ESET & TurboTax files: False Positives?

Discussion in 'ESET NOD32 Antivirus' started by Tarl, Jun 1, 2011.

Thread Status:
Not open for further replies.
  1. Tarl

    Tarl Registered Member

    Joined:
    Jun 1, 2011
    Posts:
    3
    It appears several ESET NOD32 users are having an issue with threats identified in TurboTax files. (See https://ttlc.intuit.com/post/show_f...ects-certain-turbotax-files-as-possible-virus)

    For all I know, these are false positives. But based on the fact that ESET detected the following threat prior to picking up on a cascade of threats in TurboTax, I'm wondering if the initial infection of Java/Agent.CA trojan caused subsequent problems or infections in my TurboTax files.

    Here's the first threat identified by ESET on 5/25 during a regularly scheduled scan. It does not appear to be targeting TurboTax files.

    C:\Users\*Username*\AppData\Local\Low\Sun\Java\Deployment\cache6.0256a752759-66971b4f » ZIP » Lware.class - Java/Agent.CA trojan - was a part of the deleted object

    The next two alerts occurred as the result of real-time protection -- not a scheduled scan:

    5/29/2011 7:27:05 PM
    Real-time file system protection file
    C:\Windows\Installer\$PatchCache$\Managed\5F579832AAEB210DA4B0000000000009.0.236\_lld.2.8v.niW.2scitsigarfnI_rgnerepw_
    probably a variant of Win32/PSW.OnLineGames.FRWEPAN trojan
    cleaned by deleting - quarantined
    NT AUTHORITY\SYSTEM
    Event occurred during an attempt to access the file by the application: C:\Windows\System32\svchost.exe.

    5/29/2011 7:29:11 PM
    Real-time file system protection file C:\Windows\Installer\$PatchCache$\Managed\B00E525A9066E244D9DC4654C332E3D810.0.307\_lld.2.8v.niW.2scitsigarfnI_tib23_rgnerepw_
    probably a variant of Win32/PSW.OnLineGames.FRWEPAN trojan
    cleaned by deleting - quarantined
    NT AUTHORITY\SYSTEM
    Event occurred during an attempt to access the file by the application: C:\Windows\System32\svchost.exe.

    Then, a few minutes later, ESET picked up on this. It's the first time I see TurboTax appearing in the threat log:

    5/29/2011 7:41:33 PM
    Real-time file system protection file
    C:\PROGRAM FILES\TURBOTAX\32BIT\INFRAGISTICS2.WIN.V8.2.DLL probably a variant of Win32/PSW.OnLineGames.FRWEPAN trojan
    cleaned by deleting - quarantined NT AUTHORITY\SYSTEM
    Event occurred during an attempt to access the file by the application: C:\Windows\System32\svchost.exe.

    During a scan a few hours later, ESET later detected the same Trojan variant in a TurboTax 2009 .dll file:

    C:\Program Files\TurboTax Home & Business 2009\32bit\Infragistics2.Win.v8.2.dll

    The next morning, another scan caught the same Trojan variant in this TurboTax 2010 .dll file:

    C:\Program Files\Intuit\Turbo Tax\TY10\PER\MSI\WinPerReleaseEngine.msi

    ...and also in that same file within TurboTax 2009:

    C:\Program Files\Intuit\Turbo Tax\TY09\PER\MSI\WinPerReleaseEngine.msi

    I've since quarantined several files and deleted those that ESET couldn't quarantine. The result is that TurboTax no longer launches.

    I contacted ESET support asking if, in their opinion, these TurboTax detections are false positives. I received a bit of a boilerplate response basically describing how I can configure ESET to keep from scanning TurboTax files.

    But here's my question: Are these, in ESET's opinion, genuine threats? It's interesting that other TurboTax/ESET users are experiencing the same issues at the same time.

    Thanks in advance for any insights you can offer.
     
  2. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,374
    You must be using an outdated signature database. This FP was fixed several days ago.
     
  3. Tarl

    Tarl Registered Member

    Joined:
    Jun 1, 2011
    Posts:
    3
    Thanks for the fast reply. So these were known FPs?

    I have NOD32 configured to update hourly, so I guess I got caught in a pretty narrow window.

    If these are known FPs, then I'm happy. I'll just reinstate/reinstall the files and all should be fine.

    Thanks again.
     
  4. siljaline

    siljaline Former Poster

    Joined:
    Jun 29, 2003
    Posts:
    6,619
    There is no need to reinstall your software, assuming it is current and that your virus signatures are current. Updating hourly via your scheduler is every sixty minutes by default.

    If only the TurboTax files were quarantined, you may remove them. Awaiting further details.

    Thanks.
     
    Last edited: Jun 2, 2011
  5. jimwillsher

    jimwillsher Registered Member

    Joined:
    Mar 4, 2009
    Posts:
    668
    I think he's referring to reinstalling the files that were removed as FPs, rather than reinstalling ESET.


    Jim
     
  6. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,374
    It should be ok just to restore them from quarantine. This can be done globally on all computers using ERA.
     
  7. Tarl

    Tarl Registered Member

    Joined:
    Jun 1, 2011
    Posts:
    3
    Thanks guys. Yes, I was referring to reinstalling TurboTax 2010, which is one fix that someone on the TurboTax board suggested.

    But if these truly are FPs, then restoring them out of quarantine ought to do the trick.

    Bottom line....based on your responses, it appears these TurboTax files, once restored or reinstalled (whichever method successfully gets TurboTax operating again), should pose no threat to my system. And that's precisely what I needed to know.

    Thanks again.
     
  8. siljaline

    siljaline Former Poster

    Joined:
    Jun 29, 2003
    Posts:
    6,619
    You are welcome, let us know if we can be of further assistance.

    Regards,
     