the 89 line executable that demos a NOD32 bug

Discussion in 'ESET NOD32 Antivirus' started by musikit, Oct 22, 2008.

Thread Status:
Not open for further replies.
  1. musikit

    musikit Registered Member

    Joined:
    Oct 8, 2008
    Posts:
    140
    Marcos,

    1. so which tools similiar to madcodehook are not detected as viruses?
    2. what is madcodehook doing that those are doing that makes it a virus?
    3. why do you refuse to answer the question of why isnt MS Detours flagged as a virus even though it has been "misused by malware"?

    following your suggestion is fine with us. we just want to use a toolkit you arent going to flag as a virus.
     
  2. The Hammer

    The Hammer Registered Member

    Joined:
    May 12, 2005
    Posts:
    5,751
    Location:
    Toronto Canada
    I see the situation is now resolved to your liking.;) As to the use of a toolkit that won't be flagged; easily done if you know what your doing.:p
     
  3. GAN

    GAN Registered Member

    Joined:
    Mar 3, 2007
    Posts:
    355
    Ok, that was a bit hard to understand after reading your posts.

    You obviously don't understand how the detection works. If one tool is detected it doesn't mean that all other similar tools is detected as a threat. The detection doesn't check based on what category the program fit into. Like programs packed with UPX many antivirus solutions detect as a threat even if it can be any kind of program. If the other tools you are talking about where blocked as well would that make you happy and then you would stop spamming this forum?

    This is like asking if one virus is blocked why isn't all other blocked as well which would give the software a 100% detection rate.

    Come on....let's not make this into a childish discussion.


    You have already been given an answer. What part is it that you don't understand. Eset told you that Madcodehook is often used by malware so they decided it should be blocked. You don't have to accept the answer, but there is no need to keep nagging since that's the final answer. That's the answer you can give to your users. To block madcodehook will give you better protection, but unfortunately it can give some false positives as well in rare cases. Would it be better to let a lot of malware pass just to make you happy?
     
  4. musikit

    musikit Registered Member

    Joined:
    Oct 8, 2008
    Posts:
    140
    ok fine they listed it as a positive. where is this list of toolkits that will give a positive? where is this list of toolkits that give a negative? what makes them different?

    the end goal is that our software isnt a virus and should be flagged as a virus. we chose a tool that nod32 has a problem with. which toolkits doesnt nod32 have a problem with? whats to stop those from being "misused by malware" and start being flagged? what does madcodehook do that those dont?

    why can no one answer these questions?
     
  5. GAN

    GAN Registered Member

    Joined:
    Mar 3, 2007
    Posts:
    355
    Eset is a professional company and i'm sure they don't block madcodehook just to annoy you. I'm sure they know what they are talking about without the need to provide you with futher any proof.

    You still don't get it. Madcodehook by it self doesn't do anything.

    No offence, but it seems like you are the only one that doesn't understand the answer that have already been given.

    Marcos also told you that the final answer is given so why do you keep asking?
     
  6. musikit

    musikit Registered Member

    Joined:
    Oct 8, 2008
    Posts:
    140
    then why is it being picked up as virus?

    i've asked here the following...

    1. where is this list of toolkits that will give a positive?
    2. where is this list of toolkits that give a negative?
    3. what makes them different?
    4. whats to stop those from being "misused by malware" and start being flagged?
    5. what does madcodehook do that those dont?

    i havent seen an answer to those. if there were answered i would very much appreciate a link to where they were answered.
     
  7. GAN

    GAN Registered Member

    Joined:
    Mar 3, 2007
    Posts:
    355
    Like i said you don't get it. It have been said a lot of times already it's often used by malware. So i guess it's hard to create an exception for your program only that doesn't do anything and still block the malware that use madcodehook.

    Such a list is impossible to create.....i find it very surprising that you cannot understand that.
    The detection is not based on the category of the tools, but signatures. So a program that is not detected as a threat could be detected as a threat when a new version is released even if the new version do exactly the same thing....there is no guarantee. Nod32 is known to have few false positives, but like any other AV software there are some.

    If you keep nagging you might end up on everyones ignore list and then you will probably not get a lot of answers in the future. Seems like there is no way to end this discussion with you so i'm done here.

    Anyway as already said by the eset staff they will not give you any further explanation so why do you keep posting when you know the only result is that you annoy the forum members? Please do not repeat the "give me a list of tools....." you said that too many times already.
     
  8. musikit

    musikit Registered Member

    Joined:
    Oct 8, 2008
    Posts:
    140
    bombs are used by terrorist does that mean that everyone who has bombs are terrorist? i could come up with 50 other examples like this if you'd like. for example.. MS Detours is used by malware. why isnt MS Detours get picked up?
     
  9. doktornotor

    doktornotor Registered Member

    Joined:
    Jul 19, 2008
    Posts:
    2,047
    You are kidding, right? No reputable security vendor will give you a guarantee something's not going to be detected as malware; we don't live in a static world. Once a tool starts to get massively abused by malware authors, it will end up on blacklists of AV and antimalware companies.

    You've already got your answer, stop asking over again.

    See answer to #1.

    See answer to #1.
     
  10. GAN

    GAN Registered Member

    Joined:
    Mar 3, 2007
    Posts:
    355
    So bombs should be allowed to bring on airplanes if you are not a terrorist? And how should anyone know which one that are terrorists?
    Like antivirus software might stop a certain behavior even if not a virus because that kind of behavior of a program could be dangerous.....and the result a program that is not a virus might be blocked as well. That why you are not allowed to bring a knife on a airplane because no one know why you brought the knife.

    Yes, i'm sure everyone could come up with a lot of silly examples, but this discussion is turning into a silly endless discussion. Good luck with your program.
     
  11. musikit

    musikit Registered Member

    Joined:
    Oct 8, 2008
    Posts:
    140
    can any moderator answer these questions?

    1. where is this list of toolkits that will give a positive?
    2. where is this list of toolkits that give a negative?
    3. what makes them different?
    4. whats to stop those from being "misused by malware" and start being flagged?
    5. what does madcodehook do that those dont?
     
  12. Dark Shadow

    Dark Shadow Registered Member

    Joined:
    Oct 11, 2007
    Posts:
    4,553
    Location:
    USA
    The bomb and terrorist analogy is creeping me out.:blink: IMO marcos gave a acceptable answer and if you do not use nod32 why bother with the thread at all.:thumbd:
     
  13. spelunk

    spelunk Registered Member

    Joined:
    May 19, 2008
    Posts:
    15
    I have to admit that this thread should get a prize for the Thread with th greatest amusement value.
     
  14. musikit

    musikit Registered Member

    Joined:
    Oct 8, 2008
    Posts:
    140
    im glad its acceptable to you since it doesnt effect you, your project or your users. however since it effects me, my project, and my users again i am going to ask..

    can any moderator answer these questions?

    1. where is this list of toolkits that will give a positive?
    2. where is this list of toolkits that give a negative?
    3. what makes them different?
    4. whats to stop those from being "misused by malware" and start being flagged?
    5. what does madcodehook do that those dont?
     
  15. thegoose

    thegoose Registered Member

    Joined:
    Oct 25, 2008
    Posts:
    1
    While not being a moderator, let's see if I can answer your questions in a way you'd accept.

    First, as far as I'm aware, your program was detected by heuristics ("NewHeur_PE", as opposed to a specific name). In most cases, the heuristics works by seeing if a program has certain "suspicious" properties, and if enough of those are present, the file itself is flagged as "possibly malicious".

    Apparently, certain functionality provided by MadCodeHook is deemed to be suspicious and contributes to the total "evilness" of the program. This is not MCH-specific -- any library or tool doing that would get some "bad points". It can also be seen that MCH by itself is NOT sufficient to raise the "evilness" high enough, because if it was, the examples provided by Madshi on the homepage would also be detected. Some of the other features of your program are likely to be contributing too.

    For example, if I take the set of executables having property P, I have ever encountered, slightly more than 92% of them were malicious, about 6% were of questionable type (cracks and patches) and 2% were "clean". The malicious ones are growing in number, while the "clean" ones are mostly stagnating. Would you find it unreasonable to declare programs having property P guilty-unless-proven-innocent and add specific exceptions for the clean ones?

    Obviously, differentating between "good" programs with property P and "bad" programs with property P can only be made based on something specific to them -- so if one distills just the "essence" of property P into a program, there would be nothing useful to differentiate it from the others.

    Perhaps this is why your program is not going to be excluded from detection by ESET? I've seen a different program (GSC or something like that) mentioned on the Madshi forum and it seems they (ESET) have fixed the misdetection already. So, asking them to fix their misdetection of the actual program, rather than a minimalistic example would be the right approach to take?
     
  16. musikit

    musikit Registered Member

    Joined:
    Oct 8, 2008
    Posts:
    140
    well i dont know what country ESET operates in however in the USA everyone is innocent until proven guilty.

    if a program is doing suspicious things then ESET should automatically send that program to ESET and have it inspected. it is determined to be a virus then i can accept that it be flagged as a virus. however my program nor the example code i have provided is doing anything virus like. hence we are innocent. so we should not be flagged guilty.

    it you look at the example code provided here, you will see it does the following

    1. initialize madcodehook.
    2. create an object.
    3. initialize openssl.
    4. shutdown.

    funny. those things arent virus like. so why is it flagged as a virus?

    so again we come back to the same questions.

    can any moderator answer these questions?

    1. where is this list of toolkits that will give a positive?
    2. where is this list of toolkits that give a negative?
    3. what makes them different?
    4. whats to stop those from being "misused by malware" and start being flagged?
    5. what does madcodehook do that those dont?
     
  17. bigc73542

    bigc73542 Retired Moderator

    Joined:
    Sep 21, 2003
    Posts:
    23,928
    Location:
    SW. Oklahoma
    The way you have bad mouthed Eset in this thread It is a wonder they responded to you at all. You should have addressed this issue by pm or email to their support not posting it in an open forum and ranting on and on trying to get sympathy for yourself. They would probably be much more receptive to you if you would have done it through their support channels instead of running amuck here.

    bigc
     
  18. musikit

    musikit Registered Member

    Joined:
    Oct 8, 2008
    Posts:
    140
    so again we come back to the same questions.

    can any moderator answer these questions?

    1. where is this list of toolkits that will give a positive?
    2. where is this list of toolkits that give a negative?
    3. what makes them different?
    4. whats to stop those from being "misused by malware" and start being flagged?
    5. what does madcodehook do that those dont?
     
  19. rollers

    rollers Registered Member

    Joined:
    Sep 13, 2004
    Posts:
    501
    Location:
    UK
    give it a rest please..........
     
  20. The Hammer

    The Hammer Registered Member

    Joined:
    May 12, 2005
    Posts:
    5,751
    Location:
    Toronto Canada
    Two responses by Eset Staff should suffice. They have no intention of changing their detection. That should even be obvious to the OP by now.:rolleyes:
     
  21. GAN

    GAN Registered Member

    Joined:
    Mar 3, 2007
    Posts:
    355
    The Eset staff already said there will no further explanation and also that the detection will not be changed so at this point posting the same list of questions once a day is just spam. Musikit also clearly stated that he have no respect for the other members of this board or the mods/admins by saying that he will register a new account if banned so he/she can continue to spam the forum.

    I suggest that no one post a reply and let Musikit run this thread on his own posting the same questions once a day until he realize how pointless that kind of behavior is....or getting banned which is more likely to happen before he run out of steam.
     
  22. musikit

    musikit Registered Member

    Joined:
    Oct 8, 2008
    Posts:
    140
    so again we come back to the same questions.

    can any moderator answer these questions?

    1. where is this list of toolkits that will give a positive?
    2. where is this list of toolkits that give a negative?
    3. what makes them different?
    4. whats to stop those from being "misused by malware" and start being flagged?
    5. what does madcodehook do that those dont?
     
  23. jrmhng

    jrmhng Registered Member

    Joined:
    Nov 4, 2007
    Posts:
    1,268
    Location:
    Australia
    Agreed. Dont feed the troll.
     
  24. musikit

    musikit Registered Member

    Joined:
    Oct 8, 2008
    Posts:
    140
    this bug is closing in on its second month since reported and no moderator has answered the questions below. does eset even care about bug fixes or detecting viruses?

     
  25. NOD32 user

    NOD32 user Registered Member

    Joined:
    Jan 23, 2005
    Posts:
    1,766
    Location:
    Australia
    Hi musikit,

    It seems a dire situation.

    Hopefully this post by Marcos may be of assistance to you: --> here
    And similarly this post by anton may also be helpful: --> here

    Cheers :)
     
Thread Status:
Not open for further replies.
  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.