CommFort+NOD32=Win32/Packed.Themida

Discussion in 'ESET NOD32 Antivirus' started by Maxim Mirgorodsky, Oct 28, 2008.

Thread Status:
Not open for further replies.
  1. Maxim Mirgorodsky

    Maxim Mirgorodsky Registered Member

    Joined:
    Oct 28, 2008
    Posts:
    11
    NOD32 with virus signatures from October 17, 2008 and later alerts on all files protected with Themida 1.9.5.0 and 1.9.9.0 (the same situation may be with other versions).

    CommFort (http://www.commfort.com/) executable files for all versions for the latest year and a half are among such files.

    We sent twelve different files that are part of the CommFort software and that the antivirus flags as suspicious to samples@eset.com a week ago (from maxim @ commfort.com). There are dozens of such files, but we can’t find them easily.

    We haven’t got any response yet, nor has the situation changed.

    Please help us to solve the problems.

    Regards,
    Maxim Mirgorodsky
    CEO of CommFort software Ltd.
     
  2. NOD32 user

    NOD32 user Registered Member

    Joined:
    Jan 23, 2005
    Posts:
    1,766
    Location:
    Australia
    Hi,

    I'm not sure after re-reading your post whether you believe these should be detected or if you believe them to be false positives?

    In either case this post may be of assistance.

    Cheers :)

    EDIT: Just downloaded 'CommFort (server + client)'.
    Neither the archive itself nor the two .exe files it contains are currently detected here?
     
  3. Maxim Mirgorodsky

    Maxim Mirgorodsky Registered Member

    Joined:
    Oct 28, 2008
    Posts:
    11
    We are talking about the false alerts. Today we released a new version of CommFort protected by the latest beta version of WinLicense (Themida) in which the cause of the NOD alert is fixed. The previous CommFort version is available at: http://www.tucows.com/preview/512736
     
  4. doktornotor

    doktornotor Registered Member

    Joined:
    Jul 19, 2008
    Posts:
    2,047
    This nothing detected. Do I have to install it or what?
     
  5. Maxim Mirgorodsky

    Maxim Mirgorodsky Registered Member

    Joined:
    Oct 28, 2008
    Posts:
    11
    Yes, install it.
     
  6. doktornotor

    doktornotor Registered Member

    Joined:
    Jul 19, 2008
    Posts:
    2,047
    OK, this is only detected when you enable scanning for "potentially unwanted applications", which - given the massive abuse of Themida by malware - is most likely by design. Already debated before.
     
  7. Maxim Mirgorodsky

    Maxim Mirgorodsky Registered Member

    Joined:
    Oct 28, 2008
    Posts:
    11
    So, what am I supposed to do now? I have sent some CommFort files to at least prevent the antivirus from triggering false alarms on them. The result is negative. Every day CommFort users bombard the technical support with complaints on the false virus detection warnings issued by NOD32.
     
  8. Maxim Mirgorodsky

    Maxim Mirgorodsky Registered Member

    Joined:
    Oct 28, 2008
    Posts:
    11
    Do ESET officials ever show up on this forum?
     
  9. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,374
    Actually I downloaded both the server and client from your website yesterday and the FP was fixed in the next update. The file you've submitted will be fixed, but note that it's detected as a potentially unsafe application (PUA) because of the packer used and not as malware. In order for PUA to be detected, the users must agree with detection of such applications and intentionally enable detection as it's disabled by default.
     
  10. Maxim Mirgorodsky

    Maxim Mirgorodsky Registered Member

    Joined:
    Oct 28, 2008
    Posts:
    11
    The 12 files that I have sent over a week ago are still detected as viruses (that’s right, viruses; at least the Russian version of NOD32 writes: "Virus detected"). When will the false virus detection be fixed for at least those 12 files?
     
  11. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,374
    We've received only 1 email with samples attached on Oct 22. Anyway, Themida is detected as a potentially unsafe application because it's massively abused by malware to evade detection. Any further variants packed with Themida may be detected again. Potentially unsafe applications cover commercial programs that can be misused by malware, and are disabled by default. They are only detected if the user chooses to detect them and intentionally agrees with detection.
     
  12. Maxim Mirgorodsky

    Maxim Mirgorodsky Registered Member

    Joined:
    Oct 28, 2008
    Posts:
    11
    Just sent you the files once again to samples@eset.com. But instead of attaching them to the message, I have enclosed the download URL (it’s a bit hard to send 25MB as an attachment).
     
  13. Maxim Mirgorodsky

    Maxim Mirgorodsky Registered Member

    Joined:
    Oct 28, 2008
    Posts:
    11
    Gentlemen,
    I'd like to see your response to the submission of the files.
     
  14. Maxim Mirgorodsky

    Maxim Mirgorodsky Registered Member

    Joined:
    Oct 28, 2008
    Posts:
    11
    And again we have a lot of complaints - NOD32 detects the CommFort client installation file as the "Win32/Kryptik.AE" Trojan file and the executable file as "Win32/Packed.Themida". And if the NOD32 settings are set to default, it deletes these files. We are asking you to solve this situation immediately, we have sent the necessary files in archives protected with a password to samples@eset.com today.
     
  15. danieln

    danieln Eset Staff

    Joined:
    Jan 7, 2009
    Posts:
    112
    I disagree with this statement.
    Themida is not detected by default, only when users choose to turn on the p.unwanted applications.

    The Win32/Kryptik.AE trojan seems to be a FP and the lab will work on that.

    The solution of your problem with the optional Themida protector detection depends mostly on you. You may:
    1. Use something else than Themida
    or
    2. Simply explain to the users that your Themida modified executables are 100% safe (that's true) and it is OK to run them with the setting of PUA disabled.
    or
    3. Kindly send every build to the lab before release with the words in subject: "Please white-list this build to prevent any detection (Themida)"

    Because of the Themida protector, neither the lab nor the legal department is able to auto-white-list all your Themida executables which you will create in the future as you desire. The lab would like to do it for you, but currently it is not possible. You are the one who has to choose from the proposed solutions.
     
  16. Maxim Mirgorodsky

    Maxim Mirgorodsky Registered Member

    Joined:
    Oct 28, 2008
    Posts:
    11
    1. It is very expensive to change the protection system. There is no guarantee that a new protection system won’t end up in the same situation as Themida is in now.
    2. We lose a part of our users acting like this.
    We have no choice – we must choose point 3:

    As we will need to write often, and quite often 5-10 files will be added to the white list at a time (we release different distributives for different license types), please provide us with the requirements for such messages. It is obvious what to specify in the subject field. The questions are:
    1) Is it possible to include 5-10 files simultaneously into the message?
    2) Is it necessary to add them to an archive (protected with a password)?
    3) Is there any limit for the message size?
    4) What is the email address and what should be written in the message body?
     
  17. danieln

    danieln Eset Staff

    Joined:
    Jan 7, 2009
    Posts:
    112
    Not a problem.

    Yes, some email servers can delete it if you send it unencrypted.

    Yes, it depends on individual settings on email servers.

    I suggest you write something like this: "According to our agreement we are sending you new version of.... which we are going to release soon. Executables use Themida protector and we guarantee they are safe to use. Please verify and white list them in your product. Please notify us... "

    In case you don't receive any reply in 2 working days, write a post to the forum with a request about the status.
    I don't know, what is your current release frequency?

    If you don't like sending files in email, you may put the files somewhere on your server and send the direct link instead. FTP can be used as well. In the case of HTTP and FTP there is no need to password protect the archives and there is no problem with their size.
     
  18. funkydude

    funkydude Registered Member

    Joined:
    Apr 5, 2004
    Posts:
    6,851
    No, unless you have a limit to what you can send.
     
  19. Maxim Mirgorodsky

    Maxim Mirgorodsky Registered Member

    Joined:
    Oct 28, 2008
    Posts:
    11
    Okay, we will send files then, but we hope this inconvenience is temporary (if such a protection strategy is chosen by other antivirus developers, we will simply be unable to send the files to all of them).

    And one suggestion: it may be useful to change the protection scheme so that ‘potentially unwanted applications’ aren’t deleted automatically. Or at least you may display a confirmation message when a ‘potentially unwanted application’ is launched.
     
  20. danieln

    danieln Eset Staff

    Joined:
    Jan 7, 2009
    Posts:
    112
    NOD32 version 4 (currently in public beta stage) is already dealing with PUA in a different way. The notification alert is changed and the color too (yellow).
     