Nod32 update introduces false positives and delete core system files

[+Warwagon MVC]

Nod32 Win32/Kryptik.JX false positive

This morning a recent definition update to the popular Nod32 Antivirus introduced a false positive causing the Antivirus to prompt users to remove core system files, or in some cases delete the files automatically. The system files in question are msdtc.exe, winlogon.exe and dllhost.exe. Most are located in the System32 folder while other are in the c:\windows folder. They were being detected as Win32/Kryptik.JX. You may want to check your logs to make sure you are not affected. If those system files have been automatically deleted on your system you can follow the instructions in the link below to resolve the problem. 10 mins after the problem was discovered nod32 released an update to the Antivirus definitions which corrected the issue. If you reboot the system with those files deleted windows may no longer boot until the files in question are restored.

http://kb.eset.com/esetkb/index?page=conte...ctp=LIST_RECENT

[Sethos]

This is the second time NOD32 is having issues with a botched update triggering false positives, coupled with the fact it's barely in the top 5 any more according to AV-test, I doubt I'll be renewing my sub.

[AgEnTsMiTh]

Did not have a problem here.

[Bhav]

stopped using NOD32 in favour of comodo's entirely free package that seems just as light on resources :)

[Argi]

Oops, lucky I changed to Kaspersky after my Nod license expired. :p

[Scirwode]

Oops, lucky I changed to Kaspersky after my Nod license expired. :p

Lucky I changed to NIS2009 after my ESS license expired :p .

Scirwode

[+Mystic MVC]

Didn't have any issue and NOD32 has been great for me since I got it last October.

[Reacon]

And thus we see the downfall of NOD32... And the rising of Kapersky and Norton :D

[tsupersonic]

stopped using NOD32 in favour of comodo's entirely free package that seems just as light on resources :)

Nod32 is known not just for its light system usage, but its fantastic job in detection rates. I doubt comodo can match nod32 in terms of that.

[fix-this!]

im using nod32 version 4 with no issues on vista.

[goretsky Supervisor]

Hello,

There is a message on ESET's web site here with additional information about what happened and how they responded. Interesting reading.

Regards,

Aryeh Goretsky

[Srugie Veteran]

I love NOD32 and I've never had any problems with it.

[+Warwagon MVC]

My questing is why don't these antivirus companies have a machine with a clean install of windows that has the latest updates. Then do a full system scan with the current virus database before you push the update. That would eliminate these bad updates which delete core system files.

[Smigit]

They probably do test them. Whether they can test over a wide enough range of hardware and whether issues like this are necessarily visible immediately are another thing but. Sure those files are pretty obvious, but in the future it could be one that's more obscure that's only needed during a weekly scheduled event or whatever that gets wiped.

Not that it's right of course...but I highly doubt they throw these out without some testing.

[Denholm]

Checked our Media Center PC and Laptop - both unaffected. Thanks for the update anyway.

[Fubar]

just checked all my machines and nothing happened here , not according to the logs on all of them anyway , thanks for the heads up though

just noticed this bit on that link that was posted

The update downloads were stopped within ten minutes of the update release, and the update was reverted to its previous version. Due to this immediate response, less than 5% of our users were affected.

caught pretty much straight away , would explain a lot lol

[jamesVault]

This is another evidence of how an antivirus is often useless and more dangerous than a virus :crazy:

The facts:

- the antivirus programs always introduce a lot of incompatibilities and problems in Windows and slow down your machine

- the antivirus programs cover only a very small % of malware in the wild

- the users have an antivirus installed (kaspersky, avg, nod32, norton, avira, etc), it doesn't matter what they have, but they still continue to get infected by a virus

- the antivirus vendors still continue to release new virus definitions without even testing them on a Windows machine

===> the antivirus marked has completely failed!

Edited March 10, 2009 by jamesVault

[+shift. MVC]

This is another evidence of how an antivirus is often useless and more dangerous than a virus :crazy:

And what are you implying with that? That we shouldn't use anti-virus 'cause it does more bad than good? :rolleyes:

[Smigit]

- the users have an antivirus installed (kaspersky, avg, nod32, norton, avira, etc), it doesn't matter what they have, but they still continue to get infected by a virus

Sure, just as people wearing seat belts still die in cars and people wearing condoms still parent kids. Antivirus is not and never should be seen as a means of complete protection. Thats not to say they can't help.

- the antivirus vendors still continue to release new virus definitions without even testing them on a Windows machine

How many definitions do anti virus companies release? Thousands? One causes an issue and within 10 minutes of being discovered it has been corrected. I'm sorry but the ratio of definitions that don't screw the machine over to the ones that do is absolutely immense and would probably imply that they do go through some testing.

Again, it certainly is disconcerting this got through but to make blanket statements like Antivirus is useless and that they don't do any testing is pretty ridiculous.

[ViperAFK]

This is the second time nod32 has done this.

[+Mystic MVC]

At least 10 computers out of (probably at least a hundred) at part time ITS job were affected, but it wasn't anything too serious.

[(Spork)]

And thus we see the downfall of NOD32... And the rising of Kapersky and Norton :D

Bloatware !

ill stick to my Avira .... i was a big time NOD32 fan

[goretsky Supervisor]

Hello,

My understanding is that all anti-virus companies do this, but from the description of the problem, it sounds like they were doing unit testing of virus signature databases and module updates, and both passed separately. It was some sort of interaction between the two that caused a problem. It looks like they learned from it, though: http://www.eset.com/joomla/index.php?optio...39&Itemid=2

Regards,

Aryeh Goretsky

My questing is why don't these antivirus companies have a machine with a clean install of windows that has the latest updates. Then do a full system scan with the current virus database before you push the update. That would eliminate these bad updates which delete core system files.