Changing False Positive Result.

Discussion in 'ESET NOD32 Antivirus' started by Labcenter, Aug 20, 2008.

Thread Status:
Not open for further replies.
  1. Labcenter

    Labcenter Registered Member

    Joined:
    Aug 20, 2008
    Posts:
    1
    Hi,

    One of our software applications is registering as a false positive with the NOD32 antivirus software.

    We have tested the app in question against all other antivirus software without any problems - results screenshot from VirusTotal here: h**p://img106.imagevenue.com/img.php?image=68588_virustotal_122_886lo.jpg

    Is there anything that can be done about this, or is it an inconvenience that users of both software packages will simply have to live with?

    Regards,
    Iain.
     
  2. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,374
    Please compress the file in question with WinRAR or another ordinary packer, protect the archive with the password "infected" and send it to samples[at]eset.com with "False positive" in the subject. We'd also appreciate it if you enclosed the URL the program can be downloaded from.
     
  3. demonio

    demonio Registered Member

    Joined:
    Oct 21, 2007
    Posts:
    48
    Hello Marcos,
    I sent a false positive that has not yet been corrected.
    False positive LG
    ;)
     
  4. tlamming

    tlamming Registered Member

    Joined:
    Feb 6, 2008
    Posts:
    14
    Hello,

    I'm also getting a false positive for a managed service agent that we are rolling out. I've sent it to the email address above. The subject is "false positive" and the zip file is zcopy.zip

    How long does it usually take for a sample to get whitelisted?

    Thanks!

    Travis
     
  5. tlamming

    tlamming Registered Member

    Joined:
    Feb 6, 2008
    Posts:
    14
    Guys, I'm getting false positives all over the place on this managed services client by Zenith Infotech. I've submitted a ton of files, but have received no response. What is the deal?
     
  6. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,374
    The variant of zcopy.exe we have received at samples[at]eset.com is no longer detected; it was fixed a couple of days ago. If you have a newer variant that is detected with the latest signature database version, submit it to samples[at]eset.com in a password-protected archive with "False positive" in the subject.
     
  7. tlamming

    tlamming Registered Member

    Joined:
    Feb 6, 2008
    Posts:
    14
    Marcos,

    I appreciate the reply. Would it make sense for me to zip the entire program directory so that you guys can scan it? There are multiple different file types that are getting triggered.
     
  8. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,374
    OK, if the archive is not too large, send it to samples[at]eset.com with this thread's URL in the subject.
     
  9. tlamming

    tlamming Registered Member

    Joined:
    Feb 6, 2008
    Posts:
    14
    It's kind of big, I'll try to send just the exe's that are triggering.
     
  10. edwin3333

    edwin3333 Registered Member

    Joined:
    Aug 29, 2007
    Posts:
    244
  11. tlamming

    tlamming Registered Member

    Joined:
    Feb 6, 2008
    Posts:
    14
    Okay, I've sent some. This particular zip file is from the client that takes updates from the NOC and distributes them to workstations that are being monitored on the network. I'll send over some more false positives after that. The remote control aspect of these files must be what is setting off NOD32, I suppose. Thanks again!

    Travis
     
  12. tlamming

    tlamming Registered Member

    Joined:
    Feb 6, 2008
    Posts:
    14
    Marcos,

    Just sent another file. Hopefully, this is the last one!
     
  13. tlamming

    tlamming Registered Member

    Joined:
    Feb 6, 2008
    Posts:
    14
    Marcos,

    ESET is finding another file from this company. Is there any way you guys can open a dialogue so I don't have to single-handedly submit every single file that ESET finds?

    They are a managed services company. www.zenithinfotech.com
     
  14. tlamming

    tlamming Registered Member

    Joined:
    Feb 6, 2008
    Posts:
    14
    More false positives for the same client. I'll email you.
     
  15. tlamming

    tlamming Registered Member

    Joined:
    Feb 6, 2008
    Posts:
    14
    Marcos,

    Did you receive my email with the new file?

    Should I just disable heuristics? Where are all of the config settings for that?
     