Themida issue revisited. Would it be logical for me to ignore THIS particular threat?

Discussion in 'ESET NOD32 Antivirus' started by Supersnake, Jul 16, 2008.

Thread Status:
Not open for further replies.
  1. Supersnake

    Supersnake Registered Member

    Joined:
    Jul 12, 2003
    Posts:
    121
    Received a brand new high end gaming computer only two days ago. The builder had pre-installed "ArcSoft TotalMedia Extreme" so that I can play Blu-Ray discs. I installed and ran NOD for its first scan; two threats were detected:

    C:\Program Files\ArcSoft\TotalMedia Extreme\Digital Theatre\Plugins\VideoModule\PlayDVD\UI\Media_01.aui –probably a variant of Win32/Packed.Themida-unable to clean

    C:\Program Files\ArcSoft\TotalMedia Extreme\Digital Theatre\Plugins\VideoModule\PlayDVD\UI\Media_02.aui –probably a variant of Win32/Packed.Themida-unable to clean


    This forum discussed the issue of "Themida" packing and how it can be used to pack legitimate executables as well as malware. Legitimate makers of software have posted their pleas for NOD32 and other AV manufacturers to recognize their plight of seeing NOD32 flag their legitimate Themida-packed files as threats when in fact they were not threats. At the same time, NOD has been taking the stance that, since Themida packing can also be used for illegitimate purposes, NOD scans and flags Themida-packed files.
    (See http://www.arcsoft.com/forum/forum_posts.asp?TID=447 and https://www.wilderssecurity.com/showthread.php?t=184840&highlight=themida)

    Wouldn't it be logical, then, for me to ignore THIS particular instance of a "Themida" based threat? When offered the options to 1) Leave 2) Rename 3) Delete, I chose Leave.
     
  2. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,374
    Please send those files in a password protected archive to samples[at]eset.com with "False positive" in the subject and we'll fix it. If you don't want to have highly suspicious packers detected, simply disable potentially unsafe applications (they are disabled by default).
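    The detection in question is a generic packer heuristic rather than a signature for a specific piece of malware, which is why it hits legitimate Themida-protected files as readily as malicious ones. The following is an added example, not code from ESET or ArcSoft, showing the kind of static checks such a heuristic rests on: it parses the PE section table, computes Shannon entropy per section, and flags packer-associated section names, near-random executable code, and writable-and-executable sections. The section-name list, the 7.0 bits/byte threshold, and the two constructed sample PE files are assumptions made for the example; a real protected binary would be run through `analyze_pe()` the same way.

```python
"""Packer heuristics over a PE image: section names plus per-section entropy."""
import hashlib
import math
import struct
from collections import Counter

# Section names commonly left behind by protectors/packers. Illustrative list
# assumed for this example; it is not ESET's signature set.
PACKER_SECTION_NAMES = {
    b".themida", b".winlice",                 # Themida / WinLicense
    b"UPX0", b"UPX1", b".aspack", b".adata",
    b".vmp0", b".vmp1", b".MPRESS1", b".MPRESS2",
}
IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000
HIGH_ENTROPY = 7.0   # bits/byte; compressed or encrypted code sits close to 8.0


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: 0.0 for empty or constant input, 8.0 at most."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def pe_sections(blob: bytes) -> list:
    """Walk the COFF section table and return one dict per section."""
    if blob[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", blob, 0x3C)[0]
    if blob[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    num_sections = struct.unpack_from("<H", blob, coff + 2)[0]
    opt_size = struct.unpack_from("<H", blob, coff + 16)[0]
    table = coff + 20 + opt_size            # section headers follow the optional header
    sections = []
    for i in range(num_sections):
        hdr = table + 40 * i                # IMAGE_SECTION_HEADER is 40 bytes
        name = blob[hdr:hdr + 8].rstrip(b"\0")
        vsize, vaddr, raw_size, raw_ptr = struct.unpack_from("<IIII", blob, hdr + 8)
        chars = struct.unpack_from("<I", blob, hdr + 36)[0]
        raw = blob[raw_ptr:raw_ptr + raw_size]
        sections.append({"name": name, "virtual_size": vsize, "raw_size": raw_size,
                         "executable": bool(chars & IMAGE_SCN_MEM_EXECUTE),
                         "writable": bool(chars & IMAGE_SCN_MEM_WRITE),
                         "entropy": shannon_entropy(raw)})
    return sections


def analyze_pe(blob: bytes) -> dict:
    """Return the section list plus human-readable packer indicators."""
    sections = pe_sections(blob)
    indicators = []
    for s in sections:
        if s["name"] in PACKER_SECTION_NAMES:
            indicators.append(f"section {s['name']!r} is named after a known packer")
        if s["executable"] and s["entropy"] > HIGH_ENTROPY:
            indicators.append(f"executable section {s['name']!r} has entropy {s['entropy']:.2f}")
        if s["executable"] and s["writable"]:
            indicators.append(f"section {s['name']!r} is writable and executable")
    return {"sections": sections, "indicators": indicators, "suspicious": bool(indicators)}


def _deterministic_noise(n: int, seed: bytes = b"constructed sample") -> bytes:
    """SHA-256 chain: reproducible bytes that look like compressed/encrypted code."""
    out, block = bytearray(), seed
    while len(out) < n:
        block = hashlib.sha256(block).digest()
        out += block
    return bytes(out[:n])


def build_sample_pe(packed: bool) -> bytes:
    """Constructed minimal 32-bit PE (not a real ArcSoft file) with one code section.
    The optional header is zero-filled because pe_sections() only needs its size."""
    if packed:
        name, data = b".themida", _deterministic_noise(4096)
        chars = IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE
    else:
        name, data = b".text", b"\x55\x8b\xec\x90" * 1024   # push ebp; mov ebp,esp; nop
        chars = IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ
    opt_size, raw_ptr = 224, 0x200          # first file-aligned offset after the headers
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)          # e_lfanew = 0x40
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, opt_size, 0x0102)
    section = name.ljust(8, b"\0") + struct.pack(
        "<IIIIIIHHI", len(data), 0x1000, len(data), raw_ptr, 0, 0, 0, 0, chars)
    headers = dos + coff + b"\0" * opt_size + section
    return headers.ljust(raw_ptr, b"\0") + data


if __name__ == "__main__":
    for label, flag in (("unpacked sample", False), ("themida-style sample", True)):
        report = analyze_pe(build_sample_pe(packed=flag))
        print(label, "->", report["indicators"] or ["no packer indicators"])
```

    Every one of these indicators is also true of a legitimately protected product, which is the core of the thread: the heuristic can tell you a file is packed, but not whether the packed payload is hostile, so a hit of this kind is a prompt to verify provenance (vendor, install path, digital signature) rather than proof of infection.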
     
  3. Supersnake

    Supersnake Registered Member

    Joined:
    Jul 12, 2003
    Posts:
    121
    Thanks Marcos, I wish I could simply carry out what you advise but complex problems now arise.

    1. I did a Search for Media_01.aui and Media_02.aui and got no hits.
    However, within NOD I accidentally found an option to "Restore" these two files from Quarantine - so I selected "Restore". Then I performed another Search and still didn't find them. I then ran another NOD scan and got a Threat Alert on the two files again - I then chose NOD Advanced Options in the Threat Alert Window.
    NOD offered three check boxes in addition to the "Clean" "Delete" "Leave" tabs. These advanced options are:

    "Show window"
    "Copy to Quarantine"
    "Submit for analysis"

    But there is no way to activate the "Submit for analysis" without hitting the Clean, Delete, or Leave tabs. So, I again chose "Leave". (Making me wonder if the "Submit for analysis" function even works?)

    2. My OS is Vista Ultimate. I pressed F1 for Windows Help, asked how to password-protect a file and got this reply:

    Can I protect files or folders with a password?

    No, you can't use a password to protect files and folders in Windows. However, some programs that run on Windows do allow you to protect individual files by using a password. For more information, check the Help for the program you are using.


    This is a complex mess: first, I can't locate the files, and second, even if I could, it looks like I have to obtain some 3rd party software just to password-protect a file. And lastly, the matter of NOD not offering some user-friendly automated method to submit a file for analysis has been mentioned in the past by other members.

    Any suggestions at this point? It's midnight where I am; I will get some sleep and follow up tomorrow on whatever you reply.

    Thanks,
    Supersnake
     
    Last edited: Jul 16, 2008
  4. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,374
    1. When a threat is detected, you must always select an action to be performed. File submission is just an additional action that will be performed when you select what to do with the file that has been detected. Alternatively, you can submit a file from Quarantine or from the Explorer context menu directly. If you submit a false positive through the program, send me a PM with its name so that I can easily look it up.

    2. I meant WinRAR/ZIP to use for compressing files; I didn't mean disk encryption. If you are not familiar with any of the compression software, just submit the file through the program and let me know when done (check the Event log to make sure the file has been submitted).

    Update: We have not received the files with these names through ThreatSense.Net yet.
     
    Last edited: Jul 16, 2008
  5. Supersnake

    Supersnake Registered Member

    Joined:
    Jul 12, 2003
    Posts:
    121
    Marcos, thank you for your assistance.
    I am happy to report that I easily located the two files in question by simply following the path to the address where the two files are residing, i.e.
    C:\Program Files\ArcSoft\TotalMedia Extreme\Digital Theatre\Plugins\VideoModule\PlayDVD\UI. Why the Vista Search function didn't locate them is beyond me; this is either some oddity in Vista Search, or maybe it is because this is my first day using Vista and I have to learn how to perform a search? (I had no such problems performing a search using XP.)

    I tried copying the two files to my desktop so I could later "zip" archive them (I understood that you meant compress the files, not encrypt them), but NOD detected my attempt to copy and paste them onto my desktop and stopped me :D
    Next time I attempt handling the files I will disable NOD. Then there is still the matter of Vista Help informing me that Vista is incapable of natively password-protecting files. I checked the NOD event log like you requested and it said that the two files were deleted, but there was no mention of them being submitted for analysis despite my having that option enabled as I previously described and repeating the Restore/Scan/Leave + Submit for Analysis process.

    Have to get some sleep like now and continue the matter tomorrow.

    Thank you,
    Supersnake
     
    Last edited: Jul 16, 2008
  6. Supersnake

    Supersnake Registered Member

    Joined:
    Jul 12, 2003
    Posts:
    121
    Marcos,
    After much searching I came to the same conclusion: there is no way anyone can "password protect" a zipped archive in Vista without the use of some advertised costly 3rd party software. And even then I still doubt it can be done, because I installed the trial version of WinZip's latest Vista-compatible version (11.2) and it too cannot "password protect" its own archive in Vista! (All it does is allow you to encrypt the archive, then gives you an option to password-protect access to the encryption.)
    XP can password-protect a compressed archive but Vista can't, and there are posts all over the net acknowledging this.

    So...
    Per your recommendation I have submitted the Media_01.aui and Media_02.aui for file analysis through the NOD program. Please see my PM for details.

    The NOD Event Log, for some reason, is still not recording that I have submitted the files for analysis.

    In the meantime I have added the names of the two files to my NOD exclusion list.

    Hopefully my submitted files will make it to the ESET server and, after being reviewed, they can be excluded via a future definition update?

    Thanks for your assistance,
    Supersnake
    =======================================================
     
    Last edited: Jul 17, 2008
  7. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,374
    Unfortunately, no *.aui file has been submitted to us today.

    I'm gonna drop you a PM.
     
  8. Supersnake

    Supersnake Registered Member

    Joined:
    Jul 12, 2003
    Posts:
    121
    Have responded to the PM. Thank you.
     
  9. cerBer

    cerBer Registered Member

    Joined:
    Jul 29, 2006
    Posts:
    81
    What strange logic. Of course, if I have selected so, I WANT to have highly suspicious packers detected.

    BUT, as they are only suspicious, I want a warning that I could ignore in the case of a legitimate program, not an action that would require me to disable the antivirus (or certain functionality of it) to continue my work normally.

    Thanks.
     