False Positive - WikidPad Software

Discussion in 'ESET NOD32 Antivirus' started by Snarkers, Aug 29, 2008.

Thread Status:
Not open for further replies.
  1. Snarkers, Registered Member (Joined: Aug 27, 2008; Posts: 7)

    False Positive Notification - Software at the location --

    ~Link removed. No links to possible malware please. ESET has access to the link for perusal. - Ron~

    -- is being flagged as a variant of Win32/Adware.Antivirus2008.

    I'm very glad that ESET is trying to target this particular malodorous malware, but the software at that site is a truly outstanding Open Source contribution and is in no way malware. I notified the author and told him that I was also notifying ESET. (The software was submitted to ESET through the AV interface.)
     
    Last edited by a moderator: Aug 29, 2008
  2. Snarkers, Registered Member (Joined: Aug 27, 2008; Posts: 7)

    I understand. I forgot the proscription. The link, however, was to the home page rather than directly to the files.

    Believe me, the stuff at that location is NOT malware.

    But I do understand. Sorry.
     
  3. Marcos, Eset Staff Account (Joined: Nov 22, 2002; Posts: 14,411)

    I've just installed it, but my ESS remained silent and didn't alert me on any files. If you suspect a particular file to be FP, compress it with WinRAR, protect the archive with the password "infected" and send it to samples[at]eset.com with "False positive" in the subject and further information, such as the URL to the file, enclosed as well.
     
  4. Snarkers, Registered Member (Joined: Aug 27, 2008; Posts: 7)

    Hi, Marcos.

    That's very interesting. I got the response I mentioned on every ...exe.zip file I downloaded from that site. They were quarantined before I could open and examine them.

    I contacted Michael Butscher, the current maintainer of the project, and he suggested downloading a non-zipped version that he maintains for download at another location. The beta and rc versions (same as at the main site) that I downloaded there were not archived in a ZIP file, and they did NOT trigger NOD32.

    I have my settings maxed out for real-time protection and Web access. Perhaps something in there is causing NOD32 to be paranoid about executables contained within ZIP archives?

    I had already deleted the files from quarantine. I'll go collect them again and send them to ESET as you suggested.

    Thank you.
     
  5. Snarkers, Registered Member (Joined: Aug 27, 2008; Posts: 7)

    Sorry, but I tried removing these two files from quarantine. I turned off real-time protection, tried to unzip it so that I would archive with WinRAR, but I couldn't unarchive it. It is apparently a damaged archive -- whether it is damaged at the download source or gets damaged during the download / quarantine processes I cannot determine.

    ronjor said that the location was available to ESET for perusal. I can't send it. If ESET is interested, I guess they'll get the files.

    Did you download WikidPad from the location I posted (and which ronjor removed), or from some other location? Today I go there with a Vista SP1 system, and NOD32 won't let the file get saved to the system at all -- not even in quarantine. Yesterday I was using a WinXP SP3 system from work.
     
  6. Snarkers, Registered Member (Joined: Aug 27, 2008; Posts: 7)

    I removed version 3.0.672.0 from my wife's personal system, and from mine. It was still showing WikidPad links as being malware. Version 3.70.39 of NOD32 does not. Back to version 2 for us. I've tried version 3 more times than I care to remember. I can't see any reason to bother with it any more.
     