:30 AM
I must add that other antiviruses DID NOT detect this file as a threat. Currently all my users that also use NOD32 CAN NOT use my application. Some even lose data after NOD32 deleted the application exe file. Not to mention the bad reputation I'm getting since people think I'm spreading viruses (the explanation that this is a false positive doesn't really affect them, justifiably I must add). I sent the sample last Wednesday and got no reply about it.

I think this is absurd.

FYI: over 6 months ago I had the same problem with a different antivirus and they fixed it in 2 days.

emailaya
September 21st, 2008, 02:46 PM
As I suspected: the "problem" is I'm using UPX to compress my exe. The regular one is OK while the compressed one is a "virus". Because this is for sure a false positive and I need to keep compressing my exe before releasing my application, I plead with you to start taking responsibility for your false positive and take care of this problem. Understand that some of my users can't work now!!!!!
What are you waiting for exactly?

I now sent the file again using the tools inside NOD32 itself. I clicked send, the window closed and nothing more happened. How can I be sure this action actually did something?

krypton_harsh
September 22nd, 2008, 12:46 AM
PM me with the Rapidshare link. Hey, temporarily what you can do is

just exclude the file / whole software folder from the NOD32 engine,

and the file will run until the update occurs.

emailaya
September 22nd, 2008, 02:36 AM
Just so you know, only yesterday the PM was available again, so I PMed Marcos.
Now I PM you the same thing.

As I wrote before: the problem is not me, but my users. I can't tell all of them to do that, especially not new users who stumble upon it, and when they want to try it, it tells them it is a virus.

I hope this problem will be over soon

emailaya
April 15th, 2009, 10:52 AM
hi

A few days ago I sent an email about a false positive one of my users reported to me. I'm talking about the file that can be downloaded from here: http://www.emailaya.com/downloads.php

I'm the developer of this application and there is no virus there. This is not the first time NOD32 recognizes it as a false positive. Last time ESET people fixed this, but it seems that now they didn't.

I'm using UPX to compress the exe and I guess this is the reason for the false positive detection. This is very urgent, so please fix it. Thanks.

danieln
April 15th, 2009, 11:00 AM
I downloaded it without problems, it is not detected.
md5sum emailaya.exe
356d595459ca402d5fa6301d2c10588f *emailaya.exe

Marcos
April 15th, 2009, 11:06 AM
Not detected at VT:
NOD32 4010 2009.04.15 -

emailaya
April 15th, 2009, 11:10 AM
He said he tested it this morning and it didn't work for him. I will tell him to check again and tell me his signature date

thanks

emailaya
April 24th, 2009, 09:29 AM
So after this issue was solved with 20090415 it is back. See the attached image: he is using the most updated signature file and still the file is detected as a virus (false positive, needless to say).

How can this thing be fixed FOR GOOD?

stackz
April 24th, 2009, 09:58 AM
Virus signature database: 4033 (20090424)
Update module: 1028 (20090302)
Antivirus and antispyware scanner module: 1210 (20090423)
Advanced heuristics module: 1092 (20090309)
Archive support module: 1093 (20090415)
Cleaner module: 1040 (20090401)
Anti-Stealth support module: 1010 (20090302)
Personal firewall module: 1045 (20090325)
Antispam module: 1011 (20090114)
SysInspector module: 1212 (20090414)
Self-defense support module : 1005 (20081105)

24/04/2009 11:53:59 PM Real-time file system protection file C:\emailaya.exe.part probably unknown NewHeur_PE virus deleted - quarantined Event occurred on a file modified by the application: C:\Program Files\Mozilla Firefox\firefox.exe.

24/04/2009 11:53:18 PM Real-time file system protection file C:\xxxx probably unknown NewHeur_PE virus cleaned by deleting - quarantined Event occurred on a new file created by the application: C:\Program Files\Mozilla Firefox\firefox.exe.

24/04/2009 11:53:06 PM HTTP filter file http://www.emailaya.com/emailaya.exe probably unknown NewHeur_PE virus connection terminated - quarantined Threat was detected upon access to web by the application: C:\Program Files\Mozilla Firefox\firefox.exe.
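The three log lines stackz posted are the kind of evidence a false-positive report should carry: the same heuristic verdict fired from two different modules on one download. As an added example (not code from the thread, from ESET, or from the emailaya project), here is a small Python parser that turns such lines into structured records and groups them by threat name, which makes it easy to see whether a verdict is heuristic-only and how many distinct processes triggered it. The regular expression is fitted to these three lines; the module names and the field wording it expects are assumptions about ESET's log format.

```python
"""Parse ESET NOD32 detection log lines into structured records.

Added example for this thread, not code from the forum or from ESET. The regex
is fitted to the three lines stackz posted; the module names and the field
wording are assumed to hold only for lines shaped like those."""
import re

# Constructed from the three log lines in stackz's post (raw string, so the
# Windows backslashes are kept as they appear in the log).
SAMPLE_LOG = r"""24/04/2009 11:53:59 PM Real-time file system protection file C:\emailaya.exe.part probably unknown NewHeur_PE virus deleted - quarantined Event occurred on a file modified by the application: C:\Program Files\Mozilla Firefox\firefox.exe.
24/04/2009 11:53:18 PM Real-time file system protection file C:\xxxx probably unknown NewHeur_PE virus cleaned by deleting - quarantined Event occurred on a new file created by the application: C:\Program Files\Mozilla Firefox\firefox.exe.
24/04/2009 11:53:06 PM HTTP filter file http://www.emailaya.com/emailaya.exe probably unknown NewHeur_PE virus connection terminated - quarantined Threat was detected upon access to web by the application: C:\Program Files\Mozilla Firefox\firefox.exe.
"""

LINE_RE = re.compile(
    r"^(?P<time>\d{2}/\d{2}/\d{4} \d{1,2}:\d{2}:\d{2} [AP]M) "
    # module names seen in the sample; the last alternative is a loose fallback
    r"(?P<module>Real-time file system protection|HTTP filter|.+?) file "
    r"(?P<object>\S+) "
    r"(?P<threat>.+?) "
    r"(?P<action>cleaned by deleting|connection terminated|deleted|cleaned) - "
    r"(?P<outcome>\w+) "
    r"(?P<context>.*?)(?: by the application: (?P<app>.+?))?\.?$"
)


def parse_line(line):
    """Return a dict of fields for one log line, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    # ESET labels heuristic (non-signature) hits "probably unknown ..."; a
    # heuristic-only verdict on a packed exe is what Marcos later attributes
    # the emailaya detections to.
    rec["heuristic"] = rec["threat"].startswith("probably unknown")
    rec["source"] = "web" if rec["object"].lower().startswith(("http://", "https://")) else "disk"
    return rec


def parse_log(text):
    """Parse every matching line; lines that do not match are dropped."""
    return [r for r in (parse_line(l) for l in text.splitlines()) if r]


def summarize(records):
    """Group detections by threat name: how many, which modules, which process triggered them."""
    summary = {}
    for r in records:
        s = summary.setdefault(r["threat"], {
            "count": 0, "heuristic": r["heuristic"],
            "modules": set(), "apps": set(), "objects": [],
        })
        s["count"] += 1
        s["modules"].add(r["module"])
        if r["app"]:
            s["apps"].add(r["app"])
        s["objects"].append(r["object"])
    return summary


def fp_review_candidates(summary):
    """Threat names worth a manual look before trusting the verdict: heuristic-only
    detections that all trace back to a single triggering process (here, one
    browser download), rather than to many unrelated processes."""
    return sorted(name for name, s in summary.items()
                  if s["heuristic"] and len(s["apps"]) == 1)


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    summary = summarize(recs)
    for name, s in summary.items():
        print(f"{name}: {s['count']} event(s) via {sorted(s['modules'])}, "
              f"triggered by {sorted(s['apps'])}")
    print("review as possible FP:", fp_review_candidates(summary))
```

Run on the three sample lines it reports one threat name, three events across the real-time scanner and the HTTP filter, all triggered by firefox.exe, and lists that name as a candidate for manual review. On a real log the same grouping separates a single noisy download from a detection that keeps appearing from many different processes.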

emailaya
April 24th, 2009, 10:18 AM
So even 4033 is not good....

ESET fixes this and then it reappears... isn't it time to fix it for good? I can't chase you all the time, and users keep thinking this is a virus while it is not and can't use it until ESET releases a new fix - this is really not a serious way to handle this problem.

thank you

Marcos
April 24th, 2009, 10:23 AM
The file I've downloaded was not detected. If you have a new version of the application, submit it in a ZIP/RAR archive protected with the password "infected" to samples[at]eset.com. Also enclose the download URL and provide as much information as possible about the program and its purpose.

emailaya
April 24th, 2009, 10:30 AM
stackz just posted a log of his tests that shows NOD32 does recognize it as a virus (he is not the user I'm talking about, but he is not the only one to report this to me).

I keep doing this: I send you the file as you request, you fix it, and after a week/month/etc... again it detects it as a false positive. Can you give me a solution that will work for good?

The file in question is the one that can be downloaded here: http://www.emailaya.com/downloads.php. It's an email application, nothing more. I'm using UPX to compress the exe file; I guess this is the reason for all this, but ESET should handle such cases... no? It's about time it did.

Sorry about my aggressive response here, but believe me that getting reports that my application is a virus every time is not nice (understatement)

Marcos
April 24th, 2009, 10:49 AM
It's already fixed in the update that is currently being distributed to the update servers. I'm not sure if detection can be fixed for future variants, but I'll drop a message to my colleague dealing with samples. If not, just send any newer versions that are detected to samples[at]eset.com with "FP" in the subject and we'll whitelist it.

emailaya
May 3rd, 2009, 06:43 AM
hi

I'm developing an application that is constantly detected as a virus (only) by NOD32. As a result, I saw several posts on several forums on the net warning other people against using my application because of that. Needless to say this is a false positive that keeps coming back, but telling that to the users doesn't really sound convincing, even though ESET support confirmed this is the case.

The solution I was given is to send the new file to them every time I release a new version (before major releases it can be even 1-2 releases in a week), so this solution is not acceptable. A more problematic issue with this is that sometimes, after ESET fixes this issue and new updates of the sig file are released, the file is again falsely detected as a virus. I can't know about it until someone tells me about it; then I need to re-send the file, support examines the file and re-distributes a fix for that. All this procedure takes time, and in the meantime these users can't work with it. Moreover, other people (new users) that download the file and use NOD32 are warned of a virus and don't want to use it anymore; some of them post topics on forums warning other users about it, and I don't need to write the consequence of this issue.

I think that a more elegant solution should be proposed by ESET, especially when ESET admits that this is the engine's problem and the file is clean. I expect that a serious company like ESET will solve the problem on their side instead of me needing to update you every time a new version is out (and as explained, even that is not enough).

Amos

Marcos
May 3rd, 2009, 07:01 AM
As you've been told, your application gains a lot of points for suspicious activity when assessed by advanced heuristics. You were given advice that using a different packer would lower the number of these points so it would be undetected then. Alternatively you can send every newer version to ESET for whitelisting before you release it. That's all we can say on this subject.

emailaya
May 3rd, 2009, 07:24 AM
I was told not to use a packer at all, and I surely want/need to use it. I was also told that the packer I'm using is considered the most clean/safe packer, so using a different one won't get me where I want.

2 things:
1) If your engine has a problem with this packer, fix the problem. You admit that this packer is OK, you admit my application is OK and still you have a problem with it, and the problem is ONLY with NOD32.

2) I asked for information to know what causes those extra points you wrote about here and you refused to tell me. So you don't even give ME a chance to try to fix the problem. You consider your solutions serious? I don't.

Your 2 solutions sound to me like: you are OK, we think you are bad but we won't tell you why, deal with it. NOT serious.

Bugs and problems should be fixed by the developers of the application itself, especially when we are talking about antiviruses that need to be extra careful. Reading on forums that a clean application should not be used because it contains a virus is not a nice thing to read when you are the developer of such an application.

Marcos
May 3rd, 2009, 07:31 AM
{QUOTE-> I was told not to use a packer at all, and I surely want/need to use it. I was also told that the packer I'm using is considered the most clean/safe packer, so using a different one won't get me where I want.
<-QUOTE}

In such case, the only solution is to send every newer version to ESET as you've been instructed. This is my last answer on this subject as everything has been said and explained and you were given all options for how to solve the problem. Amen.

CivilTaz
May 3rd, 2009, 05:04 PM
{QUOTE-> In such case, the only solution is to send every newer version to ESET as you've been instructed. This is my last answer on this subject as everything has been said and explained and you were given all options for how to solve the problem. Amen. <-QUOTE}

That's why I love Eset support, you really care about your customers. It's not the first time that a developer makes an application that is only detected by NOD32; funny thing is, when it comes to a real virus, NOD32 fails many times, or it detects it after a long time. If you say that it's a problem with the packer, then why don't other AVs detect it? And for sure you'll never answer that.

Hey emailaya, they will never help you here. This reminds me of an old thread with the same problem as yours; sadly, it didn't have a happy end, just like here. If you want to see it, here it is: http://www.wilderssecurity.com/showthread.php?t=223391

And don't forget to say thanks to Marcos for the "great" help he gives you. :thumbd:

emailaya
June 14th, 2009, 05:12 AM
Here is an email I got to show that this method doesn't prove itself. I sent the file over 24 hours ago and still it detects it as a virus (false positive), so can I have a better solution to handle YOUR problem?

I can tell him it's a false positive; do you think he will believe me? I don't think so. Maybe you can tell him that?

I can tell him to wait for you to fix it (as I told him previously), but it just means that the next version I release will again be blocked for no good reason...

I just lost another potential customer that could have bought my application. Will you pay me compensation for that?

{Email contents snipped - Blue}

Cudni
June 14th, 2009, 05:52 AM
He can always check with an online scanner while waiting for Eset
http://virusscan.jotti.org/en

emailaya
June 14th, 2009, 06:02 AM
{QUOTE-> He can always check with an online scanner while waiting for Eset
http://virusscan.jotti.org/en <-QUOTE}

And then what? I'm not sure the online scanner won't detect it as well... moreover, NOD32 blocks the file from executing on his computer. I can tell him to do a lot of things (exclusion, false positive, remove heuristics and more), but he will only think I'm cursing him... and the truth is I will agree with him.

I can tell him that the problem is only with NOD32 and maybe he should think of using a different antivirus, but if he bought this one, I'm not sure he will be happy to throw it away and buy another one "just for me".

I remember when I had the same problem with another application: the developer gave me "instructions" on what to do, and the bottom line was to uninstall what I was using and install a different antivirus. Needless to say I didn't do it.

Antiviruses should have a lot of responsibility for what they are doing, and if there is a problem, it needs to be fixed. All antiviruses already fixed this issue except one (guess which?), so you tell me where I (or that user) should get the help/fix I (that user) need.

Cudni
June 14th, 2009, 06:54 AM
{QUOTE->
Antiviruses should have a lot of responsibility for what they are doing, and if there is a problem, it needs to be fixed. <-QUOTE}
Just as much as the software developers do. The idea is to reassure the user that the program is fine and the false positive(s), which are a fact of life with AV in general, will be fixed at some stage.

emailaya
June 14th, 2009, 07:48 AM
{QUOTE-> Just as much as the software developers do. The idea is to reassure the user that the program is fine and the false positive(s), which are a fact of life with AV in general, will be fixed at some stage. <-QUOTE}

My app is fine, ESET people wrote that themselves, and still their "fix" is me sending them the new version every time and not fixing the mechanism. As you can see this solution is not good, and as you can see, another potential customer gave up because of that (and he is not the only one). Fewer customers means less money (income) for me; will ESET people compensate me for that?

Cudni
June 14th, 2009, 08:04 AM
So no other AV is flagging your app?

emailaya
June 14th, 2009, 08:24 AM
{QUOTE-> So no other AV is flagging your app? <-QUOTE}

Nope, magic, eh?
ONLY NOD32 detects it, and even with that, ESET people admit it's a false positive

Cudni
June 14th, 2009, 10:44 AM
Download is blocked with the latest 4153. Hopefully Eset will fix it soon. Did you actually test if other AVs also detect it?

emailaya
June 14th, 2009, 10:56 AM
{QUOTE-> Download is blocked with the latest 4153. Hopefully Eset will fix it soon. Did you actually test if other AVs also detect it? <-QUOTE}

You mean still blocked: over 24 hours since I emailed them the file and still it is blocked. I hope that now you understand my problem; I don't even want to think about current users who suddenly can't work with it just because ESET thinks they shouldn't....

And again, NO OTHER antivirus has this problem, JUST NOD32

I wonder if someone from ESET will reply to this topic; I will be surprised if they do. They cause business problems and can't take the smallest responsibility for it! If they were the ones to be damaged I'm sure their reaction would be different, but as long as it's not them... they spit...

You can read here that this is not a new issue: http://www.wilderssecurity.com/showthread.php?t=239306&highlight=emailaya and you can see how they refuse to take responsibility for their bugs

Cudni
June 14th, 2009, 11:13 AM
You are obviously constantly developing, but because of your coding approach and Eset's approach in detecting malware there is a conflict. You need to persevere by sending them each new version so that they can exclude it every time, and at the same time ask them to have a more permanent solution, or slightly amend your coding so that it is not flagged by the AV engine. Let your users know that at the moment there is a detection issue and that you are in contact with Eset about it.

IBK
June 14th, 2009, 11:20 AM
I think what ESET suggested you do was to submit your file to them in advance, then they fix it (remove detection for it) and then you release your program on your website. If you had not first released it on your website (on a Saturday) like you did the previous times, you would not always be in the situation where you have to complain to ESET afterwards that users are complaining to you about your program being flagged.
Btw, eSafe also has a FP on it (Suspicious File).

emailaya
June 14th, 2009, 05:51 PM
{QUOTE-> You are obviously constantly developing, but because of your coding approach and Eset's approach in detecting malware there is a conflict. You need to persevere by sending them each new version so that they can exclude it every time, and at the same time ask them to have a more permanent solution, or slightly amend your coding so that it is not flagged by the AV engine. Let your users know that at the moment there is a detection issue and that you are in contact with Eset about it. <-QUOTE}

We are having an old discussion here, but I will reply:
1) ESET REFUSES to tell me what the cause of the false positive is. They gave me only part of the reason, and even that was partial. I wanted to know the reason so I can fix it, but they are not cooperative in this matter.

2) I'm sending them the new version before releasing, but just like now, almost 48 hours after I sent it to them, they still didn't fix it, and in the meantime I get emails from potential customers saying they won't use it until it is fixed, BUT it will never be fixed because ESET refuses to do so and the given solution is not good enough.

3) I asked them several times to give me a permanent solution, to no avail. They refuse to fix it and refuse to give me more complete information about the problem, so even I can't fix it.

4) I can't reach ALL my users, especially not the new ones, because they download it, it gets blocked and the user moves on... he doesn't care for all this; his AV says this file is a virus, then it is a virus... he doesn't care for the story behind it

I hope now my situation is clearer.

Cudni
June 14th, 2009, 05:56 PM
I meant place a note about the false positive on your site

emailaya
June 14th, 2009, 05:59 PM
{QUOTE-> I think what ESET suggested you do was to submit your file to them in advance, then they fix it (remove detection for it) and then you release your program on your website. If you had not first released it on your website (on a Saturday) like you did the previous times, you would not always be in the situation where you have to complain to ESET afterwards that users are complaining to you about your program being flagged.
Btw, eSafe also has a FP on it (Suspicious File). <-QUOTE}

Really nice of you. You go all the way to the root of the problem but miss the main problem: if ESET had fixed this issue then ALL your explanation would be irrelevant. Even if we ignore the fact that this is NOT a serious solution (I hope you can agree on that), the time to process their solution takes TOO LONG. I'm releasing my release according to my time schedule and I DON'T need to do it according to ESET's, especially if almost 48 hours after sending them the sample file, they still DIDN'T fix it!

About eSafe: I will ask them about it, but I promise you this will be fixed very soon, unlike NOD32, which takes forever (or should I say never?) to fix that

Here is a link from VirusTotal:

~Link removed per forum Policy. (http://www.wilderssecurity.com/showthread.php?t=180057)~

Now you tell me who's to blame here

funkydude
June 14th, 2009, 06:33 PM
{QUOTE->
About eSafe: I will ask them about it, but I promise you this will be fixed very soon <-QUOTE}

I highly doubt that. FPs I sent were never fixed, and there were a lot ;)

emailaya
June 14th, 2009, 06:40 PM
{QUOTE-> I highly doubt that. FPs I sent were never fixed, and there were a lot ;) <-QUOTE}

This is a new case of FP since it was OK until recently, meaning they already fixed it once; I'm sure they will fix it again. Unlike NOD32, the last FP case of eSafe was months ago (which was already fixed as I mentioned). NOD32 is one long consecutive FP which is not to be fixed by ESET. Why? They won't tell you

Don't get me wrong, FPs might happen from time to time, but they are doomed to be fixed. If the developers tell me they won't fix it, then we have a problem. In other words: my problem is not the FP but ESET telling me they won't fix it.

emailaya
June 15th, 2009, 03:14 AM
{QUOTE-> I meant place a note about the false positive on your site <-QUOTE}

Yesterday I sent them the final version to be released; maybe this time they will take it more seriously? Anyway, I thought of a great slogan for ESET:
"the bug is ours, but it's your problem."
Catchy, no?

emailaya
June 15th, 2009, 02:55 PM
{QUOTE-> I meant place a note about the false positive on your site <-QUOTE}

I feel very honored reading this: http://news.softpedia.com/news/NOD32-Mistakenly-Flags-Photoshop-CS3-As-Virus-86284.shtml

Even great apps like Photoshop got beaten by NOD32. Unfortunately I'm not Adobe, so even when it comes to days, they are not fixing it.

Notice the irony: the problem was solved (completely) after several hours, and the moderator said it took them time to find the source of the problem. In my case it takes them days! to simply whitelist the app (because they are not willing to fix it), and even then they don't find the respect to email me about it; they simply started to ignore their own solution.... how nice of them.

emailaya
June 16th, 2009, 12:09 PM
Small update:
I want to thank Rmuffler (ESET moderator) for his PM about trying to solve my problem. I want to express my gratitude to him and to hope that his actions will bring this story to its end.

Rmuffler
June 18th, 2009, 05:15 PM
Hello emailaya,

I want to thank you for the post.

Concerning your issue, I have sent you another PM and our virus lab is working to get this resolved. Please let me know if you have further issues.

Thank you,
Richard