False Positive - WikidPad Software

Discussion in 'ESET NOD32 Antivirus' started by Snarkers, Aug 29, 2008.

Thread Status:
Not open for further replies.
  1. Snarkers

    Snarkers Registered Member

    Joined: Aug 27, 2008
    Posts: 7
    False Positive Notification - Software at the location --

    ~Link removed. No links to possible malware please. ESET has access to the link for perusal. - Ron~

    -- is being flagged as a variant of Win32/Adware.Antivirus2008.

    I'm very glad that ESET is trying to target this particular malodorous malware, but the software at that site is a truly outstanding Open Source contribution and is in no way malware. I notified the author and told him that I was also notifying ESET. (The software was submitted to ESET through the AV interface.)
     
    Last edited by a moderator: Aug 29, 2008
  2. Snarkers

    Snarkers Registered Member

    Joined: Aug 27, 2008
    Posts: 7
    I understand. I forgot the proscription. The link, however, was to the home page rather than directly to the files.

    Believe me, the stuff at that location is NOT malware.

    But I do understand. Sorry.
     
  3. Marcos

    Marcos Eset Staff Account

    Joined: Nov 22, 2002
    Posts: 14,374
    I've just installed it, but my ESS remained silent and didn't alert me on any files. If you suspect a particular file to be FP, compress it with WinRAR, protect the archive with the password "infected" and send it to samples[at]eset.com with "False positive" in the subject and further information, such as the url to the file enclosed as well.
     
  4. Snarkers

    Snarkers Registered Member

    Joined: Aug 27, 2008
    Posts: 7
    Hi, Marcos.

    That's very interesting. I got the response I mentioned on every ...exe.zip file I downloaded from that site. They were quarantined before I could open and examine them.

    I contacted Michael Butscher, the current maintainer of the project, and he suggested downloading a non-zipped version that he maintains for download at another location. The beta and rc versions (same as at the main site) that I downloaded there were not archived in a ZIP file, and they did NOT trigger NOD32.

    I have my settings maxed out for real-time protection and Web access. Perhaps something in there is causing NOD32 to be paranoid about executables contained within ZIP archives?

    I had already deleted the files from quarantine. I'll go collect them again and send them to ESET as you suggested.

    Thank you.
     
  5. Snarkers

    Snarkers Registered Member

    Joined: Aug 27, 2008
    Posts: 7
    Sorry, but I tried removing these two files from quarantine. I turned off real-time protection, tried to unzip it so that I would archive with WinRAR, but I couldn't unarchive it. It is apparently a damaged archive -- whether it is damaged at the download source or gets damaged during the download / quarantine processes I cannot determine.

    ronjor said that the location was available to ESET for perusal. I can't send it. If ESET is interested, I guess they'll get the files.

    Did you download WikidPad from the location I posted (and which ronjor removed), or from some other location? Today I go there with a Vista SP1 system, and NOD32 won't let the file get saved to the system at all -- not even in quarantine. Yesterday I was using a WinXP SP3 system from work.
     
  6. Snarkers

    Snarkers Registered Member

    Joined: Aug 27, 2008
    Posts: 7
    I removed version 3.0.672.0 from my wife's personal system, and from mine. It was still showing WikidPad links as being malware. Version 3.70.39 of NOD32 does not. Back to version 2 for us. I've tried version 3 more times than I care to remember. I can't see any reason to bother with it any more.
     