NOD32 *still* consider "daemount.exe" being a threat

Hi!

I use a little application called "Daemount" very often. If you are running Dameon Tools together with daemount you can mount and unmount .iso/.img/.cue without opening Daemoun Tools, it only adds a right click menu item and I really enjoy that feature. Over one year ago NOD32 warned me that daemount.exe could be a dangerous file. I submitted it to Eset with a very detailed description and nothing happened. I submitted the file again, still nothing. Today I ran a full system scan and once again NOD warned me about this application.

Is there anything else I can do to make NOD and Eset aware that this application is not dangerous?

Thanks!

 

Maybe this is an heuristic warning, due to a possible malware-like behavior of Daemount.exe, like injecting into explorer.exe to create its context menu entry, or whatever. If you're sure it is no malware you still can ignore the warning (I guess if detected 'on demand', that you have it excluded from AMON) ...

Could you be more specific about what is the error returned by Nod ? I may not be able to help, but more comptent users can

 

Yeah, it probably is. But isnät there a way to make it disappear?

 

Well, if it is excluded from AMON but still detected by Nod32 when doing a full system scan, there's really nothing to do from your part : Nod32 scanner doesn't have for now (mayeb in v3 it will be implemented ) an exclude feature, and it's a pain to include all folders and files except the one that's maybe a FP / heuristic warning on a legit app.

So I'd suggest either you send again the sample to ESET, or PM one of the EST moderators out there (Marcos, Happy Bytes...), maybe they'll know if it is indeed a dangerous application or not, or look closer on this problem...

 

I have Daemount 1.61 and NOD32 and NOD doesn't flag it.

 

Jake:

Even if you run a in-depth-scan? Because here NOD only flags when I'm running the deep scan.

 

Doing one now and will let you know what happens.

 

Did an in depth scan which came up with nothing. Do you have the latest version of Daemount?

 

This still happens!

Deamount was updated a few days ago and I had trouble installing it because of NOD32.

What should I do?

 

Just wild guess: some time ago there was a discussin Deamon Tools will be shipped with adware included. Maybe this was the cause of your issue.

Did you get some specific alert ?

 

Is this the arniworx tool? It has adware included but you can choose not to install that part. With that in mind, try installing it with NOD switched off.

 

No, this is *not* arniwox.
"Daemount" simply adds a "right-click-menu" to .img & .cue files with which you can "mount" and "unmount" images.

Mrtwolman:
I only get "unknown NewHeur_PE virus"

 

Tried downloading it myself.
IMON picks it up instantly, as does AMON and an on demand scan pings it as well.
ESET have recieved a copy of the file via ThreatSense.Net.

It might be worth reviewing your NOD32 settings, and making sure you're right up to date ??

As for it being a FP - we will have to wait for word on this from ESET I suppose - depends why AH has picked it up.

24/05/2006 1:25:41 AM IMON archive hxxp://www.aldostools.com/daemount.zip probably unknown NewHeur_PE virus Connection terminated

Cheers

 

On a sidenote, Panda also labels this file as "suspicious".

Edit: Possibly something to do with the runtime packers used on the .exe?

 

I think not in this case :-

Date: 24.5.2006 Time: 01:23:49
Scanned disks, folders and files: C:\WINDOWS\Temp\daemount.zip
C:\WINDOWS\Temp\daemount.zip »ZIP »daemount_setup.exe »RAR »readme.txt - is OK
C:\WINDOWS\Temp\daemount.zip »ZIP »daemount_setup.exe »RAR »daemount-lang.ini - is OK
C:\WINDOWS\Temp\daemount.zip »ZIP »daemount_setup.exe »RAR »daemount.ini - is OK
C:\WINDOWS\Temp\daemount.zip »ZIP »daemount_setup.exe »RAR »DAEMount.exe - probably unknown NewHeur_PE virus [7] - was a part of the deleted object
C:\WINDOWS\Temp\daemount.zip »ZIP »daemount_setup.exe »RAR »cd.ico - is OK
C:\WINDOWS\Temp\daemount.zip »ZIP »daemount_setup.exe »UPX v12_m2 - is OK
Number of scanned files: 7
Number of threats found: 1
Number of files cleaned: 1
Time of completion: 01:23:49 Total scanning time: 0 sec (00:00:00)

 

File: DAEMount.exe
Status: POSSIBLY INFECTED/MALWARE (Note: this file was only flagged as malware by heuristic detection(s). This might be a false positive. Therefore, results of this scan will not be stored in the database)
MD5 26e0d70ac9b2134160367500a43e8d19
Packers detected: PE_PATCH.UPX, UPX

I'm wondering what PE_PATCH.UPX is? And how can you say it is not because of runtime packers used in this case that 2 antiviruses finds this file suspicious?

I could be wrong though, if so, I'm sorry.

 

I only say that because NOD32 did not indicate packers for DAEMount.exe as per the scan log in my previous post above, although you have evidence from elsewhere suggesting that they are in fact in use on this file, so it may well be the specific packer used that is triggering off AH, but we will see soon

Cheers

 

Please get back to us when you have heard from Eset!

Thanks

 

This is issue is resolved - Aparently a FP as many suspected, also looks like it may have been packer related.

C:\Documents and Settings\Damian\Desktop\daemount.zip »ZIP »daemount_setup.exe »RAR »DAEMount.exe »UPX v12_m2 - is OK

Cheers

 

Thank you kindly for your reply!

NOD32 updated itself right away this morning and now it does not flag daemount.exe.