False Positive - Gmer

Discussion in 'NOD32 version 2 Forum' started by auriell, Apr 26, 2006.

Thread Status:
Not open for further replies.
  1. auriell

    auriell Registered Member

    Joined:
    Feb 9, 2005
    Posts:
    105
    Location:
    Warsaw, Poland
    Would you please, ESET, fix this false positive? This tool is crucial for me, and its new beta is detected as a NewHeur PE_virus:

    hxxp://www.gmer.net/gmer110b.zip (I replaced 't' with 'x')

    This tool was created to detect and delete rootkits, hidden services and processes, and has many other useful features like system integrity monitoring and protection, etc. I submitted the sample, but it is not fixed so far.

    Thanks in advance.

     
    Last edited: Apr 27, 2006
  2. Brian N

    Brian N Registered Member

    Joined:
    Jul 7, 2005
    Posts:
    2,148
    Location:
    Denmark
    Did you send it to samples[at]eset.com? It's usually faster that way than using the built in feature in NOD.
     
  3. auriell

    auriell Registered Member

    Joined:
    Feb 9, 2005
    Posts:
    105
    Location:
    Warsaw, Poland
    Yes I did, it was also sent via ThreatSense.
     
  4. i_kenefick

    i_kenefick Registered Member

    Joined:
    Nov 29, 2005
    Posts:
    135
    Location:
    Cork, Ireland.
    If you look at what the file does then you can excuse NOD32 flagging it as potentially malicious.
     
  5. ASpace

    ASpace Guest

    Tonight I was with a client and I cleaned his infected machine. The trial of NOD32 flagged an exe file in C:\Windows\System32 as NewHeur PE_virus

    I didn't submit it, I just renamed it. :)
    Maybe it is a false positive, maybe not, I hope it is not :)
     
  6. auriell

    auriell Registered Member

    Joined:
    Feb 9, 2005
    Posts:
    105
    Location:
    Warsaw, Poland
    I do understand why NOD could flag it, but I just ask to fix it.
     
  7. Detox

    Detox Retired Moderator

    Joined:
    Feb 9, 2002
    Posts:
    8,507
    Location:
    Texas, USA
    It does system monitoring? Then I want my NOD to detect it.
     
  8. rothko

    rothko Registered Member

    Joined:
    Jan 12, 2005
    Posts:
    579
    Location:
    UK
    Sounds like it should be detected as a Potentially Dangerous Application, which it may be if the sample was submitted via ThreatSense and Eset update it as such in the database.

    If it does get categorised as a PDA then you would be able to unselect the option to detect Potentially Dangerous Applications. That would of course mean other such apps would go undetected, but that would be your choice.

    lee
     
  9. auriell

    auriell Registered Member

    Joined:
    Feb 9, 2005
    Posts:
    105
    Location:
    Warsaw, Poland
    I don't know what you mean, but this is an option which you can select in this tool. It is not a tool to hack, or destroy anything. This tool is a mix of Process Guard, RegDefend, Rootkit Revealer (with deleting capabilities), Process Explorer and a simple outbound-only firewall (with app filtering); it can also log many system events. For sure it was not developed to harm, but to protect systems and remove nasties.

    If you go to this site and look at screenshots, you will know what I mean:

    http://www.gmer.net/index.php
     
  10. Detox

    Detox Retired Moderator

    Joined:
    Feb 9, 2002
    Posts:
    8,507
    Location:
    Texas, USA
    Well I don't understand b/c I can't read a word of it lol... But assuming you mean file system monitoring or system integrity monitoring then I would understand. System monitoring brought to mind (my mind anyway) spyware.
     
  11. auriell

    auriell Registered Member

    Joined:
    Feb 9, 2005
    Posts:
    105
    Location:
    Warsaw, Poland
    I know you don't understand a word of Polish, but the screenshots speak for themselves. I hope it will be translated into English soon, as it is a brilliant and FREE tool.

    My English is far from being perfect, so sometimes I might be misunderstood.
     
  12. auriell

    auriell Registered Member

    Joined:
    Feb 9, 2005
    Posts:
    105
    Location:
    Warsaw, Poland
    Thank you very much ESET, it is fixed now!!! Great work!!!
     
  13. Detox

    Detox Retired Moderator

    Joined:
    Feb 9, 2002
    Posts:
    8,507
    Location:
    Texas, USA
    Misunderstandings are commonplace on the www - that's for sure. Glad to see it's the right kind of system monitor and sorry I misunderstood; also glad things are fixed. :cool:
     
  14. blipblop

    blipblop Registered Member

    Joined:
    Jan 24, 2006
    Posts:
    15
    I think this thread is a suitable one to express "my" case as well...

    I was looking for Soulseek plugins the other day and I stumbled upon Soulseek Stats. As explained in the link, it just gathers into .csv files some information regarding your uploads/downloads (who downloaded what etc.) to keep track of what's going on with your Soulseek times.

    At first it didn't even allow me to install it...got a message about "probably unknown NewHeur_PE virus". I decided to take the risk anyway (for a reason I can't explain, the quarantine was empty and couldn't send the file to you guys), so I disabled nod32 for a moment, installed the plugin and enabled my precious antivirus again. Doing its file scanning in the background it did alert me again about the possibility of NewHeur_PE virus, so I decided to upload the SoulseekStats.exe (not the .exe of installation) to jotti, virustotal and virus.org. Here are the results for the first two:

    Jotti
    Code:
    AntiVir                 Found nothing
    ArcaVir                 Found nothing
    Avast                   Found nothing
    AVG Antivirus           Found nothing
    BitDefender             Found nothing
    ClamAV                  Found nothing
    Dr.Web                  Found nothing
    F-Prot Antivirus        Found nothing
    Fortinet                Found nothing
    Kaspersky Anti-Virus    Found nothing
    NOD32                   Found probably unknown NewHeur_PE (probable variant)
    Norman Virus Control    Found nothing
    UNA                     Found nothing
    VirusBuster             Found nothing
    VBA32                   Found nothing


    VirusTotal
    Code:
    Engine              Version         Signatures   Result
    AntiVir             6.34.0.24       04.20.2006   no virus found
    Avast               4.6.695.0       04.26.2006   no virus found
    AVG                 386             04.27.2006   no virus found
    Avira               6.34.1.58       04.27.2006   no virus found
    BitDefender         7.2             04.28.2006   no virus found
    CAT-QuickHeal       8.00            04.26.2006   no virus found
    ClamAV              devel-20060202  04.27.2006   no virus found
    DrWeb               4.33            04.27.2006   no virus found
    eTrust-InoculateIT  23.71.141       04.28.2006   no virus found
    eTrust-Vet          12.4.2181       04.27.2006   no virus found
    Ewido               3.5             04.27.2006   no virus found
    Fortinet            2.71.0.0        04.27.2006   suspicious
    F-Prot              3.16c           04.26.2006   no virus found
    Ikarus              0.2.59.0        04.27.2006   no virus found
    Kaspersky           4.0.2.24        04.28.2006   no virus found
    McAfee              4750            04.27.2006   no virus found
    Microsoft           1.1372          04.28.2006   no virus found
    NOD32v2             1.1510          04.27.2006   probably unknown NewHeur_PE virus
    Norman              5.90.17         04.27.2006   no virus found
    Panda               9.0.0.4         04.27.2006   no virus found
    Sophos              4.05.0          04.27.2006   no virus found
    Symantec            8.0             04.28.2006   no virus found
    TheHacker           5.9.7.135       04.25.2006   no virus found
    UNA                 1.83            04.27.2006   no virus found
    VBA32               3.11.0          04.27.2006   no virus found

    Should I worry?
     
  15. i_kenefick

    i_kenefick Registered Member

    Joined:
    Nov 29, 2005
    Posts:
    135
    Location:
    Cork, Ireland.
    Send it to samples [at] eset [dot] com for analysis. This is the fastest way to determine whether the detection is true or not.
     
  16. 32767

    32767 Registered Member

    Joined:
    Nov 3, 2006
    Posts:
    1
    I wrote Soulseek Stats, and I do make sure I scan new versions with an up-to-date Anti-Vir before I upload them. I did, however, compress the EXE with UPX, and I imagine this is what might have triggered what is quite possibly a false positive.

    Cheers, Threetwosevensixseven
     
  17. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,374
    Nope, NOD32 does not use packer detection as some other AVs unfortunately do.
     
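The UPX question raised in the last two posts is easy to check for yourself before a sample goes off to ESET. The script below is an added example, not code from this thread, from ESET or from the Soulseek Stats author: it reads a PE file's section table and reports two cheap packer hints, the section names UPX leaves behind (UPX0/UPX1) and sections whose contents look near-random (compressed or encrypted data sits close to 8 bits of entropy per byte, ordinary code and text far lower). The PE images it scans are constructed inside the script, the list of packer section names and the 7.0 bits/byte threshold are my own assumptions, and neither hint says anything about whether a file is malicious; to rule packing out as the cause of a detection, unpack the file (for UPX, `upx -d`) and rescan the result.

```python
import math
import random
import struct

# Section names commonly left behind by well-known packers (assumed list; UPX uses UPX0/UPX1, sometimes UPX2).
PACKER_SECTION_NAMES = {
    b"UPX0", b"UPX1", b"UPX2", b".aspack", b".adata",
    b"MPRESS1", b"MPRESS2", b".vmp0", b".vmp1", b".themida",
}


def shannon_entropy(buf: bytes) -> float:
    """Shannon entropy in bits per byte: 0.0 for empty input, 8.0 for uniformly distributed bytes."""
    if not buf:
        return 0.0
    counts = [0] * 256
    for b in buf:
        counts[b] += 1
    n = len(buf)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def parse_sections(pe: bytes) -> list:
    """Walk DOS header -> PE signature -> COFF header -> section table.

    Returns [(name, raw_offset, raw_size, raw_bytes), ...]; raises ValueError for input that is
    not a PE image or whose section table points outside the file.
    """
    if len(pe) < 0x40 or pe[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    (e_lfanew,) = struct.unpack_from("<I", pe, 0x3C)
    if e_lfanew + 24 > len(pe) or pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4                                  # 20-byte COFF file header
    (num_sections,) = struct.unpack_from("<H", pe, coff + 2)
    (opt_size,) = struct.unpack_from("<H", pe, coff + 16)
    table = coff + 20 + opt_size                         # section headers follow the optional header
    sections = []
    for i in range(num_sections):
        off = table + i * 40                             # IMAGE_SECTION_HEADER is 40 bytes
        if off + 40 > len(pe):
            raise ValueError("section table truncated")
        name = pe[off:off + 8].rstrip(b"\0")
        raw_size, raw_ptr = struct.unpack_from("<II", pe, off + 16)  # SizeOfRawData, PointerToRawData
        if raw_ptr + raw_size > len(pe):
            raise ValueError(f"section {name!r} points outside the file")
        sections.append((name, raw_ptr, raw_size, pe[raw_ptr:raw_ptr + raw_size]))
    return sections


def packer_indicators(pe: bytes, entropy_threshold: float = 7.0) -> dict:
    """Flag tell-tale packer section names and near-random section contents.

    Either signal alone is only a hint: packers can rename sections, and media resources
    are high-entropy too. Nothing here says whether the file is malicious.
    """
    sections = parse_sections(pe)
    names = [name.decode("latin-1") for name, _, _, _ in sections]
    entropy = {name.decode("latin-1"): round(shannon_entropy(data), 2) for name, _, _, data in sections}
    packer_names = [name.decode("latin-1") for name, _, _, _ in sections if name in PACKER_SECTION_NAMES]
    high = [n for n, e in entropy.items() if e >= entropy_threshold]
    return {"sections": names, "packer_sections": packer_names, "entropy": entropy,
            "high_entropy_sections": high, "likely_packed": bool(packer_names or high)}


def build_pe(sections) -> bytes:
    """Construct a minimal PE32 image from [(name, raw_bytes), ...] (constructed test input, not runnable code).

    Only the header fields parse_sections() reads are filled in; everything else is zero.
    """
    e_lfanew, opt_size, file_align = 0x40, 224, 0x200
    headers_len = e_lfanew + 4 + 20 + opt_size + 40 * len(sections)
    first_raw = (headers_len + file_align - 1) // file_align * file_align
    dos = bytearray(b"MZ" + b"\0" * (e_lfanew - 2))
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, opt_size, 0x0102)
    table, body = bytearray(), bytearray()
    raw_ptr, va = first_raw, 0x1000
    for name, data in sections:
        table += struct.pack("<8sIIIIIIHHI", name, len(data), va, len(data), raw_ptr, 0, 0, 0, 0, 0x60000020)
        body += data
        raw_ptr += len(data)
        va += max(len(data), 0x1000)
    img = dos + b"PE\0\0" + coff + bytes(opt_size) + table
    return bytes(img + b"\0" * (first_raw - len(img)) + body)


# Constructed samples: a UPX-style image whose code section is random-looking, and a plain one.
_rng = random.Random(2006)
PACKED_SAMPLE = build_pe([
    (b"UPX0", b""),                                              # UPX0 normally carries no raw data
    (b"UPX1", bytes(_rng.getrandbits(8) for _ in range(4096))),  # stands in for compressed code
    (b".rsrc", b"\0" * 512),
])
PLAIN_SAMPLE = build_pe([
    (b".text", b"\x55\x8b\xec" + b"\x90" * 2000 + b"\xc3\x00\x00\x00" * 500),
    (b".data", b"Soulseek Stats\0" * 64),
])

if __name__ == "__main__":
    for label, sample in (("packed", PACKED_SAMPLE), ("plain", PLAIN_SAMPLE)):
        print(label, packer_indicators(sample))
```

On a real file, call `packer_indicators(open(path, "rb").read())`. A "likely_packed" result for a file that was flagged only by a heuristic is a reason to unpack it and rescan, not a verdict either way; the thread's last reply makes the point that a NewHeur hit is not a packer signature.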