after some quiet times - false positive again

hi

the application im developing is yet again considered as a virus (false positive). i sent the as requested to samples@... email.

will i receive an email back with an answer about it?
how can i be sure this problem won't repeat in the future? it seems that for a long time you did a good job about it but now the problem is back

thanks

 

a link to think about:

~~ VT link removed per this policy. ~~

Note by LowWaterMark about VT/Jotti results... we've often encourage people to state in simple language what the results actually state, without the need to provide the link. It is enough to say that you found a file that when submitted to VT, the detection was 1/41 with only ESET detecting it. More often than not, that is a sign of a false positive.

 

For some bizarre, possibly protectionist reason, the mods here ban links to virustotal. So expect your posting to diseappear.... (and probably mine too)

 

as long as my original topic stays and my problem fixed, im ok with that
thanks for the warning

 

you reported it so it most probably will be fixed, and maybe is already, as it was in the past.

 

do you know the phrase: "quit smoking? it's easy i've done it lots of times".
true, eventually eset fixed it (and now it's back) but they are considered as a serious AV company and since nod32 deletes the file without questioning, it's a problem to the end user (and surely for me, the developer) that from time to time, he can't use the application because of it.

and telling me to tell the user to exclude or to change the settings of nod32 is not a serious answer.

 

never heard of it. I quit smoking once and never looked back
it is understandable to be frustrated with having to prove to AV company that there is nothing to detect. At the same time almost all arguments were covered in your last year thread
https://www.wilderssecurity.com/showthread.php?t=239306

 

im not going to open this issue again, that's for sure
i just want my app to be clean and considered that way for life without me needing to check it often

and i admire ppl like you who stopped smoking and never looked back! really!
i never started to smoke, because i was too busy asking eset to stop false detecting my application ;-)

 

Your post won't disappear into the night. There were several reasons for the virus total ban one of which is that such links were part of the arsenal used in A vs B threads. Another was this Av (Insert name here) detects this threat. So how come you don't. Which was far more common and solved nothing as no Av is 100%.

 

maybe the default behavior should be asking the user what to do instead of deleting the file without asking causing the user to feel lost and angry.

 

again a user complaint about nod32 deleting the file thinking it's a virus. may i at least know if and when eset will notify me about this fix? how can i ask users to trust me when time after time the file is deleted because it is supposedly a virus?

your work and sales are based on your reputation, but what about our (the developers) reputation?

at least update me about this issue, some respect won't do harm

 

The should improve at least the following:

1. Identify the executable as a legitimate application by adding a properly filled VERSION INFO to the executable. Currently the VERSION INFO is missing.
2. Use stable version of the run-time packer. The latest executable made recently is using the UPX 2.92 beta (23 Jan 2007). Available stable version is 3.05 (27 Apr 2010)

Current compression ratio is most probably achieved by the the following switches:
upx.exe --ultra-brute --lzma -o emailaya.exe emailaya_original10MB.exe

LZMA compression method is not a recommended default and according the notes of the authors “runtime decompression is about 30 times slower than NRV”
http://upx.sourceforge.net/upx-news.txt

Some important notes regarding the packing/protecting of the legitimate applications can be found in the McAfee's article Who Digs the Elephant Trap?
http://www.avertlabs.com/research/blog/index.php/2009/05/28/who-digs-the-elephant-trap/

 

1. regarding the version info: thanks for the tip
2. i now use 3.05, the compression ratio is less good than the previous one but still bearable and NOD32 didnt recognize it as a virus so i will continue using 3.05 hoping the problem won't repeat in the future.

the above proves that your previous statements (in a separate email) were not true but since it's not relevant (for now), i hope it will continue to be irrelevant in the future.

thanks

 

Notify me when you will have a version with the 1&2 ready.

Another appreciable thing is the pre-release antimalware checking of all released executables. It will reduce surprises and user complains in the case of false positive, it is a good way to verify the application intended for release is free of any malware.
Randy Abrams wrote in his blog posts more than once about the importance of such process.
The original unpacked executables can be scanned too. Especially when some protection envelopes are being used, they introduce a security risk for the user, since they may prevent the AV solutions to effectively find problem in the underlying code.