False positive from scan.dat

Discussion in 'NOD32 version 2 Forum' started by beenthereb4, Mar 8, 2006.

Thread Status:
Not open for further replies.
  1. beenthereb4

    beenthereb4 Registered Member

    Joined:
    Jun 29, 2004
    Posts:
    568
    What a headache, Nod32 gives a false positive on scan.dat, which is a McAfee definitions file!! I submitted this, but it's not fixed.
     
  2. flyrfan111

    flyrfan111 Registered Member

    Joined:
    Jun 1, 2004
    Posts:
    1,224
    Most likely it is not NOD's fault. It is most likely McAfee's fault for not encrypting something and NOD is picking it up. This used to be quite common, as most other AV makers detected Panda's definitions because Panda didn't use encryption. AVs would pick up on the definition because it would contain the same code strings as the trojan or virus in order to detect it.
     
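The mechanism flyrfan111 describes above, as an added example that is not part of the original thread and not code from any vendor: a toy substring scanner whose definition file stores its patterns verbatim gets flagged by any other engine that knows the same patterns, while a definition file that masks the patterns on disk (here a fixed XOR key plus hex encoding, an illustrative scheme, not what any real product does) never contains the raw detection string. The signature names and byte patterns are constructed.

```python
"""Why an unobfuscated signature database trips another scanner.

Added example for the forum discussion; all names, patterns and the
masking scheme are constructed for illustration and stand in for no vendor.
"""

# Constructed "malware" byte sequences standing in for real detection strings.
SIGNATURES = {
    "Trojan.Example.A": b"\x90\x90\xeb\x1eEXAMPLE-PAYLOAD-A",
    "Worm.Example.B": b"MZ\x00\x00EXAMPLE-WORM-B-DROPPER",
}


def scan(data: bytes, signatures: dict[str, bytes]) -> list[str]:
    """Return the names of every signature whose raw pattern occurs in data."""
    return sorted(name for name, pat in signatures.items() if pat in data)


def write_plain_db(signatures: dict[str, bytes]) -> bytes:
    """Definition file that stores each pattern verbatim.

    Any other engine carrying the same strings will match this file,
    exactly as if it were the malware it describes.
    """
    return b"".join(name.encode() + b"=" + pat + b"\n" for name, pat in signatures.items())


def _xor(data: bytes, key: bytes) -> bytes:
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def write_masked_db(signatures: dict[str, bytes], key: bytes) -> bytes:
    """Definition file whose patterns are XOR-masked and hex-encoded.

    This is not secrecy: the key ships with the product. It only guarantees
    that the raw detection string never appears on disk, so a foreign
    scanner's substring search has nothing to hit.
    """
    lines = []
    for name, pat in signatures.items():
        lines.append(name.encode() + b"=" + _xor(pat, key).hex().encode() + b"\n")
    return b"".join(lines)


def load_masked_db(blob: bytes, key: bytes) -> dict[str, bytes]:
    """Inverse of write_masked_db: unmask the patterns back into memory."""
    sigs = {}
    for line in blob.splitlines():
        name, hexmasked = line.split(b"=", 1)
        sigs[name.decode()] = _xor(bytes.fromhex(hexmasked.decode()), key)
    return sigs


if __name__ == "__main__":
    key = b"\x5a\xa5\x3c"
    plain, masked = write_plain_db(SIGNATURES), write_masked_db(SIGNATURES, key)
    print("plain definition file scanned by a peer engine:", scan(plain, SIGNATURES))
    print("masked definition file scanned by a peer engine:", scan(masked, SIGNATURES))
    # The masked file still works for its own engine once decoded.
    print("masked engine on a real hit:",
          scan(b"junk" + SIGNATURES["Worm.Example.B"], load_masked_db(masked, key)))
```

The hex encoding matters as much as the XOR: the masked file consists only of the characters `0-9a-f`, `=`, newlines and signature names, so a pattern containing any other byte can never occur in it by accident.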
  3. beenthereb4

    beenthereb4 Registered Member

    Joined:
    Jun 29, 2004
    Posts:
    568
    I thought that might be the case too, but numerous other Antivirus programs do not produce the false positive. This points to NOD as the culprit.
     
  4. ronjor

    ronjor Global Moderator

    Joined:
    Jul 21, 2003
    Posts:
    57,802
    Location:
    Texas
    To be fair, Nod does state during the installation procedure that no other antivirus programs be present on the hard drive. Unpredictable behavior can result under these circumstances.
    Most antivirus programs stipulate this request as well.
     
  5. beenthereb4

    beenthereb4 Registered Member

    Joined:
    Jun 29, 2004
    Posts:
    568

    From the manual:
    Note the difference.
     
  6. ronjor

    ronjor Global Moderator

    Joined:
    Jul 21, 2003
    Posts:
    57,802
    Location:
    Texas
    Difference noted.

    This statement still stands. "Unpredictable behavior can result under these circumstances."
     
  7. shanijee

    shanijee Registered Member

    Joined:
    Feb 1, 2006
    Posts:
    107
    Location:
    Faisalabad(Pakistan)
    It reminds me of those days when I installed Panda antivirus and then uninstalled Avast on another OS; then I scanned the PC from Avast and it detected pav.sig (Panda definition file) as a virus.
    See this page:
    http://www.avast.com/eng/faq_panda.html
     
  8. flyrfan111

    flyrfan111 Registered Member

    Joined:
    Jun 1, 2004
    Posts:
    1,224
    So much for my idea then. How big is the dat file? You could submit it and Eset can take a look and see what NOD is hitting on. Anyone else using NOD and McAfee with the same problem?
     
  9. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,376
    Did you send it to samples[at]eset.com so that I can have a look at it? Also be sure that you have the most current version 1.1435 installed.
     
  10. beenthereb4

    beenthereb4 Registered Member

    Joined:
    Jun 29, 2004
    Posts:
    568
    Nod32 rules! It's fixed with version 1.1435 (but was still there in version 1.1434)

    Thanks!!
     
  11. pykko

    pykko Registered Member

    Joined:
    Apr 27, 2005
    Posts:
    2,236
    Location:
    Romania...and walking to heaven
    ESET is always fast in fixing FP. That's a good point. :)
     
  12. beenthereb4

    beenthereb4 Registered Member

    Joined:
    Jun 29, 2004
    Posts:
    568
    Uh oh, today's new scan.dat triggers Nod32 again. I sent a sample to samples@eset.com. Hope it makes it, it's 7 megs.
     
  13. fosius

    fosius Registered Member

    Joined:
    Oct 14, 2004
    Posts:
    479
    Location:
    Partizanske, Slovakia
    Scan.dat was probably updated that's why it was detected again. You should add scan.dat to AMON's exclusion list.
     
  14. beenthereb4

    beenthereb4 Registered Member

    Joined:
    Jun 29, 2004
    Posts:
    568
    Yeah, you'd think that would do it, but the exclusion list only works for one copy of the file that stays in a given folder. I need to be able to copy, move and update scan.dat. I frequently update and rebuild copies of BartPE which contain multiple antivirus scanners.
     
  15. beenthereb4

    beenthereb4 Registered Member

    Joined:
    Jun 29, 2004
    Posts:
    568
    Latest definitions fix it again, let's hope they have a long-term solution!
     
  16. beenthereb4

    beenthereb4 Registered Member

    Joined:
    Jun 29, 2004
    Posts:
    568
    Another update ---- and another false positive!
     
  17. shanijee

    shanijee Registered Member

    Joined:
    Feb 1, 2006
    Posts:
    107
    Location:
    Faisalabad(Pakistan)
  18. pykko

    pykko Registered Member

    Joined:
    Apr 27, 2005
    Posts:
    2,236
    Location:
    Romania...and walking to heaven
    What FP ?
     
  19. beenthereb4

    beenthereb4 Registered Member

    Joined:
    Jun 29, 2004
    Posts:
    568
    Hint: What is the topic title of this thread?
     
  20. flyrfan111

    flyrfan111 Registered Member

    Joined:
    Jun 1, 2004
    Posts:
    1,224
    For those making fun of NOD for detecting McAfee's DAT files: it seems McAfee produced a DAT file that was falsely detecting malware and deleting files, which sounds a lot like something a virus would do. Here is the story reported by Internet Storm Center. So much for quality control.


    Handler's Diary March 11th 2006


    McAfee/NAI rolls bad pattern

    Published: 2006-03-11,
    Last Updated: 2006-03-11 01:29:45 UTC by Daniel Wesemann (Version: 1)

    NAI/McAfee today released pattern version 4716 only hours after 4715 had come out. Pattern 4715 triggered false positive virus alerts for "W95/CTX" on a number of files that are part of quite prominent third party products. Good for you if you have your AV configured to "quarantine" bad files and not to delete them outright, this makes restoring the chewed up files after a false positive considerably faster. Nevertheless, things like this can get messy pretty quickly if the AV scanner starts to quarantine vital components of your environment.

    If you weren't affected and/or are using a different AV product, it might still be worthwhile to spend a couple of minutes on the following questions:
    • How would you detect such a "bad pattern" in your environment, and, more importantly, how would you distinguish between "false positive" and "virus outbreak"?
    • Would you have the capability to roll back to the last "known good" pattern if help from the vendor were not forthcoming? Where exactly do these patterns come from? Is the previous pattern version available there as well?
     
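One answer to the ISC handler's two questions, as an added example that is not part of the diary or of this thread: a small script over constructed AV-console log lines that flags a detection as a probable "bad pattern" when it appears for the first time with a freshly rolled pattern version, hits many hosts within minutes, and always names the same few files (the fingerprint of a definition update tripping on a shared program file), whereas a real outbreak tends to name varied user-writable paths and build up over hours. It also picks the rollback target from a list of deployed pattern versions. The log format, host names, paths and thresholds are assumptions for illustration; the pattern version 4715 and the "W95/CTX" name are the ones the diary mentions.

```python
"""Spotting a "bad pattern" rollout in AV console logs and choosing a rollback target.

Added example, not from the ISC diary or the forum thread. The log format,
hosts, paths and thresholds below are constructed for illustration.
"""
import re
from collections import defaultdict
from datetime import datetime

# Constructed events: timestamp, host, pattern version, detection, "path", action.
# Pattern 4715 hits the same program file on every host within seconds of
# deployment; the Worm.Example hits look like a real spread (different
# user-writable paths, over several hours, under the previous pattern).
SAMPLE_LOG = """\
2006-03-10T22:01:10Z ws01 4715 W95/CTX "C:\\Program Files\\Vendor\\app.exe" quarantined
2006-03-10T22:01:12Z ws02 4715 W95/CTX "C:\\Program Files\\Vendor\\app.exe" quarantined
2006-03-10T22:01:15Z ws03 4715 W95/CTX "C:\\Program Files\\Vendor\\app.exe" quarantined
2006-03-10T22:01:20Z ws04 4715 W95/CTX "C:\\Program Files\\Vendor\\app.exe" quarantined
2006-03-10T22:01:21Z ws05 4715 W95/CTX "C:\\Program Files\\Vendor\\app.exe" quarantined
2006-03-10T18:30:00Z ws07 4714 Worm.Example "C:\\Documents and Settings\\alice\\photo.scr" deleted
2006-03-10T19:45:00Z ws09 4714 Worm.Example "C:\\Documents and Settings\\bob\\invoice.exe" deleted
2006-03-10T21:10:00Z ws11 4714 Worm.Example "C:\\Temp\\setup.exe" deleted
"""

LINE_RE = re.compile(r'^(\S+) (\S+) (\d+) (\S+) "([^"]*)" (\S+)$')


def parse(log: str) -> list[dict]:
    """Parse the constructed log format into event dicts; skip malformed lines."""
    events = []
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, host, version, detection, path, action = m.groups()
        events.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "host": host,
            "version": int(version),
            "detection": detection,
            "path": path.lower(),
            "action": action,
        })
    return events


def suspect_bad_patterns(events, min_hosts=3, window_seconds=600, max_paths=2):
    """Flag (version, detection) pairs that look like a definition-file false positive.

    Heuristic: the detection is new with this pattern version, fires on at
    least min_hosts hosts inside window_seconds, and names at most max_paths
    distinct files. Outbreaks usually fail the last two tests.
    """
    by_key = defaultdict(list)
    for e in events:
        by_key[(e["version"], e["detection"])].append(e)
    first_seen = {}
    for version, detection in by_key:
        first_seen[detection] = min(first_seen.get(detection, version), version)

    suspects = []
    for (version, detection), evs in sorted(by_key.items()):
        hosts = {e["host"] for e in evs}
        paths = sorted({e["path"] for e in evs})
        times = sorted(e["ts"] for e in evs)
        span = (times[-1] - times[0]).total_seconds()
        if (first_seen[detection] == version and len(hosts) >= min_hosts
                and span <= window_seconds and len(paths) <= max_paths):
            suspects.append({"version": version, "detection": detection,
                             "hosts": len(hosts), "paths": paths, "span_seconds": span})
    return suspects


def rollback_target(deployed_versions, bad_versions):
    """Newest deployed pattern version not flagged as bad, or None if there is none."""
    good = [v for v in sorted(deployed_versions) if v not in bad_versions]
    return good[-1] if good else None


if __name__ == "__main__":
    suspects = suspect_bad_patterns(parse(SAMPLE_LOG))
    for s in suspects:
        print(f"pattern {s['version']} / {s['detection']}: {s['hosts']} hosts in "
              f"{s['span_seconds']:.0f}s, files {s['paths']}")
    print("roll back to:", rollback_target([4713, 4714, 4715], {s["version"] for s in suspects}))
```

The thresholds are the part to tune per environment: a genuine worm that lands in the same path on every host (a dropped service binary, say) would also pass the path-diversity test, so treat a hit as a prompt to check the named file against a known-good hash before deciding between "restore from quarantine" and "isolate the hosts". The diary's point about quarantine rather than delete is what makes the first option possible at all.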
  21. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,376
    The thing is that McAfee doesn't encrypt some stuff in their virus definitions which is ridiculous. No wonder that heuristics picks it up then.
     
  22. beenthereb4

    beenthereb4 Registered Member

    Joined:
    Jun 29, 2004
    Posts:
    568
    OK, would it be reasonably safe for me to exclude the .dat extension from scans?
     