False positive
We’re quite proud of our record of low false positive rates, despite the occasional slip-up (all AV scanners have them: it’s an unfortunate fact of life, but we like to think that our usefulness in detecting real malware outweighs them in the long term).
However, I’ve just been advised by our friends at Sophos (yes, AV researchers do talk to each other, very amicably sometimes…) that NOD32 is generating a false positive when it scans one of their executable files. (I just checked: it does trip that heuristic.) The problem is being looked at, and I’ll post a note here when it’s fixed. In the meantime, you may be surprised to learn that I’m not going to tell you which file it is. That’s because if I tell you that namelessbinary.exe is actually not infected, some cleverclogs malware author may decide to generate a malicious file with the same name.
So, in the meantime, if you find yourself using NOD32 to scan a machine with Sophos installed, and it tells you one of the files is infected, be aware that it might be a false alarm, but don’t assume it is. I’m sure our user support team will be happy to advise you further.
David Harley
Malware Intelligence Team