CommFort+NOD32=Win32/Packed.Themida

NOD32 with virus signatures from October 17, 2008 and later alerts on all files protected with Themida 1.9.5.0 and 1.9.9.0 (the same situation may be with other versions).

CommFort (http://www.commfort.com/) executable files for all versions for the latest year and a half are among such files.

We sent twelve different files that are within the CommFort software and are suspicious for the antivirus to samples@eset.com a week ago (from maxim @ commfort.com). There are dozens of such files but we can’t find them easily.

We haven’t got any response yet as well as situation change.

Please help us to solve the problems.

Regards,
Maxim Mirgorodsky
CEO of CommFort software Ltd.

 

Hi,

I'm not sure after re-reading you post whether you beleive these should be detected or if you believe them to be false positives?

In either case this post may be of assistance.

Cheers

EDIT: Just downloaded 'CommFort (server + client)'.
Neither the archive itself or the two .exe files it contains are currently detected here?

 

We are talking about the false alerts. Today we released a new version of CommFort protected by the latest beta-version of WinLicense (Themida) in which the NOD alert cause is fixed. The previous CommFort version is available at: http://www.tucows.com/preview/512736

 

This nothing detected. Do I have to install it or what?

 

Yes, install it.

 

OK, this is only detected when you enable scanning for "potentially unwanted applications", which - given the massive abuse of Themida by malware - is most likely by design. Already debated before.

 

So, what am I supposed to do now? I have sent some CommFort files to at least prevent the antivirus from triggering false alarms on them. The result is negative. Every day CommFort users bombard the technical support with complaints on the false virus detection warnings issued by NOD32.

 

Do ESET officials ever show up on this forum?

 

Actually I downloaded both the server and client from your website yesterday and the FP was fixed in the next update. The file you've submitted will be fixed, but note that it's detected as a potentially unsafe application (PUA) because of the packer used and not as malware. In order for PUA to be detected, the users must agree with detection of such applications and intentionally enable detection as it's disabled by default.

 

The 12 files that I have sent over a week ago are still detected as viruses (that’s right, viruses; at least the Russian version of NOD32 writes: "Virus detected") When will the false virus detection be fixed for at least those 12 files?

 

We've received only 1 email with samples attached on Oct 22. Anyway, Themida is detected as a potentially unsafe application because it's massively abused by malware to evade detection. Any further variants packed with Themida may be detected again. Potentially unsafe applications cover commercial programs that can be misused by malware, and are disabled by default. They are only detetected if the user chooses to detect them and intentionally agrees with detection.

 

Just sent you the files once again to samples@eset.com. But instead of attaching them to the message, I have enclosed the download URL (it’s a bit hard to send 25MB as an attachment).

 

Gentlemen,
I'd like to see your response to the submission of the files.

 

And again we have a lot of complaints - NOD32 detects the CommFort client installation file as the "Win32/Kryptik.AE" Trojan file and the executable file as "Win32/Packed.Themida". And if the NOD32 settings are set to default, it deletes these files. We are asking you to solve this situation immediately, we have sent the necessary files in archives protected with a password to samples@eset.com today.

 

I disagree with this statement.
Themida is not detected as default, only when users chose to turn on the p.unwanted applications.

The Win32/Kryptik.AE trojan seems to be a FP and the lab will work on that.

The solution of your problem with the optional Themida protector detection depends mostly on you. You may:
1. Use something else than Themida
or
2. Simiply explain the users that your Themida modified executables are 100% safe (that's true) and It is OK to run them with the setting of PUA disabled.
or
3. Kindly send every build to the lab before release with the words in subject: "Please white-list this build to prevent any detection (Themida)"

Because of the Themida protector the lab (nor the legal department) is able to auto-white list all your Themida executables which you will create in the future as you desire. The lab would like to do it for you, but currently it is not possible. You are the one who have to choose from the proposed solutions.

 

1. It is very expensive to change the protection system. There is no guarantee that a new protection system won’t be in the same situation as Themida is in now.
2. We lose a part of our users acting like this.
We have no choice – we must choose point 3.:

As it is necessary to write often and quite often 5-10 files will be added at a time to the white list (we release different distributives for different license types) please provide us with the requirements to such messages. It is obvious what to specify in the subject field. The questions are:
1) Is it possible to include 5-10 files simultaneously into the message?
2) Is it necessary to add them to an archive (protected with a password)?
3) Is there any limit for the message size?
4) What is the email address and what should be written in the message body?

 

Not a problem.

Yes, some email server can delete it if you send it unencrypted.

Yes, it depends on individual settings on email servers.

I suggest you to write something like this: "According to our aggement we are sending you new version of.... which we are going to release soon. Executables use Themida protector and we quarantee they are safe to use. Please verify and white list them in your product. Please notify us... "

In the case you don't receive any reply in 2 work days, write a post to the forum with request about the status.
I don't know, what is your current release frequency?

If you don't like sending files in email, you may put the files somewhere on your server and send the direct link instead. FTP can be used as well. In the case of HTTP and FTP there is no need to password protect the archives and there is no problem with their size.

 

No, unless you have a limit to what you can send.

 

Okay, we will send files then but hope this inconvenience is temporary (if such protection strategy will be chosen by other antivirus developers – we will be simply unable to send the files to all).

And one suggestion: it may be useful to change the protection scheme in the way that the ‘potentially unwanted applications’ aren’t deleted automatically. Or at least you may display a ‘potentially unwanted applications’ launching confirmation message.

 

The NOD32 version 4 (currently in public beta stage) is already dealing with the PUA in different way. Notification alert is changed and the color too (yellow).