Is vnchooks.dll a FP in def ver 3755?

Discussion in 'NOD32 version 2 Forum' started by jftuga, Jan 9, 2009.

Thread Status:
Not open for further replies.
  1. jftuga

    jftuga Registered Member

    Joined:
    Mar 9, 2007
    Posts:
    64
    Location:
    Athens, GA
    Is anyone else seeing this false positive?

    vnchooks.dll is infected with Win32/WinVNC application

    Thanks,
    -John
     
  2. Rmuffler

    Rmuffler Former Eset Moderator

    Joined:
    Jun 26, 2008
    Posts:
    995
    Location:
    San Diego, CA USA
  3. danieln

    danieln Eset Staff

    Joined:
    Jan 7, 2009
    Posts:
    112
    My opinion, just from reading the post:
    vnchooks.dll is from some VNC server, so when it is identified as Win32/WinVNC application it is identified exactly.
    It is detected as an "application" - a detection not enabled by default, so the file is undetected with the default settings.
    When something is detected as an application, it doesn't mean it is always a threat.
    If you installed the application (the VNC server), disable detection of Potentially unsafe applications (if you enabled it) in real-time protection and you can run it safely.

    I don't know; probably the file got detected because it was installed by some backdoor which silently installs the VNC server on a victim's PC.
     
  4. Capp

    Capp Registered Member

    Joined:
    Oct 16, 2004
    Posts:
    2,125
    Location:
    United States
    I submitted it as a FP for my network.

    After the update hit, all of my systems and servers started finding it in the same application. Ours is a single-click VNC setup for our software company to do updates to the systems. Been using it for years. It also flagged all the .tmp files associated with it. I have added it to our exclusions list to prevent further detections.
     
  5. jftuga

    jftuga Registered Member

    Joined:
    Mar 9, 2007
    Posts:
    64
    Location:
    Athens, GA
    We use single-click as well and this is the culprit. How do you add it to the exclusion list? Did you add vnchooks.dll or did you do it another way?

    I can update the main package on the server and then push it out to the clients that may or may not be powered on (330 machines). I have to keep track (by hand) which systems have the new package. We use nod 32 v2.70.39. Is there a better way to do this?

    Thanks,
    -John
     
  6. Capp

    Capp Registered Member

    Joined:
    Oct 16, 2004
    Posts:
    2,125
    Location:
    United States
    Go under Amon, click the Exclusions Tab, Add a "File" and choose the vnchooks.dll and the name of the .exe that is being used.
     
  7. jftuga

    jftuga Registered Member

    Joined:
    Mar 9, 2007
    Posts:
    64
    Location:
    Athens, GA
    I don't think this will work for us as the vnchooks.dll file is installed in a randomly named directory, something like:

    c:\Doc & Settings\<user>\Local Settings\Temp\7zo_O.tmp

    Within this directory resides the vnchooks.dll.

    Any suggestions? Right now I have our kixtart logon script removing these kind of directories.

    -John
     
  8. Capp

    Capp Registered Member

    Joined:
    Oct 16, 2004
    Posts:
    2,125
    Location:
    United States
    I believe that as long as you have the .exe excluded, you should be fine. The .tmp files are created at random so having them excluded will be rather difficult.

    As I said, I submitted the file as FP, so it should be corrected shortly.
     
  9. elapsed

    elapsed Registered Member

    Joined:
    Apr 5, 2004
    Posts:
    7,027
    Is it not fixed yet? FP's are usually fixed within a day when they have the source file. I'd resubmit it.
     
  10. Capp

    Capp Registered Member

    Joined:
    Oct 16, 2004
    Posts:
    2,125
    Location:
    United States
    I just sent it in 3 hours ago
     
  11. NOD32 user

    NOD32 user Registered Member

    Joined:
    Jan 23, 2005
    Posts:
    1,766
    Location:
    Australia
    I don't think it's a F.P. - it's certainly P.U.A. of one sort or another even if that's inconvenient.

    Cheers :)
     