False Positive Strangeness + Question

Discussion in 'ESET NOD32 Antivirus' started by KFBeaker, Nov 25, 2007.

Thread Status:
Not open for further replies.
  1. KFBeaker

    KFBeaker Registered Member

    Joined:
    Nov 9, 2007
    Posts:
    33
    Original file name thcl.exe
    Location C:\Program Files\TrojanHunter 5.0

    During an automated trojan scan, (and likely part of how Trojanhunter operates) thlc.exe created C:\Windows\TEMP\vzw.exe. Vzw.exe then triggered NOD32 v3 Real time Protection module.

    NOD32 v3 indicated - Detected as "probably unknown STEALTH.POLY.CRYPT.TSR.DRIVER virus"

    IMPORTANT: Each time Trojanhunter's automated / scheduled scan is run thlc.exe creates a file OF A DIFFERENT NAME in the C:\Windows\TEMP folder.
    As such the flagged file in the above report, vzw.exe, was simply one possibly randomly generated file name created by Trojanhunter during it's scan process.
    To clarify, ESET may want to focus more on the thlc.exe automated Trojan scan application and not focus so much on the file name being created in the TEMP folder as it seems Trojanhunter is creating files of random names. And it is those random named files that are setting off NOD32 v3

    As the flagged file, vzw.exe was submitted to ESET for analysis. But I fear it will turn up nothing and be useless in adding the file to a FP database since thlc.exe (Trojanhunter) is the source of the problem / FP bug.



    How should I report this to ESET?

    Where do I send the report to?
     
  2. SteveBlanchard

    SteveBlanchard Registered Member

    Joined:
    Nov 4, 2007
    Posts:
    312
    Location:
    ENGLAND
    https://www.wilderssecurity.com/archive/index.php/t-65214.html that will give you the work around, as it is a FP. You could also see if excluding TrojanHunter has any effect.
     
  3. KFBeaker

    KFBeaker Registered Member

    Joined:
    Nov 9, 2007
    Posts:
    33
    Thanks you SB!
     
    Last edited: Nov 25, 2007
  4. KFBeaker

    KFBeaker Registered Member

    Joined:
    Nov 9, 2007
    Posts:
    33
    One thing I think may be significant for someone at ESET to know.

    A manual scan by TH uses the file Trojanhunter.exe
    An automated scheduled scan by TH uses the file thlc.exe

    A manual scan by TH never sets off a NOD32 FP.
    An automated / scheduled scan by TH does set off a NOD32 FP.

    TH v5.0 was just released in September. It was the first version of TH that offered scheduled scans as part of the application (no need to manually set from Windows Task Scheduler.)

    Thus, it seems to me possible that NOD32 "definitions" know trojanhunter.exe as a major application and it is allowed. But this new thlc.exe TH scanning module is as of yet unknown to the guys at ESET. Maybe?
     
  5. KFBeaker

    KFBeaker Registered Member

    Joined:
    Nov 9, 2007
    Posts:
    33
    Excluding thlc.exe is ineffective. ESET real time protection still throwing up the red flag. Again, I think it's because it is not TH that is being flagged, but rather NOD32 is flagging the randomly named .exe files TH is creating. And of course it is not possible to exclude every possible randomly generated file name.

    I have to say I am not happy about being stuck with manual scans only for TH, but if that's what has to be done - so be it.

    One last thing I want to try. Will report back.
     
  6. SteveBlanchard

    SteveBlanchard Registered Member

    Joined:
    Nov 4, 2007
    Posts:
    312
    Location:
    ENGLAND
    Could you add Nod to TH's Excluded list?
     
  7. dgosling

    dgosling Registered Member

    Joined:
    Feb 12, 2004
    Posts:
    7
    I added thcl.exe to the exclusion list in nod32 for AMON the file system monitor and it has stopped the false positives. Hope this helps.
     
  8. KFBeaker

    KFBeaker Registered Member

    Joined:
    Nov 9, 2007
    Posts:
    33
    I haven't seen AMON since v2.7. Can you tell me step by step what you do so I can give it a try?
     
Thread Status:
Not open for further replies.