False positive and problem excluding files

Discussion in 'ESET NOD32 Antivirus' started by shares, Apr 7, 2011.

Thread Status:
Not open for further replies.
  1. shares, Registered Member (Joined: Apr 6, 2011; Posts: 2)

    Hello!

    I've got a bit of a problem with the real-time file system protection in NOD32. One of our developers is trying to compile some software in Visual Studio 2010, but NOD32 keeps detecting it as a virus and deleting it (presumably through heuristic analysis).

    The information that is logged says:

    "Threat probably a variant of Win32/Genetik trojan"
    "Info Event occurred on a new file created by the application: C:\Program Files\Microsoft Visual Studio 10.0\VC\bin\link.exe."

    Which suggests to me that it maybe doesn't like the way the file is being created. So my first question is: is it reasonable to assume this is a false positive?

    Secondly, I have tried excluding the file from scanning so the guy can get on with his work in the meantime, and I cannot get it to work. Or rather, the wildcard function doesn't work.

    If I put in the full path to that executable it works, but I don't want to. I want to just exclude that filename from scanning, but putting c:\*filename.exe doesn't work. I've tried various combinations such as c:\*\filename.exe, c:\*\*filename.exe and c:\*filename.exe*, but it seems that unless I put the full exact path to the file it doesn't work!

    Windows 7 SP1 64-bit. I've also observed the problem on a 32-bit Vista box.
    ESET NOD32 Antivirus 4.2.71.2
    Virus signature database: 6020 (20110406)
    Update module: 1031 (20091029)
    Antivirus and antispyware module: 1296 (20110301)
    Advanced heuristics module: 1115 (20101116)
    Archive support module: 1128 (20110315)
    Cleaner module: 1050 (20101207)
    Anti-Stealth support module: 1024 (20101227)
    SysInspector module: 1217 (20100907)
    Self-defense support module: 1018 (20100812)
    Real-time file system protection module: 1004 (20100727)

    Thanks!

    Paul
     
  2. Marcos, Eset Staff Account (Joined: Nov 22, 2002; Posts: 14,374)

    It's a heuristic detection which is triggered by highly unusual and suspicious code in your application. Please submit the file to ESET per the instructions here and include as much information as possible (i.e. the purpose of the application, a download link, the source code, etc.)
     
  3. shares, Registered Member (Joined: Apr 6, 2011; Posts: 2)

    Interestingly, the detection only occurs when they run a debug build. A normal build doesn't produce the same issue. I wonder if it's an issue with Visual Studio 2010?
     
  4. Marcos, Eset Staff Account (Joined: Nov 22, 2002; Posts: 14,374)

    Hard to say what triggers detection without getting the file for perusal.
     