Author Topic: NOD32 False Positive  (Read 18793 times)

cthorpe

  • Discount Coordinator
  • Supporting Member
  • Joined in 2006
  • **
  • Posts: 738
  • c++thorpe
    • View Profile
    • Donate to Member
NOD32 False Positive
« on: July 28, 2009, 05:54 PM »
NOD32 3.0.672.0 with database update 4286 (20090728)

7/28/2009 5:52:10 PM   Real-time file system protection   file   M:\Downloads\ScreenshotCaptorSetup\DcMouseHk.dll   a variant of Win32/KeyLogger.BitLogic.AA application   cleaned by deleting - quarantined      Event occurred on a new file created by the application: C:\Program Files\WinRAR\WinRAR.exe.

7/28/2009 5:52:09 PM   Real-time file system protection   file   M:\Downloads\ScreenshotCaptorSetup\DcKeyHk.dll   a variant of Win32/KeyLogger.BitLogic.AA application   cleaned by deleting - quarantined      Event occurred on a new file created by the application: C:\Program Files\WinRAR\WinRAR.exe.


Sending files to ESET as false positives.
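
The two log lines above carry everything a triage needs: object path, the detection name, the action taken, and the process that wrote the file. As an added example (not code from the thread or from ESET), the Python below parses entries in that exported layout, splitting on the runs of whitespace that separate the fields, and groups hits so that the pattern seen here (several files from one installer directory, all written by the same archiver, all labelled with the same generic "application" class name) surfaces as a false-positive candidate to send to the vendor before trusting the quarantine. The sample log is the two entries quoted in the post; the field order and the reading of "a variant of" (generic rather than exact-signature hit) and the trailing "application" (unsafe/unwanted application class rather than malware proper) are the assumptions this code makes about ESET's naming.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample: the two NOD32 entries quoted in the post, as the exported
# log renders them (fields separated by runs of two or more spaces).
SAMPLE_LOG = """\
7/28/2009 5:52:10 PM   Real-time file system protection   file   M:\\Downloads\\ScreenshotCaptorSetup\\DcMouseHk.dll   a variant of Win32/KeyLogger.BitLogic.AA application   cleaned by deleting - quarantined      Event occurred on a new file created by the application: C:\\Program Files\\WinRAR\\WinRAR.exe.
7/28/2009 5:52:09 PM   Real-time file system protection   file   M:\\Downloads\\ScreenshotCaptorSetup\\DcKeyHk.dll   a variant of Win32/KeyLogger.BitLogic.AA application   cleaned by deleting - quarantined      Event occurred on a new file created by the application: C:\\Program Files\\WinRAR\\WinRAR.exe.
"""

FIELD_SPLIT = re.compile(r"\s{2,}")
# Trailing free-text field names the process that created the scanned file.
WRITER_RE = re.compile(r"created by the application:\s*(.+?)\.?\s*$")


@dataclass
class Detection:
    timestamp: str
    module: str          # e.g. "Real-time file system protection"
    object_type: str     # e.g. "file"
    object_path: str
    threat: str          # detection name as reported
    action: str          # e.g. "cleaned by deleting - quarantined"
    writer_process: Optional[str]  # process that wrote the file, if logged


def looks_generic_pua(threat: str) -> bool:
    """Assumption about ESET naming: 'a variant of ...' is a generic (non
    exact-signature) hit and a trailing 'application' is the unsafe/unwanted
    application class, i.e. a legitimate tool that could be abused."""
    t = threat.lower()
    return t.startswith("a variant of") and t.endswith(" application")


def parse_line(line: str) -> Optional[Detection]:
    parts = FIELD_SPLIT.split(line.strip())
    if len(parts) < 6:
        return None  # not an entry in the expected layout
    ts, module, otype, path, threat, action = parts[:6]
    event_text = " ".join(parts[6:])
    m = WRITER_RE.search(event_text)
    return Detection(ts, module, otype, path, threat, action,
                     m.group(1) if m else None)


def parse_log(text: str) -> List[Detection]:
    return [d for d in (parse_line(l) for l in text.splitlines()) if d]


def group_for_review(events: List[Detection]) -> Dict[Tuple[str, Optional[str], str], List[str]]:
    """Group hits by (threat name, writing process, directory) -> file names."""
    groups: Dict[Tuple[str, Optional[str], str], List[str]] = {}
    for d in events:
        directory, _, filename = d.object_path.rpartition("\\")
        groups.setdefault((d.threat, d.writer_process, directory), []).append(filename)
    return groups


def false_positive_candidates(events: List[Detection]) -> List[Tuple[str, Optional[str], str]]:
    """Two or more files from one directory, same writer, same generic
    'application'-class name: worth submitting to the vendor as a suspected FP."""
    return [key for key, files in group_for_review(events).items()
            if len(files) >= 2 and looks_generic_pua(key[0])]


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for key in false_positive_candidates(evs):
        threat, writer, directory = key
        print(f"review: {threat!r} in {directory} written by {writer}")
```

Running it on the sample reports one group: the BitLogic.AA hits in the ScreenshotCaptorSetup directory written by WinRAR.exe, which is exactly the set the original poster sent to ESET.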

mouser

  • First Author
  • Administrator
  • Joined in 2005
  • *****
  • Posts: 40,896
    • View Profile
    • Mouser's Software Zone on DonationCoder.com
    • Read more about this member.
    • Donate to Member
Re: NOD32 False Positive
« Reply #1 on: July 28, 2009, 06:23 PM »
thanks carl.

in case anyone else is reading this -- it's a false positive -- there is no virus.  it's just another case of an antivirus program overreacting and mistakenly marking something as a virus.

eset is usually good about not giving these false positives  :down:

jazid

  • Supporting Member
  • Joined in 2006
  • **
  • default avatar
  • Posts: 2
    • View Profile
    • Donate to Member
Re: NOD32 False Positive
« Reply #2 on: August 27, 2009, 05:28 PM »
But unfortunately not good about learning, I've had 4 false positives on different .dlls from screenshot captor today, whereas only one before, and I ditched the last upgrade because of the 'virus threat' I was presented with by eset. Ah well. Are you up to something...you naughty mouser you...?

jazid

  • Supporting Member
  • Joined in 2006
  • **
  • default avatar
  • Posts: 2
    • View Profile
    • Donate to Member
Re: NOD32 False Positive
« Reply #3 on: August 27, 2009, 05:29 PM »
Should have added this... ;D

mouser

  • First Author
  • Administrator
  • Joined in 2005
  • *****
  • Posts: 40,896
    • View Profile
    • Mouser's Software Zone on DonationCoder.com
    • Read more about this member.
    • Donate to Member
Re: NOD32 False Positive
« Reply #4 on: August 27, 2009, 05:54 PM »
i use nod32 as well (really like it), but i never get any alerts. you must have it set to warn you on heuristic guesses.

tranglos

  • Supporting Member
  • Joined in 2006
  • **
  • Posts: 1,081
    • View Profile
    • Donate to Member
Re: NOD32 False Positive
« Reply #5 on: August 27, 2009, 06:23 PM »
Not related to SC, but Eset has been bugging me lately for another reason. All of a sudden Backup4All cannot complete certain mirroring tasks - it hangs onto a file it's trying to copy and stays at n% forever until I kill it. I thought it was a bug in the latest version of Backup4All (and it kind-of is a bug, since they should implement a timeout in case it gets stuck on a file that might reside on a network drive, say), but no - the problem went away as soon as I disabled real-time filesystem protection in Eset. So it seems like Eset is intercepting a file access and never stops scanning the file. I've seen this happen on a 120-byte text file, go figure.

Time to kiss and make up with Avira, I think.

superboyac

  • Charter Member
  • Joined in 2005
  • ***
  • Posts: 6,347
    • View Profile
    • Donate to Member
Re: NOD32 False Positive
« Reply #6 on: August 27, 2009, 07:09 PM »
Not related to SC, but Eset has been bugging me lately for another reason. All of a sudden Backup4All cannot complete certain mirroring tasks - it hangs onto a file it's trying to copy and stays at n% forever until I kill it. I thought it was a bug in the latest version of Backup4All (and it kind-of is a bug, since they should implement a timeout in case it gets stuck on a file that might reside on a network drive, say), but no - the problem went away as soon as I disabled real-time filesystem protection in Eset. So it seems like Eset is intercepting a file access and never stops scanning the file. I've seen this happen on a 120-byte text file, go figure.

Time to kiss and make up with Avira, I think.

Wouldn't you want to try kaspersky before going to Avira?

tranglos

  • Supporting Member
  • Joined in 2006
  • **
  • Posts: 1,081
    • View Profile
    • Donate to Member
Re: NOD32 False Positive
« Reply #7 on: August 27, 2009, 07:40 PM »
Wouldn't you want to try kaspersky before going to Avira?

I've never tried Kaspersky, but had great results with the free edition of Avira. For one thing, its real-time scanning was much faster than Eset's, especially on larger files.

The reason I bought Eset Smart Security was I wanted a package with a firewall, and the Avira suite was giving me blue screens at the time. Then again, Eset consumes ungodly amounts of RAM, and behind a router I can probably live without a firewall. Now it's breaking my daily backup process, so I'm planning to go back to the basic Avira AV and see how that works out.


superboyac

  • Charter Member
  • Joined in 2005
  • ***
  • Posts: 6,347
    • View Profile
    • Donate to Member
Re: NOD32 False Positive
« Reply #8 on: August 27, 2009, 11:24 PM »
Wouldn't you want to try kaspersky before going to Avira?

I've never tried Kaspersky, but had great results with the free edition of Avira. For one thing, its real-time scanning was much faster than Eset's, especially on larger files.

The reason I bought Eset Smart Security was I wanted a package with a firewall, and the Avira suite was giving me blue screens at the time. Then again, Eset consumes ungodly amounts of RAM, and behind a router I can probably live without a firewall. Now it's breaking my daily backup process, so I'm planning to go back to the basic Avira AV and see how that works out.


I see, interesting.  I'm always curious about the antivirus programs.  I've always stuck with kaspersky.  I thought ESet was very light on resources, so I'm surprised to hear you say that about the RAM.  I like Kaspersky because it is highly customizable and has a lot of details.  But sometimes, it slows things down.  They seem to get better with each version, though.  I've never tried Avira.  All the free ones always seem to be lacking in a feature or two, and I just go back to kaspersky.  Anyway, didn't mean to turn this into an antivirus thread.

Carol Haynes

  • Waffles for England (patent pending)
  • Global Moderator
  • Joined in 2005
  • *****
  • Posts: 8,066
    • View Profile
    • Donate to Member
Re: NOD32 False Positive
« Reply #9 on: August 28, 2009, 04:36 PM »
I like AVAST too (the free version) - seems very light on resources too, and I haven't had any false positives from it.

I also use NOD32 on my work PC and am getting frustrated with long pauses again on archives. This used to be an issue a long time back in version 2 but it recently seems to have reappeared in the latest build. Annoying - sometimes it can lock the browser for 20 seconds or more at the end of a download.

lanux128

  • Global Moderator
  • Joined in 2005
  • *****
  • Posts: 6,277
    • View Profile
    • Donate to Member
Re: NOD32 False Positive
« Reply #10 on: August 28, 2009, 05:11 PM »
does Avast or Avira have the option to turn off heuristic scanning? i want to recommend either one of them to a colleague, for whom i wrote some customized AHK scripts. i hate it when the AVs trip up on the AHK scripts.

Carol Haynes

  • Waffles for England (patent pending)
  • Global Moderator
  • Joined in 2005
  • *****
  • Posts: 8,066
    • View Profile
    • Donate to Member
Re: NOD32 False Positive
« Reply #11 on: August 28, 2009, 06:12 PM »
In AVAST the default setting for how aggressive the resident scanner is is 'Normal'; if you set it to High, heuristics are enabled, so yes, you can switch off heuristics.

lanux128

  • Global Moderator
  • Joined in 2005
  • *****
  • Posts: 6,277
    • View Profile
    • Donate to Member
Re: NOD32 False Positive
« Reply #12 on: August 28, 2009, 09:28 PM »
thanks for the info. it's a good thing that they allow turning off the heuristic scans, at least the users have a choice.

joby_toss

  • Supporting Member
  • Joined in 2008
  • **
  • Posts: 114
    • View Profile
    • Donate to Member
Re: NOD32 False Positive
« Reply #13 on: August 29, 2009, 12:15 AM »
You can disable it for Avira also:
http://img194.imageshack.us/img194/9084/20090829081423.png
I am a 3D body trapping a single dimension soul.

tranglos

  • Supporting Member
  • Joined in 2006
  • **
  • Posts: 1,081
    • View Profile
    • Donate to Member
Re: NOD32 False Positive
« Reply #14 on: August 31, 2009, 11:28 AM »
OMG. So I've uninstalled Eset, since my two-year license expires in November and I'll have to pay someone again anyway - and am now running the trial of Avira AntiVir Premium. (By the way, Avira AntiVir Premium will be available on Bits du Jour on September 5). The first thing I'm seeing after restarting the computer is a whole barrage of notifications for many apps in my NirSoft folder.

Are these false positives? Or did I download an infected package from NirSoft's own site? Or does Avira think this is all malware? The strangest thing though, Avira seemed to scan that folder all on its own, on startup. Otherwise how could it have picked on those apps? Unless they are indeed all infected and they self-execute when the system starts. Not very likely, though! And no amount of unchecking the various options in Avira would convince it to ignore those tools, so much so I've had to zip up the whole folder to stop the multiple warnings.

Maybe I should try Kaspersky...


Carol Haynes

  • Waffles for England (patent pending)
  • Global Moderator
  • Joined in 2005
  • *****
  • Posts: 8,066
    • View Profile
    • Donate to Member
Re: NOD32 False Positive
« Reply #15 on: August 31, 2009, 05:39 PM »
Nirsoft stuff often causes false positives simply because of the utilities' functions. If you have an app that recovers passwords it can be used for password stealing if you are so inclined. Just shove all your Nirsoft stuff in a folder somewhere and tell your AV to ignore the folder.

tranglos

  • Supporting Member
  • Joined in 2006
  • **
  • Posts: 1,081
    • View Profile
    • Donate to Member
Re: NOD32 False Positive
« Reply #16 on: September 01, 2009, 04:39 PM »
Nirsoft stuff often causes false positives simply because of the utilities' functions. If you have an app that recovers passwords it can be used for password stealing if you are so inclined. Just shove all your Nirsoft stuff in a folder somewhere and tell your AV to ignore the folder.

Thanks, Carol, that makes sense.

Kaspersky tags these tools too, but it describes them better - as "hacking tools", while Avira displays some obscure name suggesting a virus or a trojan, and the link to more information always comes up empty. +1 for Kaspersky.

It's the first time I've tried Kaspersky and I like it a lot. I like the interface and the configurability. It's not exactly stingy when it comes to RAM usage (though better than Eset), and when performing a full scan, Kaspersky puts a bit of strain on the system. It seems to take 100% of one CPU core. Once mouse movement becomes shaky, it's not too good! I've looked for a process priority setting but can't find one.

Avira comes up on Bits du Jour in four days (looks like a 2 year license), while Kaspersky isn't cheap at all.

Decisions, decisions...

superboyac

  • Charter Member
  • Joined in 2005
  • ***
  • Posts: 6,347
    • View Profile
    • Donate to Member
Re: NOD32 False Positive
« Reply #17 on: September 01, 2009, 05:04 PM »
It's the first time I've tried Kaspersky and I like it a lot. I like the interface and the configurability. It's not exactly stingy when it comes to RAM usage (though better than Eset), and when performing a full scan, Kaspersky puts a bit of strain on the system. It seems to take 100% of one CPU core. Once mouse movement becomes shaky, it's not too good! I've looked for a process priority setting but can't find one.
I've only done a full scan once.  Here's a question: what's the point of doing regularly scheduled full scans?  if you scan once and then have the program running a live scan afterwards, could something actually infect your computer without the live scanner catching it?  How could it go undetected by the live scanner and then be picked up by a full scan?  I've always wondered about that.  Also, when I did do scheduled scans, I obviously had them scheduled during times when I'd be sleeping.

Carol Haynes

  • Waffles for England (patent pending)
  • Global Moderator
  • Joined in 2005
  • *****
  • Posts: 8,066
    • View Profile
    • Donate to Member
Re: NOD32 False Positive
« Reply #18 on: September 01, 2009, 06:37 PM »
could something actually infect your computer without the live scanner catching it?

Yes - if a new virus infiltrates your system before the AV vendor's virus database is updated. Future scans would detect it.

Trouble is it is a cat and mouse game.

It is unlikely that you will get a virus with decent AV software without regular full scans, but not impossible - somebody has to be the one to identify a new virus! That is where heuristics are important - just a shame they aren't generally bright enough to be foolproof when it comes to false positives.

If you are looking for a free antivirus (i.e. for non-commercial use) the three I would choose in order of preferences are:

AVAST
Avira
AVG

I went off AVG a bit when the nag screens started and also had some clients with problems with network connections from AVG 8 upgrade from 7. I come across people who use it and they seem generally happy but I don't recommend it any more because of the number of issues I have encountered.

Avira is a good AV but I didn't really like the interface for the free version and it suffers from lots of false positives.

Avast hasn't caused me any problems so far on my laptop - light on resources and doesn't seem to have bad false positive stats. There are no nag screens and it is pretty transparent in use.  I have recommended this to many home user clients and so far have not come across any issues or complaints. Avast is also very frequently updated (often 2 or 3 times a day).
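
The point made in the reply above (a file that slipped past the real-time scanner before the vendor had a signature is caught once the database is updated, and a scheduled full scan is what reaches files nobody opens again) comes down to two mechanics: on-access scanners remember which files they already found clean under the current definitions, and a definition update only changes verdicts for files that are touched again. The Python below is an added illustration, not code from the thread or from any of the products discussed, and uses exact SHA-256 signatures and constructed byte strings in place of a real engine and real malware. The clean-cache keyed by (database version, file size) is a simplification of what real products do; the file paths and detection names are made up.

```python
import hashlib
from dataclasses import dataclass
from typing import Dict, NamedTuple, Optional, Tuple


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


@dataclass(frozen=True)
class SignatureDB:
    """Toy definitions database: a version plus an exact-hash blocklist.
    Real engines add generic and heuristic rules; hashes keep this deterministic."""
    version: int
    blocklist: Dict[str, str]  # sha256 hex -> detection name

    def with_signature(self, sample: bytes, name: str) -> "SignatureDB":
        """Vendor update: next version number with one more known hash."""
        return SignatureDB(self.version + 1, {**self.blocklist, sha256(sample): name})


class ScanResult(NamedTuple):
    detection: Optional[str]  # None means clean (or served from cache)
    hashed: bool              # False when the clean-cache answered without rescanning


class Scanner:
    def __init__(self, db: SignatureDB) -> None:
        self.db = db
        # path -> (db version, size) under which the file was last found clean.
        self._clean_cache: Dict[str, Tuple[int, int]] = {}

    def update_db(self, db: SignatureDB) -> None:
        # Cache entries survive, but their version no longer matches, so the
        # next access re-hashes instead of trusting the old verdict.
        self.db = db

    def on_access(self, path: str, data: bytes) -> ScanResult:
        """Real-time path: skip files already clean under this DB and unchanged."""
        if self._clean_cache.get(path) == (self.db.version, len(data)):
            return ScanResult(None, False)
        return self._scan(path, data)

    def full_scan(self, files: Dict[str, bytes]) -> Dict[str, str]:
        """Scheduled scan: every file on disk, cache ignored; path -> detection."""
        hits: Dict[str, str] = {}
        for path, data in files.items():
            result = self._scan(path, data)
            if result.detection:
                hits[path] = result.detection
        return hits

    def _scan(self, path: str, data: bytes) -> ScanResult:
        hit = self.db.blocklist.get(sha256(data))
        if hit is None:
            self._clean_cache[path] = (self.db.version, len(data))
        else:
            self._clean_cache.pop(path, None)
        return ScanResult(hit, True)


def timeline() -> Dict[str, object]:
    """Constructed scenario (no real malware): a dropper arrives before a
    signature exists and writes a payload that is never opened again."""
    dropper = b"constructed sample A: not a real binary"
    payload = b"constructed sample B: dropped, never reopened"
    dl = r"C:\Users\me\Downloads\invoice.exe"                 # assumed path
    tmp = r"C:\Users\me\AppData\Local\Temp\svchost.exe"       # assumed path
    disk = {dl: dropper, tmp: payload}

    v1 = SignatureDB(1, {sha256(b"older known sample"): "Win32/Known.A"})
    av = Scanner(v1)
    day0_open = av.on_access(dl, dropper)      # real-time scan: no signature yet, clean
    day0_reopen = av.on_access(dl, dropper)    # same DB, same size: cache answers
    day0_write = av.on_access(tmp, payload)    # payload written, also clean under v1

    v2 = v1.with_signature(dropper, "Win32/New.A").with_signature(payload, "Win32/New.B")
    av.update_db(v2)                           # vendor ships definitions; nothing touched yet
    day1_reopen = av.on_access(dl, dropper)    # first access after update re-hashes: caught
    day1_full = av.full_scan(disk)             # only this reaches the payload nobody reopens

    return {"day0_open": day0_open, "day0_reopen": day0_reopen,
            "day0_write": day0_write, "day1_reopen": day1_reopen,
            "day1_full_scan": day1_full}


if __name__ == "__main__":
    for step, outcome in timeline().items():
        print(f"{step}: {outcome}")
```

The run shows the gap in plain terms: on day 0 both files pass, and the second open of the dropper is not even hashed; after the update the dropper is caught the moment it is touched, while the payload sitting in Temp is found only when the full scan walks the disk.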

tranglos

  • Supporting Member
  • Joined in 2006
  • **
  • Posts: 1,081
    • View Profile
    • Donate to Member
Re: NOD32 False Positive
« Reply #19 on: September 02, 2009, 06:45 AM »
I've only done a full scan once.  Here's a question: what's the point of doing regularly scheduled full scans?

I always run a full scan after installing a new AV package, just to see if it comes up with anything. But you're right, there's not much point in doing it later, unless you expect an infection missed earlier.

The shaky mouse movement during full scan worries me somewhat, because it may reflect on the performance of real-time scan as well. And even when I selected "Objects scan" and "By extension", Kaspersky still seemed to be scanning *.pas files - that's weird, and I couldn't find a way to customize the list of extensions.

That said, with Kaspersky I see no perceptible delay when viewing or executing large apps, while with Eset there was always a small pause. I like it a lot so far.

superboyac

  • Charter Member
  • Joined in 2005
  • ***
  • Posts: 6,347
    • View Profile
    • Donate to Member
Re: NOD32 False Positive
« Reply #20 on: September 02, 2009, 12:46 PM »
I've only done a full scan once.  Here's a question: what's the point of doing regularly scheduled full scans?

I always run a full scan after installing a new AV package, just to see if it comes up with anything. But you're right, there's not much point in doing it later, unless you expect an infection missed earlier.

The shaky mouse movement during full scan worries me somewhat, because it may reflect on the performance of real-time scan as well. And even when I selected "Objects scan" and "By extension", Kaspersky still seemed to be scanning *.pas files - that's weird, and I couldn't find a way to customize the list of extensions.

That said, with Kaspersky I see no perceptible delay when viewing or executing large apps, while with Eset there was always a small pause. I like it a lot so far.
I'm not sure if I've experienced the shaky mouse movement.  I know during full scans my computer has slowed down somewhat noticeably, but nothing as far as mouse movement.  The only other nuisance I've experienced with kaspersky is that there is a pretty long pause sometimes when running an executable for the first time while it figures out what level of trust to assign to it.  Especially for a new, fast computer like mine, I felt the long pause was unnecessary.  But it's only the first time it runs, after that it's fine.

I've tried other programs also, like you have, including the free ones.  I always go back to kaspersky because of the extensive configuration options.  Just in the last month, I even put it on my mom's and sister's computers because they both got some pretty horrible virus/malware just recently.  My mom's computer was destroyed, I had to reinstall Windows.  I just happened to be at my sister's house at the time, so I made her buy Kaspersky and installed it quickly to clean it, and it did.  I think both viruses (or malware) came from Facebook.  My mom had an old version of F-secure running, which is usually pretty good, but it didn't catch it (it was the antivirus version, not the "internet security" version and the definitions were updated).  My sister had AVG Free running and it did not catch it.  Kaspersky Internet Security caught them all.

This wave of attacks from Facebook recently has been pretty bad.  I think someone at my work also got a similar virus.  All within the past month.  I searched google, but didn't find any news about it, so maybe it's not as big as I'm imagining.  But I've never seen so many computers around me get infected at the same time like this.  The one on my mom's computer was especially bad:  it disabled Windows safe mode, it disabled any kind of entry into Task Manager, and it prevented any exe's to run.  There was nothing you could do.  I eventually cleaned it by using a special Linux boot CD, but after it was cleaned, the OS was just in shambles.  I'm very surprised F-Secure didn't catch it, but again, it was an old version.

superboyac

  • Charter Member
  • Joined in 2005
  • ***
  • Posts: 6,347
    • View Profile
    • Donate to Member
Re: NOD32 False Positive
« Reply #21 on: September 15, 2009, 11:34 AM »
I always run a full scan after installing a new AV package, just to see if it comes up with anything. But you're right, there's not much point in doing it later, unless you expect an infection missed earlier.

The shaky mouse movement during full scan worries me somewhat, because it may reflect on the performance of real-time scan as well. And even when I selected "Objects scan" and "By extension", Kaspersky still seemed to be scanning *.pas files - that's weird, and I couldn't find a way to customize the list of extensions.

That said, with Kaspersky I see no perceptible delay when viewing or executing large apps, while with Eset there was always a small pause. I like it a lot so far.

Tranglos, I'm curious, did you ever settle on an antivirus suite?  I ran a full scan again this past weekend, and there was no mouse jumping, but it does hamper the performance of my pc pretty significantly.  That's annoying because my pc is very new and pretty powerful.  But other than that, I have no problems with kaspersky.

tranglos

  • Supporting Member
  • Joined in 2006
  • **
  • Posts: 1,081
    • View Profile
    • Donate to Member
Re: NOD32 False Positive
« Reply #22 on: September 15, 2009, 12:19 PM »
Tranglos, I'm curious, did you ever settle on an antivirus suite? 

Yeah, I did go with Kaspersky, thanks for the suggestion. I chose the AV, not the firewall (which I liked, but decided to go without). I really like the UI (I'm a sucker for nice UI's, so that was easy), and I see no delays when opening/viewing large files. I had that problem with ESET, where the real-time AV would cause perceptible delays e.g. when viewing files in Total Commander's lister, or copying various installers between folders. Kaspersky seems faster here, and I'm quite satisfied with it.

I've discovered how to exclude files by extension, which wasn't immediately obvious to me: in Settings -> File Anti-Virus -> Threats and exclusions -> Settings again. I needed this because after installing the AV I started getting strange crashes from an application that often updates a large MS Jet database. It was throwing unlikely errors like "disk or network resource is no longer available", then crashing and taking some of my work with it. I suppose Kaspersky was scanning the DB in real time (on every access?) and maybe was locking the file, who knows. It seems to have stopped after I excluded the specific extensions from scanning.

I've already found a likely false negative too. I received a piece of spam with a typical come-on message and a zip file containing a randomly named .exe file. No idea exactly how harmful it was, but definitely not something you'd want to run. I unpacked the zip file, but Kaspersky gave no peep when viewing the exe file, copying it, or scanning that specific file. Of course in the past on occasion I did the same kind of experiment with ESET, and it didn't flash the red light at me, either. Maybe I should turn on heuristics, after all :)

superboyac

  • Charter Member
  • Joined in 2005
  • ***
  • Posts: 6,347
    • View Profile
    • Donate to Member
Re: NOD32 False Positive
« Reply #23 on: September 15, 2009, 01:02 PM »
Tranglos, I'm curious, did you ever settle on an antivirus suite? 

Yeah, I did go with Kaspersky, thanks for the suggestion. I chose the AV, not the firewall (which I liked, but decided to go without). I really like the UI (I'm a sucker for nice UI's, so that was easy), and I see no delays when opening/viewing large files. I had that problem with ESET, where the real-time AV would cause perceptible delays e.g. when viewing files in Total Commander's lister, or copying various installers between folders. Kaspersky seems faster here, and I'm quite satisfied with it.

I've discovered how to exclude files by extension, which wasn't immediately obvious to me: in Settings -> File Anti-Virus -> Threats and exclusions -> Settings again. I needed this because after installing the AV I started getting strange crashes from an application that often updates a large MS Jet database. It was throwing unlikely errors like "disk or network resource is no longer available", then crashing and taking some of my work with it. I suppose Kaspersky was scanning the DB in real time (on every access?) and maybe was locking the file, who knows. It seems to have stopped after I excluded the specific extensions from scanning.

I've already found a likely false negative too. I received a piece of spam with a typical come-on message and a zip file containing a randomly named .exe file. No idea exactly how harmful it was, but definitely not something you'd want to run. I unpacked the zip file, but Kaspersky gave no peep when viewing the exe file, copying it, or scanning that specific file. Of course in the past on occasion I did the same kind of experiment with ESET, and it didn't flash the red light at me, either. Maybe I should turn on heuristics, after all :)

Interesting information, thanks.  I've been recommending Kaspersky a lot the last couple of months to people.  It seems like there have been a lot of virus related issues lately.  In the past, i've been hesitant to recommend it because there are so many settings and I was afraid people would look at that and freak out.  But the last couple of years, they've really cleaned up their interface and it works pretty well right out of the box.

yeah, I don't know about the firewall.  I used to leave it turned off, but I turned it back on recently, i don't remember why.  I think I had some problems that seemed suspicious, and i thought i was running some harmful software.  Something like that, anyway, I turned it back on and I've been okay.

Well, I'm glad you like Kaspersky.  That's encouraging.  I always like to know if the software I recommend is helpful to others and not just a quirky choice of mine.

superboyac

  • Charter Member
  • Joined in 2005
  • ***
  • Posts: 6,347
    • View Profile
    • Donate to Member
Re: NOD32 False Positive
« Reply #24 on: November 09, 2009, 12:45 PM »

I've discovered how to exclude files by extension, which wasn't immediately obvious to me: in Settings -> File Anti-Virus -> Threats and exclusions -> Settings again. I needed this because after installing the AV I started getting strange crashes from an application that often updates a large MS Jet database. It was throwing unlikely errors like "disk or network resource is no longer available", then crashing and taking some of my work with it. I suppose Kaspersky was scanning the DB in real time (on every access?) and maybe was locking the file, who knows. It seems to have stopped after I excluded the specific extensions from scanning.

You know, I just remembered a situation a few years ago when I used newsgroups more.  I was using forte agent, and I remember that kaspersky would do the same thing for the database files that agent used.  I tried to figure out how to make kaspersky exclude it, but could never figure it out.  I'm glad you did.  I'm going to have to bookmark this solution for the future.  Thanks!