[False Positive] Bankerfix

Discussion in 'NOD32 version 2 Forum' started by Einstein, Feb 29, 2008.

Thread Status:
Not open for further replies.
  1. Einstein

    Einstein Registered Member

    Joined:
    Feb 29, 2008
    Posts:
    4
    Hello guys from Eset

    I'd like to report a false positive of Nod32.

    http://img256.imageshack.us/img256/8359/falsepositivemc7.jpg

    Bankerfix is a tool developed by Linha Defensiva, aimed at removing Brazilian bankers. Nod32 is detecting one file of Bankerfix as a virus, specifically fix.reg, one file of this tool.

    More information about Bankerfix can be found in this post:
    http://linhadefensiva.uol.com.br/forum/index.php?showtopic=29145

    and the tool can be downloaded from:
    http://linhadefensiva.uol.com.br/dl/bankerfix

    Please fix this false positive as soon as possible.

    Thanks in advance,

    Fabio Assolini
    CastleCops MIRT Handler | www.castlecops.com
    ASAP Member
     
    Last edited: Feb 29, 2008
  2. ASpace

    ASpace Guest

    If you want a fast reaction from ESET, send an email directly to ESET Threat Labs.
    Email: samples@eset.sk
     
  3. nodyforever

    nodyforever Registered Member

    Joined:
    Oct 30, 2007
    Posts:
    549
    Location:
    PT / Lisbon
    False positive fixed; v3 did not detect the file as a virus.


    Cheers:cool:
     
  4. Einstein

    Einstein Registered Member

    Joined:
    Feb 29, 2008
    Posts:
    4
    Still not solved.

    To this day our users have great problems with Nod32, which still insists on detecting fx.reg, one component of Bankerfix, as a Win32/Spy.Bancos.AUM trojan.

    Another user reports this same problem:
    https://www.wilderssecurity.com/showthread.php?t=205584

    It's a great false positive.

    I sent a lot of emails to Eset support, but they don't send one simple answer.

    It's incredible, the unwillingness of Eset developers

    :mad:
     
  5. agoretsky

    agoretsky Eset Staff Account

    Joined:
    Apr 4, 2006
    Posts:
    4,031
    Location:
    California
    Hello,

    Thank you for your report, Fabio. The issue is being investigated.

    Regards,

    Aryeh Goretsky
     
  6. Einstein

    Einstein Registered Member

    Joined:
    Feb 29, 2008
    Posts:
    4
    Aryeh,

    The problem is with this file:
    http://p.download.uol.com.br/linhadefensiva/bankerfix/2008-02-22-1.zip

    When this file is unzipped, fx.reg is detected by Nod32.

    Fx.reg is a simple reg file used by our tool as a definition list to remove banker entries in the Windows Registry.

    We sent 6 e-mails and notifications to Eset, but we haven't received an answer until now.

    Thanks for your support,
     
  7. agoretsky

    agoretsky Eset Staff Account

    Joined:
    Apr 4, 2006
    Posts:
    4,031
    Location:
    California
    Hello,

    The false positive alarm on the FX.REG file has been fixed and should appear within signature updates of 3018 and newer.

    Regards,

    Aryeh Goretsky
     
  8. Einstein

    Einstein Registered Member

    Joined:
    Feb 29, 2008
    Posts:
    4
    Aryeh,

    Thank you very much for your support.

    Problem solved!

    All the best,
     
    Last edited: Apr 12, 2008