a squared detects NOD32 setup exe

Discussion in 'NOD32 version 2 Forum' started by Ocky, Sep 29, 2007.

Thread Status:
Not open for further replies.
  1. Ocky

    Ocky Registered Member

    Joined:
    May 6, 2006
    Posts:
    2,677
    Location:
    George, S.Africa
    Another false positive from a2. Scan detects this:-
    ndntenst.exe/advheur.nup detected: Heuristic.ArchiveBomb.

    Thought I'd mention it in case someone gets the wrong impression. :p

    (Not yet posted in a2 forum - am not a member).
     
  2. Kosak

    Kosak Registered Member

    Joined:
    Jul 25, 2007
    Posts:
    711
    Location:
    Slovakia
    Hi,

    Write to tech support of a-squared, please. :thumb:
     
  3. ctrlaltdelete

    ctrlaltdelete Registered Member

    Joined:
    Oct 16, 2005
    Posts:
    318
    Location:
    NL
    I did contact a-squared support a month ago about the detection of some *.nup files in several NOD32 setups.

    Answer:

    "Heuristic.ArchiveBomb means that is probably a file with an unpacking ratio
    1:10000. You can add this file to the whitelist in the scanner module to skip
    the detection."


    Maybe someone from Eset knows the unpacking ratio of the files....?
     
  4. Kosak

    Kosak Registered Member

    Joined:
    Jul 25, 2007
    Posts:
    711
    Location:
    Slovakia
    Are you using two AV products with switched on realtime protection?
     
  5. GES/POR

    GES/POR Registered Member

    Joined:
    Nov 26, 2006
    Posts:
    1,490
    Location:
    Armacham
    I've seen tons of those kinds of detections, which are all bull, and of course they won't fix 'em, or else what's the point of using a2 in a layered setup if it doesn't supposedly benefit.
     
  6. Ocky

    Ocky Registered Member

    Joined:
    May 6, 2006
    Posts:
    2,677
    Location:
    George, S.Africa
    Have received the following reply from Emsisoft regarding detection
    of the NOD32 installer when scanning with a2 (viz. Heuristic.ArchiveBomb):

    A bit complicated.
     
  7. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,374
    It seems that our attorney will need to hunt them a bit if they insist on that approach and refuse to fix it ;)
     
  8. GES/POR

    GES/POR Registered Member

    Joined:
    Nov 26, 2006
    Posts:
    1,490
    Location:
    Armacham
    For a change: Go go Marcos. :thumb:
     
  9. deckie49

    deckie49 Registered Member

    Joined:
    May 25, 2004
    Posts:
    33
    The good folks at a2 have known about this for some time. If you left-click and add to whitelist, you will get the following:

    Name: Heuristic.ArchiveBomb

    Description:
    Archive Bombs are not really Malware, but can crash Malware scanners.
    The idea behind it is simple: A Malware writer creates an archive file such as zip that is very small, but contains very large files. If a file is filled with the same characters, a 1 GB file can be compressed down to a few bytes. A Malware scan engine that supports scanning of archive files would try to unpack the content to the hard disk to scan, but fill up the disk with unpacked data until the system crashes.
    Other archive bombs are manipulated archive files that let the scanner unpack and scan in an endless loop.
    The a-squared scan engine detects such archive bombs with a heuristic scan module. In some rare cases, regular archives are flagged as archive bombs if the content looks very similar to archive bombs.



    Interestingly enough, this is right below a nice advertisement to purchase the anti-malware program.
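
Added example, not part of the thread and not a-squared's code: a sketch of the unpacking-ratio heuristic described in posts 3 and 9, showing how a scanner can stream an archive member under a byte budget and why a harmless but highly compressible file trips a 1:10000 rule. The function names, the 64 MiB budget and the in-memory sample archive are assumptions constructed for illustration.

```python
import io
import zipfile

RATIO_LIMIT = 10_000              # the 1:10000 figure quoted in the thread
BYTE_BUDGET = 64 * 1024 * 1024    # assumed cap on unpacked bytes per member
CHUNK = 64 * 1024


def inspect_member(zf, info, ratio_limit=RATIO_LIMIT, budget=BYTE_BUDGET):
    """Stream one member; return (verdict, bytes_unpacked, ratio)."""
    packed = max(info.compress_size, 1)
    unpacked = 0
    with zf.open(info) as stream:
        # Count real output instead of trusting the declared file_size,
        # and stop as soon as a limit is crossed so nothing fills the disk.
        while chunk := stream.read(CHUNK):
            unpacked += len(chunk)
            if unpacked > budget:
                return "over-budget", unpacked, unpacked / packed
            if unpacked / packed > ratio_limit:
                return "ratio-exceeded", unpacked, unpacked / packed
    return "ok", unpacked, unpacked / packed


def scan_archive(fileobj):
    """Return {member name: (verdict, bytes_unpacked, ratio)}."""
    with zipfile.ZipFile(fileobj) as zf:
        return {i.filename: inspect_member(zf, i) for i in zf.infolist()}


def build_sample():
    """Constructed sample: two harmless members in an in-memory ZIP."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("readme.txt", "ordinary text\n" * 200,
                    compress_type=zipfile.ZIP_DEFLATED)
        # Zero-filled data table: legitimate, but extremely compressible.
        zf.writestr("blank_table.bin", bytes(8 * 1024 * 1024),
                    compress_type=zipfile.ZIP_BZIP2)
    buf.seek(0)
    return buf


if __name__ == "__main__":
    for name, (verdict, size, ratio) in scan_archive(build_sample()).items():
        print(f"{name}: {verdict} after {size} bytes (ratio {ratio:.0f}:1)")
```

The zero-filled member is harmless yet crosses the limit, which is the kind of false positive this thread is about. Because the stream is abandoned once a limit is crossed, a scanner can skip the member safely without having to label the file as malware.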
     
  10. i_kenefick

    i_kenefick Registered Member

    Joined:
    Nov 29, 2005
    Posts:
    135
    Location:
    Cork, Ireland.
    Well, no serious company would allow a heuristic false positive being declared on a competing product not to be fixed. You can be sure that you weren't the only person to submit this file and you can also be sure that this researcher who replied wasn't the only one to receive it. They will fix this alright but how long it takes them depends on how much they value their customers. People generally get pissed off about security software breaking legitimate applications.
     
  11. SamSpade

    SamSpade Registered Member

    Joined:
    Oct 22, 2006
    Posts:
    415
    I ran A2 today and it came back with three false positives, including three different NOD32 files plus a CCleaner file. A2 is wound a bit tight right now, it seems.
     
  12. Denny

    Denny Registered Member

    Joined:
    Mar 16, 2002
    Posts:
    43
    NOD32 found AWPR.exe in the a2archive temp update files today and said it is probably a variant of the Win32/Genetk trojan. Quarantined/Deleted

    I suspect this to be a FP as this is the update archive of a-squared.

    If I was the cynical type, it would have crossed my mind that NOD32 is poking them in the eye.

    D
     
  13. Kosak

    Kosak Registered Member

    Joined:
    Jul 25, 2007
    Posts:
    711
    Location:
    Slovakia
  14. ASpace

    ASpace Guest

  15. Kosak

    Kosak Registered Member

    Joined:
    Jul 25, 2007
    Posts:
    711
    Location:
    Slovakia
    Thanks;)
     
  16. ChicknDip

    ChicknDip Registered Member

    Joined:
    Aug 15, 2007
    Posts:
    59
    Forget about a2, it ain't a malware scanner, it's a FP-generator on the fly.
     