False Positive Strangeness + Question

Original file name thcl.exe
Location C:\Program Files\TrojanHunter 5.0

During an automated trojan scan, (and likely part of how Trojanhunter operates) thlc.exe created C:\Windows\TEMP\vzw.exe. Vzw.exe then triggered NOD32 v3 Real time Protection module.

NOD32 v3 indicated - Detected as "probably unknown STEALTH.POLY.CRYPT.TSR.DRIVER virus"

IMPORTANT: Each time Trojanhunter's automated / scheduled scan is run thlc.exe creates a file OF A DIFFERENT NAME in the C:\Windows\TEMP folder.
As such the flagged file in the above report, vzw.exe, was simply one possibly randomly generated file name created by Trojanhunter during it's scan process.
To clarify, ESET may want to focus more on the thlc.exe automated Trojan scan application and not focus so much on the file name being created in the TEMP folder as it seems Trojanhunter is creating files of random names. And it is those random named files that are setting off NOD32 v3

As the flagged file, vzw.exe was submitted to ESET for analysis. But I fear it will turn up nothing and be useless in adding the file to a FP database since thlc.exe (Trojanhunter) is the source of the problem / FP bug.



How should I report this to ESET?

Where do I send the report to?

 

https://www.wilderssecurity.com/archive/index.php/t-65214.html that will give you the work around, as it is a FP. You could also see if excluding TrojanHunter has any effect.

 

Thanks you SB!

 

One thing I think may be significant for someone at ESET to know.

A manual scan by TH uses the file Trojanhunter.exe
An automated scheduled scan by TH uses the file thlc.exe

A manual scan by TH never sets off a NOD32 FP.
An automated / scheduled scan by TH does set off a NOD32 FP.

TH v5.0 was just released in September. It was the first version of TH that offered scheduled scans as part of the application (no need to manually set from Windows Task Scheduler.)

Thus, it seems to me possible that NOD32 "definitions" know trojanhunter.exe as a major application and it is allowed. But this new thlc.exe TH scanning module is as of yet unknown to the guys at ESET. Maybe?

 

Excluding thlc.exe is ineffective. ESET real time protection still throwing up the red flag. Again, I think it's because it is not TH that is being flagged, but rather NOD32 is flagging the randomly named .exe files TH is creating. And of course it is not possible to exclude every possible randomly generated file name.

I have to say I am not happy about being stuck with manual scans only for TH, but if that's what has to be done - so be it.

One last thing I want to try. Will report back.

 

Could you add Nod to TH's Excluded list?

 

I added thcl.exe to the exclusion list in nod32 for AMON the file system monitor and it has stopped the false positives. Hope this helps.

 

I haven't seen AMON since v2.7. Can you tell me step by step what you do so I can give it a try?