Nod32 false positive

Discussion in 'NOD32 version 2 Forum' started by Labrie, Dec 2, 2004.

Thread Status:
Not open for further replies.
  1. Labrie

    Labrie Registered Member

    Joined:
    Oct 15, 2004
    Posts:
    135
    Location:
    Valencia, Spain
    Hi guys! I have run a full scan today...it was a long time since doing a full scan...and NOD found a security program that I have had for months as a new virus based upon its heuristic technique...its name: KILL2ME.EXE...I guess some of you are familiar with this one....It seems that the new update that improved heuristics fails a little bit....anyway I stick with NOD.

    :D
     
  2. Blackspear

    Blackspear Global Moderator

    Joined:
    Dec 2, 2002
    Posts:
    15,115
    Location:
    Gold Coast, Queensland, Australia
    With a False Positive can you please send an email to support@nod32.com and place a link to this thread. If you do not hear from Eset within 3 days (allows for weekends), please advise us here...

    Cheers :D
     
  3. Labrie

    Labrie Registered Member

    hi blackspear!! ;)...always with the quick help...should i send the file?
     
  4. Blackspear

    Blackspear Global Moderator

    Sorry, I gave you the wrong email address, can you zip the file and send it with a detailed explanation as you have in this thread to: samples@eset.sk

    Cheers :D
     
  5. Labrie

    Labrie Registered Member

    i already did...i will tell you how it goes. ;)

    btw, taking advantage of you being online...is it normal that NOD32 reports in a full scan a lot of blocked files that cannot be checked? o_O
     
  6. Blackspear

    Blackspear Global Moderator

    Thank you, as we all learn that way :D


    Don’t forget to share when it comes time, the more helpers around here the better ;) :D


    If you are talking about [4] Locked File, then yes, these are password protected or Windows System Swap Files, and as such are locked.

    Hope this helps…

    Cheers :D
     
  7. Labrie

    Labrie Registered Member

    Oh ok...but I got more besides (4) locked files...I can see that there are blocked files from Ad-Aware and Spybot of this kind: .bmp, .ini, .reg ...These ones are protected by password.

    Tx a lot for the help. :D
     
  8. Blackspear

    Blackspear Global Moderator

    You answered your own question, these are password protected files and cannot be scanned by NOD32, no worries there, it is normal.


    My pleasure.

    All the best...

    Cheers :D
     
  9. webyourbusiness

    webyourbusiness Registered Member

    Joined:
    Nov 16, 2004
    Posts:
    2,656
    Location:
    Throughout the USA and Canada
    I had often thought that a fairly easy way to "hide" a virus code would be to secrete itself within a password protected zip or rar file, generating the password using some randomizer and using a similar method to randomize the filenames, and to some extent, a code obfuscator to mix up the code of the virus itself... at least this method would generate a moving target, which would certainly create some nice fun and games for the virus hunters!

    just musing...
     
  10. Blackspear

    Blackspear Global Moderator

    Upon extraction AMON would pounce, it awaits such tasties like a hungry Lion ;) :D

    Cheers :D
     
  11. jayt

    jayt Registered Member

    Joined:
    Aug 30, 2004
    Posts:
    345
    Location:
    PA - USA
    You might be interested in this solution from some time back.

    Submitted by John Smith (on Nov 23rd).

    And it works. Lots less blue on scan. :p
     
  12. webyourbusiness

    webyourbusiness Registered Member

    I know that defeating the virus engine already running is a totally different ball game, but I wasn't attempting to lay out a plan to write a better virus from a-z! ;)

    regards

    Greg Hewitt-Long

    ps - where on the Gold Coast are you? I spent quite a long time living and working in Cairns... time in Sydney, Melbourne... vacationed off the coast of Bundaberg... never made it to the Gold Coast region though...
     
  13. Blackspear

    Blackspear Global Moderator

    No worries, was just clarifying for those that would start questioning about zipped files.

    I'm on the northern end of the Gold Coast, 45 min from Brisbane. Why, are you coming to visit? ;) :D Just kidding :D

    Cheers :D
     
  14. Labrie

    Labrie Registered Member

    The last update has solved this FP. I haven't been answered yet but I checked it out by myself. :D
     
    Last edited: Dec 5, 2004
  15. Blackspear

    Blackspear Global Moderator

    Good to see, and many thanks for sharing.

    All the best.

    Cheers :D
     