Win32/Delf.NRP false positive

Discussion in 'ESET NOD32 Antivirus' started by Baj1936, Nov 7, 2008.

Thread Status:
Not open for further replies.
  1. Baj1936

    Baj1936 Registered Member

    Joined:
    Nov 2, 2008
    Posts:
    9
    Hi, new to NOD.

    Update 3954 has found Win32/Delf in a programme that I've been running for years; the virus is in mmm.dll of Hace's Mmm software that cleans up the Windows context menu.

    This must be a false positive.

    http://hace-software.com/programs.shtml

    What do I do now please?
     
  2. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,376
    I've downloaded MMM free from http://hace-software.com/download.shtml, installed it and scanned it with an up-to-date version of EAV, but no threat was reported. Did I actually install the right file?
     
  3. Baj1936

    Baj1936 Registered Member

    Joined:
    Nov 2, 2008
    Posts:
    9

    Attached Files:

    Last edited: Nov 7, 2008
  4. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,376
    Could you send just mmm.dll with "False positive" and this thread's url in the subject to samples[at]eset.com?
     
  5. Baj1936

    Baj1936 Registered Member

    Joined:
    Nov 2, 2008
    Posts:
    9
    Sent one minute ago
     
  6. BigRedPK

    BigRedPK Registered Member

    Joined:
    Nov 7, 2008
    Posts:
    1
    I can confirm that I am getting the same message using the free version of Mmm.
     
  7. al92lt1

    al92lt1 Registered Member

    Joined:
    Dec 19, 2003
    Posts:
    50
    I have the paid version of MMM+ and I am getting the same detection. I contacted HACE and was told it is a false positive. I downloaded a fresh copy of MMM+ but installation is blocked by NOD32.
     
  8. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,376
    I've uploaded mmm.dll from the free version to VirusTotal, NOD32 reported it as clean. Could you please do the same with your mmm.dll and compare MD5? Mine was 69047a6aaf1d8c8e670c1d1e01a92744
     
  9. Baj1936

    Baj1936 Registered Member

    Joined:
    Nov 2, 2008
    Posts:
    9
    Done (though I don't know what this means).

    MD5 = 6132cbf0705227585b5d339d5f2c9bd3
     
  10. Baj1936

    Baj1936 Registered Member

    Joined:
    Nov 2, 2008
    Posts:
    9
    Did it again and got a different value:-

    c464fee5a2ffe71e9a25d8ebe3d43ac4
     
  11. funkydude

    funkydude Registered Member

    Joined:
    Apr 5, 2004
    Posts:
    6,856
    I wonder if it's possible something else is modifying the file? Not necessarily viral.
     
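The exchange above turns on comparing MD5 values of mmm.dll between users, and on the same user getting two different values on successive uploads. As an added example (not code from any participant in this thread, nor from ESET or HACE), the script below hashes a file with both MD5 and SHA-256, matches the MD5 against the values posted in the thread, and explains what a difference between two snapshots of the "same" file does and does not tell you. The labels attached to the posted hashes are taken from who posted them; which build of mmm.dll each belongs to is not stated in the thread, so they are labels only, and the sample bytes at the bottom are constructed for the demonstration.

```python
import hashlib
import os
import tempfile

# MD5 values as posted in this thread, keyed to who posted them. Nothing in the
# thread says which build of mmm.dll produced each value; the labels are only
# a record of the posts, not an identification of the file.
THREAD_MD5 = {
    "69047a6aaf1d8c8e670c1d1e01a92744": "Marcos: free-version mmm.dll, clean at VirusTotal",
    "6132cbf0705227585b5d339d5f2c9bd3": "Baj1936 and microbe: detected copy",
    "c464fee5a2ffe71e9a25d8ebe3d43ac4": "Baj1936: second upload, different value",
}


def hash_bytes(data: bytes) -> dict:
    """Return MD5 and SHA-256 hex digests for an in-memory blob."""
    return {
        "md5": hashlib.md5(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
    }


def hash_file(path: str) -> dict:
    """Hash a file in 64 KiB chunks so a large DLL never has to fit in memory."""
    md5, sha = hashlib.md5(), hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            md5.update(chunk)
            sha.update(chunk)
    return {"md5": md5.hexdigest(), "sha256": sha.hexdigest()}


def classify(digests: dict, known_md5: dict = THREAD_MD5) -> str:
    """Match a digest set against the MD5 values posted in the thread."""
    return known_md5.get(digests["md5"], "unknown: not one of the posted values")


def compare_snapshots(first: dict, second: dict) -> str:
    """Describe how two snapshots of a file relate, as a user re-uploading
    the 'same' mmm.dll would want to know."""
    if first == second:
        return "identical"
    if first["md5"] == second["md5"]:
        # Same MD5 but different SHA-256: MD5 collisions are practical, so a
        # single weak hash is not enough to say two copies are the same file.
        return "md5 match but sha256 differs: do not trust the MD5 match"
    return "different content: file was replaced or modified between hashes"


if __name__ == "__main__":
    # Constructed sample: a stand-in for the DLL, then the same bytes with an
    # overlay appended, which is one way an installer or updater changes a
    # file on disk without changing its name.
    original = b"MZ" + b"\x00" * 64 + b"constructed stand-in for mmm.dll"
    modified = original + b"appended overlay"

    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "mmm.dll")
        with open(path, "wb") as fh:
            fh.write(original)
        on_disk = hash_file(path)

    assert on_disk == hash_bytes(original)
    print("on disk:", on_disk["md5"], "->", classify(on_disk))
    print("re-hash after change:", compare_snapshots(on_disk, hash_bytes(modified)))
```

Two different MD5 values from one user, as in posts 9 and 10, are not in themselves a sign of infection: the installer may have written a newer build, or a different file with the same name may have been picked. Hashing with SHA-256 alongside MD5 removes the doubt that a colliding MD5 would otherwise leave.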
  12. Baj1936

    Baj1936 Registered Member

    Joined:
    Nov 2, 2008
    Posts:
    9
    More info: ~VirusTotal screenshot removed per Policy. - Ron~
     
    Last edited by a moderator: Nov 10, 2008
  13. microbe

    microbe Registered Member

    Joined:
    Nov 10, 2008
    Posts:
    1
    Hello,

    I'm also having the same problem with Mmm+ (paid version) and NOD32.
    I uploaded mmm.dll to VirusTotal and got 6 detections. These are the detections I got:

    ~VirusTotal results removed per Policy. - Ron~

    MD5: 6132cbf0705227585b5d339d5f2c9bd3

    I still think it's a false positive, because NOD won't even let me install Mmm.
     
    Last edited by a moderator: Nov 10, 2008
  14. Baj1936

    Baj1936 Registered Member

    Joined:
    Nov 2, 2008
    Posts:
    9
    Sorry - I'm new to this forum; I've now read the rules.

    Two AV programmes (including NOD32), on Virustotal, reported Delf.NRP; another four reported "suspicious".
     
  15. Chris Dixon

    Chris Dixon Registered Member

    Joined:
    Apr 24, 2006
    Posts:
    3
    I've also been caught with this False Positive. It's been going on for ten days or so now - how long does it take ESET to sort this out?
     
  16. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,376
    We're yet to receive a sample of that file. Could someone please send it to samples[at]eset.com in an archive protected with the password "infected" and "False positive" in the subject? Baj1936, what was the subject of the email you sent us? I couldn't find any with the file in question attached.
     
  17. al92lt1

    al92lt1 Registered Member

    Joined:
    Dec 19, 2003
    Posts:
    50
    I sent a sample 2 weeks ago from within the Nod32 program.
    I just sent an email as per the instructions in the above post.
     
  18. al92lt1

    al92lt1 Registered Member

    Joined:
    Dec 19, 2003
    Posts:
    50
    From the quarantine window in NOD32, you can right click a file and select SUBMIT FILE FOR ANALYSIS. I have done this several times in the past 2 weeks with no response. This time I sent the file in an email as per Marcos' instructions.
     
  19. Baj1936

    Baj1936 Registered Member

    Joined:
    Nov 2, 2008
    Posts:
    9
    To Marcos,

    This was the subject -- "False Positive "http://www.wilderssecurity.com/showthread.php?p=1344628#post1344628". This URL differs slightly from the present URL but it is the one I used on November 7 (I store all my copies for a month or two).

    The mmm.dll file was not compressed.
     
    Last edited: Nov 13, 2008
  20. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,376
    Could you please send just the file that is detected? The installer requires a serial number to continue installation.
     
  21. al92lt1

    al92lt1 Registered Member

    Joined:
    Dec 19, 2003
    Posts:
    50
    I just sent the dll file.
     
  22. Baj1936

    Baj1936 Registered Member

    Joined:
    Nov 2, 2008
    Posts:
    9
    All OK now.

    Update 3613.

    At last.

    Thanks.
     
  23. Chris Dixon

    Chris Dixon Registered Member

    Joined:
    Apr 24, 2006
    Posts:
    3
    Additional copy sent, titled and passworded as per Marcos' instructions above.
    Email subject line: "False Positive - mmm.dll Attn:Marcos"

    <edit>
    Seems this may be fixed according to latest post above from Baj1936. Let's hope so! Major wrist-slap to ESET for taking so absurdly long, though.

    Marcos - two questions:
    1. surely dealing directly and properly with HACE would have got you a full copy to test?
    2. there's clearly something wrong with ESET's internal systems if you said yesterday that "We've yet to receive a sample of that file", but Al92lt1 says he sent the file several times over the previous two weeks via Nod32's own "submit file for analysis" reporting system. Would have thought those submissions would have priority investigation, rather than being totally ignored as appears the case. Don't they get investigated at all?
     
    Last edited: Nov 14, 2008
  24. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,376
    Samples must be submitted by email to samples[at]eset.com with a clear subject (e.g. "False positive" if you suspect a file to be detected incorrectly). ThreatSense.Net serves mainly for statistical purposes; we receive several thousand new unique files through it on a daily basis. Files submitted manually are, in 99% of cases, garbage (e.g. text files, photos, etc.).
     
  25. ASpace

    ASpace Guest

    But as it is present, I think you must adjust it so that the samples manually sent from users via ThreatSense.NET also come to your attention.

    It seems that samples received from ThreatSense.NET rarely get any special attention apart from the mainly statistical function.
     