NOD32 *still* consider "daemount.exe" being a threat

Discussion in 'NOD32 version 2 Forum' started by Xophile, Mar 20, 2006.

Thread Status:
Not open for further replies.
  1. Xophile

    Xophile Registered Member

    Joined:
    Feb 9, 2004
    Posts:
    161
    Hi!

    I use a little application called "Daemount" very often. If you are running Daemon Tools together with daemount you can mount and unmount .iso/.img/.cue without opening Daemon Tools, it only adds a right click menu item and I really enjoy that feature. Over one year ago NOD32 warned me that daemount.exe could be a dangerous file. I submitted it to Eset with a very detailed description and nothing happened. I submitted the file again, still nothing. Today I ran a full system scan and once again NOD warned me about this application.

    Is there anything else I can do to make NOD and Eset aware that this application is not dangerous?

    Thanks!
     
  2. IcePanther

    IcePanther Registered Member

    Joined:
    May 28, 2005
    Posts:
    308
    Location:
    (nearby) Paris, France
    Maybe this is an heuristic warning, due to a possible malware-like behavior of Daemount.exe, like injecting into explorer.exe to create its context menu entry, or whatever. If you're sure it is no malware you still can ignore the warning (I guess if detected 'on demand', that you have it excluded from AMON) ...

    Could you be more specific about what is the error returned by Nod? I may not be able to help, but more competent users can :D
     
  3. Xophile

    Xophile Registered Member

    Joined:
    Feb 9, 2004
    Posts:
    161
    Yeah, it probably is. But isn't there a way to make it disappear?
     
  4. IcePanther

    IcePanther Registered Member

    Joined:
    May 28, 2005
    Posts:
    308
    Location:
    (nearby) Paris, France
    Well, if it is excluded from AMON but still detected by Nod32 when doing a full system scan, there's really nothing to do from your part: Nod32 scanner doesn't have for now (maybe in v3 it will be implemented :rolleyes: ) an exclude feature, and it's a pain to include all folders and files except the one that's maybe a FP / heuristic warning on a legit app.

    So I'd suggest either you send again the sample to ESET, or PM one of the ESET moderators out there (Marcos, Happy Bytes...), maybe they'll know if it is indeed a dangerous application or not, or look closer on this problem...
     
  5. Joliet Jake

    Joliet Jake Registered Member

    Joined:
    Mar 1, 2005
    Posts:
    911
    Location:
    Scotland
    I have Daemount 1.61 and NOD32 and NOD doesn't flag it.
     
  6. Xophile

    Xophile Registered Member

    Joined:
    Feb 9, 2004
    Posts:
    161
    Jake:

    Even if you run an in-depth scan? Because here NOD only flags when I'm running the deep scan.
     
  7. Joliet Jake

    Joliet Jake Registered Member

    Joined:
    Mar 1, 2005
    Posts:
    911
    Location:
    Scotland
    Doing one now and will let you know what happens.
     
  8. Joliet Jake

    Joliet Jake Registered Member

    Joined:
    Mar 1, 2005
    Posts:
    911
    Location:
    Scotland
    Did an in-depth scan which came up with nothing. Do you have the latest version of Daemount?
     
  9. Xophile

    Xophile Registered Member

    Joined:
    Feb 9, 2004
    Posts:
    161
    This still happens!

    Daemount was updated a few days ago and I had trouble installing it because of NOD32.

    What should I do?
     
  10. mrtwolman

    mrtwolman Eset Staff Account

    Joined:
    Dec 5, 2002
    Posts:
    613
    Just a wild guess: some time ago there was a discussion that Daemon Tools would be shipped with adware included. Maybe this was the cause of your issue.

    Did you get some specific alert ?
     
  11. Joliet Jake

    Joliet Jake Registered Member

    Joined:
    Mar 1, 2005
    Posts:
    911
    Location:
    Scotland
    Is this the arniworx tool? It has adware included but you can choose not to install that part. With that in mind, try installing it with NOD switched off.
     
  12. Xophile

    Xophile Registered Member

    Joined:
    Feb 9, 2004
    Posts:
    161
    No, this is *not* arniworx.
    "Daemount" simply adds a "right-click-menu" to .img & .cue files with which you can "mount" and "unmount" images.

    Mrtwolman:
    I only get "unknown NewHeur_PE virus"
     
  13. NOD32 user

    NOD32 user Registered Member

    Joined:
    Jan 23, 2005
    Posts:
    1,766
    Location:
    Australia
    Tried downloading it myself.
    IMON picks it up instantly, as does AMON and an on demand scan pings it as well.
    ESET have received a copy of the file via ThreatSense.Net.

    It might be worth reviewing your NOD32 settings, and making sure you're right up to date ??

    As for it being a FP - we will have to wait for word on this from ESET I suppose - depends why AH has picked it up.

    24/05/2006 1:25:41 AM IMON archive hxxp://www.aldostools.com/daemount.zip probably unknown NewHeur_PE virus Connection terminated

    Cheers :)
     

    Attached Files:

    • IMON.jpg
  14. kjempen

    kjempen Registered Member

    Joined:
    May 6, 2004
    Posts:
    379
    On a sidenote, Panda also labels this file as "suspicious".

    Edit: Possibly something to do with the runtime packers used on the .exe?
     
  15. NOD32 user

    NOD32 user Registered Member

    Joined:
    Jan 23, 2005
    Posts:
    1,766
    Location:
    Australia
    I think not in this case :-

    Date: 24.5.2006 Time: 01:23:49
    Scanned disks, folders and files: C:\WINDOWS\Temp\daemount.zip
    C:\WINDOWS\Temp\daemount.zip »ZIP »daemount_setup.exe »RAR »readme.txt - is OK
    C:\WINDOWS\Temp\daemount.zip »ZIP »daemount_setup.exe »RAR »daemount-lang.ini - is OK
    C:\WINDOWS\Temp\daemount.zip »ZIP »daemount_setup.exe »RAR »daemount.ini - is OK
    C:\WINDOWS\Temp\daemount.zip »ZIP »daemount_setup.exe »RAR »DAEMount.exe - probably unknown NewHeur_PE virus [7] - was a part of the deleted object
    C:\WINDOWS\Temp\daemount.zip »ZIP »daemount_setup.exe »RAR »cd.ico - is OK
    C:\WINDOWS\Temp\daemount.zip »ZIP »daemount_setup.exe »UPX v12_m2 - is OK
    Number of scanned files: 7
    Number of threats found: 1
    Number of files cleaned: 1
    Time of completion: 01:23:49 Total scanning time: 0 sec (00:00:00)
     
  16. kjempen

    kjempen Registered Member

    Joined:
    May 6, 2004
    Posts:
    379
    File: DAEMount.exe
    Status: POSSIBLY INFECTED/MALWARE (Note: this file was only flagged as malware by heuristic detection(s). This might be a false positive. Therefore, results of this scan will not be stored in the database)
    MD5 26e0d70ac9b2134160367500a43e8d19
    Packers detected: PE_PATCH.UPX, UPX

    I'm wondering what PE_PATCH.UPX is? And how can you say it is not because of runtime packers used in this case that 2 antiviruses finds this file suspicious?

    I could be wrong though, if so, I'm sorry.
     
  17. NOD32 user

    NOD32 user Registered Member

    Joined:
    Jan 23, 2005
    Posts:
    1,766
    Location:
    Australia
    I only say that because NOD32 did not indicate packers for DAEMount.exe as per the scan log in my previous post above, although you have evidence from elsewhere suggesting that they are in fact in use on this file, so it may well be the specific packer used that is triggering off AH, but we will see soon :)

    Cheers :)
     
    Last edited: May 24, 2006
  18. Xophile

    Xophile Registered Member

    Joined:
    Feb 9, 2004
    Posts:
    161
    Please get back to us when you have heard from Eset!

    Thanks
     
  19. NOD32 user

    NOD32 user Registered Member

    Joined:
    Jan 23, 2005
    Posts:
    1,766
    Location:
    Australia
    This issue is resolved - Apparently a FP as many suspected, also looks like it may have been packer related.

    C:\Documents and Settings\Damian\Desktop\daemount.zip »ZIP »daemount_setup.exe »RAR »DAEMount.exe »UPX v12_m2 - is OK

    Cheers :)
     
    Last edited: May 25, 2006
  20. Xophile

    Xophile Registered Member

    Joined:
    Feb 9, 2004
    Posts:
    161
    Thank you kindly for your reply!

    NOD32 updated itself right away this morning and now it does not flag daemount.exe.
     