NOD32 2.5 BETA FP During SpySweeper 4.0 Beta Install

Discussion in 'NOD32 version 2 Forum' started by tazdevl, May 9, 2005.

Thread Status:
Not open for further replies.
  1. tazdevl

    tazdevl Registered Member

    Joined:
    May 17, 2004
    Posts:
    837
    Location:
    AZ, USA
    Tried to install the newest beta of SpySweeper 4.0. Got an FP during the install process.

    Time Module Object Name Virus Action User Information
    5/9/2005 15:36:22 PM AMON file C:\Program Files\Webroot\Spy Sweeper\is-FOJH1.tmp probably unknown NewHeur_PE virus quarantined - deleted Event occurred on a new file created by the application: C:\DOCUME~1\Brett\LOCALS~1\Temp\is-NGUMN.tmp\is-V6U3O.tmp. The file was moved to quarantine. You may close this window.

    http://www.webroot.com/beta/download.php
     
    Last edited: May 10, 2005
  2. Mike415

    Mike415 Registered Member

    Joined:
    Mar 13, 2005
    Posts:
    42
    Re: NOD32 2.5 BETA FP with SpySweeper 4.0 Beta

    Hmm, where did you download the beta from? Because I installed it and didn't get anything.
     
  3. tazdevl

    tazdevl Registered Member

    Joined:
    May 17, 2004
    Posts:
    837
    Location:
    AZ, USA
  4. Mike415

    Mike415 Registered Member

    Joined:
    Mar 13, 2005
    Posts:
    42
    Re: NOD32 2.5 BETA FP with SpySweeper 4.0 Beta

    Well, if it's from their site, it's prob just a false positive.
     
  5. tazdevl

    tazdevl Registered Member

    Joined:
    May 17, 2004
    Posts:
    837
    Location:
    AZ, USA
    Ummm, as I said in the title, it's a FP. Just putting the issue up for anyone else that comes across it.
     
  6. Blackspear

    Blackspear Global Moderator

    Joined:
    Dec 2, 2002
    Posts:
    15,115
    Location:
    Gold Coast, Queensland, Australia
    Thanks Taz, appreciated.

    Cheers :D
     
  7. FanJ

    FanJ Guest

    Hi Tazdevl,

    I don't have SpySweeper, and I only run W98SE.
    So my remark might be completely wrong:

    But I understood from your posting that you had NOD32 resident while doing an installation of another program.
    I always understood that you have to disable all running apps during an installation.
    Could that perhaps have been the culprit here (just only a guess)?

    Cheers, Jan.
     
  8. Blackspear

    Blackspear Global Moderator

    Joined:
    Dec 2, 2002
    Posts:
    15,115
    Location:
    Gold Coast, Queensland, Australia
    I'm too used to Nod32 staying silent during an install, I have never disabled it while installing another application, as it has behaved very well to date.

    My 2 cents.

    Cheers :D
     
  9. FanJ

    FanJ Guest

    Hi there BS,

    From the man who is always wrong:
    Then:
    - Make a backup-image;
    - do an install of that SpySweeper while you have NOD32 resident and see what happens, reboot, do a full scan with NOD32, and report about all its findings;
    - put your backup-image back;
    - and install now that SpySweeper while you do the installation the way it should be done: every running program disabled. Then reboot, and do again a full scan with NOD32 and report back.

    Cheers, Jan.
     
  10. tazdevl

    tazdevl Registered Member

    Joined:
    May 17, 2004
    Posts:
    837
    Location:
    AZ, USA
    I don't know if this is a beta specific issue or 2.13.x. Since the heuristic package is different with 2.5.x, I figured it might be worth mentioning.

    Disabling apps is a last resort when you are having install issues. I have never run into a problem.

    FYI bit easier to just exclude the Webroot folder from AMON instead of doing all that work reimaging.
     
  11. SSK

    SSK Registered Member

    Joined:
    Nov 28, 2004
    Posts:
    976
    Location:
    Amsterdam
    OK, seeing the same thing. NOD flags a tmp-file.
     
  12. Stephanos G.

    Stephanos G. Registered Member

    Joined:
    Mar 29, 2005
    Posts:
    720
    Location:
    Cyprus
    No prob here
     
  13. Blackspear

    Blackspear Global Moderator

    Joined:
    Dec 2, 2002
    Posts:
    15,115
    Location:
    Gold Coast, Queensland, Australia
    Not at all Jan, the method you spoke of is traditional and with most(?) anti-viruses it would be the method of choice. It is only with Nod32 that I have not had to do this...

    Cheers :D
     
  14. tazdevl

    tazdevl Registered Member

    Joined:
    May 17, 2004
    Posts:
    837
    Location:
    AZ, USA
    If you run a scan via NOD32, WRSSSDK in the SpySweeper program file folder will be caught as well. Same thing.
     
  15. tazdevl

    tazdevl Registered Member

    Joined:
    May 17, 2004
    Posts:
    837
    Location:
    AZ, USA
    1.092 defs have not corrected the issue. Actually made it worse. 4 files caught instead of 2. Sent links and logs to beta and samples.

    Time Module Object Name Virus Action User Information
    5/10/2005 9:35:22 AM AMON file C:\Program Files\Webroot\Spy Sweeper\is-9GULV.tmp probably unknown NewHeur_PE virus quarantined - deleted Event occurred on a new file created by the application: C:\DOCUME~1\Brett\LOCALS~1\Temp\is-3G5U0.tmp\is-94Q2U.tmp. The file was moved to quarantine. You may close this window.

    Time Module Object Name Virus Action User Information
    5/10/2005 9:34:48 AM AMON file C:\Program Files\Webroot\Spy Sweeper\is-GRC4T.tmp probably unknown NewHeur_PE virus quarantined - deleted Event occurred on a new file created by the application: C:\DOCUME~1\Brett\LOCALS~1\Temp\is-3G5U0.tmp\is-94Q2U.tmp. The file was moved to quarantine. You may close this window.

    Time Module Object Name Virus Action User Information
    5/10/2005 9:33:29 AM AMON file C:\Program Files\Webroot\Spy Sweeper\is-VNI6H.tmp probably unknown NewHeur_PE virus quarantined - deleted Event occurred on a new file created by the application: C:\DOCUME~1\Brett\LOCALS~1\Temp\is-3G5U0.tmp\is-94Q2U.tmp. The file was moved to quarantine. You may close this window.

    Time Module Object Name Virus Action User Information
    5/10/2005 9:23:16 AM Kernel file c:\program files\webroot\spy sweeper\wrsssdk.exe probably unknown NewHeur_PE virus Alert was generated during the system startup file check.
     
  16. kjempen

    kjempen Registered Member

    Joined:
    May 6, 2004
    Posts:
    379
    How can this be possible (that it suddenly catches more "unknown" viruses) unless the heuristics module has been updated? It still shows "1.013 (20050303)" on my NOD32 2.50.9 beta?
     
  17. tazdevl

    tazdevl Registered Member

    Joined:
    May 17, 2004
    Posts:
    837
    Location:
    AZ, USA
    Dunno, I'm just reporting what I found. Caught 2 yesterday, 4 today. Only thing that has changed is the signatures.
     
    Last edited: May 10, 2005
  18. BG

    BG Registered Member

    Joined:
    Jun 14, 2003
    Posts:
    214
    Taz ... I had the same thing happen when I installed SpySweeper 4.0 beta with Kaspersky 5.0 Personal running. I use the new NOD32 beta on my wife's computer & will check it out.
     
  19. BG

    BG Registered Member

    Joined:
    Jun 14, 2003
    Posts:
    214
    Yep ... It happened on hers too.
     

    Attached Files:

    • FP.JPG
      File size:
      52.4 KB
      Views:
      921
  20. tazdevl

    tazdevl Registered Member

    Joined:
    May 17, 2004
    Posts:
    837
    Location:
    AZ, USA
    We're coming on 48 hours, no response from Eset and no fix.
     
  21. rdsu

    rdsu Registered Member

    Joined:
    Jun 28, 2003
    Posts:
    4,456
    :(

    I had to put the SpySweeper folder in the AMON exclude list...
     
  22. BG

    BG Registered Member

    Joined:
    Jun 14, 2003
    Posts:
    214
    I just uninstalled SpySweeper. :)
     
  23. tazdevl

    tazdevl Registered Member

    Joined:
    May 17, 2004
    Posts:
    837
    Location:
    AZ, USA
    They need to establish some form of service standard for FPs, where they investigate and turn them around within 24 hours.
     
  24. rdsu

    rdsu Registered Member

    Joined:
    Jun 28, 2003
    Posts:
    4,456
  25. SSK

    SSK Registered Member

    Joined:
    Nov 28, 2004
    Posts:
    976
    Location:
    Amsterdam
    Yep, seeing the same (again :rolleyes: ).
     