False positive?

Discussion in 'NOD32 version 2 Forum' started by Edwin024, Oct 7, 2005.

Thread Status:
Not open for further replies.
  1. Edwin024

    Edwin024 Registered Member

    Joined:
    Nov 14, 2004
    Posts:
    1,000
    Time Module Object Name Threat Action User Information
    7-10-2005 9:26:51 Kernel file C:\Program Files\Tall Emu\Online Armor\OnlineArmor.exe probably unknown NewHeur_PE virus


    This is what NOD is saying about the latest build (287) of Online Armor. I guess that is false.
     
  2. pykko

    pykko Registered Member

    Joined:
    Apr 27, 2005
    Posts:
    2,236
    Location:
    Romania...and walking to heaven
    Scan the file on Jotti's and see the result. ;)
     
  3. Blackspear

    Blackspear Global Moderator

    Joined:
    Dec 2, 2002
    Posts:
    15,115
    Location:
    Gold Coast, Queensland, Australia
    Indeed it is, please submit this file to Eset so they can fix this FP.

    Cheers :D
     
  4. GuruGuy

    GuruGuy Registered Member

    Joined:
    Jun 18, 2005
    Posts:
    48
    I thought when NOD said "probably unknown new......" that it was a detection by the heuristics....not by signatures.

    So how do you go about fixing a false positive heuristic detection? o_O
     
  5. Edwin024

    Edwin024 Registered Member

    Joined:
    Nov 14, 2004
    Posts:
    1,000
    That's a good question :)

    Blackspear: I have the netsence on, so they should already have it...
     
  6. berng

    berng Registered Member

    Joined:
    Sep 11, 2005
    Posts:
    246
    Location:
    NJ, USA
    Maybe signatures also include a false positive list.
     
  7. fosius

    fosius Registered Member

    Joined:
    Oct 14, 2004
    Posts:
    479
    Location:
    Partizanske, Slovakia
    Not maybe, but signatures DO contain false positives, too..
     
  8. Blackspear

    Blackspear Global Moderator

    Joined:
    Dec 2, 2002
    Posts:
    15,115
    Location:
    Gold Coast, Queensland, Australia
    Excellent to see :D

    Cheers :D
     
  9. Edwin024

    Edwin024 Registered Member

    Joined:
    Nov 14, 2004
    Posts:
    1,000
    The maker of OA has sent Eset mail about this too, a few days ago. He is still waiting for an answer. I find that amazing.
     
  10. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,374
    Strange, I tested the latest version from the vendor's website and this is the result:
     

    Attached Files: oa.JPG (16.5 KB)
  11. spm

    spm Registered Member

    Joined:
    Dec 9, 2002
    Posts:
    437
    Location:
    U.K.
    No, the builds that NOD32 incorrectly heuristically identify as a virus are the latest (non-public) beta builds of Online Armor.

    In any case, since the actual files mis-identified by NOD32 have been sent to Eset via ThreatSense.Net (my copy of NOD32 has done this, and I know of others' that have also done so), I am somewhat surprised by Marcos' claim about him downloading 'the latest version' from the vendor's website. This is quite unnecessary, and a waste of time.

    I sincerely hope that this is not a case of Eset dragging its feet in fixing the false positive on a competitor's product.
     
  12. Blackspear

    Blackspear Global Moderator

    Joined:
    Dec 2, 2002
    Posts:
    15,115
    Location:
    Gold Coast, Queensland, Australia
    Well that's what his screenshot substantiates.


    Not if you want the problem fixed, and no doubt, now that Marcos is aware that it is TE's Beta that is the issue, it should be resolved very quickly.

    Cheers :D
     
  13. spm

    spm Registered Member

    Joined:
    Dec 9, 2002
    Posts:
    437
    Location:
    U.K.
    I know that, but I obviously wasn't clear - I am questioning why he did that. The whole point of Eset's ThreatSense.net is that the files necessary are sent automatically to Eset. There was no need for Marcos to download anything (especially the wrong file, as he did), as he (Eset) already have the correct files.

    I hope you're right. It looks like you might not be, however. We'll see.
     
  14. Stan999

    Stan999 Registered Member

    Joined:
    Sep 27, 2002
    Posts:
    566
    Location:
    Fort Worth, TX USA
    I think it was good that Marcos noted the latest public version didn't have a problem.

    It wasn't at all clear to me, from the first posts, that this was only a problem with a "non-public beta build".
     
  15. Edwin024

    Edwin024 Registered Member

    Joined:
    Nov 14, 2004
    Posts:
    1,000
    I did not include the build number for nothing ;)
     