the 89 line executable that demos a NOD32 bug

Discussion in 'ESET NOD32 Antivirus' started by musikit, Oct 22, 2008.

Thread Status:
Not open for further replies.
  1. doktornotor

    doktornotor Registered Member

    Joined:
    Jul 19, 2008
    Posts:
    2,047
    Indeed... so, please
     

  2. musikit

    musikit Registered Member

    Joined:
    Oct 8, 2008
    Posts:
    140
    While useful information, it doesn't answer the 5 questions.

    So again we come back to the same questions.

    Can any moderator answer these questions?

    1. Where is this list of toolkits that will give a positive?
    2. Where is this list of toolkits that give a negative?
    3. What makes them different?
    4. What's to stop those from being "misused by malware" and starting to be flagged?
    5. What does madcodehook do that those don't?
     
  3. musikit

    musikit Registered Member

    Joined:
    Oct 8, 2008
    Posts:
    140
    Is it that no moderator can answer these questions?

    1. Where is this list of toolkits that will give a positive?
    1a. Since you're blocking madcodehook, it is obvious that NOD32 has a list of toolkits that will give a positive. Where are these listed?
    2. Where is this list of toolkits that give a negative?
    3. What makes them different?
    4. What's to stop those from being "misused by malware" and starting to be flagged?
    5. What does madcodehook do that those don't?
     
  4. musikit

    musikit Registered Member

    Joined:
    Oct 8, 2008
    Posts:
    140
    Is ESET even interested in helping software developers in these situations?

     
  5. musikit

    musikit Registered Member

    Joined:
    Oct 8, 2008
    Posts:
    140
    At least for another day, they are not interested in helping software developers move past bugs in the ESET NOD32 system.

     
  6. musikit

    musikit Registered Member

    Joined:
    Oct 8, 2008
    Posts:
    140
    Bumping because of no response.
     
  7. saffron

    saffron Registered Member

    Joined:
    Nov 4, 2007
    Posts:
    82
    I wish someone would bump you and your stupid thread right out of the forum!
     
  8. musikit

    musikit Registered Member

    Joined:
    Oct 8, 2008
    Posts:
    140
    That still doesn't answer the questions.

    Is it that no moderator can answer these questions?

    1. Where is this list of toolkits that will give a positive?
    1a. Since you're blocking madcodehook, it is obvious that NOD32 has a list of toolkits that will give a positive. Where are these listed?
    2. Where is this list of toolkits that give a negative?
    3. What makes them different?
    4. What's to stop those from being "misused by malware" and starting to be flagged?
    5. What does madcodehook do that those don't?
     
  9. anotherjack

    anotherjack Registered Member

    Joined:
    Jun 13, 2003
    Posts:
    224
    Location:
    Louisiana
    I'm no moderator, but here's my take on it. Answers in order:

    1. Proprietary information to Eset
    1a. See #1
    2. See #1
    3. See #1
    4. Nothing. If it happens, they'll be flagged as well
    5. Probably nothing, but if you own a place of business and members of a local biker gang (madcodehook) usually cause trouble whenever they come in, how many times does it have to happen before they're not allowed back (flagged as possibly malicious)? :doubt:

    Probably a better question for you would be: why don't you find another toolkit?

    My $.02
     
  10. musikit

    musikit Registered Member

    Joined:
    Oct 8, 2008
    Posts:
    140
    Thank you for answering; however, I am looking for a moderator to answer. I do appreciate you answering, though. If this information is proprietary, then how are developers supposed to know to avoid these libraries? Wouldn't you be upset as a developer if you spent 100k on a library that ESET is going to absolutely flag as a virus and they gave you no information at all about it?

    If there is no difference, then why is this one being flagged? Earlier in the thread I gave an example of another toolkit which was "misused by malware", which ESET doesn't flag. Why?

    That's what I'm trying to do. I'm asking ESET which toolkits I can use that they don't have a problem with, so I can use those toolkits instead. Hence my questions.

    So once again...

    Is it that no moderator can answer these questions?

    1. Where is this list of toolkits that will give a positive?
    1a. Since you're blocking madcodehook, it is obvious that NOD32 has a list of toolkits that will give a positive. Where are these listed?
    2. Where is this list of toolkits that give a negative?
    3. What makes them different?
    4. What's to stop those from being "misused by malware" and starting to be flagged?
    5. What does madcodehook do that those don't?
     
  11. anotherjack

    anotherjack Registered Member

    Joined:
    Jun 13, 2003
    Posts:
    224
    Location:
    Louisiana
    OK, a followup question for you. If a moderator said the exact same thing that I just tried to explain, would you finally understand and accept things as they are or keep pasting the same questions over and over again?

    Marcos (moderator) already stated "The solution is not to use Madcodehook."
    Marcos (moderator) already stated "Once again and the last time - Madcodehook is very often misused by malware and thus it's not a false positive. Applications based on it will always be caught by heuristics."

    This thread reminds me of the old joke:
    "Doctor! It hurts when I do this!"
    "Quit doing that."

    You continue to refer to this as "a bug." It's not. It's just how NOD works. It's your responsibility as a programmer to make your code compatible with A/V software, not the other way around (within reason, of course). By "within reason," I don't mean "Hey A/V guys! Make a fundamental change to your software that will impact the overall protection of your user base so that my niche application will work!"

    Here's the solution: Bulk email your clients. Tell them this - "My software is incompatible with NOD32. You, as the consumer, have a choice to make. Switch applications if you want to keep NOD, or switch A/V vendors if you want to keep my app." Easy that way. Choice is up to the consumer. Poll them to see which way they go.
     
  12. musikit

    musikit Registered Member

    Joined:
    Oct 8, 2008
    Posts:
    140
    If a moderator answered the way I did, I would assume that they aren't interested in helping the development community work with their software, and I would have to accept that any library I want to use would have to be tested with NOD32 first. However, I would still continue to ask why they favor one library over another (when both do the same thing). To me that is just unfair.

    It is! I'm sorry you don't see it that way. They are flagging apps with false positives based on what libs they use, not what the application does. If 99% of all speeders drove Fords, does that mean that everyone driving a Ford is speeding? That isn't right. Why is it that there are thousands of keylogger viruses out there that use DInput and GetAsyncKeyState, and yet DInput and GetAsyncKeyState aren't flagged as viruses? It should be what your application is doing, not what it calls. So yes, that is a bug!

    How am I supposed to do that without a list of libraries to avoid that will absolutely generate a positive? Would you really want to spend 5000 hrs of development time using and learning a library just to find out that NOD32 flags it as a virus? They obviously have a list. I'm just asking where it is so I can avoid those libraries.

    Here I'm trying to change my software so I don't have to do this, by using libs that ESET isn't going to flag. Yet I just can't get a list so I can change my software.
     
  13. GAN

    GAN Registered Member

    Joined:
    Mar 3, 2007
    Posts:
    355
    @anotherjack
    A lot of people already tried to talk some sense into musikit and the mods already gave him the final answer. As you can see, musikit is the only one that does not understand the answers and just keeps on asking the same questions and annoying everyone.
    The best thing is to add musikit to your ignore list, like I assume most others have done already, and let him run his own pointless thread. In most forums he would have been banned already for this kind of behavior.
     
  14. edwin3333

    edwin3333 Registered Member

    Joined:
    Aug 29, 2007
    Posts:
    244
    As a developer who has run into similar issues with other products:

    Your customers have turned on Heuristics in NOD32. Heuristics often detects things which are not "viruses" but virus-like. Your situation. For me, CA eTrust detected 100% of my Turbo PASCAL (DOS version) programs as viruses, for the exact same reason your toolkit is being detected. I switched to a different PASCAL, recompiled, and moved on. Currently our Delphi, Java, and VB libraries do not get tagged as a possible virus.

    For your customers, explain to them that the problem is Heuristics in NOD32. On your behalf and theirs, you can contact ESET. Alternatively, explain to them how to disable Heuristics in realtime.

    [Attached screenshot: eset22.png]

    As a developer and as the NOD32 admin and a 675 user license holder, I want this toolkit blocked by heuristics. KeyFinder.exe, LC5, Process.exe are all detected and are tools I use. NOD32 realtime doesn't block these the way I have it set up, but my weekly scans of all PCs do have the scan setting in place to detect but not clean these. I want to know if anyone other than me has a copy of these programs.

    That gives you options I've not seen mentioned in this huge thread. I do want these things blocked. In fact, I'd like to see more of this. Antivirus 2009 aka XP antivirus is an example. I've found regular expressions I've been able to drop into Squid to block new sites as they pop up. I subscribe to a list which updates constantly with these new URIs and blocks them (URL Filter). But my road users don't have those benefits. So far I've had to deal with a dozen infections with road users and zero on the LAN. That's from a base of 60 road users and 575 LAN users. I'd love ESET to implement some sort of malware blocking on the HTTP side which updates with known bad sites or regular expressions. Examples being /i av200?.exe Antivirus200?.exe AV200?Install.exe A?installer_........\.exe

    Point is I'd rather have a few false positives to save off one infection.
     
  15. musikit

    musikit Registered Member

    Joined:
    Oct 8, 2008
    Posts:
    140
    GAN,

    This doesn't help. What is needed is a moderator to answer these questions.

    Is it that no moderator can answer these questions?

    1. Where is this list of toolkits that will give a positive?
    1a. Since you're blocking madcodehook, it is obvious that NOD32 has a list of toolkits that will give a positive. Where are these listed?
    2. Where is this list of toolkits that give a negative?
    3. What makes them different?
    4. What's to stop those from being "misused by malware" and starting to be flagged?
    5. What does madcodehook do that those don't?
     
  16. doktornotor

    doktornotor Registered Member

    Joined:
    Jul 19, 2008
    Posts:
    2,047
    What is really needed is that you learn to read and, mainly, understand the written words.

    And until this happens...

    Everyone, please do not feed the trolls!
     
  17. musikit

    musikit Registered Member

    Joined:
    Oct 8, 2008
    Posts:
    140
  18. musikit

    musikit Registered Member

    Joined:
    Oct 8, 2008
    Posts:
    140
    Yet another day that ESET refuses to help developers.
     
  19. musikit

    musikit Registered Member

    Joined:
    Oct 8, 2008
    Posts:
    140
    Bump...

    Is it that no moderator can answer these questions?

    1. Where is this list of toolkits that will give a positive?
    1a. Since you're blocking madcodehook, it is obvious that NOD32 has a list of toolkits that will give a positive. Where are these listed?
    2. Where is this list of toolkits that give a negative?
    3. What makes them different?
    4. What's to stop those from being "misused by malware" and starting to be flagged?
    5. What does madcodehook do that those don't?
     
  20. Pseudo

    Pseudo Registered Member

    Joined:
    May 4, 2008
    Posts:
    193
    Edwin: (No need for me to quote your large post ;))
    madCodeHook isn't detected by heuristics - it is detected by means of a signature. Yes, developers can just make their own hooks or move on to another library. I myself see little reason in detecting this specific library; but after all, it's Eset's choice.

    Also...
    Will Eset still detect madCodeHook even after such a decision by Mathias?
     
  21. musikit

    musikit Registered Member

    Joined:
    Oct 8, 2008
    Posts:
    140
    Pseudo,

    THANK YOU!

    It's good to see some responsible people out there that understand what the issue is!

    But please, to all moderators:

    Is it that no moderator can answer these questions?

    1. Where is this list of toolkits that will give a positive?
    1a. Since you're blocking madcodehook, it is obvious that NOD32 has a list of toolkits that will give a positive. Where are these listed?
    2. Where is this list of toolkits that give a negative?
    3. What makes them different?
    4. What's to stop those from being "misused by malware" and starting to be flagged?
    5. What does madcodehook do that those don't?
     
  22. musikit

    musikit Registered Member

    Joined:
    Oct 8, 2008
    Posts:
    140
    Another day... no answer.
     
  23. ASpace

    ASpace Guest


    Another day - the same troll.
     
  24. musikit

    musikit Registered Member

    Joined:
    Oct 8, 2008
    Posts:
    140
    hitechboy, you aren't helping the situation.

    Is it that no moderator can answer these questions?

    1. Where is this list of toolkits that will give a positive?
    1a. Since you're blocking madcodehook, it is obvious that NOD32 has a list of toolkits that will give a positive. Where are these listed?
    2. Where is this list of toolkits that give a negative?
    3. What makes them different?
    4. What's to stop those from being "misused by malware" and starting to be flagged?
    5. What does madcodehook do that those don't?
     
  25. musikit

    musikit Registered Member

    Joined:
    Oct 8, 2008
    Posts:
    140
    Bumping thread because of no response.
     