False positive - Cannot exclude from detection

Discussion in 'ESET NOD32 Antivirus' started by Sir George, May 21, 2012.

Thread Status:
Not open for further replies.
  1. Sir George

    Sir George Registered Member

    Joined:
    Nov 10, 2007
    Posts:
    32
    I use a Real Estate site, RealUp, for posting data. Nod 32 warns me there is a threat, which I am certain is a FP, because two other well respected AV programs do not detect anything and VirusTotal shows ESET as the only program rating the site as infected.

    ESET doesn't seem to do much about the problem; I have submitted the file(s) for analysis and the site still pops up the warning insert window. Even more annoying is the fact that in "Advanced Options" the check box for "Exclude from detection" is dimmed out, not available as an option.

    Does anyone know how to get ESET to respond or disable the warning popup?

    Thanks in advance for any help.
     
    Last edited: May 21, 2012
  2. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,374
    Please copy & paste the appropriate record from your ESET Threat log here.
     
  3. djackino

    djackino Registered Member

    Joined:
    Oct 28, 2010
    Posts:
    49
    ESET 5.0.95: In the last hour (since defs 7155), I am getting "address blocked" messages (on what appear to ad servers placing ads on webpage), and the following virus warnings:
    5/21/2012 8:52:19 AM HTTP filter file http://ad.doubleclick.net/adj/N6344...3a03c5cc283/click.ic?;ord=634731871589368360? HTML/ScrInject.B.Gen virus connection terminated - quarantined TFSG\djackino Threat was detected upon access to web by the application: C:\Program Files\Internet Explorer\iexplore.exe.

    5/21/2012 8:52:18 AM HTTP filter archive http://ad.doubleclick.net/adj/N6344...3a03c5cc283/click.ic?;ord=634731871589368360? HTML/ScrInject.B.Gen virus connection terminated - quarantined TFSG\djackino Threat was detected upon access to web by the application: C:\Program Files\Internet Explorer\iexplore.exe.

    Both of the above files have been sent to ESET for analysis as possible False Positives. The website in question is an all news radio station in Washington, DC, USA (I will PM the actual URL as requested). I have never had any problems with this website, which I go to multiple times a day.

    A full scan of the C: drive by ESET shows nothing infected, also ran Malware Bytes which also found nothing.

    Spybot found one tracking cookie for ad.yieldmanager.com which I removed.
     
  4. Sir George

    Sir George Registered Member

    Joined:
    Nov 10, 2007
    Posts:
    32
    As requested;
    (begin log)
    5/21/2012 6:21:59 AM Real-time file system protection file C:\Users\Robert\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\J0GA9DDU\mlist_nty[1].htm JS/Kryptik.P trojan cleaned by deleting (after the next restart) - quarantined ROBERT\Robert Event occurred on a new file created by the application: C:\Program Files (x86)\Internet Explorer\iexplore.exe.
    (end log)

    Thanks for your help!
     
  5. Sir George

    Sir George Registered Member

    Joined:
    Nov 10, 2007
    Posts:
    32
    OK, I submitted the log file and now I am right where I get when sending a file to ESET...no reply! :doubt:
     
  6. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,374
    JS/Kryptik.P is a correct detection, it's not FP. What website did you visit when the detection was triggered? (obfuscate the url to make it unclickable)
     
  7. Sir George

    Sir George Registered Member

    Joined:
    Nov 10, 2007
    Posts:
    32
    The link I use that generates the message is for members only and requires a login. I don't know if you have the ability to override it, but here's the link;

    http://wwwDOTrealupDOTcom/member/mlist_nty.asp

    Additionally, as I mentioned in my prior post, VirusTotal shows Nod32 as the only AV program to list this as a virus/trojan.
     
    Last edited by a moderator: May 22, 2012
  8. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,374
    It seems that it's necessary to log in to trigger the detection. Nevertheless, I'm quite positive there must be a script utlizing the same kind of obfuscation as malware writers do to protect their creations from being scanned and detected by AV programs. The best would be if the owners of the website in question contacted ESET so that we could help them locate the problematic script.
     
  9. Sir George

    Sir George Registered Member

    Joined:
    Nov 10, 2007
    Posts:
    32
    Thanks for the reply. Back to my original question, why is Nod32 AV preventing me from using the "Advanced Options" check box for "Exclude from detection"? Is there a way to either enable that option or a work around?
     
  10. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,374
    You can exclude a particular file from scanning in the advanced setup. The option for excluding from detection in the alert window is only applicable for potentially unwanted applications for security reasons.
     
Thread Status:
Not open for further replies.