NOD32 False Positive - Any way to solve that?

Discussion in 'ESET NOD32 Antivirus' started by lirips, Jun 30, 2009.

Thread Status:
Not open for further replies.
  1. lirips

    lirips Registered Member

    Joined:
    Jun 30, 2009
    Posts:
    3
    Hi

    We've developed a legit software application which is protected by Themida from Oreans.

    Every time we make a new release, we get tons of mails from users, reporting that ESET alerts when installing, claiming that our application contains a "variant of Win32/Packed.Themida".

    Recommending our potential customers not to install our legit application, claiming it is harmful, because it happens to be protected by a system which is also used by various malware apps cannot be the right way to go.

    Is there any way to make ESET *stop* doing that, without having to submit every single release we make to ESET for validation? ... It is causing business loss for both our company and for Oreans :/

    Would it help if the installer for our application is digitally signed?

    Regards
     
  2. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,374
    Before you release a newer version, send it to samples[at]eset.com for whitelisting. Make sure to sign your application digitally which might reduce the number of false detections. By enabling potentially unwanted applications, the users agree with detection of files packed with highly suspicious protectors and packers.
     
  3. lirips

    lirips Registered Member

    Joined:
    Jun 30, 2009
    Posts:
    3
    Why is it highly suspicious? It's a perfectly legal software application.

    I'd guess you call Themida "highly suspicious", because it has been developed by a very skilled programmer, and is therefore causing you problems when trying to peel off the Themida shell to detect / test the application it's really protecting (?)

    In the future there will be more protectors like Themida. And tons of legit apps using those protectors. What is your plan to fight that problem? Will you just mark all those apps 'possibly malware' and recommend users not to install them, like you currently do with all Themida protected apps? Just curious, as I see that as a major problem :/

    Is there no way you can cooperate with the author of Themida and the likes, to get this problem solved in a proper way?
     
  4. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,374
    It should be in the interest of application developers to evade detection by using protectors not mainly misused by malware and also provide information about the file and the vendor within the file and sign it digitally. If you use various anti-emulation and protection mechanisms your application will gain extra points when assessed by heuristics and thus make it more suspicious to antivirus scanners (I mean all, not just ESET).
     
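The heuristic assessment Marcos describes in posts 2 and 4 (packed or anti-emulation code earns extra suspicion points; vendor information and a digital signature reduce them), shown as an added, illustrative Python scorer. This is not ESET's engine and not code from the thread: the rules, weights, the threshold, the ".packed" section name and the sample byte buffers are all constructed assumptions chosen to make the mechanism visible.

```python
import math
import random
from dataclasses import dataclass
from typing import List, Tuple

# Section characteristic flags from the PE/COFF specification (real values).
IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_WRITE = 0x80000000

# Section names ordinary compilers/linkers emit (assumption: illustrative, incomplete list).
COMMON_SECTION_NAMES = {".text", ".rdata", ".data", ".rsrc", ".reloc",
                        ".idata", ".edata", ".pdata", ".bss", ".tls"}

SUSPICIOUS_THRESHOLD = 6  # assumption: toy cut-off, not any vendor's


@dataclass
class Section:
    name: str
    data: bytes
    characteristics: int


@dataclass
class Sample:
    sections: List[Section]
    import_count: int       # entries in the import table
    has_version_info: bool  # VERSIONINFO resource naming vendor/product
    signed: bool            # carries a valid Authenticode signature (assumed already verified)


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 8.0 is uniformly random; plain compiled code is usually well below 7."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def score_sample(s: Sample) -> Tuple[int, List[str]]:
    """Return (suspicion score, reasons). Weights are illustrative assumptions."""
    score, reasons = 0, []
    for sec in s.sections:
        ent = shannon_entropy(sec.data)
        executable = bool(sec.characteristics & (IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_CNT_CODE))
        writable = bool(sec.characteristics & IMAGE_SCN_MEM_WRITE)
        if executable and ent > 7.0:          # compressed/encrypted code section
            score += 3
            reasons.append(f"{sec.name}: executable section with entropy {ent:.2f}")
        if executable and writable:           # unpacking stub writes code at run time
            score += 2
            reasons.append(f"{sec.name}: writable and executable")
        if sec.name not in COMMON_SECTION_NAMES:
            score += 1
            reasons.append(f"{sec.name}: non-standard section name")
    if s.import_count < 5:                    # real API set resolved only at run time
        score += 2
        reasons.append(f"only {s.import_count} imports")
    if not s.has_version_info:
        score += 1
        reasons.append("no version info identifying vendor/product")
    if s.signed:                              # signature lowers, but does not erase, suspicion
        score -= 3
        reasons.append("valid Authenticode signature (-3)")
    return max(score, 0), reasons


def verdict(s: Sample) -> str:
    return "suspicious" if score_sample(s)[0] >= SUSPICIOUS_THRESHOLD else "clean"


# --- constructed samples, not real binaries -----------------------------------
_rng = random.Random(2009)
RANDOM_4K = bytes(_rng.getrandbits(8) for _ in range(4096))  # stands in for encrypted code
LOW_ENTROPY_4K = bytes(range(16)) * 256                      # entropy exactly 4.0 bits

PLAIN_APP = Sample(
    [Section(".text", LOW_ENTROPY_4K, IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE),
     Section(".data", LOW_ENTROPY_4K, IMAGE_SCN_MEM_WRITE)],
    import_count=40, has_version_info=True, signed=True)

PROTECTED_APP = Sample(  # ".packed" is a constructed name, not any real protector's
    [Section(".text", RANDOM_4K, IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_WRITE),
     Section(".packed", RANDOM_4K, IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_WRITE)],
    import_count=2, has_version_info=False, signed=False)

PROTECTED_SIGNED_APP = Sample(PROTECTED_APP.sections, import_count=2,
                              has_version_info=True, signed=True)

if __name__ == "__main__":
    for label, sample in [("plain", PLAIN_APP), ("protected", PROTECTED_APP),
                          ("protected+signed", PROTECTED_SIGNED_APP)]:
        score, reasons = score_sample(sample)
        print(f"{label}: score={score} verdict={verdict(sample)}")
        for r in reasons:
            print("   -", r)
```

Running it shows the plain build scoring 0, the protected build 14, and the protected-but-signed build 10: signing and version info take points off, as Marcos says, but a writable, high-entropy code section with almost no imports still crosses the threshold on its own, which is why whitelisting the release is the reliable fix.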
  5. lirips

    lirips Registered Member

    Joined:
    Jun 30, 2009
    Posts:
    3
    I don't think it's *mainly* used by malware. It's a very popular product among legit software authors.

    Also, IMO, recommending software devs not to use a specific protector (Themida in this case) because it is doing such a good job at protecting that some malware devs also decide to use it, doesn't seem fair to the protector authors.

    Anyway, I hope you will find a better solution for this issue in the future.

    Regards
     
  6. pinjoa

    pinjoa Registered Member

    Joined:
    Jan 10, 2008
    Posts:
    74
    Location:
    Braga, Portugal
    At this time almost all protection and/or installer tools are used to pack or "protect" malware to make detection difficult...
     
  7. danieln

    danieln Eset Staff

    Joined:
    Jan 7, 2009
    Posts:
    112
  8. pinjoa

    pinjoa Registered Member

    Joined:
    Jan 10, 2008
    Posts:
    74
    Location:
    Braga, Portugal
    the URL doesn't work:

    Error establishing a database connection

    :D
     
    Last edited: Jul 2, 2009