Author Topic: ESET NOD32 False Positive on 353 byte GIF file.  (Read 6772 times)

hutch--

  • Administrator
  • Member
  • ******
  • Posts: 4814
  • Mnemonic Driven API Grinder
    • The MASM32 SDK
ESET NOD32 False Positive on 353 byte GIF file.
« on: October 13, 2012, 02:49:17 PM »
It appears to be a worrying trend that ESET AV scanners are starting to report completely safe old files as infected. The following file, "cool.gif" is an antique smiley from the UK forum yet I have recently received reports that ESET are flagging it as an infected file.

This is the HEX notation for the 353 byte gif smiley. Note that I have copied the file directly from the current server that contains the old masm forum files.

; *******\cool_smiley\cool.gif  353 bytes

00000000 :47 49 46 38 39 61 0F 00 - 0F 00 D5 39 00 FF E6 0E
00000010 :FE A1 01 FE BD 06 FF D2 - 0A FE A6 02 FF C4 08 FF
00000020 :C8 09 FE 9E 00 FE B0 04 - FF C5 08 FF FF FF FE B7
00000030 :05 FF D9 0C FF BC 06 FE - D2 0A FF AA 03 FE BB 06
00000040 :FF B7 05 FE AA 02 FE E6 - 0F FE C9 09 FF CA 09 FF
00000050 :AE 03 FE CC 09 FE CA 09 - FE A4 01 FE A7 01 FE B1
00000060 :04 FE D2 0B FF DD 0D FF - B3 04 FF CC 09 FF B1 04
00000070 :FE DD 0D FF D8 0C FE BD - 07 FE C8 09 FF DB 0C FF
00000080 :B3 05 FE C4 08 FE AB 03 - FE A2 01 FE D1 0A FE D9
00000090 :0C FE BC 06 FE DB 0D FE - A3 01 FF DD 0C FF AA 02
000000A0 :FF D2 0B FF E9 0F FF CA - 08 FE CB 09 FE B4 04 FE
000000B0 :A1 00 FE 9D 00 00 00 00 - FF FF FF 00 00 00 00 00
000000C0 :00 00 00 00 00 00 00 00 - 00 00 00 00 00 21 F9 04
000000D0 :01 00 00 39 00 2C 00 00 - 00 00 0F 00 0F 00 00 06
000000E0 :7E C0 9C 50 88 2B 16 87 - C8 5C 91 46 29 08 4C 47
000000F0 :24 CE C1 28 AD 38 06 01 - 88 80 1B E2 06 9D 89 0C
00000100 :F0 8A 25 16 A8 40 57 69 - 2C 02 DA 47 DC 07 4E BF
00000110 :15 2B 46 05 EE 5D D4 DB - 71 09 2A 46 00 21 0E 46
00000120 :01 7F 0D 24 03 0C 2D 22 - 03 59 08 04 07 7F 35 2C
00000130 :27 18 17 33 05 23 1E 30 - 88 76 4A 1B 0B 38 0D 10
00000140 :11 08 12 38 37 A1 4A 1A - 0F 16 70 AC AD 4A 01 29
00000150 :19 2E 36 94 AC 6B 5E AB - B3 7F 49 BE 46 49 41 00
00000160 :3B


I would hope this is only a temporary blunder from ESET as I have long recommended their scanners for people who must use this type of software. In the meantime it appears safe to keep recommending the Microsoft Essentials which don't flag perfectly safe antique files as infected. The file dates 2006 and has been a component of the old UK forum for the last 6 years.
« Last Edit: October 13, 2012, 04:45:35 PM by hutch-- »
hutch at movsd dot com
http://www.masm32.com    :biggrin:  :biggrin:

Vortex

  • Member
  • *****
  • Posts: 1704
Re: ESET NOD32 False Positive on 353 byte GIF file.
« Reply #1 on: October 13, 2012, 09:36:44 PM »
Hi Hutch,

This is a false positive. What's the report of Jotti?

hutch--

Re: ESET NOD32 False Positive on 353 byte GIF file.
« Reply #2 on: October 14, 2012, 12:05:49 AM »
Must be a strange report.

Quote
Filename:   cool.gif
Status:   
Scan finished. 0 out of 19 scanners reported malware.
Scan taken on:     Sat 13 Oct 2012 15:03:38 (CET) Permalink

No problems here.


jj2007

  • Member
  • *****
  • Posts: 7559
  • Assembler is fun ;-)
    • MasmBasic
Re: ESET NOD32 False Positive on 353 byte GIF file.
« Reply #3 on: October 14, 2012, 12:17:09 AM »
And yet, a long series of zerobytes in a file that claims to be highly compressed... suspicious ::)

Hutch, has your puter been running a bit slow the last 6 years?

hutch--

Re: ESET NOD32 False Positive on 353 byte GIF file.
« Reply #4 on: October 14, 2012, 12:31:11 AM »
JJ,

I posted the HEX to show what was in the file. Where are you getting the extra zero bytes from ?

jj2007

Re: ESET NOD32 False Positive on 353 byte GIF file.
« Reply #5 on: October 14, 2012, 12:55:24 AM »
000000B0 :A1 00 FE 9D 00 00 00 00 - FF FF FF 00 00 00 00 00
000000C0 :00 00 00 00 00 00 00 00 - 00 00 00 00 00 21 F9 04


But hey, I was just joking ;)
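
The two rows quoted in Reply #5 can be checked against the GIF header bytes from the first post. The following is an added example, not part of the thread or any poster's code (the function names are hypothetical): it parses three rows of the dump and shows that the longest zero run sits inside the Global Color Table, which the GIF format stores uncompressed (only the image data is LZW-compressed), and that the table ends exactly where the `21 F9 04` Graphic Control Extension begins.

```python
# Three rows copied from the hex dump in the first post (0x00, 0xB0, 0xC0).
DUMP_ROWS = """\
00000000 :47 49 46 38 39 61 0F 00 - 0F 00 D5 39 00 FF E6 0E
000000B0 :A1 00 FE 9D 00 00 00 00 - FF FF FF 00 00 00 00 00
000000C0 :00 00 00 00 00 00 00 00 - 00 00 00 00 00 21 F9 04
"""

def parse_dump(text):
    """Map file offset -> byte value for 'OFFSET :xx xx - xx xx' rows."""
    data = {}
    for line in text.splitlines():
        offset, _, rest = line.partition(" :")
        for i, tok in enumerate(rest.replace("-", " ").split()):
            data[int(offset, 16) + i] = int(tok, 16)
    return data

def color_table_span(data):
    """(start, end) offsets of the Global Color Table, end exclusive."""
    if bytes(data[i] for i in range(6)) not in (b"GIF87a", b"GIF89a"):
        raise ValueError("not a GIF signature")
    packed = data[10]                 # packed field of the screen descriptor
    if not packed & 0x80:             # bit 7 clear: no global table
        return 13, 13
    return 13, 13 + 3 * 2 ** ((packed & 0x07) + 1)

def longest_zero_run(data):
    """(first_offset, length) of the longest run of 00 bytes in known data."""
    best, run, prev = (0, 0), None, None
    for off in sorted(data):
        if data[off] != 0:
            run = None
        elif run and prev == off - 1:
            run = (run[0], run[1] + 1)
        else:
            run = (off, 1)
        if run and run[1] > best[1]:
            best = run
        prev = off
    return best

def explain(data):
    start, end = color_table_span(data)
    first, length = longest_zero_run(data)
    last = first + length - 1
    return {
        "table": (start, end),
        "zero_run": (first, last),
        "inside_table": start <= first and last < end,
        "palette_entries": ((first - start) // 3, (last - start) // 3),
        "after_table": bytes(data[end + i] for i in range(3)),
    }

if __name__ == "__main__":
    for key, value in explain(parse_dump(DUMP_ROWS)).items():
        print(key, value)
```

The packed byte `D5` declares a 64-entry palette; the zero run covers entries 58 to 63, which lie past the background/transparent index `39` (57) declared in the header.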

Greenhorn

  • Member
  • **
  • Posts: 93
Re: ESET NOD32 False Positive on 353 byte GIF file.
« Reply #6 on: October 14, 2012, 08:52:34 AM »
Hi,

ESET blocks the complete old archive forum.
Also the smileys here in the current forum.
I made a support request.


Greenhorn

hutch--

Re: ESET NOD32 False Positive on 353 byte GIF file.
« Reply #7 on: October 14, 2012, 12:13:46 PM »
Greenhorn,

Gratsie.

MichaelW

  • Global Moderator
  • Member
  • *****
  • Posts: 1209
Re: ESET NOD32 False Positive on 353 byte GIF file.
« Reply #8 on: October 14, 2012, 07:32:42 PM »
I guess they’re trying to avoid a scenario where the worm that destroyed the world was hiding in a smiley :biggrin:
Well Microsoft, here’s another nice mess you’ve gotten us into.

shankle

  • Member
  • ****
  • Posts: 752
Re: ESET NOD32 False Positive on 353 byte GIF file.
« Reply #9 on: October 14, 2012, 10:22:59 PM »
When I posted this message the smilies were in a row and not distorted like they were a
few days ago. No messages appeared from ESET so I guess they finally got their
act together. :greenclp:
Thanks ESET if you see this.

Greenhorn

Re: ESET NOD32 False Positive on 353 byte GIF file.
« Reply #10 on: October 15, 2012, 01:46:00 AM »
Yepp, nothing is blocked anymore.

The old forum archive is browsable and the smileys are happy again.
NOD32 complains about nothing.

Thanks ESET.   :t


Greenhorn

Siekmanski

  • Member
  • *****
  • Posts: 1094
Re: ESET NOD32 False Positive on 353 byte GIF file.
« Reply #11 on: October 15, 2012, 05:59:11 PM »
 :biggrin: Yeah, I can browse the forum again without being blocked by ESET NOD32.