Possible false positives

I'm running the trial version. I get several things flagged as threats. These things had not been flagged by Norton. Maybe this means NOD32 is doing a better job than Norton did or maybe it means these are NOD32 false positives. Is there any good way to find out which?

 

Please post some examples and we can take a look.

Cheers

 

Post here?

Not sure how I would do that.

One is an exe file about 4 MB in in size.

Another is an rtf file about 50 MB in size.

 

No, the actual line that NOD32 is detecting, as in C:\....

Cheers

 

You mean lines from the log?

OK, here's a couple:

H:\IBM CD Contents\Install Files\AOLInstantMessenger\v5.5\Install_AIM.exe »WISE »WxBug.EXE »WISE »MiniBugTransporter.dll - Win32/Adware.WBug.A application

H:\IBM CD Contents\References (Docs & Notes)\uni-SPF\uni-SPF Reference - Chapter 06 - Utilities.rtf - probably a variant of BAT/ServU.F trojan

 

These appear to be on a CD or from a CD, so they would be in a "read only" state, thus not removable.

Cheers

 

If I may put my 2c...

Most (if not all) AVs flag instant messengers as bundled with adware. I find this normal, as they are indeed bundled with all kind of adds, animated gifs and whatnot. I have seen such detections from NOD (and Avira and avast!) with MSN messenger and ICQ as well. So this is not a false positive in a technical sense, but I don't think that adds pose any real threat if any at all. You could download a fresh copy of AOL messenger and then manually scan it to see if it's flagged. If it is, that should give you a clearer picture.
As for the RTF file, it was heuristically detected. That raises some questions whether RTF file can be a carrier of any kind of malware. It is very simple text format, although it supports embedding of objects, so it is possible to call a malware exe from inside the rtf. In any case, I would look for a second (and third) opinion of several online scanners... And maybe even submit the rtf file to ESET for analysis.

Cheers.

 

No, they are not on a CD despite being in (subfolders of a) folder called IBM CD Contents. The contents of that folder was once copied from a CD, but the files in question are now on a hard disk.

Though I have another thread going about inability to delete files, my focus here is whether or not these files should actually be flagged as threats.

 

Me , too .

As for the first one
MiniBugTransporter.dll - Win32/Adware.WBug.A application
it seems it is not a false positive but an adware embedded in an AOL application - common practise nowadays

As for the second , yes , it seems suspicious for a RTF file to be a BAT trojan , but ... who knows . ESET Technical support will know better . Submit that file (the second one) via email to support[at]eset.com (where [at] means @) along with a link to this thread

 

Yes, I don't doubt that analysis of the first one. What "worries" me about this is that Norton never complained. I'm trying to get some feel for whether NOD32 is doing a better detection job or falsely indentifying the file (a worse detection job).

As for the second file, I might try to submit it, but I wonder if it will be possible to submit a file of approximately 50 KB.

Edit: As I suspected, the file is too large to submit. I suppose, if I care enough, I'll have to see if I can extract a smaller piece which is still "suspicious".

 

Hi,

Just a general remark, if I'm allowed (I don't want to go off topic):
RTF files can indeed have embedded objects that can be dangerous
http://www.dslreports.com/forum/remark,18398146
http://isc.sans.org/diary.html?storyid=2528

 

NOD32 is much better than Norton - in many places of comparison including detection rate . Read this:
http://www.eset.com/products/NOD32 vs Symantec.pdf

No , it is real , not a false positive

Actually 50 KB file is small one and all mail clients/web mails should be able to deal with it .

 

I read it. Two things occur to me.

First, it's published by Eset, so, obviously its going to present NOD32 in the best possible light.

Second, I note that supposedly according to PC World April 2007, NOD32 causes a 4% slowdown while Norton causes a 13% slowdown. This may be correctly quoted and the main reason I'm looking at NOD32 is because I do believe it to be less of a drain on the system.

However, I have the June 2007 PC World which contains reviews and comparisons of AntiVirus Applications. In that review the corresponding fugures are 5% and 10%. At least that's still a significant advantage for NOD32, but overall Norton is rated number 2 and NOD32 number 4.

Here are two brief quotes from the magazine:

What does all this mean? I don't know. Probably that there are pros and cons for each and that one can find reviews favoring almost anything if one looks hard enough.

 

Sorry, my mistake. It's 50 MB.

 

Just feeling like commenting the document in your link. I find it to have a good comparison chart, and it is relatively objective and not too subjective, in the way that it shows numbers and statistics and features present and not present, instead of just saying "we are best". It was a nice overview, even though I'm not as "fanatic" about NOD32 as I used to be. Two things I reacted to in the overview/comparison chart:
1. It says Norton Antivirus' Proactive Detection Methods are through "Code Analysis" only; it doesn't mention "Generic Signatures" or "Emulation" like under NOD32. I was under the impression that Norton does have generic signatures? Correct me if I am wrong.
2. Under "Detection and Remediation" it is stated that Norton Antivirus has "Poor remediation of spyware". Does this mean disinfection? I would like to see some facts backing that up rather than just stating it. See "System disinfection" in the comparison chart here. From what I've witnessed on some systems, Norton usually cleans up good/repairs the systems where it finds something.