Possible Smitfraud fix False Positive ?

Discussion in 'NOD32 version 2 Forum' started by Rieske, May 23, 2006.

Thread Status:
Not open for further replies.
  1. Get

    Get Guest

    @nameless: your tip is :thumb: of course, but that's the only valid point you're making and when you are saying in the beginning ... "So if your request is addressed, ...someone else will come around, complaining ...Then, someone else will run another "cleanup" utility that detects and deletes 0-byte files (and such utilities do exist). And so on." then "By the way, I will say that it's pretty far from ideal that NOD32 does not automatically create a quarantine directory and registry value when it needs to." begs for sarcasm and it btw is not intended to be nasty.
     
  2. Benvan45

    Benvan45 Registered Member

    Joined:
    Jul 27, 2004
    Posts:
    556
    Very sorry not to have seen any reaction from Eset, so far.......and I still think it's important enough!!!
    So....please!!!
     
  3. pepim

    pepim Registered Member

    Joined:
    Aug 28, 2005
    Posts:
    75
    Location:
    the Netherlands
    I'm not quite sure Ben, but I thought by reading this posting of Get that NOD is working on it?
     
    Last edited: May 29, 2006
  4. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,456
    This was the official answer from Eset to this problem.
     
  5. Benvan45

    Benvan45 Registered Member

    Joined:
    Jul 27, 2004
    Posts:
    556
    Just great, sorry, I missed that. ;)
     
  6. Get

    Get Guest

    "There will be a workaround added for this to the upcoming installers and Macecraft (JV16), and, as I can imagine, others will be asked to add the key to their whitelist."

    Just tested it with the new Nod and the newest JV16 and it still isn't fixed. Wasn't Nod32 2.7 the upcoming installer?
     
  7. Get

    Get Guest

    Hm, takes a long time to answer something that doesn't look like a difficult question. A simple yes or no will do. :)
     
    Last edited by a moderator: Nov 22, 2006
  8. pepim

    pepim Registered Member

    Joined:
    Aug 28, 2005
    Posts:
    75
    Location:
    the Netherlands
    I wonder if Eset overlooked this posting? I also am curious for the answer.
     
  9. Get

    Get Guest

    That's not very plausible looking at the 24 hours between postings. The question just isn't answered.

    Not giving an answer is an answer in itself. Draw your own conclusions. Mine is to move on to another AV, when my licence has expired.
     
    Last edited by a moderator: Nov 23, 2006
  10. pepim

    pepim Registered Member

    Joined:
    Aug 28, 2005
    Posts:
    75
    Location:
    the Netherlands
    It looks like you're right Get. Sad to see this issue doesn't seem to be fixed and even sadder that we stay in the dark for the reason why... :(
     
  11. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,456
    I've just installed jv16 Powertools 2006, ran a registry cleaner and it didn't find any ESET key as redundant, thus it didn't delete anything that could affect NOD32.
     
  12. Get

    Get Guest

    That's because you already had the infected-folder. When you haven't, because you didn't quarantine anything yet, the key responsible for the creation of the infected-folder will be found. That's the problem. Many people will delete everything JV16 (or another regcleaner for that matter) finds and the infected-folder will never be created. When that happens and NOD quarantines/deletes something it will only be deleted. That way I once lost something (false positive) of which I had a backup, but when you lose something irreplaceable without a backup it's a big problem.
     
  13. lucas1985

    lucas1985 Retired Moderator

    Joined:
    Nov 9, 2006
    Posts:
    4,047
    Location:
    France, May 1968
    Regcleaners are powerful tools and usually they cause more troubles than improvements in the speed and/or stability
    You MUST back up and double-check EVERYTHING you want to delete
    Consider using tools like ERUNT
     
  14. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,456

    Nope, I intentionally renamed the original "infected" folder and didn't create a new one nor did I quarantine anything. I gather they excluded this key from scanning.
     
  15. Get

    Get Guest

    To test it I also renamed the empty infected-folder and still JV16 finds the key (Error severity: High, Error description: File or directory "C:\Program Files\Eset\infected" does not exist). It's not excluded from scanning on my pc, but even if it did that's not really the point. The point is it doesn't exclude it after a fresh Nod32-install.
     
  16. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,456
    Did you actually use jv16 Powertools 2006 as I did?
     
  17. Get

    Get Guest

    Yes and old version too. Made no difference, but even when regcleanerbrands exclude this key then still a lot of people use the old versions so then the problem will still exist for those people. When the infected-folder would be created as soon as you install Nod32 then there would be no problem whatsoever, so for me it's hard to grasp why that isn't/can't be done. o_O
     
  18. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,456
    Please PM the exact instructions how to replicate the problem as I was unable to do so. The registry cleaner didn't flag the key with the path to the infected folder even if it didn't actually exist.
     
  19. Get

    Get Guest

    Did last evening. Maybe something went wrong so I will paste it here also to be on the safe side:


    The actual problem can be replicated by uninstalling NOD32 and then installing it again. There won't be an infectedfolder until there's something quarantined. When you run for example JV16 before the infectedfolder is created then it will flag the key:

    [HKEY_LOCAL_MACHINE\Software\Eset\Nod\CurrentVersion\Common]
    "QuarantineDirectory"="C:\\Program Files\\Eset\\infected"

    When you already have an infectedfolder and don't want to go through the uninstall/install-routine you can change the name of the infectedfolder as you did and when you then run JV16 it will also flag the key because then the key won't be pointing at something. It then also says: "Error description: File or directory "C:\Program Files\Eset\infected" does not exist", which is true by then, because after renaming "infected" it will not exist anymore by that name.
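
Added example (editor's illustration, not part of any post and not jv16's or ESET's code): a minimal model of the check the thread describes, where a cleaner flags a registry string value whose path does not exist, and of the whitelist workaround mentioned earlier. The function names, the `WHITELIST` entry and the `path_exists` hook are assumptions; only the key, value and path come from the post above.

```python
import os
import re

# Constructed sample: the .reg export text quoted in the post above.
SAMPLE_REG = r'''
[HKEY_LOCAL_MACHINE\Software\Eset\Nod\CurrentVersion\Common]
"QuarantineDirectory"="C:\\Program Files\\Eset\\infected"
'''

# Hypothetical whitelist entry of the kind the thread says cleaners would add.
WHITELIST = {(r"HKEY_LOCAL_MACHINE\Software\Eset\Nod\CurrentVersion\Common",
              "QuarantineDirectory")}

_VALUE = re.compile(r'"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"')

def _unescape(s):
    # .reg string data escapes backslashes and quotes with a backslash.
    return re.sub(r'\\(.)', r'\1', s)

def parse_reg(text):
    """Yield (key, value_name, data) for each string value in .reg text."""
    key = None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
        elif key and (m := _VALUE.fullmatch(line)):
            yield key, _unescape(m.group(1)), _unescape(m.group(2))

def audit(text, path_exists=os.path.exists, whitelist=frozenset()):
    """Return (value_name, path, verdict) for values naming a missing path."""
    # Registry key and value names are case-insensitive.
    allowed = {(k.lower(), n.lower()) for k, n in whitelist}
    findings = []
    for key, name, data in parse_reg(text):
        if not re.match(r'[A-Za-z]:\\', data) or path_exists(data):
            continue  # not a drive path, or the target is present
        ok = (key.lower(), name.lower()) in allowed
        findings.append((name, data, "keep" if ok else "flag"))
    return findings

if __name__ == "__main__":
    missing = lambda p: False  # simulate a fresh install: folder not created yet
    print(audit(SAMPLE_REG, missing))             # cleaner without the whitelist
    print(audit(SAMPLE_REG, missing, WHITELIST))  # cleaner with the whitelist
```

Run against a real export, the same audit lists every value that would look "redundant" to such a check, which is the list to review and back up before letting a cleaner delete anything.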
     
  20. pepim

    pepim Registered Member

    Joined:
    Aug 28, 2005
    Posts:
    75
    Location:
    the Netherlands
    Still curious, what's going on? :rolleyes:
     
  21. Get

    Get Guest

    Marcos, on another computer, also found the problem to be present and will contact Macecraft (jv16) to get it fixed asap and it will be fixed in NOD32 3.0 at latest. :)
     
  22. pepim

    pepim Registered Member

    Joined:
    Aug 28, 2005
    Posts:
    75
    Location:
    the Netherlands
    Glad to see the problem will be solved!
     