NOD32 thinks my program is a virus!

Discussion in 'ESET NOD32 Antivirus' started by R1CH, Sep 14, 2009.

Thread Status:
Not open for further replies.
  1. R1CH

    R1CH Registered Member

    Joined:
    Sep 14, 2009
    Posts:
    3
    And not just a heuristic detection either. For some reason, NOD32 detects my IP binding program, ForceBindIP, as "Win32/ForceBindIP". The software is a legitimate program that uses an injected DLL to help bind programs to IPs / interfaces when the program itself does not support such a feature. The executable is even digitally signed.

    The software is available from http://www.r1ch.net/stuff/forcebindip/

    I would love to know the reasoning behind this, especially considering the first I hear of this is my users complaining of false positives. I myself am a big fan of NOD32 and have recommended it to several business users due to its very low false positive rate, but this incident has left me with a lot of questions. I looked at the Virustotal results for my program with great dismay at the number of antivirus vendors that generate false positives. I almost wonder if this detection was added solely based on the fact that other AV vendors have ridiculously high false positive rates.

    I did submit to samples@eset (twice now I believe), but I received no response. What's my next step to get this fixed?
     
  2. IBK

    IBK AV Expert

    Joined:
    Dec 22, 2003
    Posts:
    1,819
    Location:
    Innsbruck (Austria)
    It will detect it as "Win32/ForceBindIP application" only if the user wants NOD32 to report such applications (by enabling such detection in the options). From the help file:
    "Potentially unsafe applications - Potentially unsafe applications is the classification used for commercial, legitimate software. It includes programs such as remote access tools, which is why this option is disabled by default."
     
  3. R1CH

    R1CH Registered Member

    Joined:
    Sep 14, 2009
    Posts:
    3
    How is it potentially unsafe? I would disagree that this program deserves to be in the same classification as password crackers, SAM dumpers and remote control apps. I don't see how there could be any security threat from binding a program to an IP.

    Whether PUA detections are off by default or not, it is clear from my feedback that many people turn it on either by choice or not knowing what the feature means.
     
  4. YeOldeStonecat

    YeOldeStonecat Registered Member

    Joined:
    Apr 25, 2005
    Posts:
    2,345
    Location:
    Along the Shorelines somewhere in New England
    Considering a HUUUUGE amount of malware poisons the winsock files, and other things done to TCP/IP stack such as DNS redirects....I would expect good antivirus programs to be a little extra hypersensitive in this area.

    "Better to be safe than sorry" to use an analogy.

    Difficult recourse for you, probably the only avenue is to attempt to contact each AV vendor directly...but as a "relatively known" small software manufacturer....I imagine it's a long and difficult line to be standing in, just imagine how many malware writers are also attempting this approach to have their bug whiteflagged.
     
  5. R1CH

    R1CH Registered Member

    Joined:
    Sep 14, 2009
    Posts:
    3
    I wish this were true, but all the false positives generated by antivirus software are detecting the loader (forcebindip.exe) as malicious, when in fact it does nothing but load the program and the DLL (bindip.dll). The DLL is the one that intercepts winsock requests and does the main work of the program, yet virustotal gives it a 100% clean score.

    I develop another program that uses a runtime packer and every single time I release an update I have to go through the process of whitelisting it as generic detections pick it up. Every vendor has their own process, some want it emailed, some want it passworded with x, some with y, some want it uploaded, some want a link to the download... it really is very frustrating as a small developer to try and resolve false positives. I've had great difficulty in finding where to even report false positives with some vendors.

    The prevalence of heuristics and sites like virustotal do not help either. As an experiment, I uploaded a legitimate packed file to virustotal. A few of the popular AVs picked it up, the rest did not. I scanned the same file a week later and found the number of false positives had more than doubled. Many vendors simply trust the heuristics of their associates and blindly add detections without even doing any confirmation, which only exacerbates the problem.
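To make concrete what "binding a program to an IP" means at the socket level (the thing the injected bindip.dll does on a program's behalf, as described in posts 1 and 5), here is an added example that is not part of the thread and not ForceBindIP's own code. It opens a loopback listener, connects to it from a client socket that is pinned to a chosen source address with bind() before connect(), and reports which source the server actually saw. The 127.0.0.2 address is an assumption that holds on Linux, where the whole 127/8 range is on the loopback interface; the code falls back to 127.0.0.1 where that is not the case.

```python
import socket
import threading

# Constructed local demo: one listener on loopback, one client whose source
# address is pinned explicitly. A program that lacks a "bind to interface"
# option leaves that choice to the OS routing table; a binding tool overrides
# it for the program, which is all that the DLL described in the thread does.


def start_listener(host="127.0.0.1"):
    """Listen on an ephemeral loopback port; record the first peer address seen."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind((host, 0))                      # port 0: the OS picks a free port
    srv.listen(1)
    port = srv.getsockname()[1]
    seen = {}

    def accept_once():
        try:
            conn, peer = srv.accept()
            seen["peer"] = peer              # (ip, port) as observed by the server
            conn.close()
        finally:
            srv.close()

    t = threading.Thread(target=accept_once, daemon=True)
    t.start()
    return port, t, seen


def connect_with_source(remote, local_ip=None):
    """Connect to `remote`; if `local_ip` is given, force it as the source address.

    Without the bind() the kernel selects the source address from its routing
    table; with it, the connection is tied to `local_ip` (port 0 = any free port).
    """
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(5)
    if local_ip is not None:
        s.bind((local_ip, 0))
    s.connect(remote)
    local = s.getsockname()                  # (ip, port) the client ended up using
    s.close()
    return local


def demo(preferred_source="127.0.0.2"):
    """Run the pinned connection on loopback; return (client_source_ip, server_seen_ip).

    127.0.0.2 is assumed to be a usable loopback address (true on Linux); where
    binding to it fails (e.g. macOS without extra aliases) fall back to 127.0.0.1.
    """
    probe = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    try:
        probe.bind((preferred_source, 0))
        source = preferred_source
    except OSError:
        source = "127.0.0.1"
    finally:
        probe.close()

    port, thread, seen = start_listener("127.0.0.1")
    local = connect_with_source(("127.0.0.1", port), source)
    thread.join(5)
    return local[0], seen.get("peer", ("",))[0]


if __name__ == "__main__":
    print("client bound to %s, server saw %s" % demo())
```

On a Linux host the two addresses printed are both 127.0.0.2, showing that the server sees the pinned source rather than the default 127.0.0.1. The point for the thread's argument is that the observable network behaviour comes from the socket-level bind inside the process, which is the DLL's job; the loader executable itself never touches winsock.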
     