Is vnchooks.dll a FP in def ver 3755?

Is anyone else seeing this false positive?

vnchooks.dll is infected with Win32/WinVNC application

Thanks,
-John

 

Hello jftuga,

To submit a potential false positive file to ESET for analysis, please follow the step-by-step instructions from our Knowledgebase article:

http://www.eset.com/support/kb.php?option=com_kb&Itemid=29&page=articles&articleid=141

Thank you,
Richard

 

My opinion just from the reading the post:
vnchooks.dll is from some VNC server so when it is identified as Win32/WinVNC application it is indentified exactly.
It is detected as "application" - it is a detection not enabled by default, so the file is undetected with default setting.
When someting is detected as application, it doesn't mean it is always a threat.
If you installed the application (the VNC server), disable detection of Potentially unsafe applications (if you enable it) in real-time protection and you can run it safely.

I don't know, probably the file got detected, because it was installed by some backdoor which is silently installing the VNC server on a victim's PC.

 

I submitted it as a FP for my network.

After the update hit, all of my systems and servers started finding it in the same application. Ours is a single-click VNC setup for our software company to do updates to the systems. Been using it for years. It also flagged all the .tmp files associated with it. I have added it to our exclusions list to prevent further detections.

 

We use single-click as well and this is the culprit. How do you add it to the exclusion list? Did you add vnchooks.dll or did you do it another way?

I can update the main package on the server and then push it out to the clients that may or may not be powered on (330 machines). I have to keep track (by hand) which systems have the new package. We use nod 32 v2.70.39. Is there a better way to do this?

Thanks,
-John

 

Go under Amon, click the Exclusions Tab, Add a "File" and choose the vnchooks.dll and the name of the .exe that is being used.

 

I don't think this will work for us as the vnchooks.dll file is installed in a randomly named directory, something like:

c:\Doc & Settings\<user>\Local Settings\Temp\7z.tmp

Within this directory resides the vnchooks.dll.

Any suggestions? Right now I have our kixtart logon script removing these kind of directories.

-John

 

I believe that as long as you have the .exe excluded, you should be fine. The .tmp files are created at random so having them excluded will be rather difficult.

As I said, I submitted the file as FP, so it should be corrected shortly.

 

Is it not fixed yet? FP's are usually fixed within a day when they have the source file. I'd resubmit it.

 

I just sent it in 3 hours ago

 

I don't think it's a F.P. - it's certainly P.U.A. of one sort or another even if that's inconvenient.

Cheers