a squared detects NOD32 setup exe

Another false positive from a2. Scan detects this:-
ndntenst.exe/advheur.nup detected: Heuristic.ArchiveBomb.

Thought I'd mention it in case someone gets the wrong impression.

(Not yet posted in a2 forum - am not a member).

 

Hi,

write to tech support of a-squared, please.

 

I did contact a-squared support a month ago about the detection of some *.nup files in several NOD32 setups.

Answer;

"Heuristic.ArchiveBomb means that is probably a file with a unpacking ratio
1:10000. You can add this file to the whitelist in the scannermodul to skip
the detection."


Maybe someone from Eset knows the unpacking ratio of the files....?

 

Are you using two AV products with switched on realtime protection?

 

ive seen tons of those kind of detection wich are all bull and offcourse they wont fix m or else whats the point is usin a2 in a layered setup if it doesnt supposedly benefit.

 

Have received the following reply from emsisoft regarding detection
of the NOD32 installer when scanning with a2. (viz: Heuristic.ArchiveBomb):-

A bit complicated.

 

It seems that our attorney will need to hunt them a bit if they insist on that approach and refuse to fix it

 

For a change: Go go Marcos.

 

the good folks at a2 have known about this for some time. if you left click and add to whitelist, you will get the following:
Name: Heuristic.ArchiveBomb

Description:
Archive Bombs are not really Malware, but can crash Malware scanners.
The idea behind is simple: A Malware writer creates an archive file such as zip that is very small, but contains very large files. If a file is filled with the same characters, a 1 GB file can be compressed down to a few bytes. A Malware scan engine that supports scanning of archive files would try to unpack the content to the harddisk to scan, but fill up the disk with unpacked data until the system crashes.
Other archive bombs are manipulated archive files, that let the scanner unpack and scan in an endless loop.
The a-squared scan engine detects such archive bombs with a heuristic scan module. In some rare cases, regular archives are flagges as archive bombs if the content looks very similar to archive bombs.



interestingly enough, this is right below a nice advertisement to purchase the anti-malware program.

 

Well, no serious company would allow a heuristic false positive being declared on a competing product not to be fixed. You can be sure that you weren't the only person to submit this file and you can also be sure that this researcher who replied wasn't the only one to receive it. They will fix this alright but how long it takes them depends on how much they value their customers. People generally get pissed off about security software breaking legitimate applications.

 

I ran A2 today and it came back w three false positives, including three different nod32 files plus a ccleaner file. A2 is wound a bit tight right now, it seems.

 

NOD32 found AWPR.exe in the a2archive temp update files today and said it is probably a variant of the Win32/Genetk trojan. Quarantined/Deleted

I suspect this to be a FP as this is the update archive of a-squared.

If I was the cynical type, it would have crossed my mind that NOD32 is poking them in the eye.

D

 

Hi,

send this file to ESET tech support, please => http://www.eset.com/support/contact.php

 

You mean this one:
http://www.eset.com/threat-center/up/submit.htm

because with the above there is no way to send attachment

 

Thanks

 

Forget about a2, it ain't a malware scanner, it's a FP-generator on the fly.