the 89 line executable that demos a NOD32 bug

Discussion in 'ESET NOD32 Antivirus' started by musikit, Oct 22, 2008.

Thread Status:
Not open for further replies.
  1. musikit

    musikit Registered Member

    Joined:
    Oct 8, 2008
    Posts:
    140
    bumping thread because of no response.
     
  2. musikit

    musikit Registered Member

    Joined:
    Oct 8, 2008
    Posts:
    140
    bumping thread because of no response.
     
  3. musikit

    musikit Registered Member

    Joined:
    Oct 8, 2008
    Posts:
    140
    bumping since the admins still have not replied
     
  4. BlueZannetti

    BlueZannetti Registered Member

    Joined:
    Oct 19, 2003
    Posts:
    6,590
    musikit,

    First, let me briefly note the organizational structure of this site. I am an Admin at this site. I have no connection of any form with Eset, nor do the other Admins, or most moderators for that matter. Further, this is not a dedicated Eset site. Their support forums are hosted here, as are the support forums of a number of other companies representing a diverse array of applications. I'm answering since you've explicitly requested Admin input.

    With respect to your problem, the Eset subforum moderators (i.e. Eset employees) have already responded and have indicated that those answers are final. Once again, those answers are:
    • Madcodehook is very often misused by malware and thus it's not a false positive. Applications based on it will always be caught by heuristics (from here).
    • The solution is not to use Madcodehook. Anything that is in 99% misused by malware will be subject of detection. We insist on detection regardless of the threatening from you. Even Zlob authors were threatening us with taking legal actions in the past and now you can see every AV detecting them. That's my last word on this subject, everything has been said and explained. (from here)
    You clearly don't accept those answers, but those are the ones that have come from the only folks in a position to provide you with a response. There's a saying that goes - "Insanity: doing the same thing over and over again and expecting different results" - which seems to apply to much of this thread.

    My expectation is that this issue involves a number of subtle technical issues based on the comments provided thus far. It should be understood that this problem may not be resolvable to the complete satisfaction of both parties. However, the likelihood of progress occurring would probably increase substantially if a dispassionate technically oriented discussion were pursued and maintained offline.

    My sincere advice is that talking at people should be replaced with attempts to engage and discuss the matter with the people in a position to render assistance. That discussion is best handled among the key technical players only. Perhaps there is room for movement on both sides, perhaps there are some opportunities for an operational solution that neither party has considered as yet. Whether or not that's the case, I have no idea. However, I do know that those possibilities simply will not emerge on the current path being followed.

    Blue
     
  5. musikit

    musikit Registered Member

    Joined:
    Oct 8, 2008
    Posts:
    140
    Blue, why is it that you keep repeating the same thing I already understand when I've asked several follow-up questions with no reply?

    1. Where is this list of toolkits that will give a positive?
    1a. Since you're blocking madcodehook, it is obvious that NOD32 has a list of toolkits that will give a positive. Where are these listed?
    2. Where is this list of toolkits that give a negative?
    3. What makes them different?
    4. What's to stop those from being "misused by malware" and start being flagged?
    5. What does madcodehook do that those don't?

    If you have read the previous posts, I state that I understand that your company is unjustly blocking madcodehook. This is a bug, but I digress. However, my application needs to do function-level hooking, and I do not see anywhere on your site lists of libraries that will generate a positive. How am I supposed to not use libraries that generate a positive if your company refuses to publish them?

    You also stated that you are blocking madcodehook because it has been used in malware. Again, a bug: you should be detecting the malware, not the library. There are also libraries that have been used by malware that you guys don't detect. I'm asking why. What makes madcodehook different than these?

    Again, two months and no reply to these follow-up questions.
     
  6. BlueZannetti

    BlueZannetti Registered Member

    Joined:
    Oct 19, 2003
    Posts:
    6,590
    First of all, I've not "kept repeating" anything to you. This is the first comment that I've made to you on the topic.

    Let me explicitly stop you here to repeat that Eset is not my company. I am not an Eset employee. I have no commercial relationship with Eset. Their support forums are hosted at this site, but this site is not part of Eset either. The only people here that have a relationship with Eset are the Eset subforum moderators. They are Eset employees. The Wilders Security Forums website is a distinct entity.
    The problem you face is not a bug, it is apparently a heuristic based detection.
    You really need to hold this discussion with a lot more attention to detail and precision. I am an Admin here, but this is not "my site". Eset is not "my company". Eset is not the owner of this site. If you want to have a productive discussion with Eset, my suggestion is to reach out offline, pursue the discussion offline, and pursue it with a much higher level of precision.
    Once again, you are convolving me and Eset. We are quite separate. You need to hold this discussion with Eset. Given the path that this thread has followed, it's clear that this direction is not, and will not, work. As I noted above..., "Insanity: doing the same thing over and over again and expecting different results". If you desire a different result, follow a different path.

    Blue
     
  7. musikit

    musikit Registered Member

    Joined:
    Oct 8, 2008
    Posts:
    140
    blue,

    So what you're telling me is that no ESET representative can answer these questions.

    1. Where is this list of toolkits that will give a positive?
    1a. Since you're blocking madcodehook, it is obvious that NOD32 has a list of toolkits that will give a positive. Where are these listed?
    2. Where is this list of toolkits that give a negative?
    3. What makes them different?
    4. What's to stop those from being "misused by malware" and start being flagged?
    5. What does madcodehook do that those don't?
     
  8. BlueZannetti

    BlueZannetti Registered Member

    Joined:
    Oct 19, 2003
    Posts:
    6,590
    musikit,

    If you wish to have a productive exchange with me, I suggest that you not put words in my mouth.

    I was quite clear above. You have an answer you don't want. Replaying the same post over and over again is not suddenly going to change that. I don't know what Eset employees know or don't know. I don't know their internal technical information. I'm not Eset, nor am I their representative, nor are any of the non-Eset moderators or Admins on this site their representative.

    Blue
     
  9. musikit

    musikit Registered Member

    Joined:
    Oct 8, 2008
    Posts:
    140
    BlueZannetti,

    The team you are on are representatives of ESET, as the team you are on are supporting ESET's product. If I was posting in the wrong place originally, i.e. requesting support for a product this website does not support, then the team you work for should have notified me.

    However, I have open support questions to the team you are part of. If no one on the team you are part of is able to answer them, then please post the contact information of a representative who can answer them, or get me in contact with someone who can answer them. Otherwise, as ESET has the team you are working on supporting ESET's product, I would expect to see an answer.

    1. Where is this list of toolkits that will give a positive?
    1a. Since you're blocking madcodehook, it is obvious that NOD32 has a list of toolkits that will give a positive. Where are these listed?
    2. Where is this list of toolkits that give a negative?
    3. What makes them different?
    4. What's to stop those from being "misused by malware" and start being flagged?
    5. What does madcodehook do that those don't?

    See, it is a bug, as I've given the team you are part of many examples of libraries which have been misused by malware which you don't detect. Also, since this library is used in many products that are not malware, the heuristic is wrong. Hence, a bug.
     
  10. Inspector Clouseau

    Inspector Clouseau AV Expert

    Joined:
    Apr 2, 2006
    Posts:
    1,329
    Location:
    Maidenhead, UK
    OK, usually I don't do that, but here is the advice: not everyone who posts here in the forum, no matter if moderator or admin, is directly associated with ESET. And they don't have any influence on ESET as such; they would have to go the same way everyone else would have to go.

    You're complaining that ESET detects your own programs using that library? Ask them if they can whitelist your app if they don't want to remove the lib detection (for a good reason).
     
  11. musikit

    musikit Registered Member

    Joined:
    Oct 8, 2008
    Posts:
    140
    I've stated in the previous posts I've made that I've been trying to do that for over two years and have not received a response from ESET. Now you're telling me to contact them when

    1. they don't answer.
    2. you haven't given me contact information.
     
  12. GAN

    GAN Registered Member

    Joined:
    Mar 3, 2007
    Posts:
    355
    They do answer, but you don't accept the answer. They have clearly told you there will be no further replies, so you got their final answer. Continuing to ask the same list of questions twice a day at this point will not give you any more answers. Everyone else in here seems to understand that.

    It's not the forum members' or the forum admins' job to give you any contact info. It's easy to find if you go to www.eset.com, and I'm sure you can find it since you found this website. As BlueZannetti said, most of the admins or mods in here are not related to Eset in any way.

    I believe you've been given a lot of hints by members and even the admin of this board to stop spamming the board and take this issue up directly with Eset. Maybe it's time to follow the advice, since you know that posting the same questions over and over again will not make Eset give you any further replies.
     
  13. musikit

    musikit Registered Member

    Joined:
    Oct 8, 2008
    Posts:
    140
    I'm sorry, they don't. Because if they did, I would have discussed it with them first and never have found this forum.

    All phone numbers and email addresses found at this website, http://www.eset.com/company/contact.php, have not yielded a response from any ESET representative.

    So until a contact appears which will allow me to speak to an ESET representative, I will continue to use this forum for what it is designed for: to notify you of NOD32 bugs.

    Additionally, why is it that only after two months does this information appear that you guys aren't technical support for ESET/NOD32? It's a little strange. It sounds more like you guys are either trying to push me off to a nonexistent line of communication or you guys are just trying to get rid of me, which isn't the correct way to support the product.
     
  14. GAN

    GAN Registered Member

    Joined:
    Mar 3, 2007
    Posts:
    355
    Like in any other forum, there is a text below the username where it says "Administrator", "Moderator", "Eset Moderator" and so on. Those that say "Eset....something" you can assume are related to Eset, and the rest not. This forum is not for Eset only, so that is why most of the admins and mods in here are not related to Eset at all. You cannot assume that everyone in here works for Eset.

    Your behavior will get you nowhere, but since I'm not a moderator or admin in here, I can only try to talk some sense into you, which seems like an impossible task.
     
  15. anotherjack

    anotherjack Registered Member

    Joined:
    Jun 13, 2003
    Posts:
    224
    Location:
    Louisiana
    Perhaps in your haste to cut and paste the same thing over and over, you may have missed the subtitles under various names. Please refer to page 1 of this thread where you were answered by Marcos (Eset Moderator) and zamendo (Eset Staff). You have received what you asked for - an answer to your question, with the advice that the operation will not change. The fact that you don't agree with this answer is of no consequence. It is what it is.

    Take the hint.
     
  16. musikit

    musikit Registered Member

    Joined:
    Oct 8, 2008
    Posts:
    140
    anotherjack,

    On your advice I did go back and re-read all posts by those two people, and I find nothing except to submit samples to the samples email address.

    No contact information.
    No explanation as to why this bug exists.
    No answer to these questions.

    1. Where is this list of toolkits that will give a positive?
    1a. Since you're blocking madcodehook, it is obvious that NOD32 has a list of toolkits that will give a positive. Where are these listed?
    2. Where is this list of toolkits that give a negative?
    3. What makes them different?
    4. What's to stop those from being "misused by malware" and start being flagged?
    5. What does madcodehook do that those don't?
     
  17. spelunk

    spelunk Registered Member

    Joined:
    May 19, 2008
    Posts:
    15
    Musikit

    Have you ever considered that one reason you do NOT get answers to your questions is that you insist on acting like a ~snipped phrase~.

    You make NO attempt to understand what ESET IS saying,

    You make NO attempt to understand what Wilders forum administrators are saying.

    You make NO attempt to understand the setup of the Wilders forums as a generic home for multiple security related support forums.

    You make NO attempt to understand the difference between Administrators, Moderator, ESET Administrator or any other forum title.

    You persist in the belief that if you yell long enough and loud enough that you will get them to give in to you and give you what you want.

    Remember the issue is as has been stated, Madhook IS used to hook Windows functions. Madhook IS used by virus / trojan creators. ESET has decided (rightly or wrongly it is THEIR decision to make) that Madhook IS treated as an undesirable library.

    ACCEPT IT.

    Asking ESET for alternative means of doing what you claim IS needed opens the back door to allow illegitimate usage of that self same technique by others to circumvent security tools.
     
    Last edited by a moderator: Nov 3, 2008
  18. musikit

    musikit Registered Member

    Joined:
    Oct 8, 2008
    Posts:
    140
    1. They have an internal list of software that they automatically detect as viruses. All I'm asking is where it is published.
    2. In reference to your quote above: so then they aren't really detecting viruses, are they? Because if by using a different toolkit the virus is no longer detected, then they never detected the virus in the first place. That's a bug in NOD32.
     
  19. anotherjack

    anotherjack Registered Member

    Joined:
    Jun 13, 2003
    Posts:
    224
    Location:
    Louisiana
    1 - Ummm, if it's an internal list, then by definition, it's not published. Proprietary information not for public disclosure and that sort of thing. A.K.A. "None of your business, sorry"
    2 - This is called "being proactive."
     
  20. GAN

    GAN Registered Member

    Joined:
    Mar 3, 2007
    Posts:
    355
    Do you actually understand any of the replies in this thread?
    Do you understand that you will get no further reply from eset? If the answer is yes then why keep posting? And don't post that silly list of questions once again as a reply since that doesn't answer the question.
     
  21. anotherjack

    anotherjack Registered Member

    Joined:
    Jun 13, 2003
    Posts:
    224
    Location:
    Louisiana
    WRONG.

    From Marcos - "Once again and the last time - Madcodehook is very often misused by malware and thus it's not a false positive. Applications based on it will always be caught by heuristics. Amen."

    From Marcos - "The solution is not to use Madcodehook. ... That's my last word on this subject, everything has been said and explained."

    I think that's about it. They do it, you don't like it. Oh well.

    "I want to see your proprietary information!" "No."
    "I'll keep bumping until I get an answer!" "Disk space is cheap, and you'll look like a troll."
    "I'll keep posting the same thing over and over!" "Go ahead. See #2"
    "I'll tell my mommy!" "She doesn't care."
    "I'll use a different library so it doesn't trigger NOD!" "There you go. Have a cookie."
    "But then I'll have to do some work!" "Yep."
    "That's not fair!" "Life's not fair. Get over it."
     
  22. Pedro

    Pedro Registered Member

    Joined:
    Nov 2, 2006
    Posts:
    3,502
    This is another reason posting like this doesn't work. No one (or almost) is actually reading what you're asking.
    Your questions seem reasonable, at least the main one - what can you use.

    But spamming doesn't help, it does the opposite.
     
  23. musikit

    musikit Registered Member

    Joined:
    Oct 8, 2008
    Posts:
    140
    anotherjack,

    Where does the response that Marcos posted answer any of the questions I asked?

    Maybe one day, when you get a clue, you'll understand that the security through obscurity that NOD32 is giving you is not security.

    One of these three things is a bug in NOD32, flat plain as day:

    1. NOD32 recognizes all programs using madcodehook as a virus regardless of what they do.
    2. NOD32 does not recognize programs that use other toolkits like madcodehook as viruses.
    3. A virus switching from madcodehook to another library that does what madcodehook does does not get the virus caught.

    In either case, why can't you all accept this is a bug? Even if you say that madcodehook is a virus (which it isn't), why would a virus switching from toolkit A to toolkit B not get it detected? That's a bug.
     
  24. GAN

    GAN Registered Member

    Joined:
    Mar 3, 2007
    Posts:
    355
    The answer is that those questions or any other questions from you regarding this issue will NOT be answered.....THAT's the answer....get it? How hard could it be to understand what everyone else seems to understand.

    I'm not sure if you are the one to tell people what they do not understand, but if you feel that way then move on to another antivirus. You spamming this forum won't make Eset change NOD32 to make you happy. Seems like other NOD32 customers are happy the way it is, and I'm sure Eset survives without you as a customer.

    That's the way it works....something is detected and something is not detected. Some tools might give a false positive and some not. No antivirus is perfect. It's not like the antivirus checks the name of the application and the signatures are a list of application names. It's a bit more complicated than that, but you just refuse to understand any of this. If you had any idea how "Advanced Heuristics" works you would not ask this question.

    At this point you should realize that no one feels like helping because of your behavior. Even if I had the answers I would choose to not answer because of your behavior.
     
    Last edited: Nov 3, 2008
  25. anotherjack

    anotherjack Registered Member

    Joined:
    Jun 13, 2003
    Posts:
    224
    Location:
    Louisiana
    Dingdingding! Wrong again.

    First, it's not "security by obscurity." Here's the phrase I used - "proprietary information." Also covered by "trade secret." Same as (assuming some familiarity with U.S. snack foods) Hostess telling Sara Lee that it wants the recipe for their snack cakes because they want to make theirs taste like them. It won't happen. You're asking for NOD's "recipe" for avoiding detection, even though you've already been told "It's not the recipe, it's the INGREDIENT." If you keep putting poo in your batter, NOD's never going to eat it. Remove the poo.

    As to your points:
    1 - No, that's incorrect. It doesn't necessarily say "It's a virus," it says "It's using MadCodeHook, and I've been told to flag ALL MadCodeHook as malicious." That's it. Period. Full stop, end of story. Nothing more.
    2 - It hasn't been told to. It HAS been told to flag ALL MadCodeHook as malicious. It's already been said that it will ALWAYS be flagged. Plain and simple, NOD WILL FLAG MADCODEHOOK AS MALICIOUS - BY DESIGN.
    3 - Hey! Why don't YOU use that "other library that does what MadCodeHook does?" THAT would solve ALL of this.
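
    Editor's added example (not part of the thread, not ESET's or madCodeHook's code, and not a description of how NOD32 actually works): the disagreement above comes down to two different kinds of heuristic. One keys on a fingerprint the library leaves in every binary that links it; the other keys on what the binary can do, here the Win32 import set needed to write code into another process and run it. The marker string, the import-set rule and the five sample binaries are all constructed for this illustration. Running it shows the trade-off both sides are arguing about: the fingerprint rule flags a clean product that merely links the library and misses the same malware rebuilt on another library, while the behaviour rule catches the rebuilt malware but still flags a legitimate product that performs the same cross-process hooking.

```python
from dataclasses import dataclass

# Hypothetical string that a hooking library leaves in every binary that links it.
# This is an assumption for the example, not a real madCodeHook artefact.
LIBRARY_MARKER = "HookLibV1"

# Real Win32 import names that, together, let one process write code into
# another and execute it. Treating this exact set as a behaviour rule is an
# assumption of this example, not any vendor's heuristic.
INJECTION_IMPORTS = frozenset(
    {"OpenProcess", "VirtualAllocEx", "WriteProcessMemory", "CreateRemoteThread"}
)


@dataclass(frozen=True)
class Sample:
    """Stand-in for a scanned binary: its printable strings and its import table."""
    name: str
    strings: frozenset
    imports: frozenset
    is_malware: bool  # constructed ground truth used only to score the rules


def fingerprint_rule(sample: Sample) -> bool:
    """Flag any binary carrying the library's fingerprint, whatever it does."""
    return LIBRARY_MARKER in sample.strings


def behaviour_rule(sample: Sample) -> bool:
    """Flag any binary that imports the full cross-process code-injection set."""
    return INJECTION_IMPORTS <= sample.imports


def evaluate(rule, samples):
    """Score a rule against labelled samples.

    Returns a dict of sorted sample names: 'tp' (malware flagged),
    'fp' (clean software flagged), 'fn' (malware missed).
    """
    result = {"tp": [], "fp": [], "fn": []}
    for s in samples:
        hit = rule(s)
        if hit and s.is_malware:
            result["tp"].append(s.name)
        elif hit:
            result["fp"].append(s.name)
        elif s.is_malware:
            result["fn"].append(s.name)
    return {k: sorted(v) for k, v in result.items()}


# Constructed corpus (not real binaries). Names describe the role each plays.
SAMPLES = [
    # A legitimate product that hooks functions in other processes via the library.
    Sample("legit_hooker", frozenset({LIBRARY_MARKER, "Settings.ini"}),
           INJECTION_IMPORTS | {"CreateFileW"}, is_malware=False),
    # Links the library but only ever touches its own process: no injection imports.
    Sample("legit_linked_idle", frozenset({LIBRARY_MARKER, "About"}),
           frozenset({"CreateFileW", "ReadFile"}), is_malware=False),
    # Malware built on the same library.
    Sample("malware_with_lib", frozenset({LIBRARY_MARKER, "cmd.exe"}),
           INJECTION_IMPORTS | {"URLDownloadToFileA"}, is_malware=True),
    # The same malware rebuilt on a different hooking library: marker gone, behaviour kept.
    Sample("malware_other_lib", frozenset({"cmd.exe"}),
           INJECTION_IMPORTS | {"URLDownloadToFileA"}, is_malware=True),
    # Ordinary software with neither the marker nor the injection imports.
    Sample("plain_editor", frozenset({"Untitled"}),
           frozenset({"CreateFileW", "WriteFile"}), is_malware=False),
]


def compare_rules(samples=SAMPLES):
    """Run both rules over the corpus and return their scores side by side."""
    return {
        "fingerprint": evaluate(fingerprint_rule, samples),
        "behaviour": evaluate(behaviour_rule, samples),
    }


if __name__ == "__main__":
    for rule_name, score in compare_rules().items():
        print(f"{rule_name:12s} tp={score['tp']} fp={score['fp']} fn={score['fn']}")
```

    Neither toy rule is what a shipping scanner does; the point of the comparison is that a fingerprint rule and a behaviour rule fail in different places, and that a legitimate program which hooks other processes looks the same as malware to either of them until something beyond the binary itself (a whitelist, a vendor signature, reputation) is consulted.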
     