ESET NOD32 Detecting LOTS of False Positives

Discussion in 'ESET NOD32 Antivirus' started by TJColin, May 27, 2011.

Thread Status:
Not open for further replies.
  1. TJColin

    TJColin Registered Member

    Joined:
    May 27, 2011
    Posts:
    7
    Hello,

    Over the course of about the last week, we have noticed that ESET NOD32 is increasingly detecting a lot of false positives.

    This is a serious problem for us as an ISV, because it is detecting a lot of our own programs as being viruses.

    We have had a problem in the past where we found that we had to disable "Advanced Heuristics" for our Update Modules not to be detected as potential viruses, but now it has gone crazy, detecting Win32/TrojanDownloader.Small.PAC trojan in hundreds of files.

    Yesterday afternoon I submitted a sample of the false positives to samples@eset.com (as described here), however have not received a response yet (not even an automated one).

    Has anyone else experienced this behaviour? I have done a search of the ESET forums but cannot find anyone else reporting this.

    I found that some recent threads in the "Prevx" forum group are reporting a very similar problem (see here), however I do not know how or if "Prevx" relates to NOD32.

    Has anyone encountered a similar issue? Has anyone any advice as to what we can do?

    Thanks for your help,

    Colin
     
  2. danieln

    danieln Eset Staff

    Joined:
    Jan 7, 2009
    Posts:
    112
    It is very unlikely for the static signature Win32/TrojanDownloader.Small.PAC trojan to create a false positive. This detection targets infected files and the cleaner is available too.
    Other vendors detect the malware too, as Virus.Win32.Murofet.a or Trojan.Zbot.B!inf.
    Try to submit the file to www.virustotal.com to see how it is detected.

    What exactly was the mentioned problem in the past, what files were detected and what was the detection name?
     
  3. TJColin

    TJColin Registered Member

    Joined:
    May 27, 2011
    Posts:
    7
    Hmmm... So the alternative is that something has got in and actually been modifying hundreds of files to include this trojan. Eek! Right, back when I know more...
     
  4. TJColin

    TJColin Registered Member

    Joined:
    May 27, 2011
    Posts:
    7
    Do you think it could be theoretically possible for this trojan to co-exist with NOD32 on the same machine?

    One of our users reported seeing a message about a virus on Monday. NOD32 (installed, running, and up-to-date) cleaned it, but since then, this has been appearing more. His machine in particular has had NOD32 reporting locating the virus in all sorts of random network locations - I wonder if the virus is scanning for places to install itself, injecting its code, and then NOD32 is detecting its presence?
     
  5. TJColin

    TJColin Registered Member

    Joined:
    May 27, 2011
    Posts:
    7
    We have two infected machines.

    The first one was infected at approximately 10:02 BST on Monday 23rd May, and the initial virus detected by NOD32 was Win32/Agent.SOE trojan.

    NOD32 reported this virus as cleaned.

    By 10:05, on the same machine, NOD32 began detecting random .exes on the machine as having been infected by TrojanDownloader.Small.PAC trojan. This appears to have been the source of the outbreak.
    I am not sure how it managed to "escape" past NOD32, but I do notice that subsequent NOD32 definitions have included an update for the Win32/Agent.SOE trojan.

    At the time, we had disconnected the computer from the network, restarted it, done a scan, etc., and it appeared removed.

    After a couple of days, we noticed that a number of our Update Modules (self-extracting zips which run a VB6 program which updates some files) had become corrupt and would not run. Checking logs discovered that NOD32 had been "cleaning" these files.

    As I described in my first post, we have previously had the problem whereby we have had to disable "Advanced Heuristics" as these programs were erroneously detected as containing a virus ("probably unknown NewHeur_PE virus"). I have previously submitted a sample and a description of this problem from within NOD32 but did not receive a response.

    As NOD32 was up-to-date on all our PCs and servers, and as we had previously had the false-positive detection problem on these files, we mistakenly assumed that the same problem had happened again... Looks like we were wrong!

    We are now working to clear up the mess... :S
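    One check that would have settled the "false positive or real infection?" question in this post is comparing the deployed Update Modules against the hashes recorded from the clean build machine. The script below is an added example, not code from the thread or from ESET; file names and contents are constructed for the demo.

```python
import hashlib
import os
import tempfile


def sha256_file(path: str) -> str:
    """Hash a file in chunks so large installers do not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: str) -> dict:
    """Record the SHA-256 of every file under root (run on the clean build machine)."""
    manifest = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            manifest[os.path.relpath(path, root)] = sha256_file(path)
    return manifest


def verify_against_manifest(root: str, manifest: dict) -> dict:
    """Return {relpath: status}; status is 'ok', 'modified', 'missing' or 'unexpected'."""
    current = build_manifest(root)
    result = {}
    for rel, digest in manifest.items():
        if rel not in current:
            result[rel] = "missing"
        elif current[rel] != digest:
            result[rel] = "modified"  # a file infector changes the bytes, an AV FP does not
        else:
            result[rel] = "ok"
    for rel in current:
        if rel not in manifest:
            result[rel] = "unexpected"  # dropped alongside the release tree
    return result


def demo() -> dict:
    """Constructed sample: a clean release tree, then a deployed copy with one file altered."""
    with tempfile.TemporaryDirectory() as clean, tempfile.TemporaryDirectory() as deployed:
        for d in (clean, deployed):
            with open(os.path.join(d, "update.exe"), "wb") as f:
                f.write(b"MZ-clean-build")
            with open(os.path.join(d, "readme.txt"), "wb") as f:
                f.write(b"release notes")
        manifest = build_manifest(clean)
        with open(os.path.join(deployed, "update.exe"), "ab") as f:
            f.write(b"APPENDED-SECTION")  # simulates infected code appended to the executable
        return verify_against_manifest(deployed, manifest)
```

    A "modified" result on a file NOD32 flags means the binary really changed since the build; an "ok" result on a flagged file is the evidence to send with a false-positive report.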
     
  6. danieln

    danieln Eset Staff

    Joined:
    Jan 7, 2009
    Posts:
    112
    Disabling the advanced heuristics is a serious security compromise as it not only disables the NewHeur_PE detection but almost all Win32 generic signatures relying on the technology. It is not recommended to leave it disabled.
    I suggest you send the files detected as probably unknown NewHeur_PE virus per the instructions at http://kb.eset.com/esetkb/index?page=content&id=SOLN141 with this thread URL in the subject. Make sure you submit them from a clean machine (which was not compromised before). If the file exists in more versions, submit several examples.
     
  7. Fiery_WA

    Fiery_WA Registered Member

    Joined:
    Apr 6, 2008
    Posts:
    42
    It is saying my GPU drivers downloaded from the Nvidia site, plus, as you will see, things like the Microsoft Genuine Validation Tool.
     
