Another bad signature update

Discussion in 'NOD32 version 2 Forum' started by sedell, Jul 11, 2008.

Thread Status:
Not open for further replies.
  1. sedell

    sedell Registered Member

    Joined:
    Apr 4, 2005
    Posts:
    26
    I get into work today to find Autodesk Inventor has been killed on all of our engineering machines because NOD32 nailed iDrop.ocx as a variant of Win32/AdInstaller application. Not only has it been on the machines unaltered for about 1.5 years, but I ran it through VirusTotal which showed all clear. Took a couple of hours to straighten out and restore the file on all of the PCs.

    Now, I get home, there's a message from a family member with computer problems. She got caught by the MS DNS patch that killed internet access when ZoneAlarm is installed. I go to download the new ZoneAlarm free to help her out, and NOD32 nails that as, you guessed it, a variant of Win32/AdInstaller application. I can't verify this one since it's over VirusTotal's max size.

    If one file gets nailed, maybe it is infected, but two totally unrelated files from completely separate and unrelated sources? I sure don't believe NOD32 is right.

    What is going on here? NOD32 used to be a program I trusted and relied on for years, and recommended to everyone. After this, the fiasco with a bad update a week or so ago that caused all the Word documents on the network to get swallowed, and another bad update not long before that, I'm having serious doubts. Throw in the bugged V3 release that shouldn't have seen light of day, and I'm about to start looking for alternatives.

    What happened to Eset?
     
  2. Kosak

    Kosak Registered Member

    Joined:
    Jul 25, 2007
    Posts:
    711
    Location:
    Slovakia
    Hello,

    ZoneAlarm includes a toolbar, which is signed as "Win32/AdInstaller". Could you please disable detection of "Potentially unsafe applications" and try scanning these files once again?

    Regards
     
  3. sedell

    sedell Registered Member

    Joined:
    Apr 4, 2005
    Posts:
    26
    And hasn't it been there for some time now? I downloaded ZA free just two days ago to fix someone else's computer, and that download didn't get nailed as adware. That person was running ZA free along with NOD32 since the machine was built two years ago, and they never had a detection. Even if ZA just added a new toolbar today, it doesn't explain NOD32 suddenly nailing other files as adware that are part of paid software that has been on the machines, along with NOD32, for years. That's the problem here. Files that have been on machines and scanned clean dozens, if not hundreds of times, are suddenly getting detected as unsafe and removed, crippling our ability to work on these machines. NOD32 is not new to these machines, the files it is detecting are not new to these machines - the only thing new in these scenarios is the virus definitions.
     
  4. noway

    noway Registered Member

    Joined:
    Apr 24, 2005
    Posts:
    351
    Why don't you uncheck the detection options for "potentially unwanted/unsafe applications" and/or stop setting the app to clean automatically? Regardless of the "luck" you may have had in the past, you are playing with fire when you set it up the way you're doing it now. If in doubt, submit to VirusTotal and THEN decide what to do with it. I know that doesn't explain the false positives but your life might be easier if you go this route, since all antivirus software has bugs/problems with the updates at one time or another.
     
    Last edited: Jul 11, 2008
  5. Kosak

    Kosak Registered Member

    Joined:
    Jul 25, 2007
    Posts:
    711
    Location:
    Slovakia
    It wasn't a "bad signature update". Look here and see that it has been detected earlier.
     
  6. agoretsky

    agoretsky Eset Staff Account

    Joined:
    Apr 4, 2006
    Posts:
    4,032
    Location:
    California
    Hello,

    Please submit a copy of the IDROP.OCX file in a .ZIP or .RAR archive protected with a password of "infected" to samples@eset.sk.

    For the Subject: use "False Positive - Autodesk Inventor file" and put the version information from your copy of NOD32 and the URL of this message thread in the body of your message.

    Regards,

    Aryeh Goretsky
     
  7. sedell

    sedell Registered Member

    Joined:
    Apr 4, 2005
    Posts:
    26
    Because, when you maintain hundreds of machines, not automatically cleaning/quarantining means users, or the potential malware itself, have all that time while you look into the alert to potentially infest the rest of the network and do further damage. By the time you look into the alert, then start running around to all of these machines to respond manually (assuming you can even get to the machines, since you have a mobile workforce out of the building), you could have a network so infested it could take weeks to recover. The same goes for potentially unwanted/unsafe applications. In a network environment, you don't want potentially unwanted/unsafe applications. You could have similar damage done while you respond. My life might be easier with false positives, but significantly harder for the legitimate alerts. Not to mention I'd lose my job once management found out that malware spread across the network because I set the AV software to not actually do anything.

    I submitted it first thing in the morning when I noticed that machines had been cleaned and I confirmed it was a bad detection, right from the quarantine folder using the submit feature.