Nod32 false positive

Discussion in 'NOD32 version 2 Forum' started by Labrie, Dec 2, 2004.

Thread Status:
Not open for further replies.
  1. Labrie

    Labrie Registered Member

    hi guys! I ran a full scan today...it had been a long time since I last did a full scan...and Nod detected a security program that I have had for months as a new virus based upon its heuristic technique...its name: KILL2ME.EXE...I guess some of you are familiar with this one....It seems that the new update that improved heuristics fails a little bit....anyway I stick with NOD.

    :D
     
  2. Blackspear

    Blackspear Global Moderator

    With a False Positive can you please send an email to support@nod32.com and place a link to this thread. If you do not hear from Eset within 3 days (allows for weekends), please advise us here...

    Cheers :D
     
  3. Labrie

    Labrie Registered Member

    hi blackspear!! ;)...always with the quick help...should i send the file?
     
  4. Blackspear

    Blackspear Global Moderator

    Sorry, I gave you the wrong email address, can you zip the file and send it with a detailed explanation as you have in this thread to: samples@eset.sk

    Cheers :D
     
  5. Labrie

    Labrie Registered Member

    i already did...i will tell you how it goes. ;)

    btw, taking advantage of the fact that you are online...is it normal that nod32 reports in a full scan a lot of blocked files that cannot be checked? o_O
     
  6. Blackspear

    Blackspear Global Moderator

    Thank you, as we all learn that way :D


    Don’t forget to share when it comes time, the more helpers around here the better ;) :D


    If you are talking about [4] Locked File, then yes, these are password protected or Windows System Swap Files, and as such are locked.

    Hope this helps…

    Cheers :D
     
  7. Labrie

    Labrie Registered Member

    oh ok...but I got more besides (4) locked files...I can see that there are blocked files from ad-aware and spybot of this kind: .bmp, .ini, .reg ...These ones are protected by password.

    Tx a lot for the help. :D
     
  8. Blackspear

    Blackspear Global Moderator

    You answered your own question, these are password protected files and can not be scanned by Nod32, no worries there, it is normal.


    My pleasure.

    All the best...

    Cheers :D
     
  9. webyourbusiness

    webyourbusiness Registered Member

    I had often thought that a fairly easy way to "hide" a virus code would be to secrete itself within a password protected zip or rar file, generating the password using some randomizer and using a similar method to randomize the filenames, and to some extent, a code obfuscator to mix up the code of the virus itself... at least this method would generate a moving target, which would certainly create some nice fun and games for the virus hunters!

    just musing...
     
  10. Blackspear

    Blackspear Global Moderator

    Upon extraction AMON would pounce, it awaits such tasties like a hungry Lion ;) :D

    Cheers :D
     
  11. jayt

    jayt Registered Member

    You might be interested in this solution from some time back.

    Submitted by John Smith (on Nov 23rd).

    And it works. Lots less blue on scan. :p
     
  12. webyourbusiness

    webyourbusiness Registered Member

    I know that defeating the virus engine already running is a totally different ball game, but I wasn't attempting to lay out a plan to write a better virus from a-z! ;)

    regards

    Greg Hewitt-Long

    ps - where on the Gold Coast are you? I spent quite a long time living and working in Cairns... time in Sydney, Melbourne... vacationed off the coast of Bundaberg... never made it to the Gold Coast region though...
     
  13. Blackspear

    Blackspear Global Moderator

    No worries, was just clarifying for those that would start questioning about zipped files.

    I'm on the northern end of the Gold Coast, 45min from Brisbane, why, you coming to visit? ;) :D Just kidding :D

    Cheers :D
     
  14. Labrie

    Labrie Registered Member

    The last update has solved this FP. I haven't been answered yet but I checked it out by myself. :D
     
    Last edited: Dec 5, 2004
  15. Blackspear

    Blackspear Global Moderator

    Good to see, and many thanks for sharing.

    All the best.

    Cheers :D
     