the 89 line executable that demos a NOD32 bug

Marcos,

1. so which tools similiar to madcodehook are not detected as viruses?
2. what is madcodehook doing that those are doing that makes it a virus?
3. why do you refuse to answer the question of why isnt MS Detours flagged as a virus even though it has been "misused by malware"?

following your suggestion is fine with us. we just want to use a toolkit you arent going to flag as a virus.

 

I see the situation is now resolved to your liking. As to the use of a toolkit that won't be flagged; easily done if you know what your doing.

 

Ok, that was a bit hard to understand after reading your posts.

You obviously don't understand how the detection works. If one tool is detected it doesn't mean that all other similar tools is detected as a threat. The detection doesn't check based on what category the program fit into. Like programs packed with UPX many antivirus solutions detect as a threat even if it can be any kind of program. If the other tools you are talking about where blocked as well would that make you happy and then you would stop spamming this forum?

This is like asking if one virus is blocked why isn't all other blocked as well which would give the software a 100% detection rate.

Come on....let's not make this into a childish discussion.


You have already been given an answer. What part is it that you don't understand. Eset told you that Madcodehook is often used by malware so they decided it should be blocked. You don't have to accept the answer, but there is no need to keep nagging since that's the final answer. That's the answer you can give to your users. To block madcodehook will give you better protection, but unfortunately it can give some false positives as well in rare cases. Would it be better to let a lot of malware pass just to make you happy?

 

ok fine they listed it as a positive. where is this list of toolkits that will give a positive? where is this list of toolkits that give a negative? what makes them different?

the end goal is that our software isnt a virus and should be flagged as a virus. we chose a tool that nod32 has a problem with. which toolkits doesnt nod32 have a problem with? whats to stop those from being "misused by malware" and start being flagged? what does madcodehook do that those dont?

why can no one answer these questions?

 

Eset is a professional company and i'm sure they don't block madcodehook just to annoy you. I'm sure they know what they are talking about without the need to provide you with futher any proof.

You still don't get it. Madcodehook by it self doesn't do anything.

No offence, but it seems like you are the only one that doesn't understand the answer that have already been given.

Marcos also told you that the final answer is given so why do you keep asking?

 

then why is it being picked up as virus?

i've asked here the following...

1. where is this list of toolkits that will give a positive?
2. where is this list of toolkits that give a negative?
3. what makes them different?
4. whats to stop those from being "misused by malware" and start being flagged?
5. what does madcodehook do that those dont?

i havent seen an answer to those. if there were answered i would very much appreciate a link to where they were answered.

 

Like i said you don't get it. It have been said a lot of times already it's often used by malware. So i guess it's hard to create an exception for your program only that doesn't do anything and still block the malware that use madcodehook.

Such a list is impossible to create.....i find it very surprising that you cannot understand that.
The detection is not based on the category of the tools, but signatures. So a program that is not detected as a threat could be detected as a threat when a new version is released even if the new version do exactly the same thing....there is no guarantee. Nod32 is known to have few false positives, but like any other AV software there are some.

If you keep nagging you might end up on everyones ignore list and then you will probably not get a lot of answers in the future. Seems like there is no way to end this discussion with you so i'm done here.

Anyway as already said by the eset staff they will not give you any further explanation so why do you keep posting when you know the only result is that you annoy the forum members? Please do not repeat the "give me a list of tools....." you said that too many times already.

 

bombs are used by terrorist does that mean that everyone who has bombs are terrorist? i could come up with 50 other examples like this if you'd like. for example.. MS Detours is used by malware. why isnt MS Detours get picked up?

 

You are kidding, right? No reputable security vendor will give you a guarantee something's not going to be detected as malware; we don't live in a static world. Once a tool starts to get massively abused by malware authors, it will end up on blacklists of AV and antimalware companies.

You've already got your answer, stop asking over again.

See answer to #1.

See answer to #1.

 

So bombs should be allowed to bring on airplanes if you are not a terrorist? And how should anyone know which one that are terrorists?
Like antivirus software might stop a certain behavior even if not a virus because that kind of behavior of a program could be dangerous.....and the result a program that is not a virus might be blocked as well. That why you are not allowed to bring a knife on a airplane because no one know why you brought the knife.

Yes, i'm sure everyone could come up with a lot of silly examples, but this discussion is turning into a silly endless discussion. Good luck with your program.

 

can any moderator answer these questions?

1. where is this list of toolkits that will give a positive?
2. where is this list of toolkits that give a negative?
3. what makes them different?
4. whats to stop those from being "misused by malware" and start being flagged?
5. what does madcodehook do that those dont?

 

The bomb and terrorist analogy is creeping me out. IMO marcos gave a acceptable answer and if you do not use nod32 why bother with the thread at all.

 

I have to admit that this thread should get a prize for the Thread with th greatest amusement value.

 

im glad its acceptable to you since it doesnt effect you, your project or your users. however since it effects me, my project, and my users again i am going to ask..

can any moderator answer these questions?

1. where is this list of toolkits that will give a positive?
2. where is this list of toolkits that give a negative?
3. what makes them different?
4. whats to stop those from being "misused by malware" and start being flagged?
5. what does madcodehook do that those dont?

 

While not being a moderator, let's see if I can answer your questions in a way you'd accept.

First, as far as I'm aware, your program was detected by heuristics ("NewHeur_PE", as opposed to a specific name). In most cases, the heuristics works by seeing if a program has certain "suspicious" properties, and if enough of those are present, the file itself is flagged as "possibly malicious".

Apparently, certain functionality provided by MadCodeHook is deemed to be suspicious and contributes to the total "evilness" of the program. This is not MCH-specific -- any library or tool doing that would get some "bad points". It can also be seen that MCH by itself is NOT sufficient to raise the "evilness" high enough, because if it was, the examples provided by Madshi on the homepage would also be detected. Some of the other features of your program are likely to be contributing too.

For example, if I take the set of executables having property P, I have ever encountered, slightly more than 92% of them were malicious, about 6% were of questionable type (cracks and patches) and 2% were "clean". The malicious ones are growing in number, while the "clean" ones are mostly stagnating. Would you find it unreasonable to declare programs having property P guilty-unless-proven-innocent and add specific exceptions for the clean ones?

Obviously, differentating between "good" programs with property P and "bad" programs with property P can only be made based on something specific to them -- so if one distills just the "essence" of property P into a program, there would be nothing useful to differentiate it from the others.

Perhaps this is why your program is not going to be excluded from detection by ESET? I've seen a different program (GSC or something like that) mentioned on the Madshi forum and it seems they (ESET) have fixed the misdetection already. So, asking them to fix their misdetection of the actual program, rather than a minimalistic example would be the right approach to take?

 

well i dont know what country ESET operates in however in the USA everyone is innocent until proven guilty.

if a program is doing suspicious things then ESET should automatically send that program to ESET and have it inspected. it is determined to be a virus then i can accept that it be flagged as a virus. however my program nor the example code i have provided is doing anything virus like. hence we are innocent. so we should not be flagged guilty.

it you look at the example code provided here, you will see it does the following

1. initialize madcodehook.
2. create an object.
3. initialize openssl.
4. shutdown.

funny. those things arent virus like. so why is it flagged as a virus?

so again we come back to the same questions.

can any moderator answer these questions?

1. where is this list of toolkits that will give a positive?
2. where is this list of toolkits that give a negative?
3. what makes them different?
4. whats to stop those from being "misused by malware" and start being flagged?
5. what does madcodehook do that those dont?

 

The way you have bad mouthed Eset in this thread It is a wonder they responded to you at all. You should have addressed this issue by pm or email to their support not posting it in an open forum and ranting on and on trying to get sympathy for yourself. They would probably be much more receptive to you if you would have done it through their support channels instead of running amuck here.

bigc

 

so again we come back to the same questions.

can any moderator answer these questions?

1. where is this list of toolkits that will give a positive?
2. where is this list of toolkits that give a negative?
3. what makes them different?
4. whats to stop those from being "misused by malware" and start being flagged?
5. what does madcodehook do that those dont?

 

give it a rest please..........

 

Two responses by Eset Staff should suffice. They have no intention of changing their detection. That should even be obvious to the OP by now.

 

The Eset staff already said there will no further explanation and also that the detection will not be changed so at this point posting the same list of questions once a day is just spam. Musikit also clearly stated that he have no respect for the other members of this board or the mods/admins by saying that he will register a new account if banned so he/she can continue to spam the forum.

I suggest that no one post a reply and let Musikit run this thread on his own posting the same questions once a day until he realize how pointless that kind of behavior is....or getting banned which is more likely to happen before he run out of steam.

 

so again we come back to the same questions.

can any moderator answer these questions?

1. where is this list of toolkits that will give a positive?
2. where is this list of toolkits that give a negative?
3. what makes them different?
4. whats to stop those from being "misused by malware" and start being flagged?
5. what does madcodehook do that those dont?

 

Agreed. Dont feed the troll.

 

this bug is closing in on its second month since reported and no moderator has answered the questions below. does eset even care about bug fixes or detecting viruses?

 

Hi musikit,

It seems a dire situation.

Hopefully this post by Marcos may be of assistance to you: --> here
And similarly this post by anton may also be helpful: --> here

Cheers