[False Positive] Bankerfix

Hello guys from Eset

I'd like to report a false positive of Nod32.

http://img256.imageshack.us/img256/8359/falsepositivemc7.jpg

Bankerfix is a tool developed by Linha Defensiva, targeting to remove brazilian bankers. Nod32 are detect one file of Bankerfix like a virus, specialy fix.reg, one file of this tool.

More informations about Bankerfix can be found in this post:
http://linhadefensiva.uol.com.br/forum/index.php?showtopic=29145

and the tool can be downloaded in:
http://linhadefensiva.uol.com.br/dl/bankerfix

Please fix this false positive soon as posible.

Thanks in advance,

Fabio Assolini
CastleCops MIRT Handler | www.castlecops.com
ASAP Member

 

If you want fast reaction from ESET send an email directly to ESET Threat Labs.
email samples@eset.sk

 

false positive fixed, v3 not detected file virus.


Cheers

 

Still not solved.

Until today our users have great problems with Nod32, that still insist to detect fx.reg, one component of Bankerfix like a Win32/Spy.Bancos .AUM.trojan.

Other user report this same problem:
https://www.wilderssecurity.com/showthread.php?t=205584

Its a great false positive.

I send a lot of emails to Eset suppport, but they dont send one simple answer.

Its incredible the unwillingness of Eset developers

 

Hello,

Thank you for your report, Fabio. The issue is being investigated.

Regards,

Aryeh Goretsky

 

Aryeh,

The problem is with this file:
http:/p.download.uol.com.br/linhadefensiva/bankerfix/2008-02-22-1.zip

When this file is unziped, fx.reg, is detected by Nod32.

Fx.reg is a simple reg file used by our tool like a definition list to remove bankers entrances in Windows Registry.

We sended 6 e-mails and notifications to Eset, but we haven't receveid an answer until now.

Thanks for you support,

 

Hello,

The false positive alarm on the FX.REG file has been fixed and should appear within signature updates of 3018 and newer.

Regards,

Aryeh Goretsky

 

Aryeh,

Thank you very much for your support.

Problem solved!

All the best,