after some quiet times - false positive again

Discussion in 'ESET NOD32 Antivirus' started by emailaya, May 22, 2010.

Thread Status:
Not open for further replies.
  1. emailaya (Registered Member; joined Sep 20, 2008; 33 posts)

    Hi,

    The application I'm developing is yet again considered a virus (false positive). I sent it, as requested, to the samples@... email address.

    Will I receive an email back with an answer about it?
    How can I be sure this problem won't repeat in the future? It seems that for a long time you did a good job about it, but now the problem is back.

    Thanks
  2. emailaya (Registered Member; joined Sep 20, 2008; 33 posts)

    A link to think about:

    ~~ VT link removed per this policy. ~~

    Note by LowWaterMark about VT/Jotti results... we've often encouraged people to state in simple language what the results actually say, without the need to provide the link. It is enough to say that you found a file that, when submitted to VT, had a detection of 1/41 with only ESET detecting it. More often than not, that is a sign of a false positive.

    Last edited by a moderator: May 22, 2010
  3. jimwillsher (Registered Member; joined Mar 4, 2009; 668 posts)

    For some bizarre, possibly protectionist reason, the mods here ban links to VirusTotal. So expect your posting to disappear... (and probably mine too).
  4. emailaya (Registered Member; joined Sep 20, 2008; 33 posts)

    As long as my original topic stays and my problem gets fixed, I'm OK with that.
    Thanks for the warning.
  5. Cudni (Global Moderator; joined May 24, 2009; 6,956 posts; location: Somethingshire)

    You reported it, so it most probably will be fixed, and maybe already is, as it was in the past.
  6. emailaya (Registered Member; joined Sep 20, 2008; 33 posts)

    Do you know the phrase: "Quit smoking? It's easy, I've done it lots of times."
    True, eventually ESET fixed it (and now it's back), but they are considered a serious AV company, and since NOD32 deletes the file without questioning, it's a problem for the end user (and surely for me, the developer) that from time to time he can't use the application because of it.

    And telling me to tell the user to exclude the file or to change the settings of NOD32 is not a serious answer.
  7. Cudni (Global Moderator; joined May 24, 2009; 6,956 posts; location: Somethingshire)

    Never heard of it. I quit smoking once and never looked back :)
    It is understandable to be frustrated with having to prove to an AV company that there is nothing to detect. At the same time, almost all arguments were covered in your thread from last year:
    https://www.wilderssecurity.com/showthread.php?t=239306
  8. emailaya (Registered Member; joined Sep 20, 2008; 33 posts)

    I'm not going to open this issue again, that's for sure.
    I just want my app to be clean and considered that way for life, without me needing to check it often.

    And I admire people like you who stopped smoking and never looked back! Really!
    I never started to smoke, because I was too busy asking ESET to stop falsely detecting my application ;-)
  9. The Hammer (Registered Member; joined May 12, 2005; 5,619 posts; location: Toronto, Canada)

    Your post won't disappear into the night. There were several reasons for the VirusTotal ban, one of which is that such links were part of the arsenal used in A vs B threads. Another was "this AV (insert name here) detects this threat, so how come you don't?", which was far more common and solved nothing, as no AV is 100%.
  10. emailaya (Registered Member; joined Sep 20, 2008; 33 posts)

    Maybe the default behavior should be asking the user what to do instead of deleting the file without asking, causing the user to feel lost and angry.
  11. emailaya (Registered Member; joined Sep 20, 2008; 33 posts)

    Again a user complaint about NOD32 deleting the file, thinking it's a virus. May I at least know if and when ESET will notify me about this fix? How can I ask users to trust me when time after time the file is deleted because it is supposedly a virus?

    Your work and sales are based on your reputation, but what about our (the developers') reputation?

    At least update me about this issue; some respect won't do harm.
  12. danieln (ESET Staff; joined Jan 7, 2009; 112 posts)

    You should improve at least the following:

    1. Identify the executable as a legitimate application by adding a properly filled VERSION INFO to the executable. Currently the VERSION INFO is missing.
    2. Use a stable version of the run-time packer. The latest executable made recently is using the UPX 2.92 beta (23 Jan 2007). The available stable version is 3.05 (27 Apr 2010).

    The current compression ratio is most probably achieved by the following switches:
    upx.exe --ultra-brute --lzma -o emailaya.exe emailaya_original10MB.exe

    The LZMA compression method is not a recommended default, and according to the notes of the authors, "runtime decompression is about 30 times slower than NRV":
    http://upx.sourceforge.net/upx-news.txt

    Some important notes regarding the packing/protecting of legitimate applications can be found in the McAfee article "Who Digs the Elephant Trap?":
    http://www.avertlabs.com/research/blog/index.php/2009/05/28/who-digs-the-elephant-trap/

    Last edited: May 27, 2010
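The two points in the post above (a VERSIONINFO resource and a stable, non-beta UPX build) expressed as a pre-release check a developer could run over the packed binary before shipping it. This is an added example, not code from the thread or from ESET; it assumes the `$Id: UPX <version> Copyright ...` stamp the UPX stub leaves in packed files is intact, and `build_sample` constructs a minimal, non-executable PE32 image in place of a real packed executable.

```python
import re
import struct

RT_VERSION = 16                                               # resource type of VS_VERSIONINFO
UPX_ID = re.compile(rb"\$Id: UPX ([0-9]+\.[0-9]+(?: beta)?)")  # stamp left in the UPX stub

def inspect_pe(data: bytes) -> dict:
    """Packer stamp, UPX section names and VERSIONINFO presence for an in-memory PE image."""
    pe = struct.unpack_from("<I", data, 0x3C)[0]                    # e_lfanew
    assert data[pe:pe + 4] == b"PE\0\0", "not a PE image"
    nsec, opt_size = struct.unpack_from("<H", data, pe + 6)[0], struct.unpack_from("<H", data, pe + 20)[0]
    opt = pe + 24
    dd = opt + (112 if struct.unpack_from("<H", data, opt)[0] == 0x20B else 96)   # PE32+ / PE32
    rsrc_rva = struct.unpack_from("<I", data, dd + 2 * 8)[0]        # data directory 2 = resources
    sections = [struct.unpack_from("<8sIIII", data, opt + opt_size + i * 40) for i in range(nsec)]
    has_version = False
    for name, vsize, vaddr, raw_size, raw_ptr in sections:
        if rsrc_rva and vaddr <= rsrc_rva < vaddr + max(vsize, raw_size):
            off = rsrc_rva - vaddr + raw_ptr                            # RVA -> file offset
            n_named, n_id = struct.unpack_from("<HH", data, off + 12)
            ids = [struct.unpack_from("<I", data, off + 16 + j * 8)[0] for j in range(n_named + n_id)]
            has_version = RT_VERSION in ids                             # named entries carry bit 31, never 16
    m = UPX_ID.search(data)
    return {"upx_sections": any(s[0].startswith(b"UPX") for s in sections), "has_version_info": has_version,
            "upx_version": m.group(1).decode() if m else None}

def release_issues(data: bytes) -> list:
    """The two fixes from the thread as a pre-release gate: VERSIONINFO present, no beta packer."""
    r = inspect_pe(data)
    issues = [] if r["has_version_info"] else ["no VERSIONINFO resource"]
    if r["upx_version"] and "beta" in r["upx_version"]:
        issues.append("packed with a beta UPX build (%s)" % r["upx_version"])
    return issues

def build_sample(with_version_info: bool, upx_stamp: bytes) -> bytes:
    """Constructed minimal PE32 image (headers plus one UPX0 section, not runnable) for testing."""
    img = bytearray(0x600)
    img[:2], pe, opt = b"MZ", 0x80, 0x80 + 24
    struct.pack_into("<I", img, 0x3C, pe)                             # e_lfanew
    img[pe:pe + 4] = b"PE\0\0"
    struct.pack_into("<H", img, pe + 6, 1)                            # one section
    struct.pack_into("<H", img, pe + 20, 224)                         # PE32 optional header size
    struct.pack_into("<H", img, opt, 0x10B)
    struct.pack_into("<II", img, opt + 96 + 16, 0x1000 if with_version_info else 0, 0x100)
    struct.pack_into("<8sIIII", img, opt + 224, b"UPX0", 0x200, 0x1000, 0x200, 0x400)  # RVA 0x1000 -> offset 0x400
    if with_version_info:
        struct.pack_into("<HH", img, 0x400 + 12, 0, 1)                # one ID entry ...
        struct.pack_into("<II", img, 0x400 + 16, RT_VERSION, 0x80000048)  # ... of type RT_VERSION
    img[0x500:0x500 + len(upx_stamp)] = upx_stamp                     # constructed packer stamp
    return bytes(img)
```

Run `release_issues(open("emailaya.exe", "rb").read())` on a real build; an empty list means both points from the post are satisfied.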
  13. emailaya (Registered Member; joined Sep 20, 2008; 33 posts)

    1. Regarding the version info: thanks for the tip.
    2. I now use 3.05; the compression ratio is less good than the previous one but still bearable, and NOD32 didn't recognize it as a virus, so I will continue using 3.05, hoping the problem won't repeat in the future.

    The above proves that your previous statements (in a separate email) were not true, but since it's not relevant (for now), I hope it will continue to be irrelevant in the future.

    Thanks
  14. danieln (ESET Staff; joined Jan 7, 2009; 112 posts)

    Notify me when you have a version with 1 & 2 ready.

    Another appreciable thing is the pre-release antimalware checking of all released executables. It will reduce surprises and user complaints in the case of a false positive, and it is a good way to verify that the application intended for release is free of any malware.
    Randy Abrams wrote in his blog posts more than once about the importance of such a process.
    The original unpacked executables can be scanned too. Especially when some protection envelopes are being used, they introduce a security risk for the user, since they may prevent AV solutions from effectively finding problems in the underlying code.