Win32/Delf.NRP false positive

Hi, new to NOD.

update to 3954 has found Win32/Delf in a programme that I've been running for years; the virus is in mmm.dll of Hace's Mmm software that cleans up the windows context-menu.

This must be a false positive.

http://hace-software.com/programs.shtml

What do I do now please?

 

I've downloaded MMM free from http://hace-software.com/download.shtml, installed it and scanned it with an up-to-date version of EAV, but no threat was reported. Did I actually install the right file?

 

Hi Marcos
Thanks for your reply.
Sorry - my fault.

I actually have the purchased version Mmm+.

http://hace-software.com/programs.shtml

 

Could you send just mmm.dll with "False positive" and this thread's url in the subject to samples[at]eset.com?

 

Sent one minute ago

 

I can confirm that I am getting the same message using the free version of Mmm.

 

I have the paid version of MMM+ and I am getting the same detection. I contacted HACE and was told it is a false positive. I downloaded a fresh copy of MMM+ but installation is blocked by NOD32.

 

I've uploaded mmm.dll from the free version to VirusTotal, NOD32 reported it as clean. Could you please do the same with your mmm.dll and compare MD5? Mine was 69047a6aaf1d8c8e670c1d1e01a92744

 

Done (though I don't know what this means).

MD5 = 6132cbf0705227585b5d339d5f2c9bd3

 

Did it again and got a different value:-

c464fee5a2ffe71e9a25d8ebe3d43ac4

 

I wonder if it's possible something else is modifying the file? Not necessarily viral.

 

More info:-~Virus Total screenshot removed per Policy. - Ron~

 

Hello,

I'm also having the same problem with Mmm+ (paid version) and NOD32.
I uploaded mmm.dll to VirusTotal and got 6 detections. These are the detections I got:

~VirusTotal results removed per Policy. - Ron~

MD5: 6132cbf0705227585b5d339d5f2c9bd3

I still think it's a false positive, because NOD won't even let me install Mmm.

 

Sorry - I'm new to this forum; I've now read the rules.

Two AV programmes (including NOD32), on Virustotal, reported Delf.NRP; another four reported "suspicious".

 

I've also been caught with this False Positive. It's been going on for ten days or so now - how long does it take ESET to sort this out?

 

We're yet to receive a sample of that file. Could someone please send it to samples[at]eset.com in an archive protected with the password "infected" and "False positive" in the subject? Baj1936, what was the subject of the email you sent us? I couldn't find any with the file in question attached.

 

I sent a sample 2 weeks ago from within the Nod32 program.
I just sent an email as per the instructions in the above post.

 

From the quarantine window in NOD32, you can right click a file and select SUBMIT FILE FOR ANALYSIS. I have done this several times is the past 2 weeks with no response. This time I sent the file in an email as per Marcos' instructions.

 

To Marcos,

This was the subject -- "False Positive "http://www.wilderssecurity.com/showthread.php?p=1344628#post1344628". This URL differs slightly from the present URL but it is the one I used on November 7 (I store all my copies for a month or two).

The mmm.dll file was not compressed.

 

Could you please send just the file that is detected? The installer requires a serial number to continue installation.

 

I just sent the dll file

 

All OK now.

Update 3613.

At last.

Thanks.

 

Additional copy sent, titled and passworded as per Marcos' instructions above.
Email subject line: "False Positive - mmm.dll Attn:Marcos"

<edit>
Seems this may be fixed according to latest post above from Baj1936. Let's hope so! Major wrist-slap to ESET for taking so absurdly long, though.

Marcos - two questions:
1. surely dealing directly and properly with HACE would have got you a full copy to test?
2. there's clearly something wrong with ESET's internal systems if you said yesterday that "We've yet to receive a sample of that file", but Al92lt1 says he sent the file several times over the previous two weeks via Nod32's own "submit file for analysis" reporting system. Would have thought those submissions would have priority investigation, rather than being totally ignored as appears the case. Don't they get investigated at all?

 

Samples must be submitted by email to samples[at]eset.com with a clear subject (e.g. "False positive" if you suspect a file to be detected incorrectly). ThreatSense.Net serves mainly for statistical purposes, we receive several thousands of new unique files through it on a daily basis. Files submitted manually are in 99% garbage (e.g. text files, photos, etc.).

 

But as it is present , I think you must adjust it so that the samples manually sent from users via ThreatSense.NET also come to your attention .

It seems that samples received from ThreatSense.NET rarely get any special attention apart from the mainly statistical function.