False Positive - Gmer

Would you please ESET fix this False Positive? This tool is crucial for me, and its new beta is detected as a NewHeur PE_virus:

hxxp://www.gmer.net/gmer110b.zip (I replaced 't' with 'x')

This tool was created to detect and delete rootkits, hiden services and processes, and has many other useful features like system integrity monitoring and protection, etc. I submited the sample, but it is not fixed so far.

Thanks in advance.

 

Did you send it to samples[at]eset.com? It's usually faster that way than using the built in feature in NOD.

 

Yes I did, it was also sent via ThreatSense.

 

If you look at what the file does then you can excuse NOD32 flagging it as potentially malicious.

 

Tonight I was with a client and I cleaned his infected machine . The trial of NOD32 flagged an exe file in C:\Windows\System32 as NewHeur PE_virus

I didn't submitted it , I just renamed it.
May be it is false positive , may be not , I hope it is not

 

I do understand why NOD could flag it, but I just ask to fix it.

 

It does system monitoring? Then I want my NOD to detect it.

 

sounds like it should be detected as a Potentially Dangerous Application, which it may be if the sample was submitted via ThreatSense and Eset update it as such to the database.

If it does get categorised as a PDA then you would be able to unselect the option to detect Potentially Dangerous Applications. That would of course mean other such apps would go undetected, but that would be your choice.

lee

 

I don't know what you mean, but this is an option which you can select in this tool. It is not a tool to hack, or destroy anything. This tool is a mix of Process Guard, RegDefend, Rootkit Revealer (with deleting capabilities), Process Explorer and simple outbond only firewall (with app filtering), it can also log many system events. For sure it was not developed to harm, but to protect systems and remove nasties.

If you go to this site and look at screenshots, you will know what I mean:

http://www.gmer.net/index.php

 

Well I don't understand b/c I can't read a word of it lol... But assuming you mean file system monitoring or system integrity monitoring then I would understand. System monitoring brought to mind (my mind anyway) spyware.

 

I know you don't understand a word in Polish, but screenshots speak for themselves. I hope it would be translated into English soon, as it is a briliant and FREE tool.

My English is far from being perfect, so sometimes I might be misunderstood.

 

Thank you very much ESET, it is fixed now!!! Great work!!!

 

Misunderstandings are commonplace on the www - that's for sure. Glad to see it's the right kind of ssytem monitor and sorry I misunderstood; also glad things are fixed.

 

I think this thread is a suitable one to express "my" case as well...

I was looking for Soulseek plugins the other day and I stumbled upon Soulseek Stats. As explained in the link it just gathers into .csv files some information regarding your uploads/downloads (who downloaded what etc) to keep tracks of what's going on with your Soulseek times.

At first it didn't even allow me to install it...got a message about "probably unknown NewHeur_PE virus". I decided to take the risk anyway (for a reason I can't explain, the quarantine was empty and couldn't send the file to you guys), so I disabled nod32 for a moment, installed the plugin and enabled my precious antivirus again. Doing its file scanning in the background it did alert me again about the possibility of NewHeur_PE virus, so I decided to upload the SoulseekStats.exe (not the .exe of installation) to jotti, virustotal and virus.org. Here are the results for the first two:

Jotti

Code:

AntiVir  	Found nothing
ArcaVir 	Found nothing
Avast 	Found nothing
AVG Antivirus 	Found nothing
BitDefender 	Found nothing
ClamAV 	Found nothing
Dr.Web 	Found nothing
F-Prot Antivirus 	Found nothing
Fortinet 	Found nothing
Kaspersky Anti-Virus 	Found nothing
[B]NOD32 	Found probably unknown NewHeur_PE (probable variant)[/B]
Norman Virus Control 	Found nothing
UNA 	Found nothing
VirusBuster 	Found nothing
VBA32 	Found nothing

VirusTotal

Code:

AntiVir	6.34.0.24	04.20.2006	no virus found
Avast	4.6.695.0	04.26.2006	no virus found
AVG	386	04.27.2006	no virus found
Avira	6.34.1.58	04.27.2006	no virus found
BitDefender	7.2	04.28.2006	no virus found
CAT-QuickHeal	8.00	04.26.2006	no virus found
ClamA[B][/B]V	devel-20060202	04.27.2006	no virus found
DrWeb	4.33	04.27.2006	no virus found
eTrust-InoculateIT	23.71.141	04.28.2006	no virus found
eTrust-Vet	12.4.2181	04.27.2006	no virus found
Ewido	3.5	04.27.2006	no virus found
[B]Fortinet	2.71.0.0	04.27.2006	suspicious[/B]
F-Prot	3.16c	04.26.2006	no virus found
Ikarus	0.2.59.0	04.27.2006	no virus found
Kaspersky	4.0.2.24	04.28.2006	no virus found
McAfee	4750	04.27.2006	no virus found
Microsoft	1.1372	04.28.2006	no virus found
[B]NOD32v2	1.1510	04.27.2006	probably unknown NewHeur_PE virus[/B]
Norman	5.90.17	04.27.2006	no virus found
Panda	9.0.0.4	04.27.2006	no virus found
Sophos	4.05.0	04.27.2006	no virus found
Symantec	8.0	04.28.2006	no virus found
TheHacker	5.9.7.135	04.25.2006	no virus found
UNA	1.83	04.27.2006	no virus found
VBA32	3.11.0	04.27.2006	no virus found

Should I worry?

 

Send it to samples [at] eset [dot] com for analysis. This is the fastest way to determine weather the detection is true or not.

 

I wrote Soulseek Stats, and I do make sure I scan new versions with an up-to-date Anti-Vir before I upload them. I did however, compress the EXE with UpX, and I imagine this is what might have triggered what is quite possibly a false positive.

Cheers, Threetwosevensixseven

 

Nope, NOD32 does not use packer detection as some other AVs unfortunately do.