NOD32 reporting trojan in Ad-aware SE

Discussion in 'NOD32 version 2 Forum' started by OzBoz, Jan 26, 2006.

Thread Status:
Not open for further replies.
  1. OzBoz

    OzBoz Registered Member

    Joined:
    Jan 26, 2006
    Posts:
    32
    Location:
    Queensland Australia
    I recently updated Ad-aware SE to the latest version, downloaded the latest file definitions, and ran a full system scan as per LavaSoft's advice. About half way through the scan, the AMON module of NOD32 reports that Ad-aware is trying to load a dummy trojan, and quarantines the file. (details below)
    This happens each and every time I run Ad-aware. I have turned off heuristics in NOD32 to check in case it was a false positive, with no change.
    I have also submitted this enquiry to Lavasoft. Has anyone experienced anything similar?

    OzBoz

    Time: 26/01/2006 11:08:18 AM
    Module: AMON
    Object: file
    Name: C:\DOCUME~1\BRIANB~1\LOCALS~1\Temp\AAWTMP\C8981921\20D5C8\Dummy.class
    Threat: Java/Dummy trojan
    Action: quarantined - deleted
    User: 5JYNC1S\Brian Bosley
    Information: Event occurred on a new file created by the application: C:\Program Files\Lavasoft\Ad-Aware SE Personal\Ad-Aware.exe. The file was moved to quarantine. You may close this window.
     
  2. Axel

    Axel Guest

    Never heard of an AV having so many false positives as nod32.
    Hope they will fix it.
     
  3. zashita

    zashita Registered Member

    Joined:
    May 17, 2005
    Posts:
    309
    Very constructive post, Axel :blink:

    Well ... about the threat detected by Nod32, when you perform a scan with Adaware, it uses temporary files to extract some archives it scans, and then in those extracted files, Nod32 (AMON) will catch something.
    Nod32 says it is Adaware which creates the file because it is Adaware which performs a full scan of your system.
    Hope it makes sense ...
     
  4. Upasaka

    Upasaka Guest

    What false positives are you talking about?

    I have used NOD32 on 2 machines for the last 2 1/2 years and am yet to see this happen.
    I also run Ad Aware SE, have the latest version and latest definitions, again on 2 machines and without any false positives.
    -------------------------------------------------

    OzBoz, can you send the quarantined files to Eset and ask their opinion?
     
  5. YeOldeStonecat

    YeOldeStonecat Registered Member

    Joined:
    Apr 25, 2005
    Posts:
    2,345
    Location:
    Along the Shorelines somewhere in New England
    Yeah no kidding. We have thousands of installs out there (many many Enterprise Edition networks)...the ONLY time I've seen it hiccup on a legit file was with Webroot's SpySweeper...and that was only during a couple of weeks and fixed quickly with an update.
     
  6. OzBoz

    OzBoz Registered Member

    Joined:
    Jan 26, 2006
    Posts:
    32
    Location:
    Queensland Australia
    Zashita, thank you for the explanation. The quarantine entry now makes sense. I take it that I am still secure, and there has been no compromise. But did NOD allow Ad-aware to do its job properly, and not just quarantine something I need? I am still unfamiliar with the expression "dummy" when applied to trojans. The next question is, how do I prevent this happening every time I use Ad-aware? Will I have to disable NOD each time?

    Upasaka, thanks for your response. I have emailed eset with a copy of the file quarantine attached, but I thought maybe someone here had come across the problem before, and I could maybe get a quick answer.

    Cheers

    OzBoz
     
  7. dvk01

    dvk01 Global Moderator

    Joined:
    Oct 9, 2003
    Posts:
    3,131
    Location:
    Loughton, Essex. UK
    It is not a FP but a legitimate detection of an exploit in the Java VM that can potentially infect the machine.
    The file that was deleted was a copy of a Java applet, not the original applet.

    Do this:
    Removing Java trojans that your antivirus has found
    If you are still using Java 1.4 or earlier, open Control Panel, select the Java Plug-in control panel, select Cache and then press Clear Cache.

    That gets rid of the trojans.
    If you are using the 1.5 version it's slightly different, so read here:

    http://www.java.com/en/download/help/5000020300.xml

    Then, if you haven't got the latest version of Java, go to www.java.com and download the latest version of Java, 1.5.0.6.

    Install it and then go to Add/Remove Programs and UNINSTALL ALL previous versions of Sun Java.
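
Added example, not part of any post in this thread: a small triage of the AMON entry from the first post, applying the reading given in posts 3 and 7 (the detected object is a copy that a scanner extracted into a temp directory, so the original is still elsewhere). The `SCANNERS` set, the second log line and the function name are assumptions constructed for illustration.

```python
import re
from pathlib import PureWindowsPath

# Entry quoted in the first post (columns flattened to single spaces).
POSTED = (r"26/01/2006 11:08:18 AM AMON file "
          r"C:\DOCUME~1\BRIANB~1\LOCALS~1\Temp\AAWTMP\C8981921\20D5C8\Dummy.class "
          r"Java/Dummy trojan quarantined - deleted 5JYNC1S\Brian Bosley "
          r"Event occurred on a new file created by the application: "
          r"C:\Program Files\Lavasoft\Ad-Aware SE Personal\Ad-Aware.exe. "
          r"The file was moved to quarantine. You may close this window.")
# Constructed counter-example: same threat, file written by a non-scanner.
CONSTRUCTED = (r"26/01/2006 11:20:00 AM AMON file C:\Temp\dl\Dummy.class "
               r"Java/Dummy trojan quarantined - deleted HOST\user "
               r"Event occurred on a new file created by the application: "
               r"C:\Program Files\Example\browser.exe. "
               r"The file was moved to quarantine.")

# Assumption: executables the analyst knows to be on-demand scanners.
SCANNERS = {"ad-aware.exe"}

# Windows paths never contain "/", so the first token with a slash after
# the object path is the threat name (e.g. Java/Dummy).
OBJECT_RE = re.compile(
    r" file (?P<path>[A-Za-z]:\\.+?) (?P<threat>[^\s\\/]+/[^\s\\]+)")
CREATOR_RE = re.compile(
    r"created by the application: (?P<exe>[A-Za-z]:\\.+?\.exe)(?=[.\s]|$)",
    re.IGNORECASE)

def triage(line, scanners=SCANNERS):
    """Return detection details, or None if the line is not an AMON file event."""
    obj, creator = OBJECT_RE.search(line), CREATOR_RE.search(line)
    if not (obj and creator):
        return None
    path = PureWindowsPath(obj["path"])
    exe = PureWindowsPath(creator["exe"])
    in_temp = any(p.lower() in ("temp", "tmp") for p in path.parts)
    # True: a scanner unpacked this copy; the source file was not removed.
    return {"object": str(path), "threat": obj["threat"], "creator": exe.name,
            "extracted_copy": in_temp and exe.name.lower() in scanners}

if __name__ == "__main__":
    for entry in (POSTED, CONSTRUCTED):
        print(triage(entry))
```

When `extracted_copy` is true, quarantining the temp file does not remove the source, which is why the alert repeats on every scan until the original is cleared.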
     
  8. ejr

    ejr Registered Member

    Joined:
    Nov 19, 2005
    Posts:
    538
    I don't think NOD gets a lot of false positives. But even if it did, wouldn't you rather err on the side of caution? I would much rather flag something as a virus that is not than not flag something as a virus that is.
     
  9. Upasaka

    Upasaka Guest



    Thank you for that information, very helpful, something else learnt!
     
  10. Notti

    Notti Guest

    Well, no thanks, because if it is a very important program or file that I really need to be installed, and nod32 shows it's a virus, but it's a false positive, then I don't know what to do, because I cannot wait one minute and think I will send it to them and it can take weeks.
    And don't say that nod32 doesn't show false positives, just take a look at the nod32 topics in this forum only, and you will see...
     
  11. ejr

    ejr Registered Member

    Joined:
    Nov 19, 2005
    Posts:
    538
    I can only speak from my experience. I haven't had a single false positive. I see that others have. But what is to say that they wouldn't have the same false positive with other AV products?

    But the solution is very easy. If you aren't pleased with NOD, then switch to an AV that does please you. I have had Norton, PC Cillin, and NOD32. Of those 3, I am most pleased with NOD.
     
  12. Elwood

    Elwood Registered Member

    Joined:
    Sep 12, 2005
    Posts:
    205
    Location:
    Mis'sippi
    Never seen a false positive with NOD32 since I've been using it.

    I think whoever this is that calls himself axel, Notti or whatever name that comes into his mind is nothing but a troll and has been trolling this forum for quite some time.

    I see this type of thing at several forums, security forums are plagued by people that have nothing better to do than spread FUD.
     
  13. i_kenefick

    i_kenefick Registered Member

    Joined:
    Nov 29, 2005
    Posts:
    135
    Location:
    Cork, Ireland.
    This is NOT a false positive. The file is indeed malware.
     
  14. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,374
    There's no room for trolling here, please stop this or the thread will be closed.

    False positives have always been remedied quickly, usually with the next update after they'd been reported. And frankly, the number was really not that large. I'd say not more than 4-5 per week.
     
  15. ejr

    ejr Registered Member

    Joined:
    Nov 19, 2005
    Posts:
    538
    I don't really understand your comment. My main point is that there really is no reason to complain. Why not just let your actions speak for themselves?

    If you are happy with NOD32, stick with it. If you aren't happy with NOD32, then find an AV that makes you happy. I simply don't see the purpose of complaining about it.
     
  16. ronjor

    ronjor Global Moderator

    Joined:
    Jul 21, 2003
    Posts:
    57,728
    Location:
    Texas
    Best not to feed the trolls. Simply ignore them. This is a support forum, not an opinion forum.

    https://www.wilderssecurity.com/showthread.php?t=4383
     
    Last edited: Jan 26, 2006