false positives at Ecoustics.com

Discussion in 'NOD32 version 2 Forum' started by alglove, Sep 20, 2006.

Thread Status:
Not open for further replies.
  1. alglove

    alglove Registered Member

    Joined:
    Jan 17, 2005
    Posts:
    904
    Location:
    Houston, Texas, USA
    I have encountered problems when reading certain reviews posted at the Ecoustics.com website. In particular, whenever I try to read any review that comes to Ecoustics from "Secrets of Home Theater and High Fidelity" magazine ( http://www.hometheaterhifi.com ), I am bombarded with JS/TrojanDropper.Tivso.gen and TrojanDownloader.Tivso.gen messages, and I am unable to read the review.

    I am pretty sure this is a false positive, because I uploaded copies of the webpages to Jotti's and VirusTotal, and they came out clean with all the other scanners. Also, if I look at the reviews directly from http://www.hometheaterhifi.com , they are fine. It seems to be the combination of the Hometheaterhifi.com review embedded within the Ecoustics.com webpage that causes the problem.

    In accordance with forum policy, I have not posted a link to one of these reviews (though I will do so at a moderator's request). I have submitted a quarantined sample to Eset for review, with a link in the description. If anyone could look into this, that would be great.
     
  2. Brian N

    Brian N Registered Member

    Joined:
    Jul 7, 2005
    Posts:
    2,148
    Location:
    Denmark
    Because it has something to do with a support/analysis request, you may post a non-clickable link (hxxp://).
     
    Last edited: Sep 20, 2006
  3. alglove

    alglove Registered Member

    Joined:
    Jan 17, 2005
    Posts:
    904
    Location:
    Houston, Texas, USA
    Thanks, Brian! Here are a couple of non-clickable links. I have problems with the first link, but not the second. See if anyone else has the same problem...

    hxxp://www.ecoustics.com/secrets/volume_13_3/arcam-solo-8-2006.html
    hxxp://www.hometheaterhifi.com/volume_13_3/arcam-solo-8-2006.html
     
  4. Blackspear

    Blackspear Global Moderator

    Joined:
    Dec 2, 2002
    Posts:
    15,115
    Location:
    Gold Coast, Queensland, Australia
    Yeah NOD32 lights up like a Christmas tree :blink: ;) :D

    Will have to wait for Marcos to come along and analyse it.

    Cheers :D
     
  5. Brian N

    Brian N Registered Member

    Joined:
    Jul 7, 2005
    Posts:
    2,148
    Location:
    Denmark
    And here's a virustotal scan of the file. As you can see, only NOD32 detects it.
    Guess we'll have to wait for Marcos :)

    And I also forgot you already did that, my bad :p
     

    Attached Files: asd.JPG
  6. pykko

    pykko Registered Member

    Joined:
    Apr 27, 2005
    Posts:
    2,236
    Location:
    Romania...and walking to heaven
    mmm.... I've seen the fireworks too. :D It's a heuristic detection as I see (.gen) and I think it will be fixed soon.
     
  7. ASpace

    ASpace Guest

    Don't be so sure, pykko!
    I have seen lots of examples (real and screenshots from VirusTotal) with real malware which only NOD32 (or NOD32 + a few others) detect. This can be just one example.

    By the way, already submitted to ESET labs and Support! :thumb:
     
  8. pykko

    pykko Registered Member

    Joined:
    Apr 27, 2005
    Posts:
    2,236
    Location:
    Romania...and walking to heaven
    it has been fixed. NO warning here. :)

    EDIT: It seems not. On the first page I still get the warning. :(
     
  9. ASpace

    ASpace Guest

    Buddy, as I said, they are already submitted and they will decide if it is a real threat :D :D ;) Will inform you if I receive any reply :)
     
  10. NOD32 user

    NOD32 user Registered Member

    Joined:
    Jan 23, 2005
    Posts:
    1,766
    Location:
    Australia
    It seems to be triggered because the first 19 characters are <html><head><title> and there is .com before the </title> tag.

    Looks like a probable FP IMHO since nothing else in the document causes detection but it is not my place here to say that it is or isn't actually safe.

    Cheers :)
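As an added illustration (not code from the thread, from ESET or from either website), the trigger condition described in the post above, reproduced as a function and run over constructed sample pages to show why such a rule fires on a benign review page and not on the same page served directly; the sample pages and the exact matching rule are assumptions inferred from the post.

```python
from typing import Optional

# The first 19 characters the post names as the trigger prefix.
PREFIX = "<html><head><title>"


def title_of(html: str) -> Optional[str]:
    """Return the text between the first <title> and </title>, or None."""
    start = html.find("<title>")
    end = html.find("</title>", start)
    if start < 0 or end < 0:
        return None
    return html[start + len("<title>"):end]


def tivso_like_trigger(html: str) -> bool:
    """Assumed reconstruction of the rule: the page must start with the
    19-character prefix AND contain '.com' somewhere before </title>.
    Keying on boilerplate HTML plus a common TLD is why it over-matches."""
    if not html.startswith(PREFIX):
        return False
    end = html.find("</title>")
    if end < 0:
        return False
    return ".com" in html[:end]


# Constructed samples (not the real pages). The first mimics a review
# embedded in another site whose title credits the source's .com domain;
# the second is the same markup preceded by a DOCTYPE, so the prefix no
# longer sits at byte 0; the third has no '.com' in its title.
EMBEDDED_REVIEW = ("<html><head><title>Arcam Solo review - hometheaterhifi.com"
                   "</title></head><body>review text</body></html>")
WITH_DOCTYPE = "<!DOCTYPE html>\n" + EMBEDDED_REVIEW
PLAIN_TITLE = ("<html><head><title>Arcam Solo review</title></head>"
               "<body>review text</body></html>")


def run_samples() -> dict:
    """Evaluate the assumed rule over the three constructed pages."""
    return {name: tivso_like_trigger(page) for name, page in
            (("embedded", EMBEDDED_REVIEW), ("doctype", WITH_DOCTYPE),
             ("plain", PLAIN_TITLE))}


if __name__ == "__main__":
    for name, hit in run_samples().items():
        print(f"{name}: {'TRIGGERS' if hit else 'clean'}")
```

Only the embedded sample trips the rule, which is consistent with the thread's observation that the same review read directly from the source site does not trigger the detection.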
     
  11. alglove

    alglove Registered Member

    Joined:
    Jan 17, 2005
    Posts:
    904
    Location:
    Houston, Texas, USA
    That's OK. I was just thinking, "Maybe I should have put up some screenshots," but then you did them all for me. Thanks! :D
     