ESET NOD32 5.2.9.1 (False Positives ++)?!

Discussion in 'ESET NOD32 Antivirus' started by Cruachan, Nov 29, 2012.

Thread Status:
Not open for further replies.
  1. Cruachan

    Cruachan Registered Member

    Joined:
    Jun 7, 2012
    Posts:
    23
    Location:
    United Kingdom
    Hi Marcos or anyone else who cares to chip in,

    I have a 32GB USB memory stick which performs flawlessly and I use it to transfer music related data (recordings and documents) between a couple of PCs in my home (both Windows 7 SP1 and both with NOD32 5.2.9.1). It has been in use for a couple of years now and has never let me down. NOD32 is configured on insertion of the stick to 'Scan Later', yet on one PC (my laptop) NOD32 today began scanning the stick's content regardless and placed >100 files into quarantine!

    [Attached image: False Positives.JPG]

    You will see from the above image the type of file being detected and all are being reported as being a Caphaw.J trojan.

    I've tried configuring NOD32 not to scan drive F:\*.* but it makes no difference. I try restoring the files but NOD32 immediately puts them all back again into quarantine. Changing Removable Media Rules to block access works, but I've discovered that that rule applies to me as well, not just NOD32, so no help there.

    What is happening? Am I misunderstanding something? Why has this just started to occur? All the files on the stick were created in house and nothing has been imported from outside. All these detections appear to be links for some strange reason although these don't appear in the folder, only the parent files. All the files are accessible by Word Starter 2010 on my laptop. Most, if not all, of the files were created with Word 2002 (XP) on my desktop PC.

    How can I stop this from happening? It's becoming quite irritating, not least because I'm at a loss for an explanation.

    Thank you.

    Mike
     
    Last edited: Nov 30, 2012
  2. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,374
    This is unlikely to be a false positive. Such lnk files are created by Caphaw in local folders and remote shares. I ran across these files when troubleshooting a malware issue on a user's system and requested adding a detection a day ago. So far we haven't received any FP via LiveGrid. If you want to make sure, submit a few of such lnk files to ESET as per the instructions here.
     
  3. Cruachan

    Cruachan Registered Member

    Joined:
    Jun 7, 2012
    Posts:
    23
    Location:
    United Kingdom
    Hi Marcos,

    I have done as you asked from within the Quarantine module of NOD32:

    Highlighted all the detections (146), right-clicked and selected 'Submit for Analysis'. I have included a link to this thread for your lab technicians. I note that while all the objects appear to be links they are in fact from several folders. All are from the F:\ drive, my 32GB Memory Stick. I'll perform an in-depth scan of C:\ as it has copies of all those affected parent files.

    Will I get any feedback from your laboratory?

    Should I leave these detected (? infected) objects in quarantine meantime?

    Regards,

    Mike
     
  4. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,374
    I'll check it out. However, it's not a good idea to submit so many files as a separate ticket will be created for each.
     
  5. Cruachan

    Cruachan Registered Member

    Joined:
    Jun 7, 2012
    Posts:
    23
    Location:
    United Kingdom
    Hi Marcos,

    Have you received any feedback yet?
    Waiting patiently...

    Regards,

    Mike
     
  6. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,374
    I couldn't find those files. However, you can submit them to VirusTotal, for instance; Microsoft started detecting this malware 1-2 days after we did.
     
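Marcos's note that the detected objects are .lnk files dropped alongside documents, together with the later suggestion to check them against VirusTotal, is the kind of situation where a user wants to see for themselves what a shortcut actually points at and obtain a hash to look up without uploading anything. The script below is an added example written for this thread; it is not ESET's code and not from the original posts. It parses the Shell Link header and StringData fields as laid out in Microsoft's MS-SHLLINK specification (the offsets and flag bits are assumed from that document), skips the optional ID list and LinkInfo blocks, and reports each shortcut's target, arguments and SHA-256. The two sample shortcuts are constructed in the script so it runs offline; the "suspicious" heuristic (target is a command or script host, or the shortcut carries command-line arguments, which a plain link to a Word document normally does not) is a triage hint, not a verdict.

```python
import hashlib
import struct
from pathlib import Path

# LinkFlags bits and the Shell Link CLSID, per MS-SHLLINK (assumed from the spec).
HAS_LINK_TARGET_ID_LIST = 0x01
HAS_LINK_INFO = 0x02
HAS_NAME = 0x04
HAS_RELATIVE_PATH = 0x08
HAS_WORKING_DIR = 0x10
HAS_ARGUMENTS = 0x20
HAS_ICON_LOCATION = 0x40
IS_UNICODE = 0x80
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
HEADER_SIZE = 0x4C  # 76 bytes

# Hosts that a document shortcut has no business launching (triage hint only).
COMMAND_HOSTS = ("cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe", "mshta.exe")


def parse_lnk(data: bytes) -> dict:
    """Return the StringData fields (name, relative_path, working_dir, arguments, icon_location)."""
    if len(data) < HEADER_SIZE or struct.unpack_from("<I", data, 0)[0] != HEADER_SIZE \
            or data[4:20] != LNK_CLSID:
        raise ValueError("not a Shell Link file")
    flags = struct.unpack_from("<I", data, 20)[0]
    pos = HEADER_SIZE
    if flags & HAS_LINK_TARGET_ID_LIST:          # IDListSize (uint16) + IDList
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINK_INFO:                    # LinkInfoSize (uint32) counts itself
        pos += struct.unpack_from("<I", data, pos)[0]
    fields = {}
    for flag, name in ((HAS_NAME, "name"), (HAS_RELATIVE_PATH, "relative_path"),
                       (HAS_WORKING_DIR, "working_dir"), (HAS_ARGUMENTS, "arguments"),
                       (HAS_ICON_LOCATION, "icon_location")):
        if not flags & flag:
            continue
        count = struct.unpack_from("<H", data, pos)[0]  # CountCharacters, no terminator
        pos += 2
        width = 2 if flags & IS_UNICODE else 1
        raw = data[pos:pos + count * width]
        pos += count * width
        fields[name] = raw.decode("utf-16-le") if width == 2 else raw.decode("cp1252", "replace")
    return fields


def triage_lnk(data: bytes) -> dict:
    """Summarise one shortcut: hash for lookup, where it points, and why it may deserve a look."""
    fields = parse_lnk(data)
    target = fields.get("relative_path", "")
    args = fields.get("arguments", "")
    reasons = []
    if target.lower().endswith(COMMAND_HOSTS):
        reasons.append("target is a command/script host")
    if args.strip():
        reasons.append("shortcut passes command-line arguments")
    return {"sha256": hashlib.sha256(data).hexdigest(), "target": target,
            "arguments": args, "suspicious": bool(reasons), "reasons": reasons}


def scan_drive(root: str) -> list:
    """Walk a drive (e.g. the F:\\ memory stick) and triage every .lnk found."""
    results = []
    for path in Path(root).rglob("*.lnk"):
        try:
            info = triage_lnk(path.read_bytes())
        except (OSError, ValueError) as exc:
            info = {"sha256": None, "target": "", "arguments": "", "suspicious": False,
                    "reasons": ["unreadable: %s" % exc]}
        info["path"] = str(path)
        results.append(info)
    return results


def build_lnk(relative_path: str, working_dir: str = "", arguments: str = "") -> bytes:
    """Build a minimal Unicode Shell Link holding only StringData (constructed sample)."""
    flags = HAS_RELATIVE_PATH | IS_UNICODE
    flags |= HAS_WORKING_DIR if working_dir else 0
    flags |= HAS_ARGUMENTS if arguments else 0
    header = struct.pack("<I16sI", HEADER_SIZE, LNK_CLSID, flags) + bytes(HEADER_SIZE - 24)
    body = b""
    for text in (relative_path, working_dir, arguments):   # spec order after Name
        if text:
            body += struct.pack("<H", len(text)) + text.encode("utf-16-le")
    return header + body


if __name__ == "__main__":
    # Constructed samples: a plain link to a recording's notes, and one that launches cmd.exe.
    samples = {
        "session1.doc.lnk": build_lnk(".\\Recordings\\session1.doc"),
        "notes.lnk": build_lnk("..\\..\\Windows\\System32\\cmd.exe", "C:\\Users\\Mike",
                               "/c start notes.doc"),
    }
    for name, blob in samples.items():
        print(name, triage_lnk(blob))
```

Run `scan_drive("F:\\")` against the stick (or a copy of its contents) to list every shortcut with its SHA-256; the hash can be searched on VirusTotal without submitting the file, which sidesteps the "how do I submit files I can't access" problem once the quarantined copies have been restored to a folder the scanner is told to ignore.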
  7. Cruachan

    Cruachan Registered Member

    Joined:
    Jun 7, 2012
    Posts:
    23
    Location:
    United Kingdom
    Hmm!?

    Does beg the question as to how I submit files that don't appear to be accessible by me in the first place? As I said, these all seem to be links to parent files and are promptly re-quarantined by ESET NOD32 as soon as they are restored.

    If you were unable to "find" these files, which were submitted using the module embedded in NOD32, it does make me wonder whether these have indeed been false positives or strange NOD32 detections of the phantom variety.

    No more are being detected on any of my PCs or memory sticks so I guess I'll let quarantine delete them all in due course and forget about it.

    BTW, why was it necessary for me to take the initiative to obtain a response? Wouldn't it have been more helpful had you advised me of the difficulty you were experiencing along with some suggestions as to how it could be resolved rather than taking the easier route by passing the buck to another scanning engine? What does this say about NOD32?

    Mike
     
    Last edited: Dec 13, 2012