Programmer's Question: NOD32 treats my code as a virus

Discussion in 'NOD32 version 2 Forum' started by softtouch, Aug 1, 2006.

Thread Status:
Not open for further replies.
  1. softtouch

    softtouch Registered Member

    Joined:
    Jan 31, 2006
    Posts:
    415
    Why does the use of the functions

    WriteProcessMemory
    CreateRemoteThread

    trigger "Probably unknown NewHeur_PE virus"?

    I am a programmer and use these functions to run, from memory, my own exe files that are attached to the main program, without saving them to disk (preventing the user from just copying them and using them for something else). Since the last NOD32 update, I can't compile my projects any longer if they use these 2 functions in the code.
    That's not a virus; I am not writing a virus.

    I think NOD32 believes, based on these 2 functions, that something weird is going on and blocks it.

    What can I do about it? I currently do not know another way of running an exe from memory without processing "by hand" what the exe loader of Windows does.
     
    Last edited: Aug 1, 2006
  2. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,374
    Hello,

    please submit the program to support @ eset.com with a link to this thread, provided its size is less than 3 MB. If you've created more versions of it, attach at least 2 or 3 of them.
     
  3. softtouch

    softtouch Registered Member

    Joined:
    Jan 31, 2006
    Posts:
    415
    I cannot submit it, because I cannot compile it; I can't create the exe. I could only post here the 2 lines of code which trigger NOD32.
     
  4. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,374
    Disable AMON, compile it and then submit it for analysis.
     
  5. softtouch

    softtouch Registered Member

    Joined:
    Jan 31, 2006
    Posts:
    415
    There is nothing to analyse. I just figured out that if you use BOTH functions in one program, it triggers NOD32. If you use only one of them, nothing happens.
    Meaning, AMON checks for the existence of WriteProcessMemory and CreateRemoteThread. If both are found, it is triggered. I also know that these functions can be used to inject something into other executables or DLLs and believe that's the reason why they are blocked. So there is nothing to analyze and I cannot do anything about it, because I can hardly tell my clients "Please switch your AMON off if you want to use my program". Solution: finding other ways to prevent unauthorized use of the tools embedded in my main program.
    Just close/delete this topic. Thanks.
     
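The co-occurrence rule softtouch infers in the post above (each API alone is ignored; the pair fires) can be modelled as a small detection check. This is an added example for readers, not ESET's code and not the poster's; ESET's actual AMON heuristic is not public, so the sample below only reproduces the observed pairing rule with a rough `strings`-style scan of raw bytes, and all sample inputs are constructed here rather than taken from real binaries.

```python
import re
from typing import Dict, Set

# The pairing described in the thread: the verdict fires only when BOTH of
# these imports are present in one executable, never for either one alone.
PAIRED_APIS = {("WriteProcessMemory", "CreateRemoteThread")}

# Printable ASCII runs of at least 6 chars ending in a null byte, which is how
# names appear in a PE hint/name table (2-byte hint, then a C string).
_ASCII_RUN = re.compile(rb"[\x20-\x7e]{6,}\x00")


def extract_names(data: bytes) -> Set[str]:
    """Return every null-terminated ASCII string found in the raw file bytes."""
    return {m.group(0)[:-1].decode("ascii") for m in _ASCII_RUN.finditer(data)}


def heuristic_verdict(names: Set[str]) -> Dict[str, object]:
    """Apply the co-occurrence rule: a single API on its own stays benign here,
    a complete pair raises the verdict. Legitimate in-memory loaders like the
    poster's match as well, which is why this is a heuristic, not proof."""
    fired = [pair for pair in PAIRED_APIS if all(api in names for api in pair)]
    seen = sorted(api for pair in PAIRED_APIS for api in pair if api in names)
    return {"suspicious": bool(fired), "pairs": fired, "apis_seen": seen}


def scan(data: bytes) -> Dict[str, object]:
    return heuristic_verdict(extract_names(data))


# Constructed sample inputs (not real binaries): a fake MZ prefix followed by
# bytes laid out like a PE hint/name table (2-byte hint + name + null).
def _hint_name_table(*apis: str) -> bytes:
    return b"".join(b"\x00\x00" + a.encode("ascii") + b"\x00" for a in apis)


SAMPLE_BOTH = b"MZ\x90\x00" + _hint_name_table("OpenProcess", "WriteProcessMemory", "CreateRemoteThread")
SAMPLE_ONE = b"MZ\x90\x00" + _hint_name_table("ReadFile", "WriteProcessMemory")
SAMPLE_NONE = b"MZ\x90\x00" + _hint_name_table("CreateFileA", "ReadFile")

if __name__ == "__main__":
    for label, blob in (("both", SAMPLE_BOTH), ("one", SAMPLE_ONE), ("none", SAMPLE_NONE)):
        print(label, scan(blob))
```

On a real PE this byte scan also picks up API names stored as plain strings for later lookup, so it over-approximates an import-table parse; a production check would walk the import directory instead.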
  6. NOD32 user

    NOD32 user Registered Member

    Joined:
    Jan 23, 2005
    Posts:
    1,766
    Location:
    Australia
    If you can submit them for analysis, ESET could mark them for no detection because of FP after analysis.

    As Marcos said, 2 or 3 at least would be better if you have different versions compiled.

    Cheers :)
     
  7. softtouch

    softtouch Registered Member

    Joined:
    Jan 31, 2006
    Posts:
    415
    The problem here would be that I compile almost 100 versions a day until the project is complete in a month or so, and I CAN NOT submit it every time I compile it. However, there is no way around it. It's correct that NOD will raise an alarm, because these 2 functions can also be used to inject any exe into a running process, which is not a good idea and should be blocked by NOD, so I will just find other ways around it to protect my tools.
    Maybe this topic should be closed or deleted; it will not lead to a solution.
     
  8. dog

    dog Guest

    Done :)
     