Wilders Security Forums  

Wilders Security Forums > Archived Forums > Closed Sub-Forums > Archived ESET Support Forums > NOD32 Early v2 Beta

#1
May 29th, 2003, 09:39 AM
MegaHertz
Regular Poster
Join Date: Nov 2002
Location: U.S.A.
Posts: 69
NOD32 False Positive

I updated Outpost firewall this morning to the latest beta and after the update was complete AMON notifies me that a file (opst_ui.dll) is infected with an unknown variant of CRYPT.WIN32 virus. This prevents Outpost from loading at start up and the only way I can use it is to add the file to my exclusion list for AMON.

NOD32 Antivirus System information
Virus signature database version: 1.419 (20030528)
Dated: Wednesday, May 28, 2003
Virus signature database build: 3677

Information on other scanner support parts
Extended heuristic module version: 1.001 (20030430)
Extended heuristic module build: 1024
Archive support module version: 1.001 (20030430)
Archive support module build version: 1031

Information on installed components
NOD32 For Windows NT/2000/XP - base
Version: 2.000.1
NOD32 For Windows NT/2000/XP - Internet support
Version: 2.000.1
NOD32 for Windows NT/2000/XP - standard component
Version: 2.000.1

Operating system information
Platform: Windows 2000
Version: 5.0.2195 Service Pack 3
Version of common control components: 5.81.4916
RAM: 1024 MB
Processor: Intel(R) Pentium(R) III CPU family 1400MHz (1396 MHz)

Time***Module***Object***Name***Virus***Action***User***Info
5/29/2003 7:33:58 AM***AMON***file***D:\Agnitum\Outpost Firewall\opst_ui.dll***probably unknown CRYPT.WIN32 virus*********
5/29/2003 7:20:28 AM***AMON***file***D:\Agnitum\Outpost Firewall\opst_ui.dll***probably unknown CRYPT.WIN32 virus******HOME-19737A4***\**********
5/29/2003 7:13:07 AM***AMON***file***D:\Agnitum\Outpost Firewall\opst_ui.dll***probably unknown CRYPT.WIN32 virus******HOME-19737A4***\*******
5/29/2003 7:00:03 AM***AMON***file***D:\Agnitum\Outpost Firewall\opst_ui.dll***probably unknown CRYPT.WIN32 virus*********
5/29/2003 6:58:11 AM***AMON***file***D:\Agnitum\Outpost Firewall\opst_ui.dll***probably unknown CRYPT.WIN32 virus******NT AUTHORITY\SYSTEM***
5/29/2003 6:55:54 AM***AMON***file***D:\AGNITUM\OUTPOS~1\opst_ui.dll***probably unknown CRYPT.WIN32 virus******HOME-19737A4***\**********


P.S. - I have sent a bug report to Agnitum.
__________________
It IS As Bad As You Think, and They ARE Out to Get You.
#2
May 29th, 2003, 12:21 PM
jan
Former Eset Moderator
Join Date: Oct 2002
Posts: 804
Re: NOD32 False Positive

Hi MegaHertz,

pls. send the sample to samples@eset.com with cc to support@eset.com with a subject "FA opst", if possible.

Thanks,

jan
#3
May 29th, 2003, 12:45 PM
MegaHertz
Regular Poster
Join Date: Nov 2002
Location: U.S.A.
Posts: 69
Re: NOD32 False Positive

Will do as soon as I get home for lunch.
#4
May 30th, 2003, 04:26 AM
jan
Former Eset Moderator
Join Date: Oct 2002
Posts: 804
Re: NOD32 False Positive

Thanks for your fast feedback. It'll be fixed in the next virus signatures dbase update (scheduled today).

Cheers,

jan
#5
May 30th, 2003, 10:01 AM
MegaHertz
Regular Poster
Join Date: Nov 2002
Location: U.S.A.
Posts: 69
Re: NOD32 False Positive

And thanks to you and all the fine folks at Eset for your outstanding support.
#6
May 31st, 2003, 04:06 PM
hayc59
Posts: n/a
Re: NOD32 False Positive

now that i have my Nod32 back(yea)
i am getting the same "alert"
and it shuts down OutPost??
#7
May 31st, 2003, 04:13 PM
LowWaterMark
Administrator
Join Date: Aug 2002
Location: New England
Posts: 15,543
Re: NOD32 False Positive

Hi hayc,

Until Jan comes back and confirms whether the f/p was fixed yet or not, have you tried adding the file to the exclusions list as noted in the first post? (Just to get Outpost back up until this is fixed.)

Best Wishes,
LowWaterMark
#8
May 31st, 2003, 04:17 PM
hayc59
Posts: n/a
Re: NOD32 False Positive

will try that thanks for your help. did not see that
#9
May 31st, 2003, 04:26 PM
hayc59
Posts: n/a
Re: NOD32 False Positive

well for some reason it will not let me do it??
must be doing something wrong..
Mega if you're out there a little help please.
thank you
#10
May 31st, 2003, 04:27 PM
MegaHertz
Regular Poster
Join Date: Nov 2002
Location: U.S.A.
Posts: 69
Re: NOD32 False Positive

The defs released today (see below) fixed it for me. I have now removed opst_ui.dll from AMON's exclusion list and so far no problems. Kudos to the folks at Eset for getting things sorted out so quickly.

NOD32 Antivirus System information
Virus signature database version: 1.422 (20030531)
Dated: Saturday, May 31, 2003
Virus signature database build: 3687
#11
May 31st, 2003, 04:30 PM
hayc59
Posts: n/a
Re: NOD32 False Positive

i have the same .def file as you but am getting the same
Virus alert on the same file. how do i get it to exclude this one??
thanks i am now wondering what is going on?
#12
May 31st, 2003, 04:32 PM
hayc59
Posts: n/a
Re: NOD32 False Positive

this is what i am getting in the log file.

Time***Module***Object***Name***Virus***Action***User***Info
5/31/03 13:21:09 PM***AMON***file***C:\Program Files\Agnitum\Outpost Firewall\opst_ui.dll***probably unknown CRYPT.WIN32 virus******Unknown User***
5/31/03 13:20:14 PM***AMON***file***C:\PROGRAM FILES\AGNITUM\OUTPOST FIREWALL\OPST_UI.DLL***probably unknown CRYPT.WIN32 virus******Unknown User***
5/31/03 13:19:25 PM***AMON***file***C:\PROGRAM FILES\AGNITUM\OUTPOST FIREWALL\OPST_UI.DLL***probably unknown CRYPT.WIN32 virus******Unknown User***
5/31/03 13:18:36 PM***AMON***file***C:\Program Files\Agnitum\Outpost Firewall\opst_ui.dll***probably unknown CRYPT.WIN32 virus******Unknown User***
5/31/03 13:17:57 PM***AMON***file***C:\Program Files\Agnitum\Outpost Firewall\opst_ui.dll***probably unknown CRYPT.WIN32 virus******Unknown User***
5/31/03 13:17:36 PM***AMON***file***C:\Program Files\Agnitum\Outpost Firewall\opst_ui.dll***probably unknown CRYPT.WIN32 virus******Unknown User***
5/31/03 13:15:33 PM***AMON***file***C:\PROGRAM FILES\AGNITUM\OUTPOST FIREWALL\OPST_UI.DLL***probably unknown CRYPT.WIN32 virus******Unknown User***
5/31/03 13:12:05 PM***AMON***file***C:\PROGRAM FILES\AGNITUM\OUTPOST FIREWALL\OPST_UI.DLL***probably unknown CRYPT.WIN32 virus******Unknown User***
5/31/03 12:59:07 PM***AMON***file***C:\PROGRAM FILES\AGNITUM\OUTPOST FIREWALL\OPST_UI.DLL***probably unknown CRYPT.WIN32 virus******Unknown User***
5/31/03 12:57:06 PM***AMON***file***C:\PROGRAM FILES\AGNITUM\OUTPOST FIREWALL\OPST_UI.DLL***probably unknown CRYPT.WIN32 virus******Unknown User***
#13
May 31st, 2003, 04:40 PM
LowWaterMark
Administrator
Join Date: Aug 2002
Location: New England
Posts: 15,543
Re: NOD32 False Positive

hayc, you are using NOD32 v2 (beta) right? I don't know, but, perhaps the false positive is still in that for some reason versus NOD32 v1, which I think MegaHertz is running?

Edit: Okay, this may be relevant perhaps.
#14
May 31st, 2003, 04:42 PM
hayc59
Posts: n/a
Re: NOD32 False Positive

i am using Nod32V2 beta yes??
#15
May 31st, 2003, 05:01 PM
MegaHertz
Regular Poster
Join Date: Nov 2002
Location: U.S.A.
Posts: 69
Re: NOD32 False Positive

Hayc59,

Did you read the PM I sent you over here? In case you didn't and also in case it may be helpful for someone else I will provide the instructions here. First you must shut down AMON only and then add the file to AMON's exclusion list. Restart AMON and you should be good to go.
#16
May 31st, 2003, 05:24 PM
hayc59
Posts: n/a
Re: NOD32 False Positive

yes i got it.
and it's in excluded folder, just wondering why it's not happening to you but is doing it to me?
are you using the V2beta version?
#17
May 31st, 2003, 05:31 PM
MegaHertz
Regular Poster
Join Date: Nov 2002
Location: U.S.A.
Posts: 69
Re: NOD32 False Positive

I don't think so; my beta flag is missing from the control center (see screenshot).
Attached Images
 
#18
May 31st, 2003, 05:37 PM
hayc59
Posts: n/a
Re: NOD32 False Positive

ok i think that is what's going on?? hasn't been updated on the beta version. you have an e-mail!! and thanks for your help!!
#19
June 1st, 2003, 11:56 PM
DavidH
Infrequent Poster
Join Date: Nov 2002
Location: Fort Worth, TX USA
Posts: 40
Re: NOD32 False Positive

Hello,

I'd put this in the Beta Forum, but for some reason this thread was started in this forum even though it seems that I am still using NOD32 Beta 5. First of all, I am not sure how some people seem to be using a final release as I have not been able to download a final release from any of the Eset or NOD32 sites or find the stand-alone executable for the final official version. At this point, I am using NOD32 Beta 5 and have updated my definitions to 1.423 dated June 1 and still have the problem with NOD32 falsely calling opst_ui.dll a virus or possible virus. Just what is the situation? Here are the specifications for my installation of NOD32. I should also note that I am a licensed user and am using the username and password for my paid license. That username and password are good until about March of 2004. So, the issue is not that I was using the temporary Beta Tester username and password.

NOD32 Antivirus System information
Virus signature database version: 1.423 (20030601)
Dated: Sunday, June 01, 2003
Virus signature database build: 3689

Information on other scanner support parts
Extended heuristic module version: 1.01
Extended heuristic module build: 1048866423
Archive support module version: 1.001 (20030430)
Archive support module build version: 1031

Information on installed components
NOD32 For Windows NT/2000/XP - base
Version: 1.199.16
NOD32 For Windows NT/2000/XP - Internet support
Version: 1.199.17
NOD32 For Windows NT/2000/XP - NOD32 On-demand Scanner
Version: 1.199.16

Operating system information
Platform: Windows XP
Version: 5.1.2600 Service Pack 1
Version of common control components: 5.82.2800
RAM: 512 MB
Processor: AMD Athlon(tm) processor (1200 MHz)

Thanks for your attention to this matter.

Have a good day.
__________________
Best Regards,

David
#20
June 2nd, 2003, 09:53 AM
jan
Former Eset Moderator
Join Date: Oct 2002
Posts: 804
Re: NOD32 False Positive

Hi all,

pls. wait for today's NOD update (1.424) - check for the NOD conflict with Outpost after updating NOD to that version and give feedback.

Comment to the "Beta5" label:

The NOD32 will be released in a couple of days - consider the version without the "Beta" label as a Release candidate for getting more taste for v2.

Thks.

jan
#21
June 2nd, 2003, 01:02 PM
hayc59
Posts: n/a
Re: NOD32 False Positive

NOD32 Antivirus System information
Virus signature database version: 1.424 (20030602)
Dated: Monday, June 02, 2003
Virus signature database build: 3695

updated to new version this morning and all is well
update fixed the Amon alert. thanks Jan and Co. for all your hard work!! bravo to you.


#22
June 3rd, 2003, 03:36 AM
jan
Former Eset Moderator
Join Date: Oct 2002
Posts: 804
Re: NOD32 False Positive

Hey Gordon,

>updated to new version this morning and all is well
>update fixed the Amon alert. thanks Jan and Co. for all your hard work!! bravo to you.

Nice to hear you've got rid of it now. Thanks goes to our virus and heuristics expert.

Enjoy NOD with Outpost!

jan
 

All times are GMT -4.

Copyright ©2002 - 2013, Wilders Security Forums