ANOTHER FALSE ALARM!!!!!

Discussion in 'NOD32 version 1 Forum' started by ZOUAVE, Mar 4, 2003.

Thread Status:
Not open for further replies.
  1. ZOUAVE (Guest)

    Hello,

    I found another false alarm.

    Please download this; I'm 100% sure it is not a virus!!!

    h**p://www.pipo.com/guillermito/viguard/VG_faux_positif.zip


    thank you
    ZOUAVE

    - Made link unclickable, not needed at this point - LWM
  2. LowWaterMark (Administrator)

    Well, I have to guess that you are correct about that not being a virus, since that zip file is supposed to contain a set of .exe files that duplicate known signatures of real viruses. I can only imagine it's used for testing some AVs and to show they produce false positives. You can probably find other such test files like those out there.
  3. mrtwolman (Eset Staff Account)

    From those files, only the second is detected as "probably unknown Win32 virus". If this detection occurred in the VB test, it would not be considered a false positive due to the "probably" viral character of the files and would not disqualify NOD32 from the VB 100% award.
    The file itself is patched in such a way that the entry point is in the stub portion of the MS-DOS EXE header. There is a jump directing the code flow out of the file, which may confuse the heuristic engine....
    Eset has been informed.
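    As an added illustration of the structural traits mrtwolman describes (this script is not from the thread, nor Eset's or Guillermito's code), the following parses a DOS MZ header, computes where the entry point sits relative to the header, and checks whether the first instruction is a JMP whose target lies beyond the end of the file, the kind of trait a heuristic engine would weigh. The thread does not give the archive's contents, so the sample bytes are constructed here; the field names and the `analyse` output keys are this example's own.

```python
import struct

# MZ header fields from e_magic to e_ovno (28 bytes, little-endian).
MZ_HEADER_FMT = "<2sHHHHHHHHHHHHH"
MZ_HEADER_SIZE = struct.calcsize(MZ_HEADER_FMT)   # 28


def parse_mz(data: bytes) -> dict:
    """Decode the MZ header and compute the file offset of the entry point."""
    if len(data) < MZ_HEADER_SIZE:
        raise ValueError("too short for an MZ header")
    (magic, _cblp, _cp, _crlc, cparhdr, _minalloc, _maxalloc, _ss, _sp,
     _csum, ip, cs, _lfarlc, _ovno) = struct.unpack_from(MZ_HEADER_FMT, data, 0)
    if magic not in (b"MZ", b"ZM"):
        raise ValueError("not an MZ executable")
    header_bytes = cparhdr * 16
    # DOS loads everything after the header (the load module) at a base
    # segment; CS:IP are relative to that base, so the entry point sits at
    # header size + CS*16 + IP in the file.
    return {"header_bytes": header_bytes, "cs": cs, "ip": ip,
            "entry_off": header_bytes + cs * 16 + ip}


def jump_target(data: bytes, hdr: dict):
    """If the entry point starts with a near (E9) or short (EB) JMP, return the
    file offset it lands on; otherwise None."""
    off = hdr["entry_off"]
    op = data[off:off + 1]
    if op == b"\xe9" and len(data) >= off + 3:
        rel = struct.unpack_from("<h", data, off + 1)[0]
        target_ip = (hdr["ip"] + 3 + rel) & 0xFFFF    # IP wraps within the segment
    elif op == b"\xeb" and len(data) >= off + 2:
        rel = struct.unpack_from("<b", data, off + 1)[0]
        target_ip = (hdr["ip"] + 2 + rel) & 0xFFFF
    else:
        return None
    return hdr["header_bytes"] + hdr["cs"] * 16 + target_ip


def analyse(data: bytes) -> dict:
    """Report where the entry point is and whether the first instruction
    jumps to bytes the file does not contain."""
    hdr = parse_mz(data)
    target = jump_target(data, hdr)
    return {
        "entry_off": hdr["entry_off"],
        "entry_outside_file": hdr["entry_off"] >= len(data),
        "jump_target": target,
        "jump_outside_file": target is not None and target >= len(data),
    }


def build_sample(rel16: int) -> bytes:
    """Constructed 80-byte DOS EXE: a 64-byte header (4 paragraphs) followed by
    a 16-byte stub whose first instruction is JMP rel16. Not the thread's file."""
    header = struct.pack(MZ_HEADER_FMT, b"MZ",
                         80, 1,        # e_cblp, e_cp: file is 80 bytes, 1 page
                         0, 4,         # no relocations, header = 4 paragraphs
                         0, 0xFFFF,    # min/max extra paragraphs
                         0, 0x100,     # SS:SP
                         0,            # checksum
                         0, 0,         # IP, CS -> entry at start of the stub
                         0x40, 0)      # reloc table offset, overlay number
    header += b"\x00" * (64 - len(header))
    stub = b"\xe9" + struct.pack("<h", rel16) + b"\x90" * 13
    return header + stub


# Jump 256 bytes past the end of a 16-byte stub: the trait the thread describes.
SUSPICIOUS = build_sample(0x0100)
# Same layout, but the jump stays inside the stub.
BENIGN = build_sample(5)

if __name__ == "__main__":
    for name, blob in (("suspicious", SUSPICIOUS), ("benign", BENIGN)):
        print(name, analyse(blob))
```

    On the constructed samples the suspicious one reports a jump target at offset 323 in an 80-byte file, the benign one a target at offset 72; a real scanner would treat such a finding as one heuristic signal among many rather than as proof of infection, which is the "probably" wording mrtwolman refers to.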
  4. JacK (Registered Member)

    Hi LWM,

    Right, done by Guillermito, 2 years ago on the NG fr.comp.securite.virus to demonstrate weaknesses in Viguard's detection.
    NOD32 doesn't make a false positive: on one of the samples it says "Possible virus" ;)


    Rgds,
  5. jan (Former Eset Moderator)

    Hi ZOUAVE,

    >i find a another false alarm.

    You are right, it is a false alarm.

    > I can only imagine it's used for testing some AVs and to show they produce false positives.

    The file is used for testing; we haven't had many requests from our customers who would need us to remove this "false alarm". If we get more such requests, we will do it.

    Thanks. :)

    jan
  6. Dallby (Registered Member)

    Just for info

    I have found that Norton, AVG and EZ-Trust AV all failed to spot anything suspicious about the test file in question, but NOD (AMON) detects it just by going into the folder containing it or when any other app tries to access it.

    Well done NOD32, keep up the good work guys.
  7. LowWaterMark (Administrator)

    Well, actually Dallby, as nice as it would be for this to be considered a good thing, it actually isn't...

    As Jan said, "The file is used for testing - we didn't have many requests from our customers who would need from us to remove this "false alarm". If we will have more such requests we will do it."

    Also, as JacK pointed out, NOD32 only says "possible virus", so perhaps it's not really a false positive, since it does not mistakenly call it a specific virus.

    In any case, Welcome to Wilders and the NOD32 forum!!

    Best Wishes,
    LowWaterMark
  8. Dallby (Registered Member)

    Thanks for clearing that up, I had misunderstood the earlier posts. I've just started using NOD after testing out various other AVs and am impressed (just bought it); I was previously using Norton.

    > Also, as JacK pointed out, NOD32 only says "possible virus", so perhaps it's not really a false positive, since it does not mistakenly call it a specific virus.

    At least it means NOD is doing something in the background and not just pretending to; it isn't stating there is a positive virus but alerting that the file is suspicious. Have I got the right idea?

    I had expected the other AVs I've tried to have had some reaction to the test file, because isn't that the whole point of having a safe file that resembles a virus, to see if the AVs are working? Or am I going off at a tangent again? :)
  9. LowWaterMark (Administrator)

    Yes, that's right. It is saying there is a suspicious file, so this does tell you that NOD32 is active and detecting stuff, but, it really shouldn't detect this.

    This specific file is not an official AV test file, but one meant to fool an AV scanner, so, detection is something to avoid.

    It can be a fine line between detecting a real virus and something that has many but not all the characteristics of a virus. I'm sure all AV products struggle to stay sensitive, but not too sensitive - if you understand my meaning.
  10. Marcos (Eset Staff Account)

    Hi all,

    the archive is currently being examined and, in case a false positive is confirmed, it will be remedied ASAP.
  11. Dallby (Registered Member)

    A-ha, it all becomes clear now; I wasn't aware that it wasn't an official test file like the EICAR test file. That explains why it couldn't be identified specifically and was labelled a possible win32*** type virus.

    Thanks for the info.