False Positive Fix

Discussion in 'ESET NOD32 Antivirus' started by pmabee, May 22, 2008.

Thread Status:
Not open for further replies.
  1. pmabee

    pmabee Registered Member

    Joined:
    May 22, 2008
    Posts:
    22
    It appears that users in my company that have tripped over this FP issue (Adobe 8 here and Folding at Home on one system) need to be booted in safe mode and have the Eset services disabled. Reboot and do a normal startup, uninstall NOD32, reboot, and then push it back to them through the console, apply updates, and I haven't seen any problems since.
     
  2. PII_David

    PII_David Registered Member

    Joined:
    Dec 10, 2007
    Posts:
    17
    Great solution...

    We're facing a similar situation and need to do this REMOTELY!

    I'm thinking about setting the NOD32 service to disabled via GPOs...

    Let you know if that fixes it.

    David
     
  3. tlamming

    tlamming Registered Member

    Joined:
    Feb 6, 2008
    Posts:
    14
    This helped me out a great deal. Thanks for the workaround. I've got a ton of computers sitting locked up because of this. No more ESET products for my clients.
     
  4. PII_David

    PII_David Registered Member

    Joined:
    Dec 10, 2007
    Posts:
    17
    SUGGESTED FIX for managed environments...

    We are using NOD32 with a Remote Admin console, and as long as the machine had the 3120 definition files, NOD32 on the workstation wasn't checking in or updating to 3121. Luckily for us only 5 workstations caught this update...


    If you combine their fix with my suggestion you could remotely fix the issues on multiple workstations...

    https://www.wilderssecurity.com/showthread.php?p=1247063#post1247063


    We just tested the following option:

    Create and link Group Policy object (GPO) to the top of your domain using GPMC
    (call it anything you want.)

    Edit the GPO you've just created
    Drill down to:
    Computer Configuration
    Windows Settings
    Security Settings
    System Services
    Locate the Eset Service
    Double click and set to "Disabled" (don't change permissions on it.)

    Close & save the GPO

    To scope this GPO so that it applies ONLY to the machines you WANT:
    Select the Scope tab
    Remove Authenticated user
    Click Add
    Choose Object Types | tick the Computers checkbox
    Enter the workstation names
    Click Ok

    Replicate your AD.

    Reboot the workstation once to get the GPO out to them. (You could try a gpupdate /force but that won't actually stop the service...)

    Reboot it again so that the setting will take effect, i.e. the Eset Service stops.

    Remove remotely/reboot/reinstall remotely

    NOD32's suggestion to remove the *.DAT files from 2 places DID NOT fix this for us! - SEE LINK ABOVE

    • C:\Documents and Settings\All Users\Application Data\ESET\ESET NOD32 Antivirus\Updfiles
    • C:\Program Files\ESET\ESET NOD32 Antivirus

    PS> I've seen and personally dealt with other vendors' definition mess-ups... haven't had to reinstall though... I'm willing to listen & learn on how to revert to previous definition files... or delete old ones, etc...


    David
     


    Last edited: May 22, 2008
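The GPO procedure above, scripted. This is an added example and is not from the thread or from ESET; it assumes the GroupPolicy and ActiveDirectory modules (Windows Server 2008 R2 / RSAT or later), a hypothetical GPO name and hypothetical workstation names, and that the System Services entry for the ESET service has already been set to Disabled in the GPO editor, because the Security Settings > System Services node has no cmdlet. One caveat a current admin needs: the post removes Authenticated Users from the filter outright, but on domains patched with MS16-072 (KB3163622, June 2016) computer-side policy is read with the computer account, so Authenticated Users (or Domain Computers) must keep Read or the GPO is silently never applied. The script therefore drops only the Apply right. The -Cleanup switch does what the last post in the thread asks for: once a machine is repaired, take it back out of the filter so the ESET service is allowed to start again.

```powershell
# Added example (not from the thread): create, link and security-filter a GPO
# that disables the ESET service, for a named list of workstations only.
param(
    [string]   $GpoName = 'Disable-ESET-Service',                     # hypothetical
    [string[]] $Targets = @('WKS-0101', 'WKS-0102', 'WKS-0107'),      # hypothetical names
    [switch]   $Cleanup                                               # remove targets again once fixed
)
Import-Module GroupPolicy
Import-Module ActiveDirectory

$DomainDn = (Get-ADDomain).DistinguishedName

if ($Cleanup) {
    # Post-fix: strip the Apply right from repaired machines so the GPO no longer
    # keeps ekrn disabled on them (the "remove the GPO filtering" step).
    foreach ($name in $Targets) {
        Set-GPPermission -Name $GpoName -TargetName $name -TargetType Computer `
                         -PermissionLevel None | Out-Null
        Write-Host "Removed $name from the $GpoName filter"
    }
    return
}

# 1. Create the GPO and link it at the top of the domain (idempotent).
$gpo = Get-GPO -Name $GpoName -ErrorAction SilentlyContinue
if (-not $gpo) {
    $gpo = New-GPO -Name $GpoName -Comment 'Temporary: stops the ESET service on affected workstations'
    New-GPLink -Name $GpoName -Target $DomainDn -LinkEnabled Yes | Out-Null
}

# 2. Security filtering. Keep Read for Authenticated Users (see MS16-072) and
#    grant Apply only to the computer objects that are stuck.
Set-GPPermission -Name $GpoName -TargetName 'Authenticated Users' -TargetType Group `
                 -PermissionLevel GpoRead -Replace | Out-Null

foreach ($name in $Targets) {
    if (-not (Get-ADComputer -Filter "Name -eq '$name'")) {
        Write-Warning "$name not found in AD; skipping"
        continue
    }
    Set-GPPermission -Name $GpoName -TargetName $name -TargetType Computer `
                     -PermissionLevel GpoApply | Out-Null
}

# 3. Show the resulting filter so it can be eyeballed before replication.
Get-GPPermission -Name $GpoName -All |
    Where-Object { $_.Permission -in @('GpoApply', 'GpoRead') } |
    Format-Table @{n = 'Trustee'; e = { $_.Trustee.Name } }, TrusteeType, Permission -AutoSize

# 4. Push replication to every DC; the two reboots described in the post do the rest.
repadmin /syncall /AdeP | Out-Null
```

Run it once with the list of locked-up machines, and again with -Cleanup for each machine after it has been uninstalled and reinstalled; gpresult /r on the workstation should show the GPO under "Applied Group Policy Objects" only in between.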
  5. edwin3333

    edwin3333 Registered Member

    Joined:
    Aug 29, 2007
    Posts:
    244
    NOD has a built-in uninstaller routine.

    Or you could do something like

    at \\machinename 21:00 "msiexec /X eavbe_nt32_enu.msi /q"

    If you are lucky.

    Many of our machines are not responding over the network anymore so it doesn't work for those. VNC doesn't work either, so we have to actually physically go to these remote locations.
     
  6. PII_David

    PII_David Registered Member

    Joined:
    Dec 10, 2007
    Posts:
    17
    That would work too, or use psexec to remotely run it... but in our case the machine becomes completely unresponsive to any network connections (RDP/Server service, etc.) about a minute after it starts up...

    Remote management tools that we tried also failed while the old definition files are in place.

    The following could be used to fix the problem once the service is disabled:

    Gencontrol.exe from Gensortium
    psexec.exe from Sysinternals
    RDPRemoteEnabler.exe from IntelliAdmin

    There is a 3rd alternative that could be used in combination with the tools above...
    as soon as the machine appears to be up on the network, use the management console to connect to its services and stop the Eset Service.
    i.e. ping <IP> -t
    As an admin
    run "services.msc"
    At the top where it says Services (Local)
    Right click and choose Connect to another computer
    Enter hostname
    Go to town with disabling the Eset service...

    Usually the machine locked up about 30 seconds later. User rebooted the machine for us, and we then deleted the specified files that NOD32 posted recently. (See link above.) OR remove/reinstall as needed.

    It saved a trip for several remote workstations for us!

    David
     
    Last edited: May 22, 2008
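The race described in the last two posts (wait for the box to answer, then disable and stop the service before the bad definitions hang it again, then queue the silent uninstall), scripted so it handles several machines at once. This is an added example and is not from the thread or from ESET. It assumes the service name is ekrn (the NOD32 v3 "ESET Service"; confirm with sc \\host query first), that the caller has local admin on the targets and RPC reachability to the remote Service Control Manager, that hosts are hypothetical, and that the MSI name is reachable on the target exactly as in the at command above (otherwise substitute the full path or the ProductCode). sc.exe is used instead of Set-Service or WinRM on purpose: it talks straight to the remote SCM, which is the one door the posts say was still open for a few seconds after boot.

```powershell
# Added example (not from the thread): watch for each workstation to come up,
# disable and stop the ESET service the moment it answers, then schedule the
# silent uninstall. Assumes service name ekrn and hypothetical hostnames.
$Targets  = @('WKS-0101', 'WKS-0102', 'WKS-0107')   # hypothetical
$Service  = 'ekrn'                                   # assumption: NOD32 v3 "ESET Service"
$Pending  = [System.Collections.Generic.List[string]]::new([string[]]$Targets)
$deadline = (Get-Date).AddMinutes(30)

function Disable-RemoteService([string]$Computer, [string]$Name) {
    # sc.exe exits with the Win32 error code on failure, 0 on success.
    $cfg = & sc.exe "\\$Computer" config $Name start= disabled 2>&1
    if ($LASTEXITCODE -ne 0) { return "config failed ($LASTEXITCODE): $cfg" }
    $stop = & sc.exe "\\$Computer" stop $Name 2>&1
    # 1062 = ERROR_SERVICE_NOT_ACTIVE: already stopped, which is what we want anyway.
    if ($LASTEXITCODE -notin @(0, 1062)) { return "stop failed ($LASTEXITCODE): $stop" }
    return 'disabled and stopped'
}

function Schedule-Uninstall([string]$Computer) {
    # Same command the thread queues with "at", via schtasks running as SYSTEM.
    # Assumes the MSI is resolvable on the target; use a full path or ProductCode otherwise.
    & schtasks.exe /Create /S $Computer /F /SC ONCE /ST 21:00 /RU SYSTEM `
        /TN 'Uninstall-NOD32' /TR 'msiexec /x eavbe_nt32_enu.msi /qn /norestart' 2>&1 | Out-Null
    return ($LASTEXITCODE -eq 0)
}

while ($Pending.Count -gt 0 -and (Get-Date) -lt $deadline) {
    foreach ($target in @($Pending)) {
        # One ICMP probe per pass; the post watched "ping -t" by eye.
        if (-not (Test-Connection -ComputerName $target -Count 1 -Quiet)) { continue }

        $result = Disable-RemoteService -Computer $target -Name $Service
        Write-Host ("{0:HH:mm:ss} {1}: {2}" -f (Get-Date), $target, $result)
        if ($result -ne 'disabled and stopped') { continue }   # retry on the next pass

        $Pending.Remove($target) | Out-Null
        if (Schedule-Uninstall -Computer $target) {
            Write-Host "  uninstall queued on $target for 21:00; reboot afterwards and reinstall from the console"
        } else {
            Write-Warning "  service stopped on $target but schtasks failed; uninstall by hand"
        }
    }
    Start-Sleep -Seconds 2
}
if ($Pending.Count) { Write-Warning "Gave up on: $($Pending -join ', ')" }
```

The whole loop is a race against the lock-up, so keep the poll interval short and expect a machine to need a second or third boot before the stop lands; once ekrn is set to Disabled the setting survives the next reboot and the box stays reachable. Remember to set the service back to Automatic (or reinstall, which does it for you) when done.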
  7. PII_David

    PII_David Registered Member

    Joined:
    Dec 10, 2007
    Posts:
    17
    I forgot to mention that once the machine is fixed, make sure you remove the GPO filtering for that machine otherwise eset service will not start.
     