Exclusions not excluded?!

Discussion in 'ESET NOD32 Antivirus' started by XIII, Jan 27, 2009.

Thread Status:
Not open for further replies.
  1. XIII

    XIII Registered Member

    Joined:
    Jan 12, 2009
    Posts:
    451
    NOD32 gives some false positives on a few programs that use AutoIt(-like) tools for automation (in this case some custom made Nero installers from the MSFN forums). I have added these files to the NOD32 exclusions, but still the on-demand scan stalls on these files, asking me what I want to do with them (delete or no action).

    What I want to achieve: NOD32 should ignore/skip the files I configure and finish the scan, without any user interaction, but also without deleting any files.

    How can I achieve this?

    (I'm using NOD32 3.0.684)
     
  2. funkydude

    funkydude Registered Member

    Joined:
    Apr 5, 2004
    Posts:
    6,852
    Could you post a screenshot of your exclusions so we can see if you've done them properly.
     
  3. SmackyTheFrog

    SmackyTheFrog Registered Member

    Joined:
    Nov 5, 2007
    Posts:
    767
    Location:
    Lansing, Michigan
    The exclusion list is for the Real-Time Scanning module. With on-demand scans you need to deselect the directories and files you want excluded from the scanning profile. If you are getting false positives, it is better to submit them to Eset so the signatures can be updated to correct the issue.
     
  4. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,374
    The exclusion list is actually effective for both real-time protection and the on-demand scanner.
     
  5. SmackyTheFrog

    SmackyTheFrog Registered Member

    Joined:
    Nov 5, 2007
    Posts:
    767
    Location:
    Lansing, Michigan
    Yep, you're right. My bad on that.
     
  6. XIII

    XIII Registered Member

    Joined:
    Jan 12, 2009
    Posts:
    451
  7. XIII

    XIII Registered Member

    Joined:
    Jan 12, 2009
    Posts:
    451
    That's also what the GUI suggests (if you look at the small lines).
     
  8. XIII

    XIII Registered Member

    Joined:
    Jan 12, 2009
    Posts:
    451
    Hm, "false positive" might actually be the wrong term in this case...

    The programs probably do use AutoIt, but I trust these, so don't want to be bothered by NOD32 about them every scan. I don't want to trust AutoIt applications in general though. That's why I would like to exclude the four programs you see in the screen dump.
     
  9. funkydude

    funkydude Registered Member

    Joined:
    Apr 5, 2004
    Posts:
    6,852
    I suggest you remove them all and create the following filter:

    J:\Downloads\Install\CD\Nero\nero_*.*
     
  10. XIII

    XIII Registered Member

    Joined:
    Jan 12, 2009
    Posts:
    451
    Why?

    Does NOD32 not allow exact matches, but only wildcards?

    EDIT: it seems to help anyway (tested it by doing a custom scan on J:\Downloads\Install\CD\Nero)
     
    Last edited: Jan 27, 2009
  11. XIII

    XIII Registered Member

    Joined:
    Jan 12, 2009
    Posts:
    451
    Unfortunately it did not help for a complete scan: that one still stalls on the files that are supposed to be excluded...
     
  12. ahsan_khan

    ahsan_khan Registered Member

    Joined:
    Feb 9, 2008
    Posts:
    24
  13. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,374
    Again, it's not a false positive in the true sense of the word. I've already explained that it uses code obfuscation that is exploited by malware to prevent antivirus programs from seeing their code. ESET doesn't detect it as malware, but as a potentially unwanted application which you have agreed to detect.
     
  14. XIII

    XIII Registered Member

    Joined:
    Jan 12, 2009
    Posts:
    451
    True, but does that option (detecting potentially unwanted applications) have higher priority than the exclusion option?

    I don't understand why the files are scanned while I configured them as an exclusion...
     
  15. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,374
    I'd suggest exporting your EAV configuration and sending it to customer care along with the appropriate entries from the threat log where detection of excluded files is logged.
     
  16. ahsan_khan

    ahsan_khan Registered Member

    Joined:
    Feb 9, 2008
    Posts:
    24
    Do you know 90% of people will not run my file if ESET is giving this warning?
    Potentially unwanted means that there may be something wrong in the file, so users will not run my file...
    That's why I always recommend users to use AVG Free or McAfee, because these antiviruses give fewer false positive warnings.
    ESET should do something about it...

    What do you think?
     
  17. funkydude

    funkydude Registered Member

    Joined:
    Apr 5, 2004
    Posts:
    6,852
    Why would you obfuscate your program?
     
  18. ahsan_khan

    ahsan_khan Registered Member

    Joined:
    Feb 9, 2008
    Posts:
    24
    For protecting my script/code from decompiling and cracking, for making my code safe from hackers.
    Did you get it?
     
  19. funkydude

    funkydude Registered Member

    Joined:
    Apr 5, 2004
    Posts:
    6,852
    So use another method for compiling?
     
  20. ahsan_khan

    ahsan_khan Registered Member

    Joined:
    Feb 9, 2008
    Posts:
    24
    Can you explain more... what do you want to say?

    An obfuscator makes the code unreadable, so hackers and crackers cannot access the saved information in the code.
    There is no alternative for AutoIt scripts if we want to use any other compiler; only the default compiler works for AutoIt script (*.AU3) files.
     
  21. ahsan_khan

    ahsan_khan Registered Member

    Joined:
    Feb 9, 2008
    Posts:
    24
    Where are you, Marcos & funkydude? o_O

    Please answer my previous post.

    Bump.
     
  22. funkydude

    funkydude Registered Member

    Joined:
    Apr 5, 2004
    Posts:
    6,852
    Well I have no idea what program you're making, what language you're using, etc.

    All I'm saying is other legitimate programs seem to survive fine without the use of "malware abused" packers/obfuscators etc, etc.
     
  23. ahsan_khan

    ahsan_khan Registered Member

    Joined:
    Feb 9, 2008
    Posts:
    24
    Thanks for your helpful reply, but I am using AutoIt Script for automation of a program. Ever heard about it? (Google it)
    I don't want my customers to decompile it and get the source, passwords, or any other information from it.

    What should I do now? Packing and obfuscation methods always flag my exe as a virus.

    If you are going to say that I should send these files to ESET, then please don't suggest this, because all of my scripts always get flagged as a virus.

    Thanks!
     
  24. edwin3333

    edwin3333 Registered Member

    Joined:
    Aug 29, 2007
    Posts:
    244
    Could it be that this is an issue with accessing the file using its short name?

    When we use other antivirus software, such as CA Etrust, exclusions require us to enter both the long name and the short name. This is because some software always converts to DOS 8.3 naming and uses that.

    Your path is obviously using long names, so perhaps you can try entering the short name?

    To see a short name, you run DIR /x and it will show you each path's short name. For example,

    C:\Documents and Settings\Fred\My Documents\My FaxPress\*.*
    becomes
    c:\docume~1\Fred\MyDocu~1\MyFaxP~1\*.*

    Anyway, this solved this issue for us on other antivirus products. We currently don't have many exclusions in Nod32, and the ones we do are short names so they wouldn't run into this issue.
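    The short-name approach described in the post above, as an added example that is not part of the original thread and not ESET's or anyone's posted code: a PowerShell snippet that resolves the 8.3 (DOS) short path for each candidate exclusion entry so that both the long and the short form can be entered in the exclusion list. It uses the Scripting.FileSystemObject COM object (its File and Folder objects expose a ShortPath property), and the two paths in $exclusions are constructed sample entries. It assumes 8.3 name generation is enabled on the volume; on newer Windows versions this can be checked with `fsutil 8dot3name query <drive>:`, and when it is disabled ShortPath simply returns the long path, which the script reports.

```powershell
# Added example, not from the thread: emit long path -> 8.3 short path for exclusion entries.
# Assumes 8.3 name generation is enabled on the volume (fsutil 8dot3name query <drive>:).

$fso = New-Object -ComObject Scripting.FileSystemObject

function Get-ShortPath {
    param([Parameter(Mandatory = $true)][string]$Path)
    # Folders and files are different FSO object types, so pick the right accessor.
    if (Test-Path -LiteralPath $Path -PathType Container) {
        return $fso.GetFolder($Path).ShortPath
    }
    elseif (Test-Path -LiteralPath $Path -PathType Leaf) {
        return $fso.GetFile($Path).ShortPath
    }
    else {
        throw "Path not found: $Path"
    }
}

# Constructed sample entries; replace with the paths actually in your exclusion list.
$exclusions = @(
    'C:\Documents and Settings\Fred\My Documents\My FaxPress',
    'J:\Downloads\Install\CD\Nero'
)

foreach ($long in $exclusions) {
    try {
        $short = Get-ShortPath -Path $long
    }
    catch {
        Write-Warning $_.Exception.Message
        continue
    }
    if ($short -ieq $long) {
        # No 8.3 alias exists (8.3 generation disabled or name already fits), so one entry suffices.
        Write-Host "$long  (no separate short name)"
    }
    else {
        # Both forms should be added: the scanner may see the file under either name.
        Write-Host "$long  ->  $short"
    }
}
```

    The output pairs are what you would add as two separate exclusion entries (append `\*.*` to a folder entry if the product expects a file mask). If the short form comes back identical to the long form on a volume where you expected an alias, check whether 8.3 name generation was disabled after the files were created; aliases are only assigned when a name is written.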
     
  25. ahsan_khan

    ahsan_khan Registered Member

    Joined:
    Feb 9, 2008
    Posts:
    24
    But I want to know: why are AutoIt programs always flagged as a virus?
     