Is vnchooks.dll a FP in def ver 3755?

Discussion in 'NOD32 version 2 Forum' started by jftuga, Jan 9, 2009.

Thread Status:
Not open for further replies.
  1. jftuga

    jftuga Registered Member

    Joined:
    Mar 9, 2007
    Posts:
    64
    Location:
    Athens, GA
    Is anyone else seeing this false positive?

    vnchooks.dll is infected with Win32/WinVNC application

    Thanks,
    -John
     
  2. Rmuffler

    Rmuffler Former Eset Moderator

    Joined:
    Jun 26, 2008
    Posts:
    995
    Location:
    San Diego, CA USA
  3. danieln

    danieln Eset Staff

    Joined:
    Jan 7, 2009
    Posts:
    112
    My opinion just from reading the post:
    vnchooks.dll is from some VNC server, so when it is identified as Win32/WinVNC application it is identified exactly.
    It is detected as "application" - it is a detection not enabled by default, so the file is undetected with default settings.
    When something is detected as an application, it doesn't mean it is always a threat.
    If you installed the application (the VNC server), disable detection of Potentially unsafe applications (if you enabled it) in real-time protection and you can run it safely.

    I don't know, probably the file got detected because it was installed by some backdoor which is silently installing the VNC server on a victim's PC.
     
  4. Capp

    Capp Registered Member

    Joined:
    Oct 16, 2004
    Posts:
    2,125
    Location:
    United States
    I submitted it as a FP for my network.

    After the update hit, all of my systems and servers started finding it in the same application. Ours is a single-click VNC setup for our software company to do updates to the systems. Been using it for years. It also flagged all the .tmp files associated with it. I have added it to our exclusions list to prevent further detections.
     
  5. jftuga

    jftuga Registered Member

    Joined:
    Mar 9, 2007
    Posts:
    64
    Location:
    Athens, GA
    We use single-click as well and this is the culprit. How do you add it to the exclusion list? Did you add vnchooks.dll or did you do it another way?

    I can update the main package on the server and then push it out to the clients that may or may not be powered on (330 machines). I have to keep track (by hand) which systems have the new package. We use nod 32 v2.70.39. Is there a better way to do this?

    Thanks,
    -John
     
  6. Capp

    Capp Registered Member

    Joined:
    Oct 16, 2004
    Posts:
    2,125
    Location:
    United States
    Go under Amon, click the Exclusions Tab, Add a "File" and choose the vnchooks.dll and the name of the .exe that is being used.
     
  7. jftuga

    jftuga Registered Member

    Joined:
    Mar 9, 2007
    Posts:
    64
    Location:
    Athens, GA
    I don't think this will work for us as the vnchooks.dll file is installed in a randomly named directory, something like:

    c:\Doc & Settings\<user>\Local Settings\Temp\7zo_O.tmp

    Within this directory resides the vnchooks.dll.

    Any suggestions? Right now I have our kixtart logon script removing these kind of directories.

    -John
     
  8. Capp

    Capp Registered Member

    Joined:
    Oct 16, 2004
    Posts:
    2,125
    Location:
    United States
    I believe that as long as you have the .exe excluded, you should be fine. The .tmp files are created at random so having them excluded will be rather difficult.

    As I said, I submitted the file as FP, so it should be corrected shortly.
     
  9. funkydude

    funkydude Registered Member

    Joined:
    Apr 5, 2004
    Posts:
    6,853
    Is it not fixed yet? FP's are usually fixed within a day when they have the source file. I'd resubmit it.
     
  10. Capp

    Capp Registered Member

    Joined:
    Oct 16, 2004
    Posts:
    2,125
    Location:
    United States
    I just sent it in 3 hours ago
     
  11. NOD32 user

    NOD32 user Registered Member

    Joined:
    Jan 23, 2005
    Posts:
    1,766
    Location:
    Australia
    I don't think it's a F.P. - it's certainly P.U.A. of one sort or another even if that's inconvenient.

    Cheers :)
     
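The thread leaves open how to tell the copy of vnchooks.dll that the single-click package unpacks into a randomly named Temp folder from a copy dropped by something else, which is the distinction danieln and NOD32 user are pointing at, and why excluding the whole .exe (post 8) is broader than it needs to be. The following is an added example, not code from this thread or from ESET: a Python triage script that walks user profile directories, hashes every vnchooks.dll it finds and compares each hash against an allowlist built from the DLL inside the package you actually deploy. Copies that match are reported as known-good; anything else is flagged for a closer look instead of being silently excluded. The profile layout, file contents and allowlist are constructed for the demo; the Temp\*.tmp pattern follows the 7zo_O.tmp path posted above.

```python
import hashlib
import os
import re
import tempfile
from pathlib import Path

# File name from the thread; compared case-insensitively because NTFS is.
TARGET_NAME = "vnchooks.dll"

# Randomly named folders such as 7zo_O.tmp that the single-click package unpacks into.
TMP_DIR_RE = re.compile(r"^[A-Za-z0-9_]+\.tmp$", re.IGNORECASE)


def sha256_file(path: Path) -> str:
    """Hash a file in chunks so a large DLL is not read into memory at once."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def find_candidates(root: Path):
    """Yield every vnchooks.dll below root, whatever directory it landed in."""
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            if name.lower() == TARGET_NAME:
                yield Path(dirpath) / name


def classify(path: Path, allowlist: set) -> dict:
    """Decide whether one copy is the DLL from the package we deploy.

    A hash on the allowlist means our single-click tool unpacked it; anything
    else is "unknown", since the same detection name also covers a VNC server
    installed by something we did not put there.
    """
    digest = sha256_file(path)
    parent = path.parent
    # True when the copy sits in <profile>/Local Settings/Temp/<random>.tmp
    in_temp_tmp_dir = (
        bool(TMP_DIR_RE.match(parent.name))
        and parent.parent.name.lower() == "temp"
    )
    return {
        "path": str(path),
        "sha256": digest,
        "in_temp_tmp_dir": in_temp_tmp_dir,
        "verdict": "known-good" if digest in allowlist else "unknown",
    }


def triage(root: Path, allowlist: set) -> list:
    """Classify every copy under root, sorted by path so the report is stable."""
    return sorted((classify(p, allowlist) for p in find_candidates(root)),
                  key=lambda r: r["path"])


def build_demo_tree(base: Path) -> set:
    """Constructed sample tree standing in for the profiles directory.

    Two profiles each hold a randomly named .tmp folder under Local Settings/Temp;
    one contains the DLL from our package, the other a copy with different bytes.
    A third copy sits on a desktop, outside any Temp folder. Returns the allowlist.
    """
    good_bytes = b"MZ demo: vnchooks.dll shipped in our single-click package"
    other_bytes = b"MZ demo: vnchooks.dll from somewhere else"
    layout = {
        "alice/Local Settings/Temp/7zo_O.tmp": good_bytes,
        "bob/Local Settings/Temp/7zq_Q.tmp": other_bytes,
        "carol/Desktop": good_bytes,
    }
    for rel, data in layout.items():
        d = base / rel
        d.mkdir(parents=True, exist_ok=True)
        (d / TARGET_NAME).write_bytes(data)
    # Build the allowlist by hashing the DLL inside the package you deploy,
    # never from whatever happens to be found on the clients.
    return {hashlib.sha256(good_bytes).hexdigest()}


def run_demo() -> list:
    """Build the sample tree in a scratch directory, triage it and return the report."""
    with tempfile.TemporaryDirectory() as tmp:
        base = Path(tmp)
        allowlist = build_demo_tree(base)
        results = triage(base, allowlist)
    # Trim the scratch prefix so paths read like real profile paths.
    for r in results:
        r["path"] = os.path.relpath(r["path"], tmp)
    return results


if __name__ == "__main__":
    for r in run_demo():
        print(f'{r["verdict"]:10} temp_tmp_dir={str(r["in_temp_tmp_dir"]):5} {r["path"]}')
```

On a real network you would point `triage` at the profiles root of each machine (or run it from the logon script in place of deleting the folders outright) and only act on the "unknown" rows; the known-good rows are the ones a PUA exclusion is legitimately meant for.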