Sending virus from System Restore?

How do I send a probable false positive found by NOD32 in System Restore? AMON automatically quarantined it and then told me to send it to sample (not samples) @nod32.com. I already sent another one from my programs folder than I got a reply today was a false positive and will be corrected.

I don't know how to send this one. Plus, I don't know how to read what was found in System Restore (all the numbers and letters look meaningless to me) to know where on my system the original file is so I could send that instead.
AMON has alerted on this twice already today.

Why in the world hasn't Eset made it so I can send DIRECTLY from quarantine? Why make it difficult and time consuming when every other av I've tried can send directly with ONE CLICK of the mouse from quarantine? Doesn 't Eset think my time is valuable? I almost didn't bother to send the first false positive because of this lack of courtesy in providing an easy, quick method for me to send.

Time Module Object Name Virus Action User Info
9/3/2004 4:44:19 AM AMON file C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP368\A0110958.exe probably unknown NewHeur_PE virus NT AUTHORITY\SYSTEM
Time Module Object Name Virus Action User Info
9/3/2004 12:53:24 PM AMON file C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP368\A0110958.exe probably unknown NewHeur_PE virus quarantined NT AUTHORITY\SYSTEM

 

Hi Mele, as you have AMON set with Quarantine ticked, the file should be found in C> Program files> Eset> Infected

Hope this helps...

Cheers

 

Thank you! Got it zipped and sent.

 

My pleasure, all the best...

Cheers

 

This is the email that had the extra dot in the address and got bounced back to me as undeliverable. So, I got ready to send it again and, on impulse, decided to first unzip the attachment just to see what AMON would do as I had a funny feeling.
Sure enough,when I save it and then uzip it, I can't open it and NOD32 doesn't peep. It's a odd extension NQF that changes to NQI when zipped? What is that? When I unzip the file is 1kb in size ...this is unzipped. Before I zipped it, it was 124kb so shouldn't it unzip to the original size?

So am I doing this correctly? The suspect file is from System Restore and I went to program files/Eset/infected, found it and zipped it. As I've said before, if Eset wants us to send them samples they need to make it quick and easy to do so. Why can't I just highlight the file in quarantine and click a send to Eset button!!! That is how other av do it.

 

I think you can just send the files as they are, as in they will not be bounced by the Eset servers if they are not zipped, due to their file extension…

Do this by going to:

C Drive
Program Files
Eset
Infected

Highlight the 2 files to be sent (same date, different file extensions) and then Right Click> Send To> Mail Recipient

As per my screenshot...

Hope this helps...

Cheers

 

I can't do that. First of all, when I right click and select "send to email recepient" it is automatically zipped. When I unzip it there is a 1kb file not 224kb that it was before being zipped. So how can Eset tell anything from that? Second, my ISP's virus scanner will kill it on outbound unless zipped and password protected. Of course, if this really is a false positive and Symantec Corporate scanner knows this then it will get through without being password protected. But if the zipping is doing something weird which it appears to be then I don't see how sending this is useful.

Ordinarily, I would zip and password protect the original file to send since I can't send the quarantined file directly from quarantine. But I don't know what file this. It has a bunch of letters and numbers because it was found by AMON in system restore so I don't know how to figure out what file it is so I could go to the original file and zip that and send.

Geez! This is getting ridiculous. I am taking all this time only because I don't want AMON to keep alerting on this because that is irritating. I'm not doing this to help Eset find false positives because they haven't made the process to send easy.

I guess I will email tech support and ask how to send this.

 

Mele,
since the files in quarantine are encrypted, there's no chance they could be stripped out by another AV. Another option is not to quarantine infected files but rename their extension, enclose them as an attachment to an email and send them to Eset for analysis.

We plan to make a signifficant improvement to NOD32 making sending of samples to Eset much easier some time soon.