false positive over and over again

Discussion in 'ESET NOD32 Antivirus' started by emailaya, Sep 20, 2008.

Thread Status:
Not open for further replies.
  1. emailaya

    emailaya Registered Member

    Joined:
    Sep 20, 2008
    Posts:
    33
    Hi

    2 days ago I sent a sample file which NOD detects as a virus. It is an application I'm developing, so I know it is not a virus. It seems that an update from 2-3 days ago made NOD detect it as a virus even though it is NOT.

    It is a really urgent issue for me and for some of my users. I sent an email as described but I got no reply for 2 days now. How can I know the status of this submission?

    Please advise
     
  2. krypton_harsh

    krypton_harsh Registered Member

    Joined:
    Apr 14, 2008
    Posts:
    84
    Re: false positive

    Send the sample to samples[at]eset.com in a zipped archive
    and subject it as FALSE POSITIVE DETECTION

    And if u can, upload it to Rapidshare and send the link to Marcos,
    with the same subject

    Regards
     
  3. emailaya

    emailaya Registered Member

    Joined:
    Sep 20, 2008
    Posts:
    33
    Re: false positive

    Hi
    Thank you for your quick reply

    I sent the email to the address u wrote here with the subject "false positive - please check", exactly as described (zipped file with a certain password which I mentioned in the content of the email, along with a description of the problem).

    About the other action u told me: PM is currently unavailable. Is there any other way I can contact him?

    Thanks
     
  4. emailaya

    emailaya Registered Member

    Joined:
    Sep 20, 2008
    Posts:
    33
    Re: false positive

    Hi
    This has really become urgent as more and more users of my application can't use it. Please let me know what can be done.

    Thanks.
     
  5. emailaya

    emailaya Registered Member

    Joined:
    Sep 20, 2008
    Posts:
    33
    Re: false positive

    I must add that other antiviruses DID NOT detect this file as a threat. Currently all my users that also use NOD32 CANNOT use my application. Some even lose data after NOD32 deleted the application exe file. Not to mention the bad reputation I'm getting since people think I'm spreading viruses (the explanation that this is a false positive doesn't really affect them, justifiably I must add). I sent the sample last Wednesday and got no reply about it.

    I think this is absurd.

    FYI: over 6 months ago I had the same problem with a different antivirus and they fixed it in 2 days.
     
  6. emailaya

    emailaya Registered Member

    Joined:
    Sep 20, 2008
    Posts:
    33
    Re: false positive

    As I suspected: the "problem" is I'm using UPX to compress my exe. The regular one is ok while the compressed one is a "virus". Because this is for sure a false positive and I need to keep compressing my exe before releasing my application, I plead with u to start taking responsibility for your false positive and take care of these problems. Understand that some of my users can't work now!!!!!
    What r u waiting for exactly?

    I have now sent the file again using the tools inside NOD32 itself. I clicked send, the window closed and nothing more happened. How can I be sure this action actually did something?
     
    Last edited: Sep 21, 2008
  7. krypton_harsh

    krypton_harsh Registered Member

    Joined:
    Apr 14, 2008
    Posts:
    84
    Re: false positive

    PM me with the Rapidshare link. Hey, temporarily what u can do is

    just exclude the file / whole software folder from the NOD32 engine;

    the file will run until the update occurs.
     
  8. emailaya

    emailaya Registered Member

    Joined:
    Sep 20, 2008
    Posts:
    33
    Re: false positive

    Just so u know, only yesterday the PM was available again, so I PMed Marcos.
    Now I have PMed u the same thing.

    As I wrote before: the problem is not me but my users. I can't tell all of them to do that, especially not new users who stumble upon it and, when they want to try it, are told it is a virus.

    I hope this problem will be over soon
     
  9. emailaya

    emailaya Registered Member

    Joined:
    Sep 20, 2008
    Posts:
    33
    false positive - AGAIN

    Hi

    A few days ago I sent an email about a false positive one of my users reported to me. I'm talking about the file that can be downloaded from here: http://www.emailaya.com/downloads.php

    I'm the developer of this application and there is no virus there. This is not the first time NOD32 recognizes it as a false positive. Last time ESET people fixed this, but it seems that now they didn't.

    I'm using UPX to compress the exe and I guess this is the reason for the false positive detection. This is very urgent so please fix it. Thanks.
     
  10. danieln

    danieln Eset Staff

    Joined:
    Jan 7, 2009
    Posts:
    112
    Re: false positive - AGAIN

    I downloaded it without problems; it is not detected.
    md5sum emailaya.exe
    356d595459ca402d5fa6301d2c10588f *emailaya.exe
     
  11. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,374
    Re: false positive - AGAIN

    Not detected at VT:
    NOD32 4010 2009.04.15 -
     
  12. emailaya

    emailaya Registered Member

    Joined:
    Sep 20, 2008
    Posts:
    33
    Re: false positive - AGAIN

    He said he tested it this morning and it didn't work for him. I will tell him to check again and tell me his signature date.

    Thanks
     
  13. emailaya

    emailaya Registered Member

    Joined:
    Sep 20, 2008
    Posts:
    33
    Re: false positive - AGAIN

    So after this issue was solved with 20090415, it is back. See the attached image: he is using the most up-to-date signature file and still the file is detected as a virus (false positive, needless to say).

    How can this thing be fixed FOR GOOD?
     

    Attached Files:

  14. stackz

    stackz Registered Member

    Joined:
    Dec 27, 2007
    Posts:
    619
    Location:
    Sydney Australia
    Re: false positive - AGAIN

    Virus signature database: 4033 (20090424)
    Update module: 1028 (20090302)
    Antivirus and antispyware scanner module: 1210 (20090423)
    Advanced heuristics module: 1092 (20090309)
    Archive support module: 1093 (20090415)
    Cleaner module: 1040 (20090401)
    Anti-Stealth support module: 1010 (20090302)
    Personal firewall module: 1045 (20090325)
    Antispam module: 1011 (20090114)
    SysInspector module: 1212 (20090414)
    Self-defense support module : 1005 (20081105)

    24/04/2009 11:53:59 PM Real-time file system protection file C:\emailaya.exe.part probably unknown NewHeur_PE virus deleted - quarantined Event occurred on a file modified by the application: C:\Program Files\Mozilla Firefox\firefox.exe.

    24/04/2009 11:53:18 PM Real-time file system protection file C:\xxxx probably unknown NewHeur_PE virus cleaned by deleting - quarantined Event occurred on a new file created by the application: C:\Program Files\Mozilla Firefox\firefox.exe.

    24/04/2009 11:53:06 PM HTTP filter file http://www.emailaya.com/emailaya.exe probably unknown NewHeur_PE virus connection terminated - quarantined Threat was detected upon access to web by the application: C:\Program Files\Mozilla Firefox\firefox.exe.
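    A small parser for log lines in the format stackz posted above, added here as an example and not code from the thread or from ESET. It pulls out the module, object, threat name, action and triggering application, and groups heuristic hits (the "probably unknown ... NewHeur_PE" naming, as opposed to a signature name) by bare file name across modules, which is the set a developer would submit for false-positive review. The sample input is the three lines from the post plus one constructed signature-style line; the module alternation covers only the two modules that appear in the post, and the object is assumed to be a single whitespace-free token.

```python
import re

# Sample input: the three lines from the post above plus one constructed
# signature-style detection (the threat name "Win32/Example.A trojan" is made up).
SAMPLE_LOG = r"""
24/04/2009 11:53:59 PM Real-time file system protection file C:\emailaya.exe.part probably unknown NewHeur_PE virus deleted - quarantined Event occurred on a file modified by the application: C:\Program Files\Mozilla Firefox\firefox.exe.
24/04/2009 11:53:18 PM Real-time file system protection file C:\xxxx probably unknown NewHeur_PE virus cleaned by deleting - quarantined Event occurred on a new file created by the application: C:\Program Files\Mozilla Firefox\firefox.exe.
24/04/2009 11:53:06 PM HTTP filter file http://www.emailaya.com/emailaya.exe probably unknown NewHeur_PE virus connection terminated - quarantined Threat was detected upon access to web by the application: C:\Program Files\Mozilla Firefox\firefox.exe.
24/04/2009 11:55:00 PM Real-time file system protection file C:\temp\sample.exe Win32/Example.A trojan cleaned by deleting - quarantined Event occurred on a new file created by the application: C:\Program Files\Mozilla Firefox\firefox.exe.
"""

# Assumption: only the two modules seen in the post are recognised, and the
# object (path or URL) contains no spaces, which holds for the lines above.
LINE_RE = re.compile(
    r"^(?P<date>\d{2}/\d{2}/\d{4}) (?P<time>\d{1,2}:\d{2}:\d{2} [AP]M) "
    r"(?P<module>Real-time file system protection|HTTP filter) file (?P<object>\S+) "
    r"(?P<threat>.+?) (?P<action>deleted|cleaned by deleting|connection terminated) - quarantined "
    r"(?P<context>.*)$"
)

def parse_events(text):
    """Return one dict per recognised log line; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ev = m.groupdict()
        # "probably unknown ... virus" is the advanced-heuristics naming, not a signature name.
        ev["heuristic"] = ev["threat"].startswith("probably unknown")
        ev["application"] = ev["context"].rsplit("application: ", 1)[-1].rstrip(".")
        events.append(ev)
    return events

def fp_review_candidates(events):
    """Group heuristic-only hits by bare file name (a download's .part suffix stripped),
    so one file seen by several modules is listed once with the modules that fired."""
    groups = {}
    for ev in events:
        if not ev["heuristic"]:
            continue
        name = ev["object"].replace("\\", "/").rsplit("/", 1)[-1]
        if name.endswith(".part"):
            name = name[:-len(".part")]
        groups.setdefault(name, []).append(ev["module"])
    return groups

if __name__ == "__main__":
    for name, modules in fp_review_candidates(parse_events(SAMPLE_LOG)).items():
        print(f"{name}: heuristic detection by {', '.join(modules)}")
```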
     
  15. emailaya

    emailaya Registered Member

    Joined:
    Sep 20, 2008
    Posts:
    33
    Re: false positive - AGAIN

    So even 4033 is not good....

    ESET fixes this and then it reappears... Isn't it time to fix it for good? I can't chase you all the time, and users keep thinking this is a virus while it is not and can't use it until ESET releases a new fix. This is really not a serious way to handle this problem.

    Thank you
     
  16. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,374
    Re: false positive - AGAIN

    The file I've downloaded was not detected. If you have a new version of the application, submit it in a ZIP/RAR archive protected with the password "infected" to samples[at]eset.com. Also enclose the download URL and provide as much information as possible about the program and its purpose.
     
  17. emailaya

    emailaya Registered Member

    Joined:
    Sep 20, 2008
    Posts:
    33
    Re: false positive - AGAIN

    stackz just posted a log of his tests that shows NOD32 does recognize it as a virus (he is not the user I'm talking about, but he is not the only one to report this to me).

    I keep doing this: I send u the file as u request, u fix it, and after a week/month/etc... again it detects it as a false positive. Can u give me a solution that will work for good?

    The file in question is the one that can be downloaded here: http://www.emailaya.com/downloads.php. It's an email application, nothing more. I'm using UPX to compress the exe file; I guess this is the reason for all this, but ESET should handle such cases... no? It's about time it did.

    Sorry about my aggressive response here, but believe me that getting reports that my application is a virus every time is not nice (understatement).
     
  18. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,374
    Re: false positive - AGAIN

    It's already fixed in the update that is currently being distributed to the update servers. I'm not sure if detection can be fixed for future variants, but I'll drop a message to my colleague dealing with samples. If not, just send any newer version that is detected to samples[at]eset.com with "FP" in the subject and we'll whitelist it.
     
  19. emailaya

    emailaya Registered Member

    Joined:
    Sep 20, 2008
    Posts:
    33
    Hi

    I'm developing an application that is constantly detected as a virus (only) by NOD32. As a result, I saw several posts on several forums on the net warning other people against using my application because of that. Needless to say this is a false positive that keeps coming back, but telling that to the users doesn't really sound convincing, even though ESET support confirmed this is the case.

    The solution I was given is to send the new file to them every time I release a new version (before major releases it can be even 1-2 releases in a week), so this solution is not acceptable. A more problematic issue with this is that sometimes, after ESET fixes this issue and new updates of the sig file are released, the file is again falsely detected as a virus. I can't know about it until someone tells me about it; then I need to re-send the file, support examines the file and redistributes a fix for that. All this procedure takes time, and in the meantime these users can't work on it. Moreover, other people (new users) that download the file and use NOD32 are warned of a virus and don't want to use it anymore; some of them post topics on forums warning other users about it, and I don't need to write the consequence of this issue.

    I think that a more elegant solution should be proposed by ESET, especially when ESET admits that this is an engine problem and the file is clean. I expect that a serious company like ESET will solve the problem on their side instead of me needing to update you every time a new version is out (and, as explained, even that is not enough).

    Amos
     
  20. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,374
    As you've been told, your application gains a lot of points for suspicious activity when assessed by advanced heuristics. You were given advice that using a different packer would lower the number of these points so it would be undetected then. Alternatively you can send every newer version to ESET for whitelisting before you release it. That's all we can say on this subject.
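    The advice above turns on the packer: the packed build is what the heuristics score, and the thread's only hard data point is the MD5 danieln posted. The following is an added example, not ESET's or the thread's code, that reads the PE section table by hand (offsets per the PE/COFF format) to report whether a build carries UPX's default section names and records its MD5, so a developer can check exactly what they are shipping before submitting it for whitelisting. The sample images are constructed in memory; a build whose sections were renamed would not be spotted by the name check.

```python
import hashlib
import struct

def build_fake_pe(section_names):
    """Constructed minimal PE: DOS header, PE signature, COFF header with an empty
    optional header, then one 40-byte section header per name. Not loadable; just
    enough structure for the parser below."""
    e_lfanew = 0x40
    dos_header = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    # Machine=i386, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader=0, Characteristics (EXE, 32-bit)
    coff = struct.pack("<HHIIIHH", 0x14C, len(section_names), 0, 0, 0, 0, 0x0102)
    table = b"".join(n.encode("ascii").ljust(8, b"\0") + b"\0" * 32 for n in section_names)
    return dos_header + b"PE\0\0" + coff + table

def section_names(data):
    """Walk DOS header -> e_lfanew -> PE signature -> COFF header -> section table."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    count = struct.unpack_from("<H", data, e_lfanew + 6)[0]       # NumberOfSections
    opt_size = struct.unpack_from("<H", data, e_lfanew + 20)[0]   # SizeOfOptionalHeader
    table = e_lfanew + 24 + opt_size                              # first IMAGE_SECTION_HEADER
    names = []
    for i in range(count):
        raw = data[table + 40 * i: table + 40 * i + 8]
        names.append(raw.split(b"\0", 1)[0].decode("ascii", "replace"))
    return names

def looks_upx_packed(names):
    """UPX's default section names are UPX0/UPX1 (plus .rsrc); a renamed build escapes this."""
    return any(n.upper().startswith("UPX") for n in names)

def describe(data):
    """What to record in a whitelisting request: hash, section layout, packer guess."""
    names = section_names(data)
    return {"md5": hashlib.md5(data).hexdigest(), "sections": names, "upx": looks_upx_packed(names)}

if __name__ == "__main__":
    for label, names in (("packed", ["UPX0", "UPX1", ".rsrc"]),
                         ("plain", [".text", ".rdata", ".data", ".rsrc"])):
        print(label, describe(build_fake_pe(names)))
```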
     
  21. emailaya

    emailaya Registered Member

    Joined:
    Sep 20, 2008
    Posts:
    33
    I was told not to use a packer at all, and I surely want/need to use it. I was also told that the packer I'm using is considered the most clean/safe packer, so using a different one won't get me where I want.

    2 things:
    1) If your engine has a problem with this packer, fix the problem. U admit that this packer is ok, u admit my application is ok, and still you have a problem with it, and the problem is ONLY with NOD32.

    2) I asked for information to know what causes those extra points you wrote about here and u refused to tell me. So u don't even give ME a chance to try to fix the problem. You consider your solutions serious? I don't.

    Your 2 solutions sound to me like: you are ok, we think you are bad but we won't tell u why, deal with it. NOT serious.

    Bugs and problems should be fixed by the developers of the application itself, especially when we are talking about antiviruses that need to be extra careful. Reading on forums that a clean application should not be used because it contains a virus is not a nice thing to read when u r the developer of such an application.
     
  22. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,374
    In such a case, the only solution is to send every newer version to ESET as you've been instructed. This is my last answer on this subject as everything has been said and explained and you were given all options for how to solve the problem. Amen.
     
  23. CivilTaz

    CivilTaz Registered Member

    Joined:
    Nov 19, 2008
    Posts:
    146
    That's why I love Eset support, u really care about ur customers. It's not the first time that a developer makes an application that is only detected by NOD32; funny thing is, when it comes to a real virus, NOD32 fails many times, or it detects it after a long time. If u say that it's a problem with the packer, then why don't other AVs detect it? And for sure u'll never answer that.

    Hey emailaya, they will never help u here. This reminds me of an old thread with the same problem as yours; sad to say, it didn't have a happy end, just like here. If u wanna see it, here it is: https://www.wilderssecurity.com/showthread.php?t=223391

    And don't forget to say thx to Marcos for the "great" help he gives u. :thumbd:
     
  24. emailaya

    emailaya Registered Member

    Joined:
    Sep 20, 2008
    Posts:
    33
    Yet another email I got....

    Here is an email I got to show that this method doesn't prove itself: I sent the file over 24 hours ago and still it detects it as a virus (false positive). So can I have a better solution to handle YOUR problem?

    I can tell him it's a false positive; do you think he will believe me? I don't think so. Maybe you can tell him that?

    I can tell him to wait for you to fix it (as I told him previously), but it just means that the next version I release will again be blocked for no good reason...

    I just lost another potential customer that could have bought my application. Will you pay me compensation for that?

    {Email contents snipped - Blue}
     
    Last edited by a moderator: Jun 14, 2009
  25. Cudni

    Cudni Global Moderator

    Joined:
    May 24, 2009
    Posts:
    6,956
    Location:
    Somethingshire