unknown macro virus

Discussion in 'NOD32 version 2 Forum' started by rothko, Mar 29, 2005.

Thread Status:
Not open for further replies.
  1. rothko

    rothko Registered Member

    Joined:
    Jan 12, 2005
    Posts:
    579
    Location:
    UK
    hi all,
    I have some Word docs that are self installing macros that are part of a software suite that allows mail merges to take place between the software and Word. These macros are detected by NOD32 as unknown macro viruses, which they aren't but are obviously codes such that NOD32 isn't taking any chances! That's fine as better safe than sorry.
    I have submitted the files to Eset (to the sample address) to see if anything could be done about it. Admittedly I only did this last week and haven't heard back yet, but was wondering if I am likely to hear back or whether Eset will be able to do anything about it anyway... would they change the software just to stop my little problem?!

    If they can't, is there anything else I can do to stop these files from being flagged as possible viruses? I have the settings recommended in Blackspear's thread and have also tried reducing heuristic sensitivity to normal and low.

    thanks, Lee
     
  2. Blackspear

    Blackspear Global Moderator

    Joined:
    Dec 2, 2002
    Posts:
    15,115
    Location:
    Gold Coast, Queensland, Australia
    You could try excluding the files in AMON:

    Control Centre> AMON> Setup> Exclude (Tab)

    Hope this helps.

    Let us know how you go.

    Cheers :D
     
  3. rothko

    rothko Registered Member

    Joined:
    Jan 12, 2005
    Posts:
    579
    Location:
    UK
    thanks Blackspear, I'll give that a go and post back.

    Just out of interest, and not sure whether you'd know this, when files are submitted to Eset as being genuine files that are flagged as viruses, is it something that they would fix and put out in the usual signature updates?
     
  4. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,374
    Yep, it's possible to fix a false positive, if confirmed. Also, I'd suggest making sure the heuristics sensitivity is not set to deep.
     
  5. RejZoR

    RejZoR Registered Member

    Joined:
    May 31, 2004
    Posts:
    6,426
    I wonder why not use Deep heuristics and AH for real-time.
    Then it's the same as AV without any heuristics.
    Also AH is disabled by default. And then everyone is talking about how great AH is. Yes it is if you enable it. I wonder how many users except us here actually enable them. Funny thing... I hope it's not too off-topic for this thread...
     
  6. rothko

    rothko Registered Member

    Joined:
    Jan 12, 2005
    Posts:
    579
    Location:
    UK
    thanks Marcos, yes I've tried reducing the heuristic sensitivity but it still finds it! I'll try Blackspear's suggestion and wait to see if my submitted files are picked up at Eset, bet you have lots to get through!
     
  7. Stan999

    Stan999 Registered Member

    Joined:
    Sep 27, 2002
    Posts:
    566
    Location:
    Fort Worth, TX USA
    Advanced heuristics is enabled by default for the IMON POP3 email and HTTP scanner which is part of the real-time protection. That would cover a lot of the sources for infection for users.

    However, I would also like to see AH enabled by default in AMON.
     
  8. RejZoR

    RejZoR Registered Member

    Joined:
    May 31, 2004
    Posts:
    6,426
    Same here. Performance-wise there is no difference. I also never had any false positive with Max heuristics.
     
  9. NOD32 user

    NOD32 user Registered Member

    Joined:
    Jan 23, 2005
    Posts:
    1,766
    Location:
    Australia
    Same here but I fear we digress.
     
  10. rothko

    rothko Registered Member

    Joined:
    Jan 12, 2005
    Posts:
    579
    Location:
    UK
    sorry for the delay, with all the 2.5beta excitement I forgot I posted this problem.
    Blackspear, I did as you suggested and it worked, the only problem is if you move the files/folder of files to a different part of the hard disk it detects them again and I have to redo the exclusions to take into account where they are now.
    To be honest, it's not a big deal, and when the new beta found them earlier this week I let the new feature (name escapes me) bundle them off to Eset, so they have them again now.
    Thanks to all who took time to reply, back to your beta playing testing!
     
  11. Blackspear

    Blackspear Global Moderator

    Joined:
    Dec 2, 2002
    Posts:
    15,115
    Location:
    Gold Coast, Queensland, Australia
    Good to see lee1276, and thanks for getting back to us, as we all learn this way...

    Cheers :D
     
  12. NOD32 user

    NOD32 user Registered Member

    Joined:
    Jan 23, 2005
    Posts:
    1,766
    Location:
    Australia
    Yes, that's an interesting point - with the automatic submission feature ESET automatically gets copies even if they are false positives.
     