NOD32 False Positive

Discussion in 'NOD32 Early v2 Beta' started by MegaHertz, May 29, 2003.

Thread Status:
Not open for further replies.
  1. MegaHertz

    MegaHertz Registered Member

    Joined:
    Nov 28, 2002
    Posts:
    69
    Location:
    U.S.A.
    I updated Outpost firewall this morning to the latest beta and after the update was complete AMON notifies me that a file (opst_ui.dll) is infected with an unknown variant of CRYPT.WIN32 virus. This prevents Outpost from loading at start up and the only way I can use it is to add the file to my exclusion list for AMON.

    NOD32 Antivirus System information
    Virus signature database version:***1.419 (20030528)
    Dated:***Wednesday, May 28, 2003
    Virus signature database build:***3677

    Information on other scanner support parts
    Extended heuristic module version:***1.001 (20030430)
    Extended heuristic module build:***1024
    Archive support module version:***1.001 (20030430)
    Archive support module build version:***1031

    Information on installed components
    NOD32 For Windows NT/2000/XP - base
    Version:***2.000.1
    NOD32 For Windows NT/2000/XP - Internet support
    Version:***2.000.1
    NOD32 for Windows NT/2000/XP - standard component
    Version:***2.000.1

    Operating system information
    Platform:***Windows 2000
    Version:***5.0.2195 Service Pack 3
    Version of common control components:***5.81.4916
    RAM:***1024 MB
    Processor:***Intel(R) Pentium(R) III CPU family 1400MHz (1396 MHz)

    Time***Module***Object***Name***Virus***Action***User***Info
    5/29/2003 7:33:58 AM***AMON***file***D:\Agnitum\Outpost Firewall\opst_ui.dll***probably unknown CRYPT.WIN32 virus*********
    5/29/2003 7:20:28 AM***AMON***file***D:\Agnitum\Outpost Firewall\opst_ui.dll***probably unknown CRYPT.WIN32 virus******HOME-19737A4***\**********
    5/29/2003 7:13:07 AM***AMON***file***D:\Agnitum\Outpost Firewall\opst_ui.dll***probably unknown CRYPT.WIN32 virus******HOME-19737A4***\*******
    5/29/2003 7:00:03 AM***AMON***file***D:\Agnitum\Outpost Firewall\opst_ui.dll***probably unknown CRYPT.WIN32 virus*********
    5/29/2003 6:58:11 AM***AMON***file***D:\Agnitum\Outpost Firewall\opst_ui.dll***probably unknown CRYPT.WIN32 virus******NT AUTHORITY\SYSTEM***
    5/29/2003 6:55:54 AM***AMON***file***D:\AGNITUM\OUTPOS~1\opst_ui.dll***probably unknown CRYPT.WIN32 virus******HOME-19737A4***\**********


    P.S. - I have sent a bug report to Agnitum.
     


  2. jan

    jan Former Eset Moderator

    Joined:
    Oct 25, 2002
    Posts:
    804
    Hi MegaHertz,

    pls. send the sample to samples@eset.com with cc to support@eset.com with a subject "FA opst", if possible.

    Thanks, :)

    jan
     
  3. MegaHertz

    MegaHertz Registered Member

    Joined:
    Nov 28, 2002
    Posts:
    69
    Location:
    U.S.A.
    Will do as soon as I get home for lunch. :)
     
  4. jan

    jan Former Eset Moderator

    Joined:
    Oct 25, 2002
    Posts:
    804
    Thanks for your fast feedback. :) It'll be fixed in the next virus signatures dbase update (scheduled today).

    Cheers, :cool:

    jan
     
  5. MegaHertz

    MegaHertz Registered Member

    Joined:
    Nov 28, 2002
    Posts:
    69
    Location:
    U.S.A.
    And thanks to you and all the fine folks at Eset for your outstanding support.
     
  6. hayc59

    hayc59 Guest

    now that i have my Nod32 back(yea)
    i am getting the same "alert"
    and it shuts down OutPost??
     
  7. LowWaterMark

    LowWaterMark Administrator

    Joined:
    Aug 10, 2002
    Posts:
    17,878
    Location:
    New England
    Hi hayc,

    Until Jan comes back and confirms whether the f/p was fixed yet or not, have you tried adding the file to the exclusions list as noted in the first post? (Just to get Outpost back up until this is fixed.)

    Best Wishes,
    LowWaterMark
     
  8. hayc59

    hayc59 Guest

    will try that thanks for your help. did not see that :eek:
     
  9. hayc59

    hayc59 Guest

    well for some reason it will not let me do it??
    must be doing something wrong..
    Mega if you're out there a little help please.
    thank you :D
     
  10. MegaHertz

    MegaHertz Registered Member

    Joined:
    Nov 28, 2002
    Posts:
    69
    Location:
    U.S.A.
    The defs released today (see below) fixed it for me. I have now removed opst_ui.dll from AMON's exclusion list and so far no problems. :) Kudos to the folks at Eset for getting things sorted out so quickly.

    NOD32 Antivirus System information
    Virus signature database version:   1.422 (20030531)
    Dated:   Saturday, May 31, 2003
    Virus signature database build:   3687
     
  11. hayc59

    hayc59 Guest

    i have the same .def file as you but am getting the same
    Virus alert on the same file. how do i get it to exclude this one??
    thanks i am now wondering what is going on? o_O
     
  12. hayc59

    hayc59 Guest

    this is what i am getting in the log file.

    Time   Module   Object   Name   Virus   Action   User   Info
    5/31/03 13:21:09 PM   AMON   file   C:\Program Files\Agnitum\Outpost Firewall\opst_ui.dll   probably unknown CRYPT.WIN32 virus      Unknown User   
    5/31/03 13:20:14 PM   AMON   file   C:\PROGRAM FILES\AGNITUM\OUTPOST FIREWALL\OPST_UI.DLL   probably unknown CRYPT.WIN32 virus      Unknown User   
    5/31/03 13:19:25 PM   AMON   file   C:\PROGRAM FILES\AGNITUM\OUTPOST FIREWALL\OPST_UI.DLL   probably unknown CRYPT.WIN32 virus      Unknown User   
    5/31/03 13:18:36 PM   AMON   file   C:\Program Files\Agnitum\Outpost Firewall\opst_ui.dll   probably unknown CRYPT.WIN32 virus      Unknown User   
    5/31/03 13:17:57 PM   AMON   file   C:\Program Files\Agnitum\Outpost Firewall\opst_ui.dll   probably unknown CRYPT.WIN32 virus      Unknown User   
    5/31/03 13:17:36 PM   AMON   file   C:\Program Files\Agnitum\Outpost Firewall\opst_ui.dll   probably unknown CRYPT.WIN32 virus      Unknown User   
    5/31/03 13:15:33 PM   AMON   file   C:\PROGRAM FILES\AGNITUM\OUTPOST FIREWALL\OPST_UI.DLL   probably unknown CRYPT.WIN32 virus      Unknown User   
    5/31/03 13:12:05 PM   AMON   file   C:\PROGRAM FILES\AGNITUM\OUTPOST FIREWALL\OPST_UI.DLL   probably unknown CRYPT.WIN32 virus      Unknown User   
    5/31/03 12:59:07 PM   AMON   file   C:\PROGRAM FILES\AGNITUM\OUTPOST FIREWALL\OPST_UI.DLL   probably unknown CRYPT.WIN32 virus      Unknown User   
    5/31/03 12:57:06 PM   AMON   file   C:\PROGRAM FILES\AGNITUM\OUTPOST FIREWALL\OPST_UI.DLL   probably unknown CRYPT.WIN32 virus      Unknown User
       
     
  13. LowWaterMark

    LowWaterMark Administrator

    Joined:
    Aug 10, 2002
    Posts:
    17,878
    Location:
    New England
    hayc, you are using NOD32 v2 (beta) right? I don't know, but, perhaps the false positive is still in that for some reason versus NOD32 v1, which I think MegaHertz is running?

    Edit: Okay, this may be relevant perhaps.
     
  14. hayc59

    hayc59 Guest

    i am using Nod32V2 beta yes??
     
  15. MegaHertz

    MegaHertz Registered Member

    Joined:
    Nov 28, 2002
    Posts:
    69
    Location:
    U.S.A.
    Hayc59,

    Did you read the PM I sent you over here? In case you didn't and also in case it may be helpful for someone else I will provide the instructions here. First you must shut down AMON only and then add the file to AMON's exclusion list. Restart AMON and you should be good to go.
     
  16. hayc59

    hayc59 Guest

    yes i got it. :D
    and it's in excluded folder, just wondering why it's not happening to you but is doing it to me?
    are you using the V2beta version?
     
  17. MegaHertz

    MegaHertz Registered Member

    Joined:
    Nov 28, 2002
    Posts:
    69
    Location:
    U.S.A.
    I don't think so; my beta flag is missing from the control center (see screenshot).
     


  18. hayc59

    hayc59 Guest

    ok i think that is what's going on?? hasn't been updated on the beta version. you have an e-mail!! and thanks for your help!! :D
     

    Attached Files: Beta.jpg (25.7 KB)
  19. DavidH

    DavidH Registered Member

    Joined:
    Nov 1, 2002
    Posts:
    40
    Location:
    Fort Worth, TX USA
    Hello,

    I'd put this in the Beta Forum, but for some reason this thread was started in this forum even though it seems that I am still using NOD32 Beta 5. First of all, I am not sure how some people seem to be using a final release as I have not been able to download a final release from any of the Eset or NOD32 sites or find the stand-alone executable for the final official version. At this point, I am using NOD32 Beta 5 and have updated my definitions to 1.423 dated June 1 and still have the problem with NOD32 falsely calling opst_ui.dll a virus or possible virus. Just what is the situation? Here are the specifications for my installation of NOD32. I should also note that I am a licensed user and am using the username and password for my paid license. That username and password are good until about March of 2004. So, the issue is not that I was using the temporary Beta Tester username and password.

    NOD32 Antivirus System information
    Virus signature database version:   1.423 (20030601)
    Dated:   Sunday, June 01, 2003
    Virus signature database build:   3689

    Information on other scanner support parts
    Extended heuristic module version:   1.01
    Extended heuristic module build:   1048866423
    Archive support module version:   1.001 (20030430)
    Archive support module build version:   1031

    Information on installed components
    NOD32 For Windows NT/2000/XP - base
    Version:   1.199.16
    NOD32 For Windows NT/2000/XP - Internet support
    Version:   1.199.17
    NOD32 For Windows NT/2000/XP - NOD32 On-demand Scanner
    Version:   1.199.16

    Operating system information
    Platform:   Windows XP
    Version:   5.1.2600 Service Pack 1
    Version of common control components:   5.82.2800
    RAM:   512 MB
    Processor:   AMD Athlon(tm) processor (1200 MHz)

    Thanks for your attention to this matter.

    Have a good day. :)
     
  20. jan

    jan Former Eset Moderator

    Joined:
    Oct 25, 2002
    Posts:
    804
    Hi all,

    pls. wait for today's NOD update (1.424) - check for the NOD conflict with Outpost after updating NOD to that version and give feedback.

    Comment to the "Beta5" label:

    The NOD32 will be released in a couple of days - consider the version without the "Beta" label as a Release candidate for getting more taste for v2. ;)

    Thks. :)

    jan
     
  21. hayc59

    hayc59 Guest

    NOD32 Antivirus System information
    Virus signature database version:   1.424 (20030602)
    Dated:   Monday, June 02, 2003
    Virus signature database build:   3695

    updated to new version this morning and all is well
    update fixed the Amon alert. thanks Jan and Co. for all your hard work!! bravo to you. :D :D
     
  22. jan

    jan Former Eset Moderator

    Joined:
    Oct 25, 2002
    Posts:
    804
    Hey Gordon,

    >updated to new version this morning and all is well
    >update fixed the Amon alert. thanks Jan and Co. for all your hard work!! bravo to you.

    Nice to hear you've got rid of it now :cool:. Thanks goes to our virus and heuristics expert. :)

    Enjoy NOD with Outpost! :D

    jan
     