Nod32 update introduces false positives and delete core system files


Recommended Posts

+warwagon

Nod32 Win32/Kryptik.JX false positive

This morning a recent definition update to the popular Nod32 Antivirus introduced a false positive causing the Antivirus to prompt users to remove core system files, or in some cases delete the files automatically. The system files in question are msdtc.exe, winlogon.exe and dllhost.exe. Most are located in the System32 folder while other are in the c:\windows folder. They were being detected as Win32/Kryptik.JX. You may want to check your logs to make sure you are not affected. If those system files have been automatically deleted on your system you can follow the instructions in the link below to resolve the problem. 10 mins after the problem was discovered nod32 released an update to the Antivirus definitions which corrected the issue. If you reboot the system with those files deleted windows may no longer boot until the files in question are restored.

http://kb.eset.com/esetkb/index?page=conte...ctp=LIST_RECENT

Link to post
Share on other sites
Sethos

This is the second time NOD32 is having issues with a botched update triggering false positives, coupled with the fact it's barely in the top 5 any more according to AV-test, I doubt I'll be renewing my sub.

Link to post
Share on other sites
AgEnTsMiTh

Did not have a problem here.

Link to post
Share on other sites
Bhav

stopped using NOD32 in favour of comodo's entirely free package that seems just as light on resources :)

Link to post
Share on other sites
idk_

Oops, lucky I changed to Kaspersky after my Nod license expired. :p

Link to post
Share on other sites
Scirwode
Oops, lucky I changed to Kaspersky after my Nod license expired. :p

Lucky I changed to NIS2009 after my ESS license expired :p .

Scirwode

Link to post
Share on other sites
+Mystic

Didn't have any issue and NOD32 has been great for me since I got it last October.

Link to post
Share on other sites
Reacon

And thus we see the downfall of NOD32... And the rising of Kapersky and Norton :D

Link to post
Share on other sites
tsupersonic
stopped using NOD32 in favour of comodo's entirely free package that seems just as light on resources :)
Nod32 is known not just for its light system usage, but its fantastic job in detection rates. I doubt comodo can match nod32 in terms of that.
Link to post
Share on other sites
fix-this!

im using nod32 version 4 with no issues on vista.

Link to post
Share on other sites
goretsky

Hello,

There is a message on ESET's web site here with additional information about what happened and how they responded. Interesting reading.

Regards,

Aryeh Goretsky

Link to post
Share on other sites
Srugie

I love NOD32 and I've never had any problems with it.

Link to post
Share on other sites
+warwagon

My questing is why don't these antivirus companies have a machine with a clean install of windows that has the latest updates. Then do a full system scan with the current virus database before you push the update. That would eliminate these bad updates which delete core system files.

Link to post
Share on other sites
Smigit

They probably do test them. Whether they can test over a wide enough range of hardware and whether issues like this are necessarily visible immediately are another thing but. Sure those files are pretty obvious, but in the future it could be one that's more obscure that's only needed during a weekly scheduled event or whatever that gets wiped.

Not that it's right of course...but I highly doubt they throw these out without some testing.

Link to post
Share on other sites
Denholm

Checked our Media Center PC and Laptop - both unaffected. Thanks for the update anyway.

Link to post
Share on other sites
Fubar

just checked all my machines and nothing happened here , not according to the logs on all of them anyway , thanks for the heads up though

just noticed this bit on that link that was posted

The update downloads were stopped within ten minutes of the update release, and the update was reverted to its previous version. Due to this immediate response, less than 5% of our users were affected.

caught pretty much straight away , would explain a lot lol

Link to post
Share on other sites
jamesVault

This is another evidence of how an antivirus is often useless and more dangerous than a virus :crazy:

The facts:

- the antivirus programs always introduce a lot of incompatibilities and problems in Windows and slow down your machine

- the antivirus programs cover only a very small % of malware in the wild

- the users have an antivirus installed (kaspersky, avg, nod32, norton, avira, etc), it doesn't matter what they have, but they still continue to get infected by a virus

- the antivirus vendors still continue to release new virus definitions without even testing them on a Windows machine

===> the antivirus marked has completely failed!

Edited by jamesVault
Link to post
Share on other sites
+shift.
This is another evidence of how an antivirus is often useless and more dangerous than a virus :crazy:

And what are you implying with that? That we shouldn't use anti-virus 'cause it does more bad than good? :rolleyes:

Link to post
Share on other sites
Smigit
- the users have an antivirus installed (kaspersky, avg, nod32, norton, avira, etc), it doesn't matter what they have, but they still continue to get infected by a virus

Sure, just as people wearing seat belts still die in cars and people wearing condoms still parent kids. Antivirus is not and never should be seen as a means of complete protection. Thats not to say they can't help.

- the antivirus vendors still continue to release new virus definitions without even testing them on a Windows machine

How many definitions do anti virus companies release? Thousands? One causes an issue and within 10 minutes of being discovered it has been corrected. I'm sorry but the ratio of definitions that don't screw the machine over to the ones that do is absolutely immense and would probably imply that they do go through some testing.

Again, it certainly is disconcerting this got through but to make blanket statements like Antivirus is useless and that they don't do any testing is pretty ridiculous.

Link to post
Share on other sites
ViperAFK

This is the second time nod32 has done this.

Link to post
Share on other sites
+Mystic

At least 10 computers out of (probably at least a hundred) at part time ITS job were affected, but it wasn't anything too serious.

Link to post
Share on other sites
(Spork)
And thus we see the downfall of NOD32... And the rising of Kapersky and Norton :D

Bloatware !

ill stick to my Avira .... i was a big time NOD32 fan

Link to post
Share on other sites
goretsky

Hello,

My understanding is that all anti-virus companies do this, but from the description of the problem, it sounds like they were doing unit testing of virus signature databases and module updates, and both passed separately. It was some sort of interaction between the two that caused a problem. It looks like they learned from it, though: http://www.eset.com/joomla/index.php?optio...39&Itemid=2

Regards,

Aryeh Goretsky

My questing is why don't these antivirus companies have a machine with a clean install of windows that has the latest updates. Then do a full system scan with the current virus database before you push the update. That would eliminate these bad updates which delete core system files.
Link to post
Share on other sites
This topic is now closed to further replies.
  • Recently Browsing   0 members

    No registered users viewing this page.