False positive? Win32/RAdmin.22 application

Discussion in 'NOD32 version 2 Forum' started by dsi-ap, Mar 7, 2007.

Thread Status:
Not open for further replies.
  1. dsi-ap

    dsi-ap Registered Member

    Joined:
    Jul 4, 2005
    Posts:
    118
    Location:
    UK
    Hi all,

    Any way to avoid this from happening?

    This is a false positive, rAdmin is used on the PC to remote onto servers.
     
  2. Blackspear

    Blackspear Global Moderator

    Joined:
    Dec 2, 2002
    Posts:
    15,115
    Location:
    Gold Coast, Queensland, Australia
    Exclude that application in AMON

    or

    AMON> Setup> Options

    Remove the tick from "Potentially unsafe applications".

    Cheers :D
     
  3. kjempen

    kjempen Registered Member

    Joined:
    May 6, 2004
    Posts:
    379
    This is not a false positive. These days, antiviruses protect you from a lot more than just viruses (file-infectors). Antiviruses may protect you from the following (including viruses/file-infectors): trojans, worms, spyware, adware and potentially harmful applications or applications that may be used in a harmful way (such as rAdmin in your case); NOD32 is telling you that it is an application and not a virus or trojan or anything like that.
     
  4. mrtwolman

    mrtwolman Eset Staff Account

    Joined:
    Dec 5, 2002
    Posts:
    613
    Potentially unsafe applications are commercial programs which might be exploited for malicious purposes, etc. (e.g. tools for remote access and administration). They could be legitimate applications with dual-use capability.
     
  5. RushB

    RushB Registered Member

    Joined:
    Jul 28, 2006
    Posts:
    10
    Ok,

    I have tried everything I know of to keep Radmin from being deleted. I have r_server.exe in \Windows\system32. I have added it to the exclusion list in Amon, pushed that out, still it catches it and removes it every time. So I added the filename without the path, same thing. Potentially unsafe is unchecked in Amon.

    How can I stop NOD32 from removing r_server.exe? o_O

    Just used Remote Administrator Console to check it one last time, it's set right, but it continually removes that file.

    Thanks,
    RushB
     
  6. Blackspear

    Blackspear Global Moderator

    Joined:
    Dec 2, 2002
    Posts:
    15,115
    Location:
    Gold Coast, Queensland, Australia
    Hi RushB, what version are you using, and do you have "potentially unsafe applications" ticked in the profile? This needs to be unticked.

    Cheers :D
     
  7. RushB

    RushB Registered Member

    Joined:
    Jul 28, 2006
    Posts:
    10
    Nope, it's not ticked. I am running 2.70.32 throughout our school district.
     

    Attached Files: Log.txt (52.3 KB)
    Last edited by a moderator: Mar 23, 2007
  8. Greg Jones

    Greg Jones Registered Member

    Joined:
    Aug 15, 2005
    Posts:
    3
    We have the same problem. Radmin is excluded but I get the following detected:

    C:\WINDOWS\SYSTEM32\r_server.exe::$DATA
    C:\WINDOWS\SYSTEM32\admdll.dll::$DATA

    Sounds like the NTFS alternate stream to me.

    I tried to add it to the exclude list but it didn't like it. :)

    I really do not want to disable the "Potentially unsafe apps" option and we use RADMIN throughout our business.

    Any ideas?

    Greg.
     
  9. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,374
    Potentially unsafe applications cover ONLY commercial programs (mostly remote administration tools) that might be exploited. Theoretically we should also detect ftp.exe, which is a part of Windows :) Potentially unsafe apps should remain disabled in a network environment.
     