Exclusion list doesn't work.

Discussion in 'NOD32 version 2 Forum' started by DarkHawke, Apr 30, 2007.

Thread Status:
Not open for further replies.
  1. DarkHawke

    DarkHawke Registered Member

    Joined:
    Apr 20, 2007
    Posts:
    5
    I'm evaluating the trial version of NOD and one problem I'm having with it is truly annoying me. NOD seems to think that files related to the HSN toolbar I have installed for my browsers are infected with something it calls "Win32/Toolbar.HSN application." Well, for my money I think it's just being picky, but every attempt at preventing them frakkin' little balloons complaining about it has yet to work. I don't want to kill the notifications, as something legitimately infected might show up, so I've tried using the AMON exclusion list to target every directory and file in the alerts. And, thanks to looking through related threads here, I have included both long and short paths for all of the above. Still, I get the annoying balloons.

    Specifically, the files flagged are:
    C:\Program Files\HSN\bar\1.bin\HSNHTTP.DLL
    C:\Program Files\HSN\bar\1.bin\HSNDATA.DLL
    C:\Program Files\HSN\bar\1.bin\HSNHTML.DLL
    C:\Program Files\HSN\bar\1.bin\hsnSkin.DLL
    c:\program files\hsn\bar\1.bin\hsnbar.dll

    so I have exclusion list entries for each of those files and for each directory level beginning with the "HSN" directory and below. And for each file or directory, there's a long path as above and a short path, e.g. "c:\progra~1\hsn\bar\1.bin\hsnbar.dll". Lotsa entries and lots of time working on what should be a trivial thing. What have I missed? Any other info y'all need? Thank y'all for your help with this.
     
  2. ASpace

    ASpace Guest

    Hello and Welcome to Wilders !

    This toolbar is not very good and that's why NOD32 detects it. I strongly recommend you uninstall it and then perform a full scan with NOD32.

    If you decide to keep it, you can try the following:
    1. Open NOD32 Control Center
    2. Click on AMON -> Setup
    3. Choose "Options" tab
    4. Uncheck detection for "Potentially unsafe applications"

    Confirm with OK

    5. Open IMON -> Setup
    6. Choose "Miscellaneous" tab
    7. Choose Scanner and press Setup
    8. Uncheck detection for "Potentially unsafe applications"

    Confirm with OK

    Hide NOD32 Control Center
     
  3. JAB

    JAB Registered Member

    Joined:
    Apr 17, 2007
    Posts:
    36
    I don't think the question is why NOD32 detects it. The question is why it still scans the files after DarkHawke has added their directories to the exclusion list.

    DarkHawke: I'm assuming that you added the directories to the exclusion list in AMON. Is the detection occurring because of the AMON real-time scan or because of the NOD32 on-demand scan?

    /jab
     
  4. DarkHawke

    DarkHawke Registered Member

    Joined:
    Apr 20, 2007
    Posts:
    5
    HiTech_boy:
    Well, I checked the settings in both the AMON and the IMON. Both already had the settings for potentially unsafe applications AND potentially unwanted applications unchecked, but for the sake of argument, I checked them, okayed them, then went back into the setup, unchecked them, okayed that and, well, no balloons yet and no new alerts in the logs, though this is the first time since I made the "changes" that I've had the 'puter on, so we'll have to see what happens.

    I still don't know what the problem is with this toolbar. Googling the "rogue" application turns up only that NOD32 detects it. Nothing more specific about what it is or why NOD32 would consider it a problem.

    JAB:
    Correct on both counts: allegedly the exclusion list should have addressed the problem, and yes, I added not just the top level directory, in this case C:\Program Files\HSN\, but each subdirectory in turn down to the one containing the problem DLLs, e.g. C:\Program Files\HSN\bar\ and C:\Program Files\HSN\bar\1.bin\, as well as the short path, substituting "Progra~1" for "Program Files" in each case. Simply put, I've got 16 lines in the AMON exclusions list to deal with what should have only needed 1 line, and they didn't work. So far the procedure I noted above @HiTech_boy seems to have stopped the balloon notifications.

    And this is dealing solely with the real-time scan, not the on-demand. The on-demand does pick up these problem DLLs, but it's not anywhere NEAR the annoyance of a balloon popping up every five minutes to tell you about an alleged problem that (A) doesn't really exist and (B) shouldn't even be detected anymore.
     
  5. ASpace

    ASpace Guest

    ...which means it is ready ;)

    If it is detected, there is something. Anyway, it is no longer detected on your computer.

    Thanks for updating the thread
     
  6. DarkHawke

    DarkHawke Registered Member

    Joined:
    Apr 20, 2007
    Posts:
    5
    Not anymore. The alerts are back. Any other suggestions? Perhaps re-installing NOD?

    Not sure what that means. If it really is a problem, why no detail, and why nothing from any other source?
     
  7. JAB

    JAB Registered Member

    Joined:
    Apr 17, 2007
    Posts:
    36
    Well, for what it's worth, AntiVir doesn't like it either. You could try passing it through VirusTotal to see how picky NOD and AntiVir are really being.

    Are you absolutely positive it's AMON generating the alert and not IMON? When all else fails, reinstalling is not a bad option.

    /jab
     
  8. KDNeese

    KDNeese Registered Member

    Joined:
    Dec 16, 2005
    Posts:
    236
    Probably has something to do with the heuristic detection, which I believe reacts to behavioral anomalies as well as signatures. There is something this toolbar is doing that is setting it off. Not a good sign. Don't write it off as a false positive just yet.

    HSN Shopping Bar is flagged as malware by SNORT rules:

    http://www.bleedingsnort.com/cgi-bin/viewcvs.cgi/rules/bleeding-sid-msg.map?rev=1.1412

    http://www.bleedingsnort.com/cgi-bin/viewcvs.cgi/sigs/MALWARE/MALWARE_USER_Agents?rev=1.137

    I also notice that according to some HijackThis logs I looked at, the HSN bar also places the HSN website in the IE trusted zone. Unless that action was specifically done by the user, that is also not a good thing, and something indicative of spyware. Also, the very fact that HSN gives some sort of discount for those who download the bar tells me that there is a very good chance the toolbar is spyware and is being used as a marketing tool to monitor users' surfing habits (as is the case with most toolbars and BHOs). I've also noticed that HSN.exe (if associated with the toolbar) places itself in the System32 folder as well as in the autostart programs. Norman Antivirus flags it as malware: DNS Changer, W32/Agent Trojan, W32/Banker Trojan... so NOD is not alone in its assessment. At any rate, I don't think it's a good idea to keep it.
     
  9. DarkHawke

    DarkHawke Registered Member

    Joined:
    Apr 20, 2007
    Posts:
    5
    Kaspersky, Panda, and VBA32 (?) picked it up as well via VirusTotal, but AntiVir passed it on that site. Odd. Still, with the added details KDNeese provided (thanks!), I guess it's not the best thing to have on my system. Doesn't explain why I couldn't prevent the alerts, but I guess they'll end soon! :D

    How would I tell the difference? I tried using the IMON exclusion list, but you can only exclude applications with the ".exe" extension, not DLLs. The point seems kinda moot now, though.
     
  10. csamanta

    csamanta Registered Member

    Joined:
    Jan 22, 2007
    Posts:
    6
    In my experience, the exclusions stuff in NOD32 doesn't really work the way you might expect. It seems there's no way to tell NOD32 "I don't care how bad this thing is, just ignore it anyway". However, things that NOD32 flags are at least worth your attention.

    If you have software that you're really sure is ok, and can provide details about it, you can contact NOD32 support and discuss with them. I have found them to be quite responsive.

    (I would agree about the caution on toolbars -- there's too much malware floating about, pretending to be helpful. It doesn't matter if it came from a "reputable large corporation", remember Sony's rootkit?)
     
  11. ASpace

    ASpace Guest

    No, not needed. Sorry for my late response.

    Now try this, it should work!

    1. Open NOD32 Control Center
    2. Click on AMON -> Setup
    3. Choose "Options" tab
    4. Uncheck detection for "Potentially unsafe applications"
    5. Uncheck detection for "Potentially unwanted applications"

    Confirm with OK

    6. Open IMON -> Setup
    7. Choose "Miscellaneous" tab
    8. Choose Scanner and press Setup
    9. Uncheck detection for "Potentially unsafe applications"
    10. Uncheck detection for "Potentially unwanted applications"

    Confirm with OK

    Hide NOD32 Control Center


    N.B. If after the above instructions it still gets detected, then it should be in another category (e.g. Spyware/Adware/Riskware) and it is really nasty.
     
  12. JAB

    JAB Registered Member

    Joined:
    Apr 17, 2007
    Posts:
    36
    I have every detection option in AntiVir on its most aggressive setting. Perhaps that is the difference. The detection was "ADSPY/MyWebSearch.978288".

    You could disable IMON and see if you still get detection warnings.

    /jab
     
  13. DarkHawke

    DarkHawke Registered Member

    Joined:
    Apr 20, 2007
    Posts:
    5
    Well, I guess it was, as I had already unchecked both the potentially unsafe AND unwanted selections in both AMON and IMON. I still got the alert. However, given the further detail on what the HSN toolbar may be doing to my system, I opted to uninstall it, and there have been no further alerts or problems. Thank you to everyone who replied with suggestions and further information about this situation. I greatly appreciate your help! :)
     
  14. ASpace

    ASpace Guest

    You are welcome!

    I myself never install toolbars (incl. Google toolbar, ICQ toolbar...) because when one reads their EULA they may get really concerned about privacy.
     