NOD Incorrectly Detecting (and deleting) files

Discussion in 'ESET NOD32 Antivirus' started by Adam H, Feb 1, 2009.

Thread Status:
Not open for further replies.
  1. Adam H

    Adam H Registered Member

    Joined:
    Jan 3, 2008
    Posts:
    23
    Hi,

    We're having a number of customers with one of the latest updates in Eset Antivirus having problems where applications that have been made for them using Delphi 2007 are being detected as virus threats and deleted off their system.

    We don't want to disable their antivirus software, but don't know what to do regarding NOD wanting to disallow access or delete these programs.

    Firstly, is there a way to tell NOD/EAV to ignore a particular file?

    Secondly, what should I do about reporting this problem? (Is this the right spot, or should I be sending an email somewhere)?

    This is not just happening to newly compiled applications, but older applications too since an EAV update.

    We have advised our clients to turn off Advanced Heuristics to avoid this problem.

    Nod detects these files as:

    Probably a variant of Win32/Agent trojan

    A copy of one of our smaller applications to reproduce the problem can be found at http://www.wsdsites.net/temp/Startup.zip

    Thanks & Regards

    Adam.
     
    Last edited: Feb 1, 2009
  2. Adam H

    Adam H Registered Member

    Joined:
    Jan 3, 2008
    Posts:
    23
    Additional information:

    - There are multiple applications being incorrectly detected

    - I have tested BOTH Delphi 2007, and Delphi 7 and both are raising incorrectly (so problem appears not to be isolated to Delphi 2007)

    - NOD is incorrectly detecting files compiled on Windows XP and Windows Vista (Business)

    - This only seems to be a problem with v3.x. v2.7 does not appear to falsely detect.

    Thanks & Regards

    Adam.
     
    Last edited: Feb 1, 2009
  3. funkydude

    funkydude Registered Member

    Joined:
    Apr 5, 2004
    Posts:
    6,852
    This seems to be a False Positive with the packager. An ESET representative should be in contact with you tomorrow, as this will need further communication to fix.
     
  4. Adam H

    Adam H Registered Member

    Joined:
    Jan 3, 2008
    Posts:
    23
    Hi,

    Thanks for your reply. Unfortunately I haven't received a reply here, nor on the emails I sent through to eset yet. Sorry for the impatience, but I've waited a day, and this problem is becoming a real headache trying to maintain numerous sites and customers.

    I have sent 2 emails to samples@eset.com with detailed descriptions, and links to download 4 different applications (executables) that all contain the same problem to try and help out.

    Is there somewhere else I should be sending the emails to? Do they get 'lost' at this email address?

    Cheers

    Adam.
     
  5. funkydude

    funkydude Registered Member

    Joined:
    Apr 5, 2004
    Posts:
    6,852
    Send a PM to Marcos :D Did you attach this thread's URL in the emails?
     
  6. Zuik

    Zuik Registered Member

    Joined:
    Sep 16, 2004
    Posts:
    14
    I also have Eset deleting part of my Subversion repository database files, causing me to have to recover the database from backups after turning off Eset protection. There must be a better way to create exclusions. It is highly unlikely a database file will ever be used as a VB script file.

    Real-time file system protection file C:\dev\repos\db\revs\0\9 VBS/Solow.A worm cleaned by deleting - quarantined NT AUTHORITY\SYSTEM Event occurred during an attempt to access the file by the application: C:\WINDOWS\Explorer.EXE.
     
  7. Adam H

    Adam H Registered Member

    Joined:
    Jan 3, 2008
    Posts:
    23
    Hi Funkydude - No, I haven't attached this thread's URL in my email (the email states the same and more).

    Marcos - is that the user's full name that I should PM?

    Thanks & Regards

    Adam.
     
  8. funkydude

    funkydude Registered Member

    Joined:
    Apr 5, 2004
    Posts:
    6,852
    Yes, he is an ESET moderator here.

    Zuik, I already gave you an answer in the other thread; your double post is unnecessary and rude.
     
  9. The Hammer

    The Hammer Registered Member

    Joined:
    May 12, 2005
    Posts:
    5,619
    Location:
    Toronto Canada
    Well handled funkydude!:cool:
     
  10. Adam H

    Adam H Registered Member

    Joined:
    Jan 3, 2008
    Posts:
    23
    OK - it's now Thursday. I haven't had any correspondence from Nod at all yet (first sent email on Monday).

    Have tried here, PM'ing Marcos and sending emails. I'm trying to be patient and can understand how from time to time Antivirus software can raise incorrect detections - all part of software, and I accept this.

    However - not being able to get a single reply from eset after 4 days via 3 different methods is a bit much.

    Is there any other way I can try and get onto eset support to notify them of this issue? Just a response to know they've received my emails would be a start.

    :(
     
  11. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,374
    As far as I know, the FP was fixed about 2 days ago. Make sure that you have updated to the latest version (currently 3824).
     
  12. The Hammer

    The Hammer Registered Member

    Joined:
    May 12, 2005
    Posts:
    5,619
    Location:
    Toronto Canada
    Looks like this one's a wrap.
     
  13. Adam H

    Adam H Registered Member

    Joined:
    Jan 3, 2008
    Posts:
    23
    Hi Marcos

    Thanks for your reply. Have done an update, re-enabled advanced heuristics and so far looks good.

    In future, if something like this happens again, can you please tell me where the best place is to send an email to communicate regarding these issues?

    Best Regards

    Adam.
     
  14. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,374
    Do you mean you enabled advanced heuristics in the on-demand scanner setup? Real-time protection wouldn't normally catch that file at all unless it's copied elsewhere or modified.

    The recommended way of reporting FPs is to email them to samples[at]eset.com in a ZIP/RAR archive protected with the password "infected" and "False positive" in the subject. It's important to enclose further information about the file, such as the program name, version or, better, the exact URL where the file can be downloaded from.
    If it's not fixed in the upcoming updates (let's say within 1-2 days), you can escalate it to customer care of your local distributor.
     
  15. Adam H

    Adam H Registered Member

    Joined:
    Jan 3, 2008
    Posts:
    23
    Hi Marcos,

    Correct and correct. We had clients updating their software and were having files deleted once the 'update' occurred.

    We also started experiencing problems ourselves when the file was created (on a compile).

    Thanks for that. I thought that was the case, but wanted to confirm as I haven't received a reply since I emailed a couple of emails through (with different /additional details) at the start of the week.

    Not urgent now, as it looks like the problem is resolved, but it would have been nice to have received some sort of confirmation that the emails were received / were being looked into or were being fixed.

    Thanks for your replies. Have been greatly appreciated.

    Adam.
     
  16. Zuik

    Zuik Registered Member

    Joined:
    Sep 16, 2004
    Posts:
    14
    Sorry for the double post, not my intent to be rude.

     