the 89 line executable that demos a NOD32 bug

Discussion in 'ESET NOD32 Antivirus' started by musikit, Oct 22, 2008.

Thread Status:
Not open for further replies.
  1. musikit

    musikit Registered Member

    Joined:
    Oct 8, 2008
    Posts:
    140
    I have spoken with people at my company who have been watching my thread, and they have agreed that, as long as we can get some clarification on how long we should expect to go from notification of a false positive to a whitelisting (so we can adjust our release schedules and testing schedules accordingly), they are willing to drop the subject of the madCodeHook bug. That way we can all move on with our lives. Whether that be 1 day, 2 days, 1 week, etc. turnaround time.
     
  2. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,456
    False positives are dealt with almost immediately. However, sometimes additional in-depth testing may be necessary, which will affect the reaction time. Basically you can count on 0-2 business days for an FP to get fixed.
     
  3. musikit

    musikit Registered Member

    Joined:
    Oct 8, 2008
    Posts:
    140
    While I've made my personal opinion well known on this issue, my superiors are satisfied with that result, so we can close out this issue.

    However, on a personal note, I will never be recommending your software to anyone on a business or personal level, and when they ask why I will show them this thread and explain to them why. Also, if I meet anyone who actively uses your software, I will notify them that they are basically unprotected as long as they use your software, and will show them this thread and explain to them why.

    Also on a personal note, I am quite frankly surprised that it seems that no one in the security community sees it as outright wrong for a scanner to detect any software that uses a particular library as a virus.
     
  4. MikeNash

    MikeNash Security Expert

    Joined:
    Jun 9, 2005
    Posts:
    1,658
    Location:
    Sydney, Australia
    This is probably why they are your superiors. To be honest, if I ever saw one of my employees abuse a forum like this I'd have very strong words with them and possibly dismiss them.

    If that employee were a programmer, they'd be out on their ass immediately due to a clear lack of logic.

    For anyone reading this thread - and I doubt many will, except for amusement at this person's rantings: I'm a COMPETITOR of ESET's, and ESET software has also detected my software occasionally as a false positive. They fix it quickly, and there is nothing wrong with that.

    "Musikit", however, is clueless, at least about computer security. Don't take advice from him.

    That's because the security community understands security and you do not.

    Let me give you an analogy, and then I'm going to go back to lurking:

    Each time you go into a bank with a weapon, Bad Things Happen. The reaction of the bank is to think that you are a robber, and that you are present to steal money.

    This could be called a simple Heuristic rule. Guy in bank with Gun = Robber.

    Now, what do you suppose happens when you go into a bank with a gun? Immediately the security procedure would spring into place - alarm, cops, anti-robbery barriers, bowel evacuation...

    This is probably the simplest rules analogy I can think of which you may understand (bearing in mind that in Australia, people don't carry personal weapons).

    Now; there may well be a whitelist of "people who carry guns but will not set off the robbery procedure". These could be security companies (adjust the rule - if in security company uniform, don't panic) or police officers (also visible uniform and sidearm).

    There might also be plain clothes security. The bank does not require plain clothes security guards to advertise the fact with some kind of T-shirt; nor does it require everyone who is NOT plain clothes security to be so labelled. This could be said to give them a "competitive advantage" over the possible bank robber: Come in here and there might be security, there might not be.

    All of these people are on the "whitelist".

    In the case of your program, what ESET has said to you is very very simple:

    NOD32 has a set of proprietary heuristic rules (all AVs have them, and they are trade secrets because of the competition in the industry. Everyone wants to have the best and fastest detection of new threats).

    Your program (and mine!) triggers these rules because of a library it uses. This means it is possibly a malicious piece of code, based on these rules.

    Your TEST program in particular is small, and I am guessing that NOD32 will possibly give some weight to the fact that tiny program+known grey library = likely virus.

    This simple heuristic rule would likely provide massive protection to users who inadvertently get the latest virus written using the MadCode hook.

    The solution offered - get your application on the whitelist - is sensible, because the "bad guys" don't send antivirus labs samples of their latest virus and say "Hey, we want to make sure you catch this"... they just release.

    I'm glad anyway your issue (coding one at least) seems to be solved.

    Mike
     
  5. musikit

    musikit Registered Member

    Joined:
    Oct 8, 2008
    Posts:
    140
    Mike, you are the freaking clueless one.

    Your analogy makes sense but isn't what is happening here.

    In this case what ESET is saying is that any library that contains the book "Moby Dick" is a library run by terrorists.

    I'm sorry you don't see it that way. Maybe you should seek a new career.
     