How accurate is NOD32 AH?

Discussion in 'NOD32 version 2 Forum' started by rerun2, Jun 16, 2004.

Thread Status:
Not open for further replies.
  1. rerun2

    rerun2 Registered Member

    Joined:
    Aug 27, 2003
    Posts:
    338
    I have heard a lot about NOD32 detecting new/unknown malware through its Advanced Heuristics feature. Does it cause many false positives?
     
  2. Mele20

    Mele20 Former Poster

    Joined:
    Apr 29, 2002
    Posts:
    2,495
    Location:
    Hilo, Hawaii
    It's been giving me a headache. AMON thinks a program I have is infected. It is a false positive. Last night I noticed, just as I was falling asleep at 3:30AM, that there was a light on in my living room. It was my monitor which had been in "active off" that had turned itself on because AMON found a "virus" in system restore and was alerting me and waiting for me to indicate what action to take. It was alerting to this program which does NOT have a virus in it!

    I am using the beta and I may not have it set up in the best manner yet, plus, this is a beta and therefore is bound to have problems. (I got warnings in setting up for AMON to use AH and for AH use in scanning using the context menu profile so the way I set it may not be optimal and if I set it differently perhaps this problem will not occur). I was not running a scheduled scan when this occurred. AMON alerted and AMON, in the beta, is using AH. Eset knows this is a false positive and told me a couple of weeks ago that it would be fixed in the beta...but I just got this beta last night and it is still alerting to this program and identifying it as:
    6/16/2004 3:35:02 AM AMON file C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP277\A0039744.exe probably unknown NewHeur_PE virus quarantined NT AUTHORITY\SYSTEM

    This is not the only false positive I am seeing with the beta and the use of AH by AMON. I don’t use IMON so I don’t know if it produces a lot of false positives or not in email scanning. I haven't seen any posts here though complaining about that so I would think that IMON doesn't produce many false positives. As for HTTP scanning, it is new (in the beta) and I used it briefly only.

    My NOD32 on demand scanner is also seeing false positives now that it scans using AH if you set it to do so. I don’t mind some false positives as long as the number is fairly low. What I do mind though is AMON popping up an alert box on my monitor which made it turn on in the middle of night! If I had not seen the light before I fell asleep, the monitor would have never gone back to active off because the AMON box would keep it from going into power saving mode. That is bad! Why AMON was looking at that folder, in system restore, at that time is a mystery to me. I thought perhaps XP was making a restore point and AMON caught it but there was no restore point made at the time AMON alerted.

    I think we will have to wait and see how the beta performs (and if different settings make a real difference in alerts for false positives) and wait for the final version before we can draw any useful conclusions about false positives and AH. As I said, my experience may be because I don't have the settings optimal.
     
  3. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,374
    Mele, please submit any files you think are false positives to samples@nod32.com. We will certainly remedy them ASAP and your monitor will not wake you up at midnight any more :-]
     
  4. Mele20

    Mele20 Former Poster

    Joined:
    Apr 29, 2002
    Posts:
    2,495
    Location:
    Hilo, Hawaii
    Marcos, I submitted a sample on May 30 and got this reply on May 31 (very fast response which was nice):

    Hello Mele,

    the file "fdiag.exe" doesn't contain any virus or malware. Don't worry,
    this is just a false alarm. We'll fix it in the next update.

    Thank you for your cooperation.

    Best regards,

    Juraj Mikula
    ESET s. r. o.

    ----- Original Message -----
    From: "Melelina" <MelelinaW@hawaii.rr.com>
    To: "Eset" <samples@nod32.com>
    Sent: Sunday, May 30, 2004 11:55 AM
    Subject: virus [TRACK#40B9B1D433CD]


    > Password is "pass" without the quotes.
    >
    > Scan performed at: 5/29/2004 23:24:30 PM
    > Scanning Log
    > NOD32 version 1.777 (20040528) NT
    > Command line: /ah /all /shext C:\Program Files\FreshDevices\FreshDiagnose
    > Operating memory - is OK
    >
    > date: 29.5.2004 time: 23:24:32
    > Scanned disks, directories and files: C:\Program
    > Files\FreshDevices\FreshDiagnose\
    > C:\Program Files\FreshDevices\FreshDiagnose\fdiag.exe »ASPack v2.12 -
    > probably unknown NewHeur_PE virus
    > number of files scanned: 18
    > number of viruses found: 1
    > time of completion: 23:24:33 total scanning time: 1 sec (00:00:01)
    >
    > Mele

    This was more than two weeks ago and Juraj said it would be fixed in the next update. Well, it is still being seen as a virus and now that I have the beta, not only does the NOD32 on demand scanner alert on this but now AMON is alerting too. I solved the problem temporarily by excluding fdiag.exe in AMON.

    This should be fixed though as I have had this program for six months or more and it is a fairly popular application. When the beta goes public, there may be others with this program who will suddenly have AMON alerting in the middle of the night.

    I just sent a follow-up email to Juraj.

    Could you explain why AMON alerted on a file in system restore at a time when I was asleep (or almost asleep), no one was using the computer, and XP was not making a restore point? Why did AMON suddenly notice the file?
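As an added example (not code from this thread or from ESET), here is a small parser for the two NOD32 log formats quoted above, the on-demand scanner line and the AMON event line, that separates Advanced Heuristics verdicts ("probably unknown ... virus") from signature hits and lists the heuristic-only detections on packed executables or restore-point copies as candidates to verify and submit rather than treat as confirmed infections. The sample lines, paths, timestamp and restore GUID are constructed placeholders.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample input modelled on the two log formats quoted in the thread.
SAMPLE_LOG = r"""
C:\Program Files\FreshDevices\FreshDiagnose\fdiag.exe »ASPack v2.12 - probably unknown NewHeur_PE virus
C:\Tools\helper.exe - probably unknown NewHeur_PE virus
C:\Downloads\eicar.com - Eicar test file
6/16/2004 3:35:02 AM AMON file C:\System Volume Information\_restore{GUID-PLACEHOLDER}\RP277\A0039744.exe probably unknown NewHeur_PE virus quarantined NT AUTHORITY\SYSTEM
"""

# On-demand line: "<path> [»<packer>] - <verdict>"; path must start with a drive letter
# so status lines such as "Operating memory - is OK" are not mistaken for detections.
SCAN_RE = re.compile(r"^(?P<path>[A-Za-z]:\\.+?)(?: »(?P<packer>.+?))? - (?P<verdict>.+)$")
# AMON event line: "<timestamp> AMON file <path> <verdict> <action> <user>"
AMON_RE = re.compile(r"^(?P<ts>.+? [AP]M) AMON file (?P<path>.+?) "
                     r"(?P<verdict>probably unknown \S+ virus|\S+) "
                     r"(?P<action>quarantined|cleaned|deleted|renamed) (?P<user>.+)$")

@dataclass
class Detection:
    source: str            # "scan" (on-demand log) or "amon" (on-access event)
    path: str
    verdict: str
    packer: Optional[str]  # packer NOD32 reported before the verdict, if any
    heuristic: bool        # True for AH verdicts ("probably unknown ... virus")
    restore_copy: bool     # file lives under a System Restore point

def parse_line(line: str) -> Optional[Detection]:
    """Parse one NOD32 log line; returns None for lines that are not detections."""
    line = line.strip()
    m, source = AMON_RE.match(line), "amon"
    if not m:
        m, source = SCAN_RE.match(line), "scan"
    if not m:
        return None
    verdict, path = m.group("verdict"), m.group("path")
    return Detection(source, path, verdict, m.groupdict().get("packer"),
                     heuristic=verdict.startswith("probably unknown"),
                     restore_copy="\\_restore{" in path)

def parse_log(text: str) -> List[Detection]:
    return [d for d in (parse_line(l) for l in text.splitlines()) if d]

def fp_candidates(dets: List[Detection]) -> List[Detection]:
    """Heuristic-only hits on packed files or restore-point copies: verify and
    submit to the vendor before acting on them as confirmed infections."""
    return [d for d in dets if d.heuristic and (d.packer or d.restore_copy)]
```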
     
  5. Eliot

    Eliot Registered Member

    Joined:
    Aug 8, 2003
    Posts:
    854
    Location:
    Arkansas, USA
    If AMON has the AH in it for the on access scanner, I'm coming back to NOD32 when it's released. Chop chop on the beta progress Eset :p
     
  6. sir_carew

    sir_carew Registered Member

    Joined:
    Sep 2, 2003
    Posts:
    884
    Location:
    Santiago, Chile
    Hello,
    Advanced Heuristic produces some FPs; however, it detects most new trojans and worms.
    In my collection, many worms are detected using AH and most trojans too. AH is effective against new backdoor servers.
     
  7. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,374
    Mele,
    this particular instance of false positive was quite specific and could not be remedied in the next update as my colleague assumed first. However, we are going to release a new update of the AH module, which will have the fp eventually fixed, within 1-2 weeks.
     
  8. Mele20

    Mele20 Former Poster

    Joined:
    Apr 29, 2002
    Posts:
    2,495
    Location:
    Hilo, Hawaii
    Thank you for the update on this issue, Marcos. I don't mind waiting if there is a good reason as you have so indicated. I just wanted to know what was going on with this issue as I have heard nothing further in an email since I submitted the false positive back in the end of May and got a fast response saying it would be fixed by the next update. A short email telling me just what you have said would have been great. Then I would have been satisfied and would not have mentioned it here at all.

    Anyhow, thanks again for the updated information! I appreciate your bringing me up to date on this. :)
     
  9. Blackspear

    Blackspear Global Moderator

    Joined:
    Dec 2, 2002
    Posts:
    15,115
    Location:
    Gold Coast, Queensland, Australia
    LMAO :D :D :D
     
  10. Dazed_and_Confused

    Dazed_and_Confused Registered Member

    Joined:
    Mar 4, 2004
    Posts:
    1,831
    Location:
    USA
    Agreed.

    Regarding the false positives, personally I would rather have a more aggressive heuristic scanner that may occasionally produce an FP if it makes it more likely to catch malware. But a more aggressive scanner might be good reason not to have AH turned on by default.
     