Quick question about possible False Positive.

Discussion in 'NOD32 version 2 Forum' started by Tetranitrocubane, Dec 12, 2008.

Thread Status:
Not open for further replies.
  1. Tetranitrocubane

    Tetranitrocubane Registered Member

    Joined:
    Nov 29, 2007
    Posts:
    11
    Hi everyone. Please bear with me if this is a stupid question, but I'm a little uncertain as to what to do.

    In the way of background, a while ago I used to play a game (Phantasy Star Online) on a private server. NOD never had a problem with the game at all, over a course of months. It's been about 8 or so since I even ran the game, but it was still on my computer this evening. When NOD did a weekly scan, suddenly a file associated with this game (PsoBB.exe) was detected as a threat for some reason (Variant of Win32/Kryptik.CR trojan). Just to be safe I uninstalled the game (wasn't playing it anyway) and did another system scan that came up clean the second time through. At the time I think NOD sent a sample of the file in to Eset, but oddly the threat log is empty, even if the scanner log shows the threat.

    I'm just curious because of the odd behavior of just now declaring this file a threat, particularly after months of thinking it was fine. Is this indicative of a false positive? I only ask because, if it actually was a virus, it's time to reformat!

    Thanks for any help.

    EDIT: Forgot to mention. I'm using NOD 2.70.39 and virus definitions 3688 as of posting this.
     
  2. ASpace

    ASpace Guest

    It could be detected now no matter how long it has been sitting on your PC. The reason is that ESET/NOD32 is constantly being updated, detection is improved, and this could have been added recently.

    Nobody can tell you. Details and further examination are needed. You can temporarily disable real-time file system protection, restore the file from the Quarantine and send it to ESET at samples@eset.com. It's not time to format. Why? Because of a single file that got detected?


    If (and only if) your machine is not a production one and you are not scared of mistakes/errors, you can try ESET NOD32 Antivirus v4 beta:
    http://beta.eset.com/eav
     
  3. Tetranitrocubane

    Tetranitrocubane Registered Member

    Joined:
    Nov 29, 2007
    Posts:
    11
    Thanks for the input. I would certainly and totally submit the file for analysis, but after NOD told me that it submitted it automatically, I uninstalled the program and it's no longer available. I would consider it time to reformat if a Trojan got in, because that's the only way to be sure there's nothing there. Rootkits can be dropped after Trojans compromise a system, after all.

    However, I do have an UPDATE. I deleted that threat, but this morning for some reason while my computer was idle, NOD came up with this threat:

    File:
    C:\System Volume Information\_restore{620C87CB-71F6-4074-8232-90F..\A0071163.exe

    Threat: a variant of Win32/Kryptik.CR trojan

    Comment:
    Event occured on a file modified by the application C:\Windows\System32\svchost.exe. The file was moved to quarantine. You may close this window.

    There are no options at all except to close the window. I can't clean or delete. And I can't navigate to the chosen directory because it looks like access is denied to System Volume Information. Can anyone provide me with help, please?
     
  4. Fixer

    Fixer Registered Member

    Joined:
    Aug 13, 2007
    Posts:
    141
    Location:
    Bulgaria, EU
  5. Tetranitrocubane

    Tetranitrocubane Registered Member

    Joined:
    Nov 29, 2007
    Posts:
    11
    I have stopped system restore, purged the restore points, and done a system scan. NOD32 found nothing at all after doing so.

    I have also found a way to locate these files again, and send them to samples@eset.com along with a full explanation - as per their submission instructions. Can I expect a reply back from them, or do sample submissions typically go unanswered?

    Thanks to you both for the assistance.
     
  6. Fixer

    Fixer Registered Member

    Joined:
    Aug 13, 2007
    Posts:
    141
    Location:
    Bulgaria, EU
    Depends. Sometimes they respond, but sometimes not. When NOD32 updates, scan the files and see if they are added or not. In any case, I recommend you check your mailbox regularly.
     