Nod32 update introduces false positives and delete core system files

By +Warwagon
in Back Page News

 Share

Recommended Posts

Grand Master

+Warwagon MVC

Posted
  • MVC
Posted

Nod32 Win32/Kryptik.JX false positive

This morning a recent definition update to the popular Nod32 Antivirus introduced a false positive causing the Antivirus to prompt users to remove core system files, or in some cases delete the files automatically. The system files in question are msdtc.exe, winlogon.exe and dllhost.exe. Most are located in the System32 folder while other are in the c:\windows folder. They were being detected as Win32/Kryptik.JX. You may want to check your logs to make sure you are not affected. If those system files have been automatically deleted on your system you can follow the instructions in the link below to resolve the problem. 10 mins after the problem was discovered nod32 released an update to the Antivirus definitions which corrected the issue. If you reboot the system with those files deleted windows may no longer boot until the files in question are restored.

http://kb.eset.com/esetkb/index?page=conte...ctp=LIST_RECENT

Grand Master

Scirwode

Posted
Posted
Oops, lucky I changed to Kaspersky after my Nod license expired. :p

Lucky I changed to NIS2009 after my ESS license expired :p .

Scirwode

Grand Master

tsupersonic

Posted
Posted
stopped using NOD32 in favour of comodo's entirely free package that seems just as light on resources :)
Nod32 is known not just for its light system usage, but its fantastic job in detection rates. I doubt comodo can match nod32 in terms of that.
Grand Master

goretsky Supervisor

Posted
  • Supervisor
Posted

Hello,

There is a message on ESET's web site here with additional information about what happened and how they responded. Interesting reading.

Regards,

Aryeh Goretsky

Grand Master

+Warwagon MVC

Posted
  • Author
  • MVC
Posted

My questing is why don't these antivirus companies have a machine with a clean install of windows that has the latest updates. Then do a full system scan with the current virus database before you push the update. That would eliminate these bad updates which delete core system files.

Grand Master

Smigit

Posted
Posted

They probably do test them. Whether they can test over a wide enough range of hardware and whether issues like this are necessarily visible immediately are another thing but. Sure those files are pretty obvious, but in the future it could be one that's more obscure that's only needed during a weekly scheduled event or whatever that gets wiped.

Not that it's right of course...but I highly doubt they throw these out without some testing.

Experienced

Fubar

Posted
Posted

just checked all my machines and nothing happened here , not according to the logs on all of them anyway , thanks for the heads up though

just noticed this bit on that link that was posted

The update downloads were stopped within ten minutes of the update release, and the update was reverted to its previous version. Due to this immediate response, less than 5% of our users were affected.

caught pretty much straight away , would explain a lot lol

Proficient

jamesVault

Posted
Posted (edited)

This is another evidence of how an antivirus is often useless and more dangerous than a virus :crazy:

The facts:

- the antivirus programs always introduce a lot of incompatibilities and problems in Windows and slow down your machine

- the antivirus programs cover only a very small % of malware in the wild

- the users have an antivirus installed (kaspersky, avg, nod32, norton, avira, etc), it doesn't matter what they have, but they still continue to get infected by a virus

- the antivirus vendors still continue to release new virus definitions without even testing them on a Windows machine

===> the antivirus marked has completely failed!

Edited by jamesVault
Grand Master

+shift. MVC

Posted
  • MVC
Posted
This is another evidence of how an antivirus is often useless and more dangerous than a virus :crazy:

And what are you implying with that? That we shouldn't use anti-virus 'cause it does more bad than good? :rolleyes:

Grand Master

Smigit

Posted
Posted
- the users have an antivirus installed (kaspersky, avg, nod32, norton, avira, etc), it doesn't matter what they have, but they still continue to get infected by a virus

Sure, just as people wearing seat belts still die in cars and people wearing condoms still parent kids. Antivirus is not and never should be seen as a means of complete protection. Thats not to say they can't help.

- the antivirus vendors still continue to release new virus definitions without even testing them on a Windows machine

How many definitions do anti virus companies release? Thousands? One causes an issue and within 10 minutes of being discovered it has been corrected. I'm sorry but the ratio of definitions that don't screw the machine over to the ones that do is absolutely immense and would probably imply that they do go through some testing.

Again, it certainly is disconcerting this got through but to make blanket statements like Antivirus is useless and that they don't do any testing is pretty ridiculous.

Grand Master

goretsky Supervisor

Posted
  • Supervisor
Posted

Hello,

My understanding is that all anti-virus companies do this, but from the description of the problem, it sounds like they were doing unit testing of virus signature databases and module updates, and both passed separately. It was some sort of interaction between the two that caused a problem. It looks like they learned from it, though: http://www.eset.com/joomla/index.php?optio...39&Itemid=2

Regards,

Aryeh Goretsky

My questing is why don't these antivirus companies have a machine with a clean install of windows that has the latest updates. Then do a full system scan with the current virus database before you push the update. That would eliminate these bad updates which delete core system files.
This topic is now closed to further replies.
 Share
Go to topic listing

  • Recently Browsing   0 members

    • No registered users viewing this page.

  • Posts

    • HWMonitor 1.64

      By Copernic · Posted

      HWMonitor 1.64 by Razvan Serea HWMonitor is a hardware monitoring program that reads PC systems main health sensors : voltages, temperatures, fans speed. The program handles the most common sensor chips, like ITE® IT87 series, most Winbond® ICs, and others. In addition, it can read modern CPUs on-die core thermal sensors, as well has hard drives temperature via S.M.A.R.T, and video card GPU temperature. Special hardware monitors such as abit® uGuru and Gigabyte® ODIN™ power supplies serie are supported too. HWMonitor 1.64 changelog: Intel Arc G3 & G3 Extreme (Panther Lake). Intel Core Ultra 5 250KF Plus (Arrow Lake Refresh). AMD Ryzen 7 7700X3D (Raphael). AMD Ryzen AI Max+ 495, 492, 488 (Gorgon Halo). AMD Ryzen AI Max 490, 485 (Gorgon Halo). AMD Ryzen AI Max PRO 495, 490, 485, 480 (Gorgon Halo). AMD Ryzen 9 9950X3D2 (Granite Ridge). AMD Ryzen 9 PRO 9965X3D, PRO 9945 (Granite Ridge). AMD Ryzen 7 PRO 9755, PRO 9745 (Granite Ridge). AMD Ryzen 5 PRO 9645 (Granite Ridge). AMD Ryzen AI 7/PRO 450G/GE (Gorgon Point 2). AMD Ryzen AI 5/PRO 440G/GE (Gorgon Point 2). AMD Ryzen AI 5/PRO 435G/GE (Gorgon Point 3). Support of HUDIMM and HSODIMM memory modules. New themes. New real-time graphs. Download: HWMonitor 1.64 | 3.4 MB (Freeware) Download: Portable HWMonitor 1.64 | 2.7 MB View: HWMonitor Homepage | Screenshot Get alerted to all of our Software updates on Twitter at @NeowinSoftware
    • Visual Studio finally gets long-awaited feature that developers will love

      By SoylentGreenIP · Posted

      I have had a request since 2017 and so have many others that requested too and nothing has been done about it except its on our list to do.
    • Politically funny images of the World

      By PsYcHoKiLLa · Posted

      I think it might be behind the trailer park amusements?
    • Microsoft about to radically change how often your Edge browser updates

      By Accuphase · Posted

      Some people don’t like them but plenty more enjoy what they have to offer. Check the value of the company.
    • Nvidia's GeForce NOW summer sale drops prices for Ultimate and Premium memberships

      By AndrewSteel · Posted

      Not such a great deal, Ultimate, which gives you full 5080 features is $181.99 CAD per month, that's $2183.88 per year, I can buy the 5080 for $1809.99 CAD, then it goes up to $279.99 per month after the first billing cycle. Typical cloud rental, costs more than buying the hardware.

  • Recent Achievements

    • One Month Later
      Clizby earned a badge
      One Month Later
    • One Month Later
      Timaximus earned a badge
      One Month Later
    • Week One Done
      Timaximus earned a badge
      Week One Done
    • Rookie
      FBSPL went up a rank
      Rookie
    • First Post
      davidbazooked earned a badge
      First Post

  • Popular Contributors

    1. 1
      +primortal
      501
    2. 2
      PsYcHoKiLLa
      172
    3. 3
      +Edouard
      163
    4. 4
      Steven P.
      86
    5. 5
      ATLien_0
      77
    Show More

  • Tell a friend

    Love Neowin? Tell a friend!