Agnitum Outpost Firewall DLL False Positive?

Discussion in 'ESET NOD32 Antivirus' started by ottchris, Jul 9, 2009.

Thread Status:
Not open for further replies.
  1. ottchris

    ottchris Registered Member

    Joined:
    Nov 10, 2007
    Posts:
    3
    A short while ago I returned to my laptop to find a reboot request from NOD32 in order to clean a file. A check of quarantine found 2 copies of engine.dll quarantined two hours apart. This may be because Outpost Firewall protects itself against deletion attempts for obvious reasons. Here is the scanner log entry:

    09/07/2009 13:03:59 Startup scanner file C:\Program Files\Agnitum\Outpost Firewall\engine.dll probably a variant of Win32/Genetik trojan cleaned by deleting (after the next restart) - quarantined

    There is no log entry for an identical quarantine two hours previous. I also do not understand the "Startup scanner" reference unless it really means 'signature database update scanner', as the signature files were updated at 11:05 and 13:05.

    I have a) sent one of the quarantined files to Eset for analysis and b) generated a separate support request. However, the latter quotes allowing 1 business day for a response. Any suggestions for further action most welcome given the likelihood that it is a false positive. I am of course holding off any reboot for the moment. Outpost may prevent any deletion and even if it doesn't I can restore from quarantine or backup, but I'd rather do something proactive to stop it happening in the first place.

    *Update*

    1. I have an older machine running the same versions of NOD32 and Outpost Firewall (engine.dll superficially identical, i.e. same file size). Wondered why no NOD32 requests to reboot from that machine and discovered I had the Firewall directory in NOD32's exclusion list!

    2. I have searched Eset's "Virus signature database updates" and "Threat Encyclopedia" on their site for "Win32/Genetik". It's not documented on either of those resources!
     
    Last edited: Jul 9, 2009
  2. Cudni

    Cudni Global Moderator

    Joined:
    May 24, 2009
    Posts:
    6,956
    Location:
    Somethingshire
    exclude from scanning until reply from eset?
     
  3. agoretsky

    agoretsky Eset Staff Account

    Joined:
    Apr 4, 2006
    Posts:
    4,032
    Location:
    California
    Hello,

    Can you provide more information, such as the build and signature version of ESET NOD32 Antivirus, similar version information from Agnitum Outpost Firewall and version of Microsoft Windows?

    Win32/Genetik identifications are based on a combination of generic signatures and heuristic algorithms. It is not a specific malware specimen or even a family, but rather a classification for certain types of behavior commonly seen in malicious code.

    It is possible this is a false positive alarm, but in order to determine that, more information from you (starting with what was asked, above) will be required in order to troubleshoot the problem.

    Regards,

    Aryeh Goretsky
     
  4. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,374
    Hello,
    I've scanned engine.dll we've received today and it was no longer detected. Please re-scan it with the latest signature db version 4229.
     
  5. ottchris

    ottchris Registered Member

    Joined:
    Nov 10, 2007
    Posts:
    3
    Thanks Marcos, just rescanned with 4229 and confirm it is now no longer detected. As Cudni suggested I had temporarily excluded it (although that did not prevent it being deleted during an unavoidable reboot) and perhaps that had something to do with the 'rescan quarantined files after every update' option not apparently taking place. NOD32 had previously quarantined the file twice, so although I had to restore one copy after the reboot there was still one copy left in quarantine. According to the log 4229 was downloaded at 18:03 yesterday but there is no indication of any rescan taking place. Nor have I heard anything from ESET. It was only coming back to read this thread that prompted me to rescan.

    Finally, apologies to agoretsky; I usually err on the side of providing too much information but obviously omitted some important details this time.

    Thanks everyone! :)
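As an added example (not code from the thread, from ESET or from Agnitum), here is a small Python parser for scan-log lines of the shape quoted in the first post, with the two checks a responder would want when triaging a suspected false positive: has the same file been detected repeatedly (a file that comes back after quarantine, as engine.dll did, deserves a second look before trusting the verdict), and does the detected path sit inside a configured exclusion (which is why the poster's second machine stayed quiet). The log-line shape, the day/month date order and the earlier sample entry are assumptions.

```python
import re
from datetime import datetime
from pathlib import PureWindowsPath

# Assumed shape of an ESET NOD32 scan-log line, derived from the single entry
# quoted in the thread: "<date> <time> <scanner> file <path> <threat> <action> - <result>".
LOG_RE = re.compile(
    r"^(?P<ts>\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2}) "
    r"(?P<scanner>.+?) file (?P<path>.+?) "
    r"(?P<threat>(?:probably a variant of )?[\w./-]+ (?:trojan|worm|virus|application)) "
    r"(?P<action>.+?)(?: - (?P<result>[\w ]+))?$"
)

def parse_line(line):
    """Split one log line into named fields; timestamps assumed to be day/month/year."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%m/%Y %H:%M:%S")
    return rec

def repeat_detections(records):
    """Paths detected more than once, mapped to hours between first and last hit.
    Repeated hits on one file mean it was restored or recreated after quarantine
    (e.g. by a self-protecting product), so the verdict should be re-checked."""
    by_path = {}
    for r in records:
        by_path.setdefault(r["path"].lower(), []).append(r["ts"])
    return {p: round((max(t) - min(t)).total_seconds() / 3600, 2)
            for p, t in by_path.items() if len(t) > 1}

def covered_by_exclusion(path, exclusions):
    """True if the detected path lies inside any excluded directory.
    PureWindowsPath compares case-insensitively, as Windows itself does."""
    p = PureWindowsPath(path)
    return any(PureWindowsPath(e) in p.parents for e in exclusions)

# Constructed sample: the line quoted in the thread plus an assumed earlier hit
# two hours before it (the poster found two quarantined copies two hours apart).
SAMPLE_LOG = [
    r"09/07/2009 11:03:59 Startup scanner file C:\Program Files\Agnitum\Outpost Firewall\engine.dll probably a variant of Win32/Genetik trojan cleaned by deleting (after the next restart) - quarantined",
    r"09/07/2009 13:03:59 Startup scanner file C:\Program Files\Agnitum\Outpost Firewall\engine.dll probably a variant of Win32/Genetik trojan cleaned by deleting (after the next restart) - quarantined",
]

if __name__ == "__main__":
    recs = [r for r in (parse_line(l) for l in SAMPLE_LOG) if r]
    print(repeat_detections(recs))
    print(covered_by_exclusion(recs[0]["path"], [r"C:\Program Files\Agnitum\Outpost Firewall"]))
```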
     