NOD32/TH scan issue

Discussion in 'NOD32 version 2 Forum' started by spy1, Feb 4, 2006.

Thread Status:
Not open for further replies.
  1. oldhead

    oldhead Registered Member

    Joined:
    Feb 6, 2006
    Posts:
    8
    Location:
    Jersey
    I submitted a support ticket and a copy of the .dll to Eset, so hopefully they'll react. I'll post to this thread any reply from NOD.

    Thanks again to all! Jeff
     
    Last edited: Feb 7, 2006
  2. oldhead

    oldhead Registered Member

    Joined:
    Feb 6, 2006
    Posts:
    8
    Location:
    Jersey
    This was Eset's (prompt) response from Mark (who had posted on this thread!).

    I, admittedly, am new to these forums, but as a businessman I've never had a problem explaining myself clearly. As such, I know that I clearly explained that the issue was TrojanHunter and NOD32 together only, not run individually.

    Maybe this is just their way of saying that they don't intend to fix this. Maybe they don't have a copy of TrojanHunter to duplicate the result. I did, however, offer that a *Free Trial copy was available!

    Well, hopefully spy1 will fare better. He more than makes up for my lack of tech expertise. Anyhow, I replied to this e-mail and attached a screenshot for more clarity so...we'll see.
     
  3. Bohemian9999

    Bohemian9999 Registered Member

    Joined:
    Feb 9, 2006
    Posts:
    2
    I'm running both software packages and getting the same NOD32 warning windows you've posted, with a different suspect file listed each time. I've contacted technical support of both companies. Neither has offered a solution, other than to disable NOD32 while T.H. scans. In my situation TrojanHunter 4.2 (current build) also detected a false positive copy of TrojanDownloader.Delf.180 inside a tape backup software package.

    Eset said "It sounds like TH is launching a bunch of executables to perform its scan which may unnecessarily chew up a bunch of resources. . ."

    AMON is detecting some of these temporary files as viral in nature, but unable to quarantine them.

    Magnus offered the best information so far: ". . . here is what most likely is happening: TrojanHunter is scanning a file and finds that it has been compressed with an executable packer. So it unpacks it to the temp folder at which point kicks in to scan the file (because it monitors all new file creations). NOD finds the file to be bad and blocks access to it." He made no mention of MCANSI.DLL and suggested I exclude \Temp, which I'm not going to do for obvious reasons.

    Eset tech support asked me to send them a copy of these temporary files NOD32 isn't able to catch and hold. Both have promised "to look into it." I think they need to talk with each other and come up with a solution. Either T.H. needs a special folder to place its work files, that can be excluded from NOD32 scans, or NOD32 needs to be able to exclude files originating from Trojanhunter.exe (which I have added to NOD's exclude list, without effect).
     
    Last edited: Feb 9, 2006
  4. spy1

    spy1 Registered Member

    Joined:
    Dec 29, 2002
    Posts:
    3,139
    Location:
    Clover, SC
    Bohemian9999 - As I indicated on the first page, both Magnus and Gavin were very helpful in dealing with the problem (which is far more than I can say for Eset's "support") I was having in this thread on their site:
    http://forum.misec.net/board/TrojanHunter;action=display;num=1139075669;start=15#15

    I don't know what to tell you to do about your "false positive copy of TrojanDownloader.Delf.180 inside a tape backup software package." problem, but the alerts both I and oldhead were getting can be eliminated by simply going into the TH main interface, clicking on "Options" and then "Ignore List" and adding the line "C (or whatever your main drive is):\Program Files\Microsoft Office\Office10\MCANSI.DLL" there (it gives you a navigation option to get to the file, also).

    It would seem to me that the same procedure would work with your other problem, too - at least if you've submitted the file and made sure that it was clean before "Ignoring" it. HTH Pete
     
  5. Bohemian9999

    Bohemian9999 Registered Member

    Joined:
    Feb 9, 2006
    Posts:
    2
    Spy1 – Thanks for the reply. Both Magnus and Eset were prompt in replying to my initial inquiry. Magnus then promptly fixed the TrojanDownloader.Delf.180 false positive through a definition update. The tape software file was clean and at 38MB too large to easily email. I added MCANSI.DLL to the ignore list; thanks to your suggestion, the problem is fixed.

    I still think it would be a good idea for TrojanHunter to place all of its work files in a dedicated subdirectory instead of the operating system’s temporary folder; if additional problems arise, that folder could be easily excluded. I believe excluding the OS \Temp folder creates a security risk. If NOD32 was sophisticated enough to exclude all offspring files from an excluded parent file, excluding TrojanHunter.exe would have taken care of the problem. Thanks again.
     
  6. oldhead

    oldhead Registered Member

    Joined:
    Feb 6, 2006
    Posts:
    8
    Location:
    Jersey
    I haven't heard back from Eset since my response to the "not detected by NOD32 nor by any other AV scanner."

    Anyone else hear anything with regard to Eset's fix (or lack thereof!) for the MCANSI.DLL issue?

    Although the exclusion from TH works fine, I hoped Eset could fix this 'heuristically' (if that's a word *lol*).
     
  7. spy1

    spy1 Registered Member

    Joined:
    Dec 29, 2002
    Posts:
    3,139
    Location:
    Clover, SC
    Bohemian9999 - You're quite welcome.

    oldhead - Don't hold your breath. Pete
     