Wilders Security Forums  

  #1  
Old July 26th, 2004, 05:14 PM
Devinco
Very Frequent Poster
 
Join Date: Jul 2004
Posts: 2,528
Question Beta NOD32 possible false positive MacroExpress3 (MacExp.exe)

Hi Everyone,

I'm a proud new licensee of NOD32 for one of my systems.
So far it seems to be working well, except for a couple of problems.
I have the new beta version 2.011 and configured it as per BlackSpear's excellent extra settings thread. I also have Insight Software Solutions Macro Express 3 (a useful macro utility).
MacroExpress3 has a resident component (MacExp.exe) that NOD32 flags with the following message at boot:

D:\Program Files\Macro Express3\MacExp.exe is infected with probably unknown NewHeur_PE virus. Details merely say probably unknown NewHeur_PE virus.

I also get a message like this:
NewHeur_PE virus found in operating memory. Suggested action is deletion as the file most probably consists only of viral code (if not applicable, choose leave or terminate) No action can be taken on a memory infiltration.

I am a licensee for MacroExpress3 and I also scanned it (prior to NOD32 installation) with NAV2003 and TDS-3 (latest sigs) so I am pretty sure it is not viral.
I added the whole directory D:\Program Files\Macro Express3 (including parsing subdir) to the exclusion list in AMON, but it still pops up.
I looked in the NOD32 on demand scanner as well, but there is no exclusion list there.
I understand that if the heuristics thinks it walks like a duck and quacks like a duck, it must be a duck, but this is just a macro utility.

How can I resolve this possible "false positive"?
Also, the alert said "No action can be taken on a memory infiltration".
Why can't NOD32 take any action? Isn't that part of its job?

Thank you
  #2  
Old July 26th, 2004, 05:17 PM
ronjor
Global Moderator
 
Join Date: Jul 2003
Location: Texas, USA
Posts: 40,696
Default Re: Beta NOD32 possible false positive MacroExpress3 (MacExp.exe)

Send the file in question to support@nod32.com. Zip it up with a password and include the password in your message.
  #3  
Old July 26th, 2004, 05:56 PM
Devinco
Very Frequent Poster
 
Join Date: Jul 2004
Posts: 2,528
Default Re: Beta NOD32 possible false positive MacroExpress3 (MacExp.exe)

Quote:
Originally Posted by ronjor
Send the file in question to support@nod32.com. Zip it up with a password and include the password in your message.

Thank you Ronjor.

I will zip it and email it to them. But why should it be done with a password? (just curious)
If it is to prevent email interception, they could get the password from the unencrypted email.
And can this be any password, or does it need to be my NOD32 registration password?

Also, the alert said "No action can be taken on a memory infiltration".
Why can't NOD32 take any action? Isn't that part of its job?
  #4  
Old July 26th, 2004, 06:14 PM
ronjor
Global Moderator
 
Join Date: Jul 2003
Location: Texas, USA
Posts: 40,696
Default Re: Beta NOD32 possible false positive MacroExpress3 (MacExp.exe)

The password should prevent anyone or thing opening the file.
You could use "possiblefalsealarm" for a password.

I'm not sure any antivirus can clean a memory resident virus. Since I said this we will find out for sure!!

Edit: If a program is in memory, it is in use. You have to terminate the program and stop the execution of the program before it gets in memory.

Last edited by ronjor : July 26th, 2004 at 07:08 PM. Reason: Add wording
  #5  
Old July 26th, 2004, 06:24 PM
Devinco
Very Frequent Poster
 
Join Date: Jul 2004
Posts: 2,528
Smile Re: Beta NOD32 possible false positive MacroExpress3 (MacExp.exe)

Thanks Ronjor!
  #6  
Old August 17th, 2004, 02:54 AM
Devinco
Very Frequent Poster
 
Join Date: Jul 2004
Posts: 2,528
Post Re: Beta NOD32 possible false positive MacroExpress3 (MacExp.exe)

Just to update.

Eset has removed this false positive from NOD32 recently.

Thank you Eset.
  #7  
Old March 31st, 2005, 04:23 PM
ExLover
 
Posts: n/a
Default Re: Beta NOD32 possible false positive MacroExpress3 (MacExp.exe)

I had this problem last night and cleaned it out through
Pest Patrol
I still don't know if it was a worm or not
but my NOD & Housecall found it!
EX
  #8  
Old April 1st, 2005, 10:08 AM
ShunterAlhena
Regular Poster
 
Join Date: Aug 2004
Location: Szigethalom, Hungary
Posts: 134
Default Re: Beta NOD32 possible false positive MacroExpress3 (MacExp.exe)

I'm not a mod or anything, but IMO there wasn't too much point in reviving this dead old thread...
__________________
"Look at you hacker...
a petty creature of meat and bone...
panting and sweating as you run through my corridors...
How can you challenge a perfect, immortal machine?"
SHODAN, System Shock
best game ever
  #9  
Old April 1st, 2005, 10:26 AM
ronjor
Global Moderator
 
Join Date: Jul 2003
Location: Texas, USA
Posts: 40,696
Default Re: Beta NOD32 possible false positive MacroExpress3 (MacExp.exe)

I agree. Thread closed.
 

All times are GMT -5.

