Beta NOD32 possible false positive MacroExpress3 (MacExp.exe)

Discussion in 'ESET NOD32 v3 Beta Forum' started by Devinco, Jul 26, 2004.

Thread Status:
Not open for further replies.
  1. Devinco

    Devinco Registered Member

    Joined:
    Jul 2, 2004
    Posts:
    2,524
    Hi Everyone,

    I'm a proud new licensee of NOD32 for one of my systems.
    So far it seems to be working well, except for a couple of problems.
    I have the new beta version 2.011 and configured as per BlackSpear's excellent extra settings thread. I also have Insight Software Solutions Macro Express 3 (a useful macro utility).
    MacroExpress3 has a resident component (MacExp.exe) that NOD32 flags with the following message at boot:

    D:\Program Files\Macro Express3\MacExp.exe is infected with probably unknown NewHeur_PE virus. Details merely say probably unknown NewHeur_PE virus.

    I also get a message like this:
    NewHeur_PE virus found in operating memory. Suggested action is deletion as the file most probably consists only of viral code (if not applicable, choose leave or terminate) No action can be taken on a memory infiltration.

    I am a licensee for MacroExpress3 and I also scanned it (prior to NOD32 installation) with NAV2003 and TDS-3 (latest sigs) so I am pretty sure it is not viral.
    I added the whole directory D:\Program Files\Macro Express3 (including parsing subdir) to the exclusion list in AMON, but it still pops up.
    I looked in the NOD32 on demand scanner as well, but there is no exclusion list there.
    I understand that if the heuristics thinks it walks like a duck and quacks like a duck, it must be a duck, but this is just a macro utility.

    How can I resolve this possible "false positive"?
    Also, the alert said "No action can be taken on a memory infiltration".
    Why can't NOD32 take any action? Isn't that part of its job?

    Thank you
     
  2. ronjor

    ronjor Global Moderator

    Joined:
    Jul 21, 2003
    Posts:
    57,802
    Location:
    Texas
    Send the file in question to support@nod32.com. Zip it up with a password and include the password in your message.
     
  3. Devinco

    Devinco Registered Member

    Joined:
    Jul 2, 2004
    Posts:
    2,524
    Thank you Ronjor.

    I will zip it and email it to them. But why should it be done with a password? (just curious)
    If it is to prevent email interception, they could get the password from the unencrypted email.
    And can this be any password, or does it need to be my NOD32 registration password?

    Also, the alert said "No action can be taken on a memory infiltration".
    Why can't NOD32 take any action? Isn't that part of its job?
     
  4. ronjor

    ronjor Global Moderator

    Joined:
    Jul 21, 2003
    Posts:
    57,802
    Location:
    Texas
    The password should prevent anyone or anything from opening the file.
    You could use "possiblefalsealarm" for a password.

    I'm not sure any antivirus can clean a memory resident virus. Since I said this we will find out for sure!! :D

    Edit: If a program is in memory, it is in use. You have to terminate the program and stop the execution of the program before it gets in memory.
     
    Last edited: Jul 26, 2004
  5. Devinco

    Devinco Registered Member

    Joined:
    Jul 2, 2004
    Posts:
    2,524
    Thanks Ronjor!
     
  6. Devinco

    Devinco Registered Member

    Joined:
    Jul 2, 2004
    Posts:
    2,524
    Just to update.

    Eset has removed this false positive from NOD32 recently.

    Thank you Eset.
     
  7. ExLover

    ExLover Guest

    I had this problem last night and cleaned it out through
    Pest Patrol
    I still don't know if it was a worm or not
    but my NOD & Housecall found it!
    EX
     
  8. ShunterAlhena

    ShunterAlhena Registered Member

    Joined:
    Aug 1, 2004
    Posts:
    134
    Location:
    Szigethalom, Hungary
    I'm not a mod or anything, but IMO there wasn't too much point in reviving this dead old thread... :rolleyes:
     
  9. ronjor

    ronjor Global Moderator

    Joined:
    Jul 21, 2003
    Posts:
    57,802
    Location:
    Texas
    I agree. Thread closed.
     