the 89 line executable that demos a NOD32 bug

Discussion in 'ESET NOD32 Antivirus' started by musikit, Oct 22, 2008.

Thread Status:
Not open for further replies.
  1. musikit

    musikit Registered Member

    Joined:
    Oct 8, 2008
    Posts:
    140
    well... although a moderator has not replied yet to this thread, one of them must have talked to eset, because an eset tech support person just contacted me today about this bug in nod32. hopefully this will lead to this bug getting fixed. be sure though that i plan on keeping everyone here informed about this bug.
     
  2. Rmuffler

    Rmuffler Former Eset Moderator

    Joined:
    Jun 26, 2008
    Posts:
    1,000
    Location:
    Bismarck, ND USA
    I have been in contact with you through PM last week and this week. From those PMs, you provided me with your contact info and I told you that our support team would contact you. They called you today, upon my request, and are going to work with the virus labs to take a 3rd look at your software. They will look to see if there is any way in which we can correct your issue without leaving our customers vulnerable to malware. Our concern is that the library you use for your software is also used by malware writers. ESET Security Products don't specifically pick up your software as the threat but instead pick up that library as the threat. We thank you for speaking to a representative over the phone and I'm sure that he has assured you that we will keep in contact.

    Thank you,

    Richard
     
    Last edited: Nov 18, 2008
  3. musikit

    musikit Registered Member

    Joined:
    Oct 8, 2008
    Posts:
    140
    and i very much appreciate you getting them in contact with me. i will be posting information about my communications with them on this forum so other users and developers know what to expect as far as bug fixes from eset.

    while i understand your concern that a library has been used by malware, it still does not fix the bug that the library itself is detected as the malware, not what the software is doing with the library. the nod32 team made a bad assumption on this one. and we all know what happens when you assume. my goal is to get this fixed at large so software that uses this library is not flagged just because they are using the library. instead it should require further analysis of what the software is doing with the library.
     
  4. musikit

    musikit Registered Member

    Joined:
    Oct 8, 2008
    Posts:
    140
    well, after being very much assured yesterday that someone would contact me today, i have yet to hear from anyone from eset via email/phone or voice mail.
     
  5. Rmuffler

    Rmuffler Former Eset Moderator

    Joined:
    Jun 26, 2008
    Posts:
    1,000
    Location:
    Bismarck, ND USA
    Our support staff was in contact with you at the end of the work day yesterday. They are currently working on this today and they will be in contact with you.
     
  6. musikit

    musikit Registered Member

    Joined:
    Oct 8, 2008
    Posts:
    140
    Rmuffler,

    i very much appreciate you getting them in contact with me. they did not leave me a message yesterday so i'm hoping they will be in contact with me soon.
     
  7. musikit

    musikit Registered Member

    Joined:
    Oct 8, 2008
    Posts:
    140
    although i was not able to talk with them directly, an eset engineer did contact me yesterday stating they were still working on this bug.
     
  8. musikit

    musikit Registered Member

    Joined:
    Oct 8, 2008
    Posts:
    140
    yesterday as of 5:30 pm est i did not receive a status update from an eset engineer. i did try to contact with no success at the contact number they gave me.
     
  9. musikit

    musikit Registered Member

    Joined:
    Oct 8, 2008
    Posts:
    140
    well i never received any status update from eset on this even after COB EST. maybe they'll contact us today.... maybe not....
     
  10. musikit

    musikit Registered Member

    Joined:
    Oct 8, 2008
    Posts:
    140
    yet again. no contact from an eset engineer and contacting them at the contact number they gave me did not yield an answer or a callback.

    can anyone explain why?
     
  11. musikit

    musikit Registered Member

    Joined:
    Oct 8, 2008
    Posts:
    140
    yesterday still no contact from an eset engineer about this issue they are "supporting" me on.

    i would really like an ESET/NOD32 representative to answer these questions.

    1. where is this list of toolkits that will give a positive?
    1a. since you're blocking madcodehook it is obvious that nod32 has a list of toolkits that will give a positive. where are these listed?
    2. where is this list of toolkits that give a negative?
    3. what makes them different?
    4. what's to stop those from being "misused by malware" and start being flagged?
    5. what does madcodehook do that those don't?
     
  12. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,456
    If it's a legit application, send it in a password protected archive to samples[at]eset.com with "False positive" in the subject. Always provide as much information about the application and its purpose as possible.
     
  13. musikit

    musikit Registered Member

    Joined:
    Oct 8, 2008
    Posts:
    140
    Marcos,

    can you please read before posting.... i have already sent you the application to the email address you specified as well as posted a link where you can download it.
     
  14. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,456
    I've installed the application you referred to from http://www.getgsc.com. It's not detected whatsoever.
     
  15. musikit

    musikit Registered Member

    Joined:
    Oct 8, 2008
    Posts:
    140
  16. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,456
    This is what I get: The file you requested has not been found or may no longer be available.

    Anyways, don't post links to executables, but PM them instead.
     
  17. musikit

    musikit Registered Member

    Joined:
    Oct 8, 2008
    Posts:
    140
  18. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,456
    Just to add, in one of your previous PMs you wrote:
    .....@gameservers.com

    you can download the software at http://www.getgsc.com/

    If you have created another legit application exploiting Madcodehook, send it to samples[at]eset.com. Please always provide more details about it so that we know what purpose it serves. As I said, the GSC client that you were referring to is not detected whatsoever, and so far we haven't received any other application from you that you distribute and that is still detected.
     
  19. musikit

    musikit Registered Member

    Joined:
    Oct 8, 2008
    Posts:
    140
    marcos,

    your attitude for this is horrible. "If you have created another legit application exploiting Madcodehook" 1. why do you continue to use "exploit" when referring to madcodehook? it is a library for performing function level hooking. 2. why should a program have to prove its innocence? 3. again, for the THIRD time, i did email the example to the email address you gave. i have also posted it to the website above to allow you to download it, so all of nod32 can see this bug in action. 4. you aren't even using the PMs i'm referring to that you haven't answered.

    why is it so hard for you to understand these facts.
     
  20. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,456
    Quite the contrary. We fully understand it, it's not a bug but heuristic detection of a suspicious behavior. It's like with commercial tools for remote administration. These also trigger heuristic detection because of the malware-like behavior. However, if we are reported such an application we remove detection quickly.

    The file you have created was just an application created on purpose to demonstrate detection of an application exploiting Madcodehook. It's not a legal application that you distribute. It's a code that triggers heuristic detection and has no other purpose and it's not and will never be used by other people in the world. If it was an application that you distribute, we'd remove detection immediately. GSC client that utilizes Madcodehook and is available for public is not detected whatsoever.
     
    Last edited: Nov 25, 2008
  21. musikit

    musikit Registered Member

    Joined:
    Oct 8, 2008
    Posts:
    140
    Marcos,

    that's the point. no one can seem to explain what malware-like behavior this demo application is doing. care to explain?
     
  22. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,456
    That's exactly what I said. It's necessary to send us an application you distribute so that it's not detected on clients' computers. Sending just an executable with certain functions that you created on purpose to demonstrate Madcodehook detection is not enough. As soon as you convey to us an application that you're going to distribute, we'll whitelist it and your clients won't have any problems with detection (the case of the GSC client).
     
  23. musikit

    musikit Registered Member

    Joined:
    Oct 8, 2008
    Posts:
    140
    ok. so again i'm at the point where i need to prove my application's innocence....

    while adding apps to a "whitelist" does solve their problem, first they need to be actively testing with nod32 installed. and considering you don't list toolkits you actively flag or combinations of toolkits you actively flag, you're forcing companies to spend thousands of dollars on software that they will have to discard once they test with nod32.

    so what does this demo app do that is malware like?

    however none of this answers any of the questions i asked.

    1. where is this list of toolkits that will give a positive?
    1a. since you're blocking madcodehook it is obvious that nod32 has a list of toolkits that will give a positive. where are these listed?
    2. where is this list of toolkits that give a negative?
    3. what makes them different?
    4. what's to stop those from being "misused by malware" and start being flagged?
    5. what does madcodehook do that those don't?
     
  24. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,456
    What application do you mean? Is there another application than the GSC client that is being distributed and is detected? If so, please send it to samples[at]eset.com with "False positive" in the subject and we'll fix it. Applications created just for the purpose of demonstrating detection of Madcodehook are not subject to whitelisting.
     
  25. musikit

    musikit Registered Member

    Joined:
    Oct 8, 2008
    Posts:
    140
    Marcos,

    for the FOURTH time, i have already emailed the demo referenced in this thread several times to the email address. if you'd like you can download the demo referenced above and see for yourself that it is detected. i'm not sure why you seem to not be able to read this.

    why do you also seem to be unable to read this o_O?

    so what does this demo app do that is malware like?

    however none of this answers any of the questions i asked.

    1. where is this list of toolkits that will give a positive?
    1a. since you're blocking madcodehook it is obvious that nod32 has a list of toolkits that will give a positive. where are these listed?
    2. where is this list of toolkits that give a negative?
    3. what makes them different?
    4. what's to stop those from being "misused by malware" and start being flagged?
    5. what does madcodehook do that those don't?
     