Tcpip.sys wrongly identified!!!!

Discussion in 'ESET NOD32 Antivirus' started by laxduke, Aug 5, 2009.

Thread Status:
Not open for further replies.
  1. laxduke

    laxduke Registered Member

    Joined:
    Aug 5, 2009
    Posts:
    2
    File tcpip.sys has been wrongly identified as a threat.
    It's a patched file from the nLite program (www.nliteos.com), and is not a virus.
    Please update your virus definitions to stop further marking of this file as a virus, because when nod/ess deletes the file, all network traffic is disabled.
     
  2. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,374
    Patched system files are classified correctly as a virus. If they were classified as trojans, they would be removed automatically which would most likely render the OS unstable or certain network functionalities would not work at all.
     
  3. Brummelchen

    Brummelchen Registered Member

    Joined:
    Jan 3, 2009
    Posts:
    1,732
    Be serious with that message - I patched my tcpip.sys too (myself) - and: none.
    Eset moans less about false positives - but if it does - you should not ignore it.
    Test the file yourself -> http://www.virustotal.com/

    PS have you created the new ISO yourself? Or just downloaded it?
    You should consider that some of those images are infected on purpose!
     
  4. laxduke

    laxduke Registered Member

    Joined:
    Aug 5, 2009
    Posts:
    2
    Everything was working fine until some 10 days ago, when nod started to complain about the patched.bg virus in tcpip.sys.
    System was stable, no anomalies, no hangups, everything is fine.
    I scanned the file via www.virustotal.com and it says nothing, except for:

    ~Virus Total results removed per Policy.~


    everything else is clear!

    I made the Windows XP + SP2 installation myself, and it's in revision 5 by now; some 3 years have passed with no problems at all.
    Everything is done by me, manual and analog methods only; I've been in the IT/network business for 12 years now.
    For me it's a false alarm and it should be removed from the threat list.
     
    Last edited by a moderator: Aug 6, 2009
  5. Brummelchen

    Brummelchen Registered Member

    Joined:
    Jan 3, 2009
    Posts:
    1,732
    Ok - I'm using SP3 - the update to SP3 is strongly recommended...

    To the scan - I have several files here patched - but a2 does not moan about any
    (a2 uses the Ikarus engine, so the result is the same)

    So I think your file is infected and there is no other reason to change my mind.
    Although you cannot find other infections, there may be others you cannot find.
    Or the infection is so specific - and you have no knowledge of how to sniff
    additional traffic you don't see.

    Finally, I recommend: save important data, format and reinstall Windows.

    PS the result was found before: ~Virus Total results removed per Policy.~

    The latest known tcpip.sys (SP2) for me has this checksum (unpatched):
    b2220c618b42a2212a59d91ebd6fc4b4|tcpip.bak
    As on SP3, there may be an update after that build (5.1.2600.2892, (xpsp.060420-0256), 12 October 2006)
     
    Last edited by a moderator: Aug 6, 2009
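The post above compares a tcpip.sys against a known-good MD5 given as `md5|filename`. The following is an added example (not code from this thread or from ESET) showing how to parse such a reference line and check a file against it; the file contents and the reference lines in `demo()` are constructed for illustration and are not the real tcpip.sys or its real hash. The file path and the helper names are assumptions of this example.

```python
"""Check a file against a known-good checksum line of the form '<md5hex>|<name>'.

Added example; not from the thread above. Sample data is constructed.
"""
import hashlib
import os
import tempfile
from typing import Tuple


def parse_checksum_line(line: str) -> Tuple[str, str]:
    """Split 'md5hex|name' into (md5hex, name) and validate the digest format."""
    digest, _, name = line.strip().partition("|")
    digest = digest.lower()
    if len(digest) != 32 or any(c not in "0123456789abcdef" for c in digest):
        raise ValueError(f"not an MD5 hex digest: {digest!r}")
    return digest, name


def md5_of_file(path: str, chunk_size: int = 1 << 20) -> str:
    """Stream the file through MD5 so large binaries are not read into memory at once."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_against_reference(path: str, reference_line: str) -> bool:
    """True if the file's MD5 equals the digest in the reference line."""
    expected, _name = parse_checksum_line(reference_line)
    return md5_of_file(path) == expected


def demo() -> dict:
    """Write a constructed placeholder 'driver' to a temp dir and check it against
    a matching and a deliberately wrong reference line. Returns both verdicts."""
    data = b"MZ" + b"constructed placeholder driver bytes " * 100  # not a real driver
    good_line = hashlib.md5(data).hexdigest() + "|tcpip.sys"        # constructed
    bad_line = "00000000000000000000000000000000|tcpip.sys"          # constructed
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "tcpip.sys")  # assumed path, not a real system file
        with open(path, "wb") as f:
            f.write(data)
        return {
            "matches_reference": verify_against_reference(path, good_line),
            "matches_wrong_reference": verify_against_reference(path, bad_line),
        }


if __name__ == "__main__":
    print(demo())
```

A mismatch only tells you the file is not the build the reference hash describes; it cannot distinguish a file patched on purpose (as with nLite in this thread) from one patched by malware, which is exactly the ambiguity the posts are arguing about. Match the hash against the vendor build (version and date) you actually have installed, and prefer a stronger digest such as SHA-256 when you publish your own reference values.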
  6. agoretsky

    agoretsky Eset Staff Account

    Joined:
    Apr 4, 2006
    Posts:
    4,031
    Location:
    California
    Hello,

    I did not see a complete message from a log file or screen shot showing how the threat was found and categorized, but ESET has a knowledgebase which contains several articles explaining how to exclude certain objects from being scanned by ESET's software:

    ESET KB #0139, How do I exclude certain files or folders from the On-demand scanner? (3.0)
    ESET KB #0560, How do I exclude certain files or folders from real-time scanning? (3.0)
    ESET KB #2152, How do I exclude certain files or folders from the On-demand scanner? (4.0)
    ESET KB #2153, How do I exclude certain files or folders from real-time scanning? (4.0)

    Depending upon how the threat was categorized, this may allow you to prevent further messages from being displayed about it.

    Regards,

    Aryeh Goretsky
     