Possible false positive

Discussion in 'NOD32 version 2 Forum' started by Anth-Unit, Oct 13, 2006.

Thread Status:
Not open for further replies.
  1. Anth-Unit

    Anth-Unit Registered Member

    Joined:
    Oct 13, 2006
    Posts:
    108
    I just dug up an old file I had in my quarantine that was listed as "probably unknown STEALTH.POLY.CRYPT.TSR.DRIVER virus." I recently discovered these forums as well as the virus total website. This is what it came up with:

    http://img.photobucket.com/albums/v602/anthunit/virus.jpg

    I remember telling NOD32 to submit it to ESET probably about a month ago. I'm not sure exactly what the protocol is but I imagine if it was a false positive or a genuine virus and they actually received it from me there would have been some kind of definition update or something. Can someone please clarify how the process works for me and what I can do to get the file analyzed? From the description NOD32 gave me of the infection it sounds pretty nasty.
     
  2. ASpace

    ASpace Guest

    Hello and Welcome to Wilders ! :thumb:


    Let me start with the fact that your NOD32 icon in the system tray is red, which means NOD32 is not working and protection is disabled. I assume you manually disabled AMON to submit the file; anyway, you should enable it again to stay protected.

    So, about the malware. Submit the file to ESET Labs via email: write to samples@eset.com and attach the suspected file.

    If there is something (an FP, for example) it will be corrected as soon as possible ;) By the way, I have seen many examples where only NOD32 and no other security software detects a particular malware, especially heuristically, so your case might be a real threat as well, but checking by a human is required in order to be sure.

    :cool:
     
  3. Anth-Unit

    Anth-Unit Registered Member

    Joined:
    Oct 13, 2006
    Posts:
    108
    I also submitted it by email around the time of the infection; however, I'm not sure if it went through because I use Gmail as my primary email account and it might not have sent it to ESET. I'm also in the process of changing ISPs, so I'm going to have to wait a few days before I can set up an email account with them unless someone has a free alternative that will allow me to send the file. Should I expect to get a response from ESET detailing what they found? I'd like some assurance that the file I submitted actually got through, as I've had trouble with this in the past.
     
  4. ASpace

    ASpace Guest

    Google doesn't allow .exe and .com files to be sent. If you want to send this file using Gmail, you need to pack the .exe into a password-protected ZIP. This way Gmail won't be able to detect the .exe inside and will send it; don't forget to include the password.

    No, ESET's policy is that they don't reply to emails with submitted malware. Maybe this will change soon.
     
  5. Anth-Unit

    Anth-Unit Registered Member

    Joined:
    Oct 13, 2006
    Posts:
    108
    I sent them the files in my quarantine (the .nqf and .nqi files, to sample@eset.com) but from a different, non-Gmail account, as per the instructions in the FAQ section of the NOD32 website. How long does it usually take them to process these files? I'm wondering because I put the .nqf and .nqi files in the email I sent to ESET with Gmail (in a password-protected zip file) a while ago. I was able to dig up the old email in my sent folder (sent out on Sep 1, 2006) and so far nothing has changed in terms of NOD32 detecting the file. I also verified that I didn't mess up the password on the zip file, so there should have been no problem extracting it. The only thing I can think of is that it either didn't get to them or I'm not supposed to be sending them the files in my quarantine folder. How long should I wait before trying to contact them again? Or should I just send them the executable?
     
  6. ASpace

    ASpace Guest

    The address is samples@eset.com (note the "s" of samples; plural).


    When they receive a sample they deal with it on a priority basis; I cannot tell you further details. It was detected proactively, so you are protected.

    Also, since it was detected proactively, you can submit it not by email but via NOD32's ThreatSense. Just open Control Center -> NOD32 System Tools -> Quarantine -> find the suspected file, right-click on it, press Submit for analysis and follow the instructions.

    When ESET receives the sample, they will deal with it when and how they decide. I am sorry, I can't comment on it because I am not from ESET; I am not ESET staff :thumb:
     
  7. Anth-Unit

    Anth-Unit Registered Member

    Joined:
    Oct 13, 2006
    Posts:
    108
    Oh ok, I'll send another email to that address. I was just going off what they said in the FAQ on their website: "If a file is reported as infected with a probable unknown virus, we recommend to submit it to sample@eset.com". Thanks for everything. You've been a great help. I also told NOD32, around the day it was discovered, to send it via ThreatSense, and still no dice.
     
    Last edited: Oct 15, 2006
  8. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,374
    Is this old .com file so crucial for you? Does it even run on your current system, that you need this heuristic FP fixed?
     
  9. ASpace

    ASpace Guest

    I also thank you. You are welcome! :thumb:
     
  10. rayoflight

    rayoflight Registered Member

    Joined:
    Jun 8, 2006
    Posts:
    180
    I don't understand: why is it so difficult for ESET to allow submitting samples via a web form? Is it too hard for them to do?
     
    Last edited: Oct 18, 2006
  11. pykko

    pykko Registered Member

    Joined:
    Apr 27, 2005
    Posts:
    2,236
    Location:
    Romania...and walking to heaven
    Perhaps they will do it some day. I think it's not a priority for them right now.
     
  12. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,374
    It only requires some refinements (hopefully), but it's almost ready.
     
  13. pykko

    pykko Registered Member

    Joined:
    Apr 27, 2005
    Posts:
    2,236
    Location:
    Romania...and walking to heaven
    Wow... this is cool. Thanks Marcos! Can you give us the link? :D
     
  14. Blackspear

    Blackspear Global Moderator

    Joined:
    Dec 2, 2002
    Posts:
    15,115
    Location:
    Gold Coast, Queensland, Australia
    I'd say when it's ready he'll certainly do that ;) :D

    Cheers :D
     
  15. pykko

    pykko Registered Member

    Joined:
    Apr 27, 2005
    Posts:
    2,236
    Location:
    Romania...and walking to heaven
    I can't wait... my dream finally comes true :D :p
     
  16. SSK

    SSK Registered Member

    Joined:
    Nov 28, 2004
    Posts:
    976
    Location:
    Amsterdam
    Yes! Thanks! :D
     