Erroneous MBR Virus

Discussion in 'ESET NOD32 Antivirus' started by spidey, Mar 3, 2009.

Thread Status:
Not open for further replies.
  1. spidey

    spidey Guest

    I just updated from NOD32 v2.7 to the new v4. The detected threat is "Startup scanner boot sector MBR sector of the 0. physical disk probably unknown TSR.BOOT virus unable to clean". I have my disk encrypted with Jetico BCVE. Is there any way to exclude my boot drive w/o turning off "Boot Sectors" under "Objects" which turns off boot sector scanning on all of my drives? Thank you for any help.
     
  2. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,374
    Please contact customer care for further instructions.
     
  3. spidey

    spidey Guest

    Thanks Marcos. I posted a request with customer care in addition to submitting this post.
     
  4. spidey

    spidey Guest

    Just received what seems to be a scripted reply from ESET to follow the instructions at http://kb.eset.com/esetkb/index?page=content&id=SOLN141. Not sure that zipping up a file to email makes much sense when it's the non-standard encrypted MBR that's causing the false positive.
     
  5. funkydude

    funkydude Registered Member

    Joined:
    Apr 5, 2004
    Posts:
    6,852
    Sure, if it's a file causing the alarm then they will need to inspect it.
     
  6. spidey

    spidey Guest

    I realize that, but when the message I report contains "boot sector MBR sector of the 0. physical disk" it's pretty clear that it isn't a file involved. Just makes me wonder if their support don't actually read the customer care requests or don't understand the difference between a file and an MBR. Or maybe I don't! :)
     
  7. De Hollander

    De Hollander Registered Member

    Joined:
    Sep 10, 2005
    Posts:
    718
    Location:
    Windmills and cows
    Perhaps they want a copy of your MBR.
     
  8. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,374
    Customer care representatives should provide you with a tool for creating an image of the boot/mbr sectors which you would subsequently send to samples[at]eset.com with "False positive - boot virus" in the subject. If you haven't received it yet, let me know and I'll upload it somewhere for you.
     
  9. spidey

    spidey Guest

    I haven't received a reply from ESET yet. Can I use HDHacker to obtain the MBR to send to samples[at]eset.com? Will I get a reply from ESET to let me know what their results are after emailing the MBR? Thanks for your advice Marcos!
     
  10. agoretsky

    agoretsky Eset Staff Account

    Joined:
    Apr 4, 2006
    Posts:
    4,032
    Location:
    California
    Hello,

    Just to check, is the TSR.BOOT virus still being reported in the MBR of the hard disk drive?

    Regards,

    Aryeh Goretsky
     
  11. DanL

    DanL Registered Member

    Joined:
    Nov 25, 2004
    Posts:
    159
    Wasn't this a past issue with certain brands of laptops?
    I had it on 2 Gateways last summer. False positive.
     
  12. spidey

    spidey Guest

    Hi. I'm not sure. I did submit my MBR to ESET using their MBR tool and received a reply that it was indeed a false positive that would be fixed in the next virus definitions release. However, during the time I was waiting for the reply, my system began experiencing random blue screen errors. I reverted back to NOD32 v2.7 thinking that v4 was responsible based on posts I have read here and the timing of the blue screens so soon after installing v4. I subsequently found out by using MEMTEST86+ that the blue screens were being caused by a defective stick of RAM. During the time I had run v4, I didn't see any advantages over v2.7 to re-install it (mainly I don't like the proxy method of web scanning vs. the method used by 2.7). Sorry that I can't report back definitively. If I decide to give v4 a go again, I'll post back. Thanks for checking back in with me.
     
  13. agoretsky

    agoretsky Eset Staff Account

    Joined:
    Apr 4, 2006
    Posts:
    4,032
    Location:
    California
    Hello,

    A false positive alarm of the TSR.BOOT MBR virus on Jetico BCVE encrypted disk volumes was recently fixed, so unless you report otherwise, I will assume the issue has been resolved for you as well. If it is not, or you once again receive a report of a virus in the MBR of the encrypted disk volume, please post a message in the forum.

    Regards,

    Aryeh Goretsky
     