Weird False Positive Issue

Discussion in 'ESET NOD32 Antivirus' started by Capp, Aug 22, 2008.

Thread Status:
Not open for further replies.
  1. Capp

    Capp Registered Member

    Joined:
    Oct 16, 2004
    Posts:
    2,125
    Location:
    United States
    Alright this is odd and makes no sense to me.

    I am working on a program that is throwing up false positive issues. The program contacts an outside website for a small string of information (not related to the user) and displays it for the user. The user has the option to email this from within the program. Nothing malicious about it.

    I have the .exe file compiled.

    I upload it to Jotti and VirusTotal. Both of them have DrWeb and VBA32 catch it as a possible backdoor worm, but all the others find nothing.
    When I scan the file with NOD32, it finds nothing.
    But, if I copy and paste the .exe from 1 place to another, NOD32 catches it and marks it as:
    But, if I compile the program and have it save the .exe to the same folder I tried to copy it to, it leaves it alone.

    Also, I submitted this FP to Eset a week or so ago.

    I can't figure out what in the program could be triggering a FP to start with. Is it the fact that it grabs a string from an outside website, or that it has email capabilities?

    Initially, while working on the program, I had to exclude the entire directory from NOD32, because it would flag it every time I did anything with it, so maybe that is why it is not catching it on creation.

    I dunno, but it's irritating to say the least.

    Any ideas?
     
  2. Kayracc

    Kayracc Registered Member

    Joined:
    Jul 5, 2008
    Posts:
    96
    Different modules in ESET detect more or less stuff. The regular scan module (when you right click and scan) detects less, to help prevent false positives (as was explained to me once), but for instance the web module will detect more (seen this myself: web module detects a virus, but regular scan does not), as would the module that checks it before it executes :)

    That explains part of your problem :p

    -Brian
     
  3. ASpace

    ASpace Guest

    @Capp

    You should try to understand it yourself, but I doubt ESET will tell you, because this should be internal virus lab information. If they share such information, this would possibly open a risk for hackers/mal writers to understand the AH better.

    I would insist more on ESET fixing the issue faster.
     
  4. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,374
    Please PM me your email address. False positives are treated with high priority, so I'd need to make sure we have actually received it at samples[at]eset.com.
     
  5. Bensec

    Bensec Registered Member

    Joined:
    Aug 4, 2008
    Posts:
    177
    Location:
    China Changsha
    I guess it's about the combination of the functions you imported and the sequence in which you trigger them.
    Some of my colleagues tell me there is topological stuff involved in the combination analysis. Very sophisticated.
     
  6. The Hammer

    The Hammer Registered Member

    Joined:
    May 12, 2005
    Posts:
    5,619
    Location:
    Toronto Canada
    So what's the scoop, Capp?
     