Possible false positives

Discussion in 'NOD32 version 2 Forum' started by Bob Coleman, Jun 2, 2007.

Thread Status:
Not open for further replies.
  1. Bob Coleman

    Bob Coleman Registered Member

    Joined:
    May 30, 2007
    Posts:
    18
    I'm running the trial version. I get several things flagged as threats. These things had not been flagged by Norton. Maybe this means NOD32 is doing a better job than Norton did or maybe it means these are NOD32 false positives. Is there any good way to find out which?
     
  2. Blackspear

    Blackspear Global Moderator

    Joined:
    Dec 2, 2002
    Posts:
    15,115
    Location:
    Gold Coast, Queensland, Australia
    Please post some examples and we can take a look.

    Cheers :D
     
  3. Bob Coleman

    Bob Coleman Registered Member

    Joined:
    May 30, 2007
    Posts:
    18
    Post here?

    Not sure how I would do that.

    One is an exe file about 4 MB in size.

    Another is an rtf file about 50 MB in size.
     
  4. Blackspear

    Blackspear Global Moderator

    Joined:
    Dec 2, 2002
    Posts:
    15,115
    Location:
    Gold Coast, Queensland, Australia
    No, the actual line that NOD32 is detecting, as in C:\....

    Cheers :D
     
  5. Bob Coleman

    Bob Coleman Registered Member

    Joined:
    May 30, 2007
    Posts:
    18
    You mean lines from the log?

    OK, here's a couple:

    H:\IBM CD Contents\Install Files\AOLInstantMessenger\v5.5\Install_AIM.exe »WISE »WxBug.EXE »WISE »MiniBugTransporter.dll - Win32/Adware.WBug.A application

    H:\IBM CD Contents\References (Docs & Notes)\uni-SPF\uni-SPF Reference - Chapter 06 - Utilities.rtf - probably a variant of BAT/ServU.F trojan
     
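    The two log lines above are NOD32 scan-log entries: the path before the final " - " is the file as it sits on disk, each "»" step is a layer the scanner unpacked inside it (WISE installer, nested EXE), and the text after " - " is the verdict. A small parser for that format, added here as an illustration and not part of the thread or of ESET's own tooling (the sample lines are the ones quoted above; the field names are my own):

```python
import re

# A verdict that opens with this phrase is a heuristic match, not a named signature.
HEURISTIC_MARKER = "probably a variant of"

def parse_detection(line: str) -> dict:
    """Split one NOD32 log line into host file, nested chain, and verdict."""
    path_part, sep, verdict = line.rpartition(" - ")
    if not sep:
        raise ValueError("no ' - <verdict>' suffix in line")
    verdict = verdict.strip()
    # "»" separates the on-disk container from the objects unpacked inside it.
    chain = [p.strip() for p in path_part.split("»")]
    return {
        "host_file": chain[0],          # the only thing that exists on disk
        "nested": chain[1:],            # what the scanner found inside it
        "verdict": verdict,
        "heuristic": verdict.startswith(HEURISTIC_MARKER),
        # ESET labels potentially unwanted/adware hits "application", malware by family.
        "category": "application" if verdict.endswith("application") else "malware",
    }

def triage(lines: list[str]) -> list[dict]:
    """Parse every line and attach a defender-oriented next step."""
    results = []
    for line in lines:
        rec = parse_detection(line)
        if rec["category"] == "application":
            rec["next_step"] = "bundled adware inside installer; decide by policy"
        elif rec["heuristic"]:
            rec["next_step"] = "heuristic hit; get a second opinion / submit sample"
        else:
            rec["next_step"] = "signature match; treat as malicious"
        results.append(rec)
    return results

# Constructed sample: the two lines quoted in the post above.
SAMPLE_LOG = [
    r"H:\IBM CD Contents\Install Files\AOLInstantMessenger\v5.5\Install_AIM.exe "
    "»WISE »WxBug.EXE »WISE »MiniBugTransporter.dll - Win32/Adware.WBug.A application",
    r"H:\IBM CD Contents\References (Docs & Notes)\uni-SPF\uni-SPF Reference - Chapter 06"
    " - Utilities.rtf - probably a variant of BAT/ServU.F trojan",
]

if __name__ == "__main__":
    for rec in triage(SAMPLE_LOG):
        print(rec["host_file"], "->", rec["next_step"])
```

Note that the second path itself contains " - ", which is why the split takes the last occurrence rather than the first.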
  6. Blackspear

    Blackspear Global Moderator

    Joined:
    Dec 2, 2002
    Posts:
    15,115
    Location:
    Gold Coast, Queensland, Australia
    These appear to be on a CD or from a CD, so they would be in a "read only" state, thus not removable.

    Cheers :D
     
  7. Seer

    Seer Registered Member

    Joined:
    Feb 12, 2007
    Posts:
    1,596
    Location:
    Singidunum
    If I may put my 2c... :)

    Most (if not all) AVs flag instant messengers as bundled with adware. I find this normal, as they are indeed bundled with all kinds of ads, animated gifs and whatnot. I have seen such detections from NOD (and Avira and avast!) with MSN messenger and ICQ as well. So this is not a false positive in a technical sense, but I don't think that ads pose any real threat if any at all. You could download a fresh copy of AOL messenger and then manually scan it to see if it's flagged. If it is, that should give you a clearer picture.
    As for the RTF file, it was heuristically detected. That raises some questions whether an RTF file can be a carrier of any kind of malware. It is a very simple text format, although it supports embedding of objects, so it is possible to call a malware exe from inside the rtf. In any case, I would look for a second (and third) opinion from several online scanners... And maybe even submit the rtf file to ESET for analysis.

    Cheers.
     
  8. Bob Coleman

    Bob Coleman Registered Member

    Joined:
    May 30, 2007
    Posts:
    18
    No, they are not on a CD despite being in (subfolders of a) folder called IBM CD Contents. The contents of that folder were once copied from a CD, but the files in question are now on a hard disk.

    Though I have another thread going about inability to delete files, my focus here is whether or not these files should actually be flagged as threats.
     
  9. ASpace

    ASpace Guest

    Me, too.

    As for the first one
    MiniBugTransporter.dll - Win32/Adware.WBug.A application
    it seems it is not a false positive but adware embedded in an AOL application - common practice nowadays

    As for the second, yes, it seems suspicious for an RTF file to be a BAT trojan, but... who knows. ESET Technical support will know better. Submit that file (the second one) via email to support[at]eset.com (where [at] means @) along with a link to this thread ;)
     
  10. Bob Coleman

    Bob Coleman Registered Member

    Joined:
    May 30, 2007
    Posts:
    18
    Yes, I don't doubt that analysis of the first one. What "worries" me about this is that Norton never complained. I'm trying to get some feel for whether NOD32 is doing a better detection job or falsely identifying the file (a worse detection job).

    As for the second file, I might try to submit it, but I wonder if it will be possible to submit a file of approximately 50 KB.

    Edit: As I suspected, the file is too large to submit. I suppose, if I care enough, I'll have to see if I can extract a smaller piece which is still "suspicious".
     
    Last edited: Jun 4, 2007
  11. FanJ

    FanJ Updates Team

    Joined:
    Feb 9, 2002
    Posts:
    2,564
    Hi,

    Just a general remark, if I'm allowed (I don't want to go off topic):
    RTF files can indeed have embedded objects that can be dangerous
    http://www.dslreports.com/forum/remark,18398146
    http://isc.sans.org/diary.html?storyid=2528
     
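    Seer's post and FanJ's remark above both make the same point: an RTF is plain text, but the `\object` / `\objdata` control words let it carry an embedded OLE object (a "Package" wrapping an executable, for instance), which is what a heuristic scanner reacts to. A first-pass triage script for that, added here as an illustration and not code from the thread or from ESET (the control-word list follows the RTF specification; the two sample documents are constructed, and the tiny hex payload is a dummy, not a real object):

```python
import re

# RTF control words that introduce embedded objects or picture/object payloads.
# Their presence is a triage signal, not proof of malice.
OBJECT_WORDS = {"object", "objdata", "objemb", "objlink", "objautlink", "objclass", "pict"}

# A control word is a backslash, letters, and an optional signed numeric parameter.
CONTROL_WORD = re.compile(rb"\\([a-zA-Z]+)(-?\d+)?")
OBJ_CLASS = re.compile(rb"\\objclass\s+([^\\{}]+)")

def scan_rtf(data: bytes) -> dict:
    """Count object-related control words and list the OLE class names they declare."""
    if not data.lstrip().startswith(b"{\\rtf"):
        raise ValueError("not an RTF document")
    counts: dict[str, int] = {}
    for m in CONTROL_WORD.finditer(data):
        word = m.group(1).decode()
        if word in OBJECT_WORDS:
            counts[word] = counts.get(word, 0) + 1
    classes = [c.decode(errors="replace").strip() for c in OBJ_CLASS.findall(data)]
    return {
        "counts": counts,
        "classes": classes,
        # An \object group with raw \objdata is the pattern worth a second opinion.
        "has_embedded_object": "object" in counts or "objdata" in counts,
    }

# Constructed sample 1: a plain reference document, text only.
CLEAN_RTF = b"{\\rtf1\\ansi{\\fonttbl{\\f0 Courier;}}\\f0 Chapter 06 - Utilities\\par}"

# Constructed sample 2: the same text plus an embedded "Package" object.
# The \objdata hex is a placeholder, not a real OLE stream.
OBJECT_RTF = (
    b"{\\rtf1\\ansi\\deff0 Chapter 06 - Utilities\\par"
    b"{\\object\\objemb\\objw100\\objh100{\\*\\objclass Package}"
    b"{\\*\\objdata 0105000002000000}}\\par}"
)

if __name__ == "__main__":
    for name, doc in (("clean", CLEAN_RTF), ("with object", OBJECT_RTF)):
        r = scan_rtf(doc)
        print(name, r["has_embedded_object"], r["classes"])
```

On the clean sample nothing is flagged; on the second the "Package" class is exactly the case where a 50 MB reference file would deserve the online-scanner or vendor-submission step the posters suggest.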
  12. ASpace

    ASpace Guest

    NOD32 is much better than Norton - in many places of comparison including detection rate. Read this:
    http://www.eset.com/products/NOD32 vs Symantec.pdf

    No, it is real, not a false positive :thumb:

    Actually a 50 KB file is a small one and all mail clients/web mails should be able to deal with it.
     
  13. Bob Coleman

    Bob Coleman Registered Member

    Joined:
    May 30, 2007
    Posts:
    18
    I read it. Two things occur to me.

    First, it's published by Eset, so, obviously it's going to present NOD32 in the best possible light.

    Second, I note that supposedly according to PC World April 2007, NOD32 causes a 4% slowdown while Norton causes a 13% slowdown. This may be correctly quoted and the main reason I'm looking at NOD32 is because I do believe it to be less of a drain on the system.

    However, I have the June 2007 PC World which contains reviews and comparisons of AntiVirus Applications. In that review the corresponding figures are 5% and 10%. At least that's still a significant advantage for NOD32, but overall Norton is rated number 2 and NOD32 number 4.

    Here are two brief quotes from the magazine:

    What does all this mean? I don't know. Probably that there are pros and cons for each and that one can find reviews favoring almost anything if one looks hard enough.
     
  14. Bob Coleman

    Bob Coleman Registered Member

    Joined:
    May 30, 2007
    Posts:
    18
    Sorry, my mistake. It's 50 MB.
     
  15. kjempen

    kjempen Registered Member

    Joined:
    May 6, 2004
    Posts:
    379
    Just feeling like commenting on the document in your link. I find it to have a good comparison chart, and it is relatively objective and not too subjective, in the way that it shows numbers and statistics and features present and not present, instead of just saying "we are best". It was a nice overview, even though I'm not as "fanatic" about NOD32 as I used to be. Two things I reacted to in the overview/comparison chart:
    1. It says Norton Antivirus' Proactive Detection Methods are through "Code Analysis" only; it doesn't mention "Generic Signatures" or "Emulation" like under NOD32. I was under the impression that Norton does have generic signatures? Correct me if I am wrong.
    2. Under "Detection and Remediation" it is stated that Norton Antivirus has "Poor remediation of spyware". Does this mean disinfection? I would like to see some facts backing that up rather than just stating it. See "System disinfection" in the comparison chart here. From what I've witnessed on some systems, Norton usually cleans up well/repairs the systems where it finds something.
     