NOD32 False Positives

Discussion in 'NOD32 version 2 Forum' started by ekerazha, Jul 22, 2004.

Thread Status:
Not open for further replies.
  1. ekerazha

    ekerazha Registered Member

    Joined:
    Jul 22, 2004
    Posts:
    28
    I'm developing a software which contains cryptography routines that I'd want to mask (I know... everything is crackable, but it's always better than nothing). I've searched for a pe-protector which is freeware and that offers good protection, and I've found PESpin http://pespin.w.interia.pl. The problem is that NOD32 Antivirus is obstinate in considering it a virus (W32.Crypt) for the simple reason that the executable file has been compressed (I verified this with other pe-packers, and this is the reason for which, personally, I don't use NOD32 Antivirus). The approach of this antivirus is mistaken for me: while antiviruses like Kaspersky contain advanced unpacking functions which truly assess the presence or not of a virus in a packed file, NOD32 prematurely considers as a virus whatever it recognizes as compressed with a great number of run-time packers, and this generates a great number of false positives, very annoying above all for whoever will have to write in the download page of their own software "Warning! NOD32 gives a false positive...".
    Excuse me for my English, but it isn't my native language ;)
     
  2. Blackspear

    Blackspear Global Moderator

    Joined:
    Dec 2, 2002
    Posts:
    15,115
    Location:
    Gold Coast, Queensland, Australia
    Please send a sample of the file with a detailed explanation as you have in this thread to:

    samples@eset.sk

    Cheers :D
     
  3. ekerazha

    ekerazha Registered Member

    Joined:
    Jul 22, 2004
    Posts:
    28
    Good. The program is still under heavy development... I'll send something in the next days.
     
    Last edited: Jul 22, 2004
  4. Arin

    Arin Registered Member

    Joined:
    May 1, 2004
    Posts:
    997
    Location:
    India
    welcome to the forum ekerazha, it's a known problem with NOD32 and heuristics in general. sometimes even weak encryption sets off the alarm as WIN32.CRYPT.
     
  5. sard

    sard Registered Member

    Joined:
    Apr 18, 2004
    Posts:
    175
    Location:
    UK
    Yep, NOD32 detected some copy protection in the PC Game Perimeter as an unknown virus too. Didn't keep the demo installed long enough to find out if ESET fixed it though after I sent them the sample.
     
  6. ekerazha

    ekerazha Registered Member

    Joined:
    Jul 22, 2004
    Posts:
    28
    Yeah but... they would not have to white-list single applications (what if I make great changes in the structure of my programs?); this is to work around the problem and not to resolve it. They have to truly improve the heuristic engine from this point of view. My 2 cents :)
     
  7. Arin

    Arin Registered Member

    Joined:
    May 1, 2004
    Posts:
    997
    Location:
    India
    NOD32 has some pretty good heuristics and more tweaking might cause it to mellow down. yes, an ideal heuristics-enabled engine will detect ALL with NO false positives. but the task is impossible and everyone is trying to get as close as they can. regarding the present situation i see NOD32 being the leader.
     
  8. ekerazha

    ekerazha Registered Member

    Joined:
    Jul 22, 2004
    Posts:
    28
    The solution can be to have unpacking routines (like KAV), and not to grab all the packed executables under the "super denomination" of W32.Crypto.Virus (infected AND not).
     
  9. Arin

    Arin Registered Member

    Joined:
    May 1, 2004
    Posts:
    997
    Location:
    India
    the problem is not with unpacking. NOD32 has great unpacking ability, second only to KAV. the problem is with the cryptographic routines those protectors add to your program.
     
  10. ekerazha

    ekerazha Registered Member

    Joined:
    Jul 22, 2004
    Posts:
    28
    The problem isn't the cryptography... NOD is an antivirus, not an anti-cryptography.
    For me the problem is that some viruses use packing to hide themselves, so NOD prefers to mark packed executables as potentially infected, and this behavior is really, really excessive.
     
  11. ekerazha

    ekerazha Registered Member

    Joined:
    Jul 22, 2004
    Posts:
    28
    So why doesn't it unpack my executable to see that there are NO viruses?
    :doubt:
     
  12. Arin

    Arin Registered Member

    Joined:
    May 1, 2004
    Posts:
    997
    Location:
    India
    well i don't know how to put it. NOD32 has unpackers and it unpacks all popular formats. i don't know where you got the false information about the packed executables and NOD32, but i had WIN32.CRYPT trouble only with encryption. so if you think it's the other way around then please submit your file or ask the ESET guys. i'm sure Marcos or some other kind soul will help you out. i'm out of this, bye bye.
     
  13. ekerazha

    ekerazha Registered Member

    Joined:
    Jul 22, 2004
    Posts:
    28
    You haven't understood. NOD32 seems to unpack some popular packers (fewer than what Kaspersky or McAfee do, anyway). NOD32 heuristic capabilities are very sensitive and it is induced to classify as Win32.Crypto.Virus all the files (infected AND not) that it detects as encrypted but can't unpack. This is a misleading behavior and I'm saying that it would be better if these NOD32 abilities were reviewed in order to produce fewer false positives, even improving the unpacking functionalities further.
     
  14. ekerazha

    ekerazha Registered Member

    Joined:
    Jul 22, 2004
    Posts:
    28
    Of course... *not* ALL the packed executables... BUT the encrypted executables it can't unpack ;)

    So Marcos... what do you think?
     
  15. ekerazha

    ekerazha Registered Member

    Joined:
    Jul 22, 2004
    Posts:
    28
    I came back from my holidays...... Marcos?
     
  16. Arin

    Arin Registered Member

    Joined:
    May 1, 2004
    Posts:
    997
    Location:
    India
    so what did you bring for me? the reason why i fail to understand and get confused is that you are using encryption and packing as the same process. decryption and unpacking are different things, as you probably know. anyway, send the file flagged as suspicious to ESET and let's keep our fingers crossed.
     
  17. ekerazha

    ekerazha Registered Member

    Joined:
    Jul 22, 2004
    Posts:
    28
    Sure... the fact is that many packers use cryptographic routines. The issue is not as simple as you make it appear... like I've already said, it's not a solution to insert my file in a "white-list", but ESET has to review the mechanism according to which NOD32 classifies files as "potentially W32.Crypt".
     
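As an added illustration of the heuristic the thread argues about in posts 13 and 16 (this is example code written for this page, not code from the thread, from PESpin or from ESET), the following Python computes per-section byte entropy, the crude "encrypted code" signal a packer heuristic reacts to. The section contents are constructed in the script; a legitimately protected build and packed malware look identical under this measure, which is exactly why a scanner needs unpacking or emulation before reaching a verdict.

```python
import math
from collections import Counter
from random import Random

# Constructed sample section contents (no real PE files involved): a "plain"
# code section of repetitive x86-like bytes, and an "encrypted" section of
# pseudo-random bytes such as a protector's encryption layer leaves behind.
_rng = Random(2004)
PLAIN_TEXT_SECTION = b"\x55\x8b\xec\x83\xec\x10\x8b\x45\x08\x5d\xc3" * 400
ENCRYPTED_SECTION = bytes(_rng.getrandbits(8) for _ in range(4096))


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for empty input, 8.0 for perfectly uniform bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def flag_sections(sections, threshold=7.0):
    """Return names of executable sections whose entropy exceeds `threshold`.

    `sections` is a list of (name, raw_bytes, is_executable) tuples, i.e. what
    a scanner reads from the PE section table. Compressed or encrypted code is
    close to 8 bits/byte; normal machine code sits far lower. The check cannot
    distinguish a protected program from packed malware: that is the source of
    the "Crypt" false positive, and unpacking is what resolves it.
    """
    return [name for name, data, is_exec in sections
            if is_exec and shannon_entropy(data) > threshold]


def packer_verdict(sections, threshold=7.0):
    """What an entropy-only heuristic would conclude about the binary."""
    if flag_sections(sections, threshold):
        return "looks packed/encrypted"
    return "clean-looking"


if __name__ == "__main__":
    unprotected = [(".text", PLAIN_TEXT_SECTION, True),
                   (".data", b"Hello, world!\x00" * 100, False)]
    protected = [(".text", ENCRYPTED_SECTION, True),   # code encrypted by a protector
                 (".data", b"Hello, world!\x00" * 100, False)]
    for label, secs in (("unprotected build", unprotected), ("protected build", protected)):
        print(f"{label}: {packer_verdict(secs)}; flagged={flag_sections(secs)}")
```

A developer can run the same measurement over the real section table of a build before and after applying a protector to see which sections will trip an entropy-based heuristic, and include that observation when sending the sample to samples@eset.sk.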