Nod32 and TightVNC

Discussion in 'NOD32 version 2 Forum' started by peterjames, Apr 26, 2006.

Thread Status:
Not open for further replies.
  1. peterjames

    peterjames Registered Member

    Joined:
    Oct 11, 2005
    Posts:
    10
    i have noticed in the latest def. updates TightVNC is classified as a virus? this isnt great news for us we have 1000's of computers running tightvnc and this means we will not be able to connect to any of our remote clients?

    why??

    and for the buffs.. ipsec tunnelling always comes first
     
  2. Bandicoot

    Bandicoot Eset Staff

    Joined:
    Mar 23, 2004
    Posts:
    297
    Location:
    California
    Hello,

    You should find the issue fixed with update version 1.1508.

    Bandicoot.
     
  3. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,374
    It's not a false positive. It was classified as a potentially dangerous application as it poses a potential security risk. PDA is disabled in all modules by default and you must have enabled it manually at your risk. We cannot guarantee that it will remain undetected forever.

    WARNING:
    Enabling PDA in a network environment will always lead to detection of remote administration tools.
     
  4. peterjames

    peterjames Registered Member

    Joined:
    Oct 11, 2005
    Posts:
    10
    what exact Potentially Dangerous Application tick box should i untick to make sure TightVNC doesnt del in the future?
     
  5. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,374
    If you are using tools for remote administration (such as VNC), you must leave PDA disabled, otherwise NOD32 will detect and remove them.

    The PDA group covers remote administration tools and other commercial software that is potentially dangerous (e.g. parental control tools, commercial keyloggers, etc.)
     
  6. NOD32 user

    NOD32 user Registered Member

    Joined:
    Jan 23, 2005
    Posts:
    1,766
    Location:
    Australia
    All of them - there's one in each module and also the on-demand scanner. HTH

    Cheers :)
     
  7. anotherjack

    anotherjack Registered Member

    Joined:
    Jun 13, 2003
    Posts:
    224
    Location:
    Louisiana
    I would still like some sort of process to "certify" a set of files or an application as "I know it's there - it's supposed to be, but kill any other PDAs you find." We also use a Remote Administration tool here, and I can't run an On Demand Scan to remove certain malware because the PDA flag will remove the software that we want on there, along with the malware I was originally targeting.

    Could Eset PLEASE give that some serious thought? Some sort of "vault" that we can use to protect stuff that network admins NEED on the client PCs, while still allowing a highly aggressive scan on the clients? Maybe under a "So advanced, you'll get in trouble" button? :D

    Jack
     
  8. peterjames

    peterjames Registered Member

    Joined:
    Oct 11, 2005
    Posts:
    10
    the problem is with a vault it leaves open to exploits...

    ive seen other AV products fail because of this

    despite if it can be done... it would be great
     
  9. anotherjack

    anotherjack Registered Member

    Joined:
    Jun 13, 2003
    Posts:
    224
    Location:
    Louisiana
    MD5 or otherwise "fingerprint" any files that are in there and watch 'em really closely. Needless to say, the admin would have to be careful as to determining the files that would go in the "vault" for performance reasons. The ability of NOD to do a Remote Scan is severely limited at this point, since there are some other malware applications that fall under the classification of PDA, and won't be removed unless the flag is set (which removes our preferred app).

    Jack
     
  10. Think-eDesign

    Think-eDesign Registered Member

    Joined:
    Mar 26, 2006
    Posts:
    29
    Location:
    Logan City
    Yes that is an excellent idea & one that I have hoped to have had for a while now.

    Another program that NOD32 returns a "false positive" on (if you have "Potentially Dangerous Application" selected is "Magic Jellybean Keyfinder"
     
  11. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,374
    It's not actually a false positive. A quote from their website:
    The Magical Jelly Bean Keyfinder is a freeware utility that retrieves your Product Key (cd key) used to install windows from your registry.

    I for one do not think this is something administrators would like to have in their network.
     
  12. beenthereb4

    beenthereb4 Registered Member

    Joined:
    Jun 29, 2004
    Posts:
    568
    I'll have to agree with this, this would be the ideal way to handle it.
     
  13. winmail

    winmail Registered Member

    Joined:
    May 3, 2006
    Posts:
    4
    Marking VNC as a threat is not wise. If you find winvnc.exe modified from it's original size, then sure, mark it, but it is a commercial application that is used to manage workstations in major companies all across the globe.

    Without question, the default action should be to warn only and not do anything else.

    If you start marking useful programs like VNC as maleware and break their functionality, people will stop using your product.
     
  14. NOD32 user

    NOD32 user Registered Member

    Joined:
    Jan 23, 2005
    Posts:
    1,766
    Location:
    Australia
    It's not marked as malware - it's detected as a potentially dangerous application for which detection of is by default disabled... what's the big deal here?
     
  15. anotherjack

    anotherjack Registered Member

    Joined:
    Jun 13, 2003
    Posts:
    224
    Location:
    Louisiana
    The big deal is that if you run NOD in an enterprise environment and use the On Demand Scan feature of RA, there's no way to kill off all of the undesirable PDAs that may exist on a machine without the potential of also killing off software that is relied on for day-to-day support or maintenance of the PC. Remote control software (VNC, etc.), for instance. Without this ability, I only have two choices - leave the malware there so I have my remote control software, or kill both the malware and my RC software on the machine, then wait until the user reinstalls the RC software so I can work on his/her machine the next time they have a problem.

    Jack
     
  16. NOD32 user

    NOD32 user Registered Member

    Joined:
    Jan 23, 2005
    Posts:
    1,766
    Location:
    Australia
    The things you have mentioned are indeed two options and whilst it is possible that in your situation they are the only two available to you, I can easily think of several other simple solutions so that you could have your cake and eat it too :thumb:

    Cheers :)
     
  17. winmail

    winmail Registered Member

    Joined:
    May 3, 2006
    Posts:
    4
    Don't forget the third option of switching to another product that isn't broken in this way such as Symantec or McAffee :cool:
     
  18. winmail

    winmail Registered Member

    Joined:
    May 3, 2006
    Posts:
    4

    That's like saying "I'm not calling you a criminal, I'm just locking you up". Who cares what NOD32 is calling it - it's the fact that NOD32 chooses to destroy the functionality of credible and unversally accepted network administration software that is the big deal here.

    I downloaded a trial but now that I see what damage it will do to our networks, I'm sorry to say that we're going with someone else. If they introduce functionality that excludes programs that we use here, I'll give it another look.

    :thumbd:
     
  19. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,374
    I don't understand what the fuss is all about. The point is:

    1. Potentially dangerous applications (PDA) cover mainly commercial software for remote administration.

    2. PDA are disabled in all modules by default just for the reason mentioned above (unfortunately, not in the In-depth analysis profile, but this will change shortly). If you want to detect PDA, you must enable them INTENTIONALLY.

    3. many other AV detect VNC and other admin tools as potentially dangerous applications
     
  20. WolfeTone

    WolfeTone Registered Member

    Joined:
    May 3, 2006
    Posts:
    3
    Location:
    Ireland
    Have you tried installing UltraVNC, which is similar to tightvnc but not detected as often as a PDA?
     
  21. windstrings

    windstrings Registered Member

    Joined:
    Oct 20, 2004
    Posts:
    337

    I agree.... the main problem is that it gives the impression its a virus rather than educating the user that "its a poteintially dangerous program" and ask whether it would be removed or not.

    I have already have people think it was a virus as they trust NOD without question..... many people are not so savy to know and understand what the administrator has on thier computer they use, nor is it thier business necessarily.
     
  22. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,374
    If it would be a real threat (a virus, trojan, worm, etc.), NOD32 would not call it application in the alert window.
     
  23. anotherjack

    anotherjack Registered Member

    Joined:
    Jun 13, 2003
    Posts:
    224
    Location:
    Louisiana
    OK, I had to wait a bit before I got an example of what I've been trying to get across. Here's the log from my RA Console of a scan I did with PDA turned off (so it wouldn't delete my RC software). I've removed entries that don't matter:

    Log Details
    Scanning Log
    NOD32 version 1.1523 (20060505) NT
    Operating memory - is OK

    Date: 8.5.2006 Time: 08:36:48
    Scanned disks, folders and files: C:
    C:
    C:\pagefile.sys - error opening (File locked)
    C:\web.exe - Win32/TrojanClicker.Small.HN trojan
    C:\web.exe »NSIS »Updater.exe - Win32/TrojanClicker.Small.HN trojan
    C:\web.exe »NSIS »rld.exe - Win32/TrojanClicker.Small.HN trojan

    C:\Documents and Settings\xxxxx\Local Settings\Temporary Internet Files\Content.IE5\KT2JG567\minibuginstaller[1].exe - is OK
    C:\Documents and Settings\xxxxx\Local Settings\Temporary Internet Files\Content.IE5\KT2JG567\minibuginstaller[1].exe »WISE »file_00000000.bin - archive damaged - the file could not be extracted.
    C:\Documents and Settings\xxxxx\Local Settings\Temporary Internet Files\Content.IE5\CD6Z0P2R\spamblockerutility[1].cab - a variant of Win32/Adware.HotBar application - quarantined - deleted
    C:\Documents and Settings\xxxxx\Local Settings\Temporary Internet Files\Content.IE5\CD6Z0P2R\spamblockerutility[1].cab »CAB »hbinstie.dll - a variant of Win32/Adware.HotBar application
    .
    .
    .
    C:\Documents and Settings\xxxxx\Local Settings\Temporary Internet Files\Content.IE5\7GDM1N9Z\init[1].js - JS/TrojanDownloader.IstBar.AF trojan - unable to clean - quarantined - deleted
    .
    .
    .
    C:\Program Files\RAdmin\AdmDll.dll - Win32/RemoteAdmin application
    C:\Program Files\RAdmin\raddrv.dll - Win32/RemoteAdmin application
    C:\Program Files\RAdmin\Radmin.exe - Win32/RemoteAdmin application
    C:\Program Files\RAdmin\R_server.exe - Win32/RemoteAdmin application

    .
    .
    .
    C:\Documents and Settings\xxxxx\ntuser.dat - error opening (File locked)
    C:\Documents and Settings\xxxxx\NTUSER.DAT.LOG - error opening (File locked)
    C:\Documents and Settings\xxxxx\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat - error opening (File locked)
    C:\Documents and Settings\xxxxx\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG - error opening (File locked)
    .
    .
    .
    C:\WINNT\system32\admdll.dll - Win32/RemoteAdmin application
    C:\WINNT\system32\raddrv.dll - Win32/RemoteAdmin application
    C:\WINNT\system32\r_server.exe - Win32/RemoteAdmin application

    .
    .
    .
    C:\WINNT\system32\config\default - error opening (File locked)
    C:\WINNT\system32\config\default.LOG - error opening (File locked)
    C:\WINNT\system32\config\SAM - error opening (File locked)
    C:\WINNT\system32\config\SAM.LOG - error opening (File locked)
    C:\WINNT\system32\config\SECURITY - error opening (File locked)
    C:\WINNT\system32\config\SECURITY.LOG - error opening (File locked)
    C:\WINNT\system32\config\software - error opening (File locked)
    C:\WINNT\system32\config\software.LOG - error opening (File locked)
    C:\WINNT\system32\config\system - error opening (File locked)
    C:\WINNT\system32\config\SYSTEM.ALT - error opening (File locked)
    Number of scanned files: 192891
    Number of threats found: 4
    Number of files cleaned: 2
    Number of active threats: 1
    Time of completion: 09:17:46 Total scanning time: 2458 sec (00:40:58 )

    Notes:
    [4] File cannot be opened. It may be in use by another application or operating system.


    From what I can see, if I decide to enable PDA intentionally for a scan, then I will get rid of ALL of the RED entries, including both the undesirable PDAs, as well as my PC software (RAdmin). I KNOW that RAdmin's on there, I PUT it there. I want to get rid of the Win32/TrojanClicker.Small.HN trojan and Win32/Adware.HotBar application files, but cannot via the On Demand Scan feature of RA, since that would require me to turn on PDA, etc., etc., and around we go again...

    That's why I want some sort of a vault / checksum / "trusted PDA" function available, so I can hammer everything that's NOT approved.

    Jack
     
  24. cheeseandham

    cheeseandham Registered Member

    Joined:
    Jul 25, 2006
    Posts:
    12
    We've had this problem with a few people, but we moved to Tightvnc Release Candidate 1.3dev7 on most machines and is stable- Interestingly the it isn't detected as a PDA. Strange huh?
     
  25. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,374
    TrojanClicker ain't classified as a PDA. Please submit it to support @ eset.com with a link to this thread if you have come across one that is detected as a PDA.
     
Thread Status:
Not open for further replies.