Why does NOD32 not verify the existence of the Code Signing certificate?

Discussion in 'ESET NOD32 Antivirus' started by Eugene Lachinov, Oct 15, 2008.

Thread Status:
Not open for further replies.
  1. Eugene Lachinov

    Eugene Lachinov Registered Member

    Joined:
    Oct 15, 2008
    Posts:
    21
    Alert "probably unknown NewHeur_PE virus"
     
  2. Eugene Lachinov

    Eugene Lachinov Registered Member

    Joined:
    Oct 15, 2008
    Posts:
    21
    "Virus" body:

    <trustInfo xmlns="urn:schemas-microsoft-com:asm.v3">
    <security>
    <requestedPrivileges>
    <requestedExecutionLevel level="highestAvailable" uiAccess="False"/>
    </requestedPrivileges>
    </security>
    </trustInfo>
     
  3. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,374
    Advanced heuristics does not scan anything other than PE executables, so it could not report a probably NewHeur_PE virus on an XML-structured file. Please compress the file in question with WinRAR or another ordinary packer, protect the archive with the password "infected" and send it to samples[at]eset.com with this thread's URL in the subject.
     
  4. Eugene Lachinov

    Eugene Lachinov Registered Member

    Joined:
    Oct 15, 2008
    Posts:
    21
  5. Eugene Lachinov

    Eugene Lachinov Registered Member

    Joined:
    Oct 15, 2008
    Posts:
    21
    What's the news on this issue?
     
  6. BlueZannetti

    BlueZannetti Administrator

    Joined:
    Oct 19, 2003
    Posts:
    6,590
    A number of thread bumping posts have been removed. A flood of them will not hasten the answer.

    If a formal offline support request is in process, the answer should emerge through that venue.

    Blue
     
  7. Eugene Lachinov

    Eugene Lachinov Registered Member

    Joined:
    Oct 15, 2008
    Posts:
    21
    Can anybody announce a date for rectifying the false message?
    I can help with the answer: ASSIGNED (Version: o_O), RESOLVED FIXED (Version: o_O) or any other.
     
  8. Eugene Lachinov

    Eugene Lachinov Registered Member

    Joined:
    Oct 15, 2008
    Posts:
    21
    Again Alert "probably unknown NewHeur_PE virus" o_O
     
  9. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,374
    Please send the new version to samples[at]eset.com with "False positive" in the subject. Also enclose a link to the website where the file can be downloaded from and where we can read more information about its purpose.
     
  10. Eugene Lachinov

    Eugene Lachinov Registered Member

    Joined:
    Oct 15, 2008
    Posts:
    21
    Sent the file to samples@eset.com. I am the author - UPnP Media Server - Windows Service Module (Windows 95-2008).

    More information: copy "infected" file from network drive to local drive with NOD32 - Alert, execute "infected" file from network drive - no alert.
     
  11. funkydude

    funkydude Registered Member

    Joined:
    Apr 5, 2004
    Posts:
    6,855
    Since you are the author I will tell you here: when it comes to creating programs, VirusTotal is a great resource for finding and fixing False Positives before releasing software. It's a great way to avoid headaches for both you and the anti-virus company. I have encouraged fellow devs to use this method and it has solved much pain. :)
     
  12. Eugene Lachinov

    Eugene Lachinov Registered Member

    Joined:
    Oct 15, 2008
    Posts:
    21
    Copy "infected" file from network drive to local drive with NOD32 - Alert, execute "infected" file from network drive - no alert.

    Antivirus?
    In my opinion - Antitrust. I signed the program with my Code Signing certificate.
     
  13. funkydude

    funkydude Registered Member

    Joined:
    Apr 5, 2004
    Posts:
    6,855
    I think you misunderstood me, upload your files to VirusTotal.com to see if any Anti-Virus detects it as False Positive.

    If yes, tell Anti-Virus, they fix it, you release file.
    If no, you release file.

    Understand?
     
  14. Eugene Lachinov

    Eugene Lachinov Registered Member

    Joined:
    Oct 15, 2008
    Posts:
    21
    Antivirus should check the existence of the Code Signing certificate.

    Understand?
     
  15. funkydude

    funkydude Registered Member

    Joined:
    Apr 5, 2004
    Posts:
    6,855
    Assuming a file is safe because of a certificate is not the right thing to do.
     
  16. Eugene Lachinov

    Eugene Lachinov Registered Member

    Joined:
    Oct 15, 2008
    Posts:
    21
    If it can be run from a network drive without warning, then, yes, it is safe. When he signed, yes, he did not "probably unknown NewHeur_PE virus".
     
  17. Eugene Lachinov

    Eugene Lachinov Registered Member

    Joined:
    Oct 15, 2008
    Posts:
    21
    Guys, why is it taking so long to deal with the False positive? What is the problem?
     
  18. funkydude

    funkydude Registered Member

    Joined:
    Apr 5, 2004
    Posts:
    6,855
    If you use "False Positive" in the subject it will be fixed faster.
     
  19. Eugene Lachinov

    Eugene Lachinov Registered Member

    Joined:
    Oct 15, 2008
    Posts:
    21
    o_O o_O o_O
     
  20. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,374
    If you have already sent the file to samples[at]eset.com as instructed, please PM me the email address you sent it from. I've tracked down all emails with "False positive" in the subject, but couldn't find any that seems to be related to your file.
     
  21. Eugene Lachinov

    Eugene Lachinov Registered Member

    Joined:
    Oct 15, 2008
    Posts:
    21
  22. Eugene Lachinov

    Eugene Lachinov Registered Member

    Joined:
    Oct 15, 2008
    Posts:
    21
    Guys, why is it taking so long to deal with the False positive? What is the problem?
     
  23. funkydude

    funkydude Registered Member

    Joined:
    Apr 5, 2004
    Posts:
    6,855
    Do this again.

     
  24. Eugene Lachinov

    Eugene Lachinov Registered Member

    Joined:
    Oct 15, 2008
    Posts:
    21
    2009/02/02
     
  25. Eugene Lachinov

    Eugene Lachinov Registered Member

    Joined:
    Oct 15, 2008
    Posts:
    21