Strange NOD32 alert

Just wanted to chime in here and say, we have 60+ machines in our offices, all running 4.2.35.0, and *none* of them have ever seen this issue.

Soon after this thread started I specifically asked everyone to let me know immediately if they see one of these, and have not had one report - and just sent an email on Monday asking if anyone had seen one, and again, not one person has.

So, while this is obviously a real problem for the people experiencing it, it is not happening to everyone on 4.2.x, which obviously makes it much harder for ESET to find and fix (for those complaining about how long it takes, do you *really* think ESET doesn't want to fix things like this??)...

So, logic dictates that it must be something else that is similar between all of your systems.

I would suggest comparing what *other* software you run in conjunction with ESET, and see if you can find a commonality...

 

115 machines here, from XP to Win7, and none exhibits it either....

 

Hmmm...one other possibility... I just realized that most everyone else I've seen mentioning versions has mentioned 4.2.40+...

We are all still on 4.2.35.0...

Maybe some of you could try downgrading to 4.2.35.0 and see if the problem goes away? It should be much easier for ESET to find/fix it if they could narrow it down to exactly when it was introduced.

 

I should make clear that I have never seen a "ghost flag" since I started with NOD 32 version 2.5 and am now at 4.0.474. I was telling my wife that we weren't going to install version 4.2.64.12 --- Aryeh Goretsky, in another thread, has pointed out to me that the full file number is on the download page; I'm feeling very stupid about not having seen that because it is in plain sight just left of the download click-spot --- and she asked me to describe what a ghost flag was, and I realized that I needed to look back at the earlier messages in this thread and find out! All I could tell her was that it was a problem with unknown implications.

Thanks for the news that there is a "basically confirmed rumor that a new build is imminent."

I was surprised to read your statement that "4.0.474 . . . lacks the Real-time file system protection module." In my NOD32 4.0.474 Advanced Settings entry I do have "Real time file system protection" with a "Documents" subcategory. Maybe the explanation is that I don't have a "Real-time file system protection module"? If so, I'll have to find out what that module does, since I will upgrade at some point to a 4.2 build that does have a "Real-time file system protection module" and I hope doesn't have ghost flags.

Roger Folsom

 

Please excuse my ignorance, but what do you mean by "the 4.2.x branch"? Do you mean that you think the problem arose with the very first 4.2 release (whose .x number I don't know)?

The accuracy of my guess about your meaning does seem to be contradicted by tanstaafl's no ghost flags experience with version 4.2.35.0 (post #77), and maybe contradicted also by jimwillsher's experience (post seventy-eight) depending on whether he is running something earlier than 4.2.40.

Roger Folsom

 

jim does not say what version they are running. also the cause has not been established yet

it for sure did not happen prior to the 4.2.x branch.

could not trace a time line or version history of NOD releases to compare to the dates when the first reports popped up in the forum

 

All ours are 4.2.64.12, except for one on 4.2.58 and our servers with are on 3.0.695. Almost all are 32-bit but we do have half a dozen 64-bit. All are EAVBE, pushed out by ERAS/ERAC.

Apologies, I should have put that in my post.



Jim

 

Same here - all 32bit...

Oh, and Roger - apparently this is *not* a problem in that NOD32's ability to protect is *not* impaired, it is a *visual artifact* only, meaning, it is not considered a 'critical' bug, only a cosmetic one - albeit an admittedly irritating one for those experiencing it.

 

Thanks for clarifying that. It inspired me to re-read the entire thread (albeit hurriedly), and Gaslad's initial post did contain an image of a "ghost flag" so now I have a much clearer understanding of what everyone is talking about.

Nevertheless, some other posts, by siljaline and others, contained "ghost flags" that looked --- at least to me --- different from Gaslad's. Admittedly, appearance to some extent is determined by the operating system (and maybe the computer's graphics card?).

But unless the ghost flag always is identical on any given computer and operating system, a user may dismiss a valid warning as being "just another ghost flag" and not take needed action --- as someone earlier in this thread pointed out.

As a temporary fix, it might be useful as a temporary workaround if someone experienced with ghost flags provided a checklist of what to do when a warning pops up, to determine whether it is a ghost flag that can be ignored or a genuine threat warning.

On the other hand, that suggestion may be worthless or pointless; I don't know enough to know.

Roger Folsom

 

Jim: In an earlier post (# seventy-eight), you mentioned that you had 115 machines. That, together with your mention here of "EAVBE, pushed out by ERAS/ERAC," makes me wonder whether your 4.2.64.12 machines have avoided displaying ghost flags --- while many others have had ghost flags on 4.2.x computers with x>39 --- because you installed them remotely from a central location, and/or your installing servers were using 3.0.695 rather than 4.x.

Just a wild-card guess.

Roger Folsom

P.S. If anyone reading this knows how I can disable smilies so that I wouldn't have to spell-out seventy-eight followed by a paren, please let me know.

 

Not all were installed via ERAC/ERAS. Most are, but whenever I get a new PC to roll out I tend to install the usual stuff - Acrobat, Winzip, ESET - from a USB stick. I then import the ESET config and send the PC to wherever it's going. So from then on the PCs get managed by ERAC/ERAS, but some will have had ESET installed via push and some via USB stick.

Also, that 115 is split across five different managing servers, some of whch have no AV installed at all (just ERAC/ERAS).




Jim

 

Thanks! Roger Folsom

 

Jim Willsher

Well, at least your post #88 doesn't completely demolish my guess about how you have avoided ghost flags --- I think!

Thanks for the reply. Here's hoping that someone at Eset can put together the clues that will eliminate ghost flags.

Roger Folsom

 

You're missing the point...

If the user sees one of these 'ghost flags', then checks the status of NOD32 and everything is ok - ie, make sure it is actually on the current version of the signatures, etc, that it is updating properly without error, etc - then that confirms the ghost flag was a ghost flag.

No one said to *ignore* them - and I'm certainly not saying they shouldn't be fixed - I'm merely pointing out that they are harmless, which means they are probably a lower priority than maybe they should be considering the level of user concern (regardless of whether or not the level of concern is warranted)...

 

tanstaafl: Before I get to your latest post (#91), I have a question. Gaslad's initial post's ghost flag image says "ESET NOD32 Antivirus requires your attention. For more information, click on this notification."

In the few other posts (if any) that contain a not-obscured ghost flag image, have you happened to notice whether the ghost flag uses exactly the same wording as in Gaslad's initial post?

If not, then I will go back and re-read the thread and try to find any evidence as to whether ghost flags always use exactly the same wording. Here's hoping they do, and that ESET's genuine flags use at least slightly different wording.

(I'm handicapped here, because from ESET NOD32 Av 2.5 to 4.0.474.0, I've never received a flag similar to Gaslad's ghost flag, although I have received substantially larger announcements of malware when downloading email, and entirely different-looking demand-scan reports of malware.)

Unfortunately, this is not the first time in my life that I've missed the point....

Understood. And probably most of the contributors to this thread know how to follow your recommendations. But some of the less technically knowledgeable (e.g. me), especially if they weren't aware of this thread's existence, wouldn't know how to do what you recommend.

For example, a year or more ago I happened to discover by accident that the current signature version list is at http://www.eset.eu/support/update-xy1. But note the eu, which I assume stands for Europe. There may be a link to that site somewhere on ESET's regional or national sites, e.g. for the U.S., but I'd hate to look for it while worried about the warning I had recently received.

And I have no idea how to determine whether updates have been installed properly, other than open the ESET window's Update field and see what it says. Did you have something more in mind?

And your "etc." recommendations could use more specificity! <grin>

Such mysteries are why my message #85 suggests "a checklist of what to do when a warning pops up, to determine whether it is a ghost flag that can be ignored or a genuine threat warning." Of course, that should be ESET's job, not yours.

I still find this thread's message #72, especially after "Not to mention....," to be persuasive:

And in the meantime, I hope someone from ESET is reading this and provides a checklist and distributes it, perhaps as a Sticky.

Understood. And thanks for your response.

Roger Folsom

 

just noticed that if invoking first - right click on NOD icon in the task bar notification area - click on log files (which then open the log files) - closing the log files window and later left double clicking the NOD symbol in the task bar notification area does not produce the ghost flag - on my W7 64bit system. seem that once the gui opened that way the ghost flags are not showing

 

It's called using your eyeballs and your head...

Check the date of the last update (make sure it is today/very recent)
Check the Logs - see if they shed any light
etc... (sorry, couldn't resist)

Anyway, like I said, I'm not saying it shouldn't be fixed, but it obviously isn't happening to everyone... and I still haven't seen any of the guys complaining about this doing serious comparisons of the *other* programs they are running. It wouldn't surprise me if it was a minor compatability issue with another product - like maybe a firewall...

 

The developers already have that on the to-do list and we'll be looking into it as soon as time allows.

 

Yet another Ghost Flag non user induced

 

I wonder if this issue could be fixed by doing a full uninstall of the product followed by a registry clean up (recommend powertools -its regcleaner & software uninst. features) and a reboot, then reinstalling Nod32. Just a shot in the dark, who knows.

 

Thanks for the recomendation and suggestion, although the manual uninstaller does remove the Registry enties as well, based on the uninstall logs I have seen.

 

No problem.
Still, you could try it as a second opinion. You have nothing to lose, it wouldn't be the first time that I see this app doing magic things.

 

I have tried all uninstall methods including manual one with eset uninstaller through safe mode. It still shows the same ghost flag. Moreover, this happens on cleanly installed PCs too.

 

Nobody from ESET confirmed that this is a visual bug only. So one doesn't really know if it is so.