False positive?

Time Module Object Name Threat Action User Information
7-10-2005 9:26:51 Kernel file C:\Program Files\Tall Emu\Online Armor\OnlineArmor.exe probably unknown NewHeur_PE virus


This is what NOD is saying about the latest build (287) of Online Armor. I guess that is false.

 

Scan the file on Jotti's and see the result.

 

Indeed it is, please submit this file to Eset so they can fix this FP.

Cheers

 

I thought when NOD said "probably unknown new......" that it was a detection by the heuristics....not by signatures.

So how do you go about fixing a false positive heuristic detection

 

That's a good question

Blackspear: I have the netsence on, so they should already have it...

 

Maybe, signatures also includes a false positive list.

 

Not maybe, but signatures DO contain false positives, too..

 

Excellent to see

Cheers

 

The maker of OA has sent Eset mail about this too, a few days ago. He is still waiting for an answer. I find that amazing.

 

Strange, I tested the latest version from the vendor's website and this is the result:

 

No, the builds that NOD32 incorrectly heuristically identify as a virus are the latest (non-public) beta builds of Online Armor.

In any case, since the actual files mis-identified by NOD32 have been sent to Eset via ThreatSense.Net (my copy of NOD32 has done this, and I know of others' that have also done so), I am somewhat surprised by Marcos' claim about him downloading 'the latest version' from the vendor's website. This is quite unnecessary, and a waste of time.

I sincerely hope that this is not a case of Eset dragging its feet in fixing the false positive on a competitor's product.

 

Well that's what his screenshot substantiates.

Not if you want the problem fixed, and no doubt that Marcos is now aware that it is TE's Beta that is the issue it should be resolved very quickly.

Cheers

 

I know that, but I obviously wan't clear - I am questioning why he did that. The whole point of Eset's ThreatSense.net is that the files necessary are sent automatically to Eset. There was no need for Marcos to download anything (especially the wrong file, as he did), as he (Eset) already have the correct files.

I hope you're right. It looks like you might not be, however. We'll see.

 

I think it was good that Marcos noted the latest public version didn't have a problem.

It wasn't at all clear to me, from the first posts, that this was only a problem with a "non-public beta build"

 

I did not include the build number for nothing