Advanced Heuristics ignores Exclusion List?

Discussion in 'NOD32 version 2 Forum' started by enduser999, May 24, 2006.

Thread Status:
Not open for further replies.
  1. enduser999

    enduser999 Registered Member

    Joined:
    Apr 17, 2005
    Posts:
    418
    Location:
    The Peg
    Back in 2003 people in this thread:

    https://www.wilderssecurity.com/showthread.php?t=10222&highlight=exclusion heuristic

    indicated that they were having problems with excluding files from AMON even when using the NOD32 Exclusion list. Yesterday at a client's this problem occurred, and no matter whether I entered the filename or the full path to the filename, AMON's Advanced Heuristics still silently quarantined the file. Since the file is a major application that they use, I had to disable Advanced Heuristics on all workstations and their Win2k3 server. I have submitted the file to ESET for study. Since they do not have any IT department, if this occurs again I would like to be able to add the file in question to an exclusion list if I know that it is a false positive.
     
  2. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,374
    Did you submit it to samples[at]eset.com? Please re-send it to support[at]eset.com so that I can have a look at it.
     
  3. enduser999

    enduser999 Registered Member

    Joined:
    Apr 17, 2005
    Posts:
    418
    Location:
    The Peg
    Well, I thought I did yesterday along with the quarantined file, but I have just emailed a password-protected RAR with the file in question.

    Any reason why the exclusion list is still apparently being bypassed by AMON Adv Heuristics? I have not tried doing a manual scan using NOD32 on the file after adding it to the exclusion list, so I do not know if that also quarantines it.
     
  4. NOD32 user

    NOD32 user Registered Member

    Joined:
    Jan 23, 2005
    Posts:
    1,766
    Location:
    Australia
    This thread may offer some more insight than the one you mentioned earlier. https://www.wilderssecurity.com/showthread.php?t=69331

    Basically you may need to enter both the long and the short path for exclusion since AMON recognises explicitly the way each file is accessed.

    Cheers :)
     
  5. enduser999

    enduser999 Registered Member

    Joined:
    Apr 17, 2005
    Posts:
    418
    Location:
    The Peg

    Well, I know that in this case the file in question was on the hard drive in two different directories and that the full path to one of these 2 directories had been entered into the exclusion list as well as the file name itself, and AMON still quarantined it when I tried to do a copy and paste via Windows Explorer.

    It appears that when one sends a false positive file such as this, one does not get any sort of reply back from ESET once the problem has been verified and fixed with a virus update. I find that a bit frustrating since I have to remember to test each submitted file after each subsequent virus signature update to see if NOD32 is still flagging the file in question. If it isn't, then I have to remove the false positive file from the client's exclusion list(s).
     
  6. beetlejuice69

    beetlejuice69 Registered Member

    Joined:
    Mar 16, 2005
    Posts:
    780
    I've been waiting 2 months for Eset to fix a FP that it grabs. Putting it in the exclusion list means nothing to Amon... sad really.
     
  7. FirePost

    FirePost Registered Member

    Joined:
    Jul 29, 2005
    Posts:
    212
    Would you clarify that you did indeed use the complete path name in long AND shortened form?
    C:\progra~1\problem.file
    C:\program files\problem.file
     
  8. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,374
    What FP do you mean? False positives are always dealt with using high priority and in most cases are remedied in the upcoming update.
     
  9. enduser999

    enduser999 Registered Member

    Joined:
    Apr 17, 2005
    Posts:
    418
    Location:
    The Peg
    No what I did enter was
    problem.file
    c:\program files\problem.file

    Why is it that NOD32 can not parse the file name off the latter or even

    c:\progra~1\program.file ?

    This is the first anti-virus application that I have seen that required this extra work by the end user, especially when the exception dialog box allows one to point to the file, with the result of having the long name in the list. As well, one can simply paste the filename only into the dialog box and it gleefully takes it without complaining.

    Is it normal practice of ESET not to notify the submitter that ESET has verified that the submission was indeed a false positive and that it was fixed in a definition release, like one of ESET's competitors does?
     
  10. beetlejuice69

    beetlejuice69 Registered Member

    Joined:
    Mar 16, 2005
    Posts:
    780
    The one for OnlineArmor. Nod still keeps flagging oaui.exe as an unknown something or other. I can't remember what Nod said; I cleaned out my event log and quarantine.
     
  11. FirePost

    FirePost Registered Member

    Joined:
    Jul 29, 2005
    Posts:
    212
    I do not know. The linked thread had some theories. I just know that is what was stated in several threads dealing with apparent exclusion failures.
    Yes. But then, as mentioned, you need BOTH, so the long cut and paste IS okay, just possibly incomplete for all processes. There is a utility mentioned by rumpstah here nod32 exclusion list not working... that allows one to just copy and paste both forms.
    I linked the home page if you would like to read about it.
    Ninotech Path Copy 4.0
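
An added example, not from any poster in this thread: a PowerShell function that asks Windows for both the long and the 8.3 short form of each file path, so both can be pasted into the exclusion list as FirePost and NOD32 user describe. It uses the Scripting.FileSystemObject COM object; the file paths passed in are constructed placeholders.

```powershell
# Emit the long and the 8.3 short form of each file path for an exclusion list.
# The "~1" suffix is assigned by the file system when the file is created, so
# the short form cannot be reliably derived by string manipulation; ask Windows.
function Get-ExclusionPaths {
    param(
        [Parameter(Mandatory = $true)]
        [string[]]$Path
    )
    $fso = New-Object -ComObject Scripting.FileSystemObject
    foreach ($p in $Path) {
        if (-not $fso.FileExists($p)) {
            Write-Warning "File not found, skipping: $p"
            continue
        }
        $file = $fso.GetFile($p)
        # File.Path is the long form as stored on disk;
        # File.ShortPath is the full 8.3 form, e.g. C:\PROGRA~1\PROBLE~1.FIL.
        # If both are identical, 8.3 name creation is disabled on that volume
        # and only the long form needs to be excluded.
        [pscustomobject]@{
            LongPath       = $file.Path
            ShortPath      = $file.ShortPath
            ShortNameInUse = ($file.Path -ne $file.ShortPath)
        }
    }
}

# Constructed placeholder paths: the same file installed in two directories,
# as in the situation described in the thread. Substitute the real locations.
Get-ExclusionPaths -Path 'C:\Program Files\problem.file',
                         'C:\Program Files\Common Files\problem.file' |
    Format-List
```

Run it in an elevated PowerShell session on the affected workstation and copy both path forms for each entry into the NOD32 exclusion list.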
     
  12. enduser999

    enduser999 Registered Member

    Joined:
    Apr 17, 2005
    Posts:
    418
    Location:
    The Peg
    Thanks.. added to my machine here, but it is kinda backwards to have to do it for any of my clients who would have this problem. This problem/shortcoming apparently has been around for a long time. Too bad there is not a right mouse click in the threat log to allow one to add a false positive file to the exclusion list with two mouse clicks rather than the 6 or more mouse clicks per excluded file one has to perform currently.
     