AV Software Wars

Discussion in 'ESET NOD32 Antivirus' started by Henry Altaras, Mar 14, 2010.

Thread Status:
Not open for further replies.
  1. Henry Altaras

    Henry Altaras Registered Member

    Joined:
    Mar 3, 2009
    Posts:
    10
    1. The product a-squared Anti-Malware is detecting two registry keys belonging to NOD32 AV 4.2.35 as a threat: Trace.Registry.VirusShield2009!A2

    2. The detected registry locations are:
    HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\Image File Execution Options\equi.exe
    HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\Image File Execution Options\ekrn.exe

    3. The a-squared Anti-Malware Web site (http://www.emsisoft.com/en/malware/?Trace.Registry.VirusShield2009!A2) provides the following information on the above threat:

    "Registry traces are known references of Spyware/Adware which are stored in the Windows registry database. Traces may be autorun keys which make Spyware/Adware run automatically on Windows startup. Traces may also be registrations of Spyware/Adware DLL files which are registered to hijack the Windows Explorer or the web browser. Traces cannot be harmful by definition. They are only some kind of helpers to enable Malware to be installed and run on your computer."

    4. The scan log is attached.
     


  2. Thankful

    Thankful Savings Monitor

    Joined:
    Feb 28, 2005
    Posts:
    3,744
    Location:
    New York City
  3. Triple Helix

    Triple Helix Webroot Product Advisor

    Joined:
    Nov 20, 2004
    Posts:
    12,014
    Location:
    Ontario, Canada
    Other AVs will at times detect other AVs and programs as malware, which are false positives. You should upload those two files, which are in C:\Program Files\Eset, to EMSI software so they can get them fixed! http://www.emsisoft.com/en/support/submit/

    HTH,

    TH

    Edit: Thankful beat me to it! ;)
     
  4. Thankful

    Thankful Savings Monitor

    Joined:
    Feb 28, 2005
    Posts:
    3,744
    Location:
    New York City
    As I posted above, I sent the traces to Emsisoft as well as posted in their forum. The ball is in their court. In the last two weeks I have sent several FPs to Emsisoft. I have removed A-squared Free due to the hassle the FPs have been causing.
     
  5. Triple Helix

    Triple Helix Webroot Product Advisor

    Joined:
    Nov 20, 2004
    Posts:
    12,014
    Location:
    Ontario, Canada
    See my Edit! ;)

    Cheers,

    TH
     
  6. Thankful

    Thankful Savings Monitor

    Joined:
    Feb 28, 2005
    Posts:
    3,744
    Location:
    New York City
    No problem.
    Thanks.
     
  7. 3x0gR13N

    3x0gR13N Registered Member

    Joined:
    May 1, 2008
    Posts:
    754
    I highly doubt they are FPs. The "Image File Execution Options" key is an OS feature, and depending on the value specified (Debugger) it can prevent programs from executing, hence it is frequently used to "hijack" or disable AVs from running. The keys don't belong to Eset AV.
     
  8. Thankful

    Thankful Savings Monitor

    Joined:
    Feb 28, 2005
    Posts:
    3,744
    Location:
    New York City
    There is no value set for those two registry values.
    It is also possible the new version of NOD32 (4.2.35.0) introduced those two registry values.
     
  9. 3x0gR13N

    3x0gR13N Registered Member

    Joined:
    May 1, 2008
    Posts:
    754
    Yes, that's why I said "depending on the value specified". That's why Eset is running.
    Doubt it. ;) But I'll check.
    Edit: just downloaded and installed the latest version and it does indeed place those keys to prevent hijacking by malware. :)
     
    Last edited: Mar 14, 2010
  10. Thankful

    Thankful Savings Monitor

    Joined:
    Feb 28, 2005
    Posts:
    3,744
    Location:
    New York City
    Thanks for checking.
     
  11. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,376
    They should check for the presence of the Debugger value instead of just the reference to egui.exe/ekrn.exe in that key.
     
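    The check Marcos describes, as an added example that is not code from the thread, from ESET or from Emsisoft: a PowerShell function that reports, for each image name, whether an IFEO subkey merely exists (as the egui.exe/ekrn.exe keys do) or actually carries a Debugger value that redirects execution. The default image list and the extra Wow6432Node root are assumptions; run it from an elevated prompt.

    ```powershell
    function Get-IfeoDebuggerStatus {
        param(
            # Image names to inspect; the default is the pair discussed in this thread (assumption)
            [string[]]$Image = @('egui.exe', 'ekrn.exe')
        )
        # Native IFEO root plus the 32-bit view on 64-bit Windows (assumed to be worth checking too)
        $roots = @(
            'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options',
            'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
        )
        foreach ($root in $roots) {
            if (-not (Test-Path -LiteralPath $root)) { continue }
            foreach ($name in $Image) {
                $keyPath = Join-Path -Path $root -ChildPath $name
                if (-not (Test-Path -LiteralPath $keyPath)) {
                    [pscustomobject]@{ Image = $name; Root = $root; KeyExists = $false; Debugger = $null
                                       Verdict = 'No IFEO key for this image' }
                    continue
                }
                # A missing Debugger value yields $null here instead of an error
                $debugger = (Get-ItemProperty -LiteralPath $keyPath -Name Debugger -ErrorAction SilentlyContinue).Debugger
                $verdict = if ([string]::IsNullOrWhiteSpace($debugger)) {
                    # Key only: Windows does not redirect the launch, so the image still runs normally
                    'Key present, no Debugger value: execution is not redirected'
                } else {
                    # A Debugger value makes Windows start that program instead of the image; review it
                    'Debugger value set: launch is redirected to the listed program; review'
                }
                [pscustomobject]@{ Image = $name; Root = $root; KeyExists = $true; Debugger = $debugger
                                   Verdict = $verdict }
            }
        }
    }

    # Report on the default images; pass -Image to check others
    Get-IfeoDebuggerStatus | Format-Table -AutoSize
    ```

    A key that exists with no Debugger value is what the thread ends up confirming for the ESET entries; only rows with a Debugger value need a closer look.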
  12. Henry Altaras

    Henry Altaras Registered Member

    Joined:
    Mar 3, 2009
    Posts:
    10
    Thank you for the interest. I suppose we should wait for information that is more conclusive.
    I have reported the issue to a-squared as a possible false positive. So far no reply.
     
  13. Thankful

    Thankful Savings Monitor

    Joined:
    Feb 28, 2005
    Posts:
    3,744
    Location:
    New York City
    This is no longer detected by A-Squared Free.
     