False Positive?

Discussion in 'ESET NOD32 Antivirus' started by acooldozen, Jul 1, 2009.

Thread Status:
Not open for further replies.
  1. acooldozen

    acooldozen Registered Member

    Joined: Oct 16, 2005
    Posts: 218
    Location: White Rock, BC, Canada
    Eset is coming up with the following.............

    01/07/2009 1:53:41 PM Real-time file system protection file D:\autorun.inf INF/Autorun virus PAIROFHEARTS\Compaq_Administrator Event occurred during an attempt to access the file by the application: C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe.

    01/07/2009 3:02:21 PM Real-time file system protection file D:\autorun.inf INF/Autorun virus deleted - quarantined PAIROFHEARTS\Compaq_Administrator Event occurred during an attempt to access the file by the application: C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe.
     


  2. agoretsky

    agoretsky Eset Staff Account

    Joined: Apr 4, 2006
    Posts: 4,032
    Location: California
    Hello,

    Why do you suspect this is a false positive alarm?

    From looking at the report, it appears that MalwareBytes Anti Malware is attempting to access D:\AUTORUN.INF and ESET NOD32 Antivirus is blocking the access because it has detected a threat in it.

    If the D: drive does indeed contain an AUTORUN.INF-deployed piece of malware then this is the correct, expected behavior from ESET NOD32 Antivirus.

    Regards,

    Aryeh Goretsky
     
  3. acooldozen

    acooldozen Registered Member

    Joined: Oct 16, 2005
    Posts: 218
    Location: White Rock, BC, Canada
    I don't suspect it is a false positive, but rather am asking if it might be a false positive. Here is what MBAM has to offer.......

    I think I know what is going on here, but it is complicated to explain.
    The file C:\autorun.inf was part of a previously removed infection on this system (it is just a load point, it is not actually malware).
    Malwarebytes reads the file contents as part of our scan.
    As the file contents are read ESET sees them as well and a protection alert is triggered.

    In any event I would simply delete C:\autorun.inf and this should solve all problems.

    --------------------
    Bruce Harrison
    Malwarebytes Lead Researcher


    et tu Brute??
     
    Last edited: Jul 1, 2009
  4. agoretsky

    agoretsky Eset Staff Account

    Joined: Apr 4, 2006
    Posts: 4,032
    Location: California
    Hello,

    It could be a remnant that is left over from an already removed infection.

    Regards,

    Aryeh Goretsky
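
The remnant scenario raised in the replies above, as an added example that is not part of the original thread and is not ESET or Malwarebytes code: a Python check that parses an autorun.inf and reports whether any program it launches still exists on the drive. The sample file contents and the names `launch_targets`, `classify` and `demo` are constructed for illustration.

```python
import ntpath
import os
import tempfile

# Constructed sample, not the file from the thread.
SAMPLE_INF = """\
[autorun]
open=folder\\sample.exe -s
shell\\open\\command="folder\\sample.exe" /quiet
icon=%SystemRoot%\\system32\\shell32.dll,4
"""

def launch_targets(inf_text):
    """Programs named by open=, shellexecute= and shell\\<verb>\\command= in [autorun]."""
    targets, in_autorun = [], False
    for line in (raw.strip() for raw in inf_text.splitlines()):
        if line.startswith("["):
            in_autorun = line.lower() == "[autorun]"
        elif in_autorun and "=" in line and not line.startswith(";"):
            key, value = (part.strip() for part in line.split("=", 1))
            key = key.lower()
            if key in ("open", "shellexecute") or (
                    key.startswith("shell\\") and key.endswith("\\command")):
                # Keep the program path only: honour a quoted path, drop arguments.
                program = (value[1:].split('"', 1)[0] if value.startswith('"')
                           else (value.split() or [""])[0])
                if program and program not in targets:
                    targets.append(program)
    return targets

def classify(drive_root, inf_text):
    """(verdict, targets on disk); targets resolve under drive_root, drive letters ignored."""
    present = []
    for target in launch_targets(inf_text):
        tail = ntpath.splitdrive(target)[1].replace("/", "\\")
        parts = [p for p in tail.split("\\") if p not in ("", ".", "..")]
        if parts and os.path.isfile(os.path.join(drive_root, *parts)):
            present.append(target)
    return ("live" if present else "remnant"), present

def demo():  # empty drive root first, then with the target file present
    with tempfile.TemporaryDirectory() as root:
        before = classify(root, SAMPLE_INF)
        os.mkdir(os.path.join(root, "folder"))
        open(os.path.join(root, "folder", "sample.exe"), "wb").close()
        return before, classify(root, SAMPLE_INF)

if __name__ == "__main__":
    print(demo())
```

A `remnant` verdict matches the case described in the thread, where the load point is left behind but the program it pointed to is gone; `live` means a referenced file is still on the drive and should be scanned before the autorun.inf is deleted.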
     