False positive Flash and CdburnerXP

Discussion in 'ESET NOD32 Antivirus' started by phcahill, Jul 29, 2010.

Thread Status:
Not open for further replies.
  1. phcahill

    phcahill Registered Member

    Joined:
    Jul 29, 2010
    Posts:
    3
    NOD32 has just quarantined both Adobe Flash (in memory) and CdBurnerXp.
    I have tried fresh downloads and these are blocked by NOD32.

    Could this be a false positive or is Adobe infected?
    Nod32 4.2.58.3
    Update 5322 (20100729)


    Downloading Flash via Adobe's
    29/07/2010 6:46:14 PM Real-time file system protection file C:\ProgramData\NOS\Adobe_Downloads\nos855.dat a variant of Win32/TrojanDropper.Agent.OVE trojan cleaned by deleting - quarantined DAD\phcahill Event occurred on a new file created by the application: C:\Program Files\NOS\bin\getPlusPlus_Adobe.exe.

    Downloading CdBurnerXp
    29/07/2010 6:37:54 PM HTTP filter file http://ember.cdburnerxp.se/cdbxp_setup_4.3.6.2284.exe a variant of Win32/Kryptik.BNX trojan connection terminated - quarantined DAD\phcahill Threat was detected upon access to web by the application: C:\Program Files\Internet Explorer\iexplore.exe.
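    An added example, not code from the thread or from ESET: a small Python triage helper that parses the NOD32 4.x event lines quoted in this post (and the one in post 7, which uses the same format) and groups them by detection name, so an admin collecting reports from several machines can see which detection is firing across unrelated vendor files under one signature build. It assumes the single-line event format shown here and recognises only the three scanner module names that appear in this thread.

```python
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional

# Event lines quoted in this thread, copied as raw strings (the paths contain backslashes).
SAMPLE_LOG = [
    r"29/07/2010 6:46:14 PM Real-time file system protection file C:\ProgramData\NOS\Adobe_Downloads\nos855.dat a variant of Win32/TrojanDropper.Agent.OVE trojan cleaned by deleting - quarantined DAD\phcahill Event occurred on a new file created by the application: C:\Program Files\NOS\bin\getPlusPlus_Adobe.exe.",
    r"29/07/2010 6:37:54 PM HTTP filter file http://ember.cdburnerxp.se/cdbxp_setup_4.3.6.2284.exe a variant of Win32/Kryptik.BNX trojan connection terminated - quarantined DAD\phcahill Threat was detected upon access to web by the application: C:\Program Files\Internet Explorer\iexplore.exe.",
    r"29.7.2010. 11:30:26 Startup scanner file C:\Windows\SysWOW64\Macromed\Flash\FlashUtil10h_ActiveX.exe a variant of Win32/TrojanDropper.Agent.OVE trojan cleaned by deleting - quarantined",
]

# NOD32 4.x single-line event format as quoted above: timestamp, scanner module (the three
# names seen in the thread), "file" <object>, detection, action, " - quarantined", optional user/context.
_EVENT = re.compile(
    r"^(?P<ts>\d{1,2}[./]\d{1,2}[./]\d{4}\.?\s+\d{1,2}:\d{2}:\d{2}(?:\s+[AP]M)?)\s+"
    r"(?P<scanner>Real-time file system protection|HTTP filter|Startup scanner)\s+"
    r"file\s+(?P<obj>.+?)\s+(?:a variant of\s+)?(?P<threat>\S+)\s+trojan\s+"
    r"(?P<action>.+?)\s+-\s+quarantined(?:\s+(?P<user>\S+)\s+(?P<context>.*))?$"
)

@dataclass(frozen=True)
class Detection:
    timestamp: str
    scanner: str
    obj: str
    threat: str
    action: str
    user: Optional[str]
    context: Optional[str]

def parse_event(line: str) -> Optional[Detection]:
    """One Detection per NOD32 event line; None for any other log line."""
    m = _EVENT.match(line.strip())
    return Detection(*m.groups()) if m else None  # group order matches the field order

def group_by_threat(lines: List[str]) -> Dict[str, List[Detection]]:
    """Bucket every parsed event by detection name."""
    groups: Dict[str, List[Detection]] = defaultdict(list)
    for d in filter(None, map(parse_event, lines)):
        groups[d.threat].append(d)
    return dict(groups)

def fp_candidates(groups: Dict[str, List[Detection]], min_objects: int = 2) -> List[str]:
    """Detection names that hit several distinct objects, possibly via different modules, in one
    signature build: the spread over unrelated vendor files this thread shows. Check those
    against the vendor's published checksums before restoring anything from quarantine."""
    return sorted(n for n, ds in groups.items()
                  if len({d.obj.lower() for d in ds}) >= min_objects)
```

On the three quoted lines the helper reports only Win32/TrojanDropper.Agent.OVE as a candidate, since Win32/Kryptik.BNX fired on a single object.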
     
  2. jimwillsher

    jimwillsher Registered Member

    Joined:
    Mar 4, 2009
    Posts:
    668
    I've just downloaded the second file you linked to, and NOD quarantined it for me too (sig 5321).
     
  3. phcahill

    phcahill Registered Member

    Joined:
    Jul 29, 2010
    Posts:
    3
    Could someone try a fresh Adobe Flash install and see if NOD32 traps it? Please update the NOD database first.

    Thanks
    Paul
     
  4. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,374
    Kryptik.BNX is an old detection, so it must be that they have recently changed something in the code or added new binaries to the package that triggered the detection. Please update to the latest signature version 5322 to fix the FP.
     
  5. jamtoday

    jamtoday Guest

    With signature version 5322, I just tried to download the latest version of Flash Player from the Adobe website and the installation failed. Two variants of Win32/TrojanDropper.Agent.OVE trojan were quarantined in respect of the flashplayer and nos objects.
     
    Last edited by a moderator: Jul 29, 2010
  6. Proximm

    Proximm Registered Member

    Joined:
    Jul 8, 2009
    Posts:
    10
  7. newen

    newen Registered Member

    Joined:
    Jul 29, 2010
    Posts:
    2
    NOD32 after update 5322
    29.7.2010. 11:30:26 Startup scanner file C:\Windows\SysWOW64\Macromed\Flash\FlashUtil10h_ActiveX.exe a variant of Win32/TrojanDropper.Agent.OVE trojan cleaned by deleting - quarantined
    C:\Program Files (x86)\Adobe\Adobe Flash CS5\Players\Debug\InstallAX.exe - a variant of Win32/TrojanDropper.Agent.OVE trojan - cleaned by deleting (after the next restart) - quarantined
    C:\Program Files (x86)\Adobe\Adobe Flash CS5\Players\Debug\InstallPlugin.exe - a variant of Win32/TrojanDropper.Agent.OVE trojan - cleaned by deleting (after the next restart) - quarantined
    C:\Program Files (x86)\Adobe\Adobe Flash CS5\Players\Release\InstallAX.exe - a variant of Win32/TrojanDropper.Agent.OVE trojan - cleaned by deleting (after the next restart) - quarantined
    C:\Program Files (x86)\Adobe\Adobe Flash CS5\Players\Release\InstallPlugin.exe - a variant of Win32/TrojanDropper.Agent.OVE trojan - cleaned by deleting (after the next restart) - quarantined
    C:\Program Files (x86)\Adobe\Adobe Flash Builder 4\player\win\10.1\InstallAX.exe - a variant of Win32/TrojanDropper.Agent.OVE trojan - cleaned by deleting (after the next restart) - quarantined
    C:\Program Files (x86)\Adobe\Adobe Flash Builder 4\player\win\10.1\InstallPlugin.exe - a variant of Win32/TrojanDropper.Agent.OVE trojan - cleaned by deleting (after the next restart) - quarantined

    This is going to mess up my CS5 installation...
     
  8. docdlb

    docdlb Registered Member

    Joined:
    Jul 29, 2010
    Posts:
    2
    What is the source of your CS5?
     
  9. xkyborg

    xkyborg Registered Member

    Joined:
    Jul 6, 2010
    Posts:
    4
    Number of blocked attacks: 8. Detected flash files as threats, LOL. And yesterday I wanted to install Kane & Lynch 2 Demo from Steam, and NOD32 detected it as threat during installation...
     
    Last edited: Jul 29, 2010
  10. CrunchieBite

    CrunchieBite Guest

    Same here on multiple machines running different OSes with Nod v4.2.58.3 defs 5322.

    C:\Windows\SysWOW64\Macromed\Flash\FlashUtil10h_ActiveX.exe a variant of Win32/TrojanDropper.Agent.OVE trojan cleaned by deleting - quarantined.
     
  11. newen

    newen Registered Member

    Joined:
    Jul 29, 2010
    Posts:
    2
    You expect me to say that it is torrent-downloaded pirated software so you can blame the bad haxx0rz for this false positive? It is from a nice and shiny retail box.
    ESET confirmed the false positive and is working on a fix.
     
  12. PaulB2005

    PaulB2005 Registered Member

    Joined:
    Apr 19, 2005
    Posts:
    525
    NOD32 4.2.58.3 Def 5322

    29/07/2010 11:43:02 Startup scanner file C:\Windows\system32\Macromed\Flash\FlashUtil10h_ActiveX.exe a variant of Win32/TrojanDropper.Agent.OVE trojan cleaned by deleting - quarantined

    No warez here either

    Just detected it when opening legit bank website....
     
  13. jamtoday

    jamtoday Guest

    Assuming the Adobe Flash Player detections are false positives, and once ESET has done the necessary fix, should I just delete the quarantined items and re-download Flash Player? Or has the quarantine corrupted any files which need to be removed first?
     
  14. docdlb

    docdlb Registered Member

    Joined:
    Jul 29, 2010
    Posts:
    2
    No... just curious. Anyway, it's fixed now with update 5323!
     
  15. FanJ

    FanJ Updates Team

    Joined:
    Feb 9, 2002
    Posts:
    2,564
    Confirmed the FP detection of Adobe Flash:

    D:\Adobe Flash Player\Flash Version 10_1_53_64\install_flash_player_ax.exe - a variant of Win32/TrojanDropper.Agent.OVE trojan
    D:\Adobe Flash Player\Uninstaller 2010_06_10\uninstall_flash_player.exe - a variant of Win32/TrojanDropper.Agent.OVE trojan

    MD5:

    The file D:\Adobe Flash Player\Flash Version 10_1_53_64\install_flash_player_ax.exe has the following Checksum(s)
    MD5 - 9B9089FE6CB9690BAA4B8297DB004083

    The file D:\Adobe Flash Player\Uninstaller 2010_06_10\uninstall_flash_player.exe has the following Checksum(s)
    MD5 - D049CF4ECD36EAC817D6D9025B470639


    System: XP-home SP3

    NOD32_2010_07_29_1.gif
     
  16. nonoise

    nonoise Registered Member

    Joined:
    Jun 6, 2008
    Posts:
    322
    Is this solved with update 5323?
     
  17. FanJ

    FanJ Updates Team

    Joined:
    Feb 9, 2002
    Posts:
    2,564
    Yep, it is fixed with 5323 :thumb:

    I did a right-click scan with the new database 5323 on my folder D:\Adobe Flash Player (where my Adobe Flash installers and uninstallers are located), and no more warning.

    Thanks ESET for the quick fix :)

    PS: I don't have CDburnerXP so cannot tell about that one.

    Edited to add:
    I will later do a full system scan
     
  18. phcahill

    phcahill Registered Member

    Joined:
    Jul 29, 2010
    Posts:
    3
    CdBurnerXp is now fine too.

    Thanks ESET for being so quick off the mark. This is the first time this has happened in the many years I have been using NOD32. At least it did not attack system files like other AV software has done.

    Thanks to all for confirming and raising the profile of this issue.

    Paul
     
  19. FanJ

    FanJ Updates Team

    Joined:
    Feb 9, 2002
    Posts:
    2,564
    Just did a full scan with 5323: the Flash FP is indeed fixed :)

    NOD32_2010_07_29_2.gif
     
  20. jamtoday

    jamtoday Guest

    Referring to my earlier posts (nos. 5 & 13), I re-downloaded Flash Player and it installed OK. Should I now delete the 3 quarantined items from the previous failed download/installation?
     
  21. FanJ

    FanJ Updates Team

    Joined:
    Feb 9, 2002
    Posts:
    2,564
    I guess you can do so, if you like and if those files are still there in the quarantine.
     
  22. rhminus

    rhminus Registered Member

    Joined:
    Jul 29, 2010
    Posts:
    1
    Still getting a false positive for "OVE Trojan" in 5324, but on different files :D (including svchost.exe system file, which I made sure is a clean one).
    Reported to ESET.
     
  23. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,374
    1. I can't see any such report of an FP sent to samples[at]eset.com.
    2. The detection with that name causing the FP was completely removed in update 5323, so there's no chance it would be reported with newer versions.
     