False Positive Fixes
05-31-2009, 07:16 PM
(This post was last modified: 05-31-2009 08:18 PM by Chappy.)
Post: #1
Hi Shark & Forum members
NOTE - This thread is ONLY to help our members with their current Eset and/or Norton issues with the AV product flagging Shark's Codec pack as a "Possible" problem app. We do not wish this thread to start into an AV Product comparison post so please, let's keep this dedicated to helping those with this False Positive issue and not try to get members to switch to your favorite AV instead.

(McAfee users may find this similar to your fix as well. Sorry I don't have exact steps for McAfee but this may help you find whatever option steps you need too I hope)

(These solutions are for both Win7 & Vista codec pack users)

I would like to help with the Nod32 "False Positive" situation that some of our members are having. I've used Nod32 for several years, and Shark's codec pack since its inception, and while I have never had the Win7 codec pack flagged as "Potentially Malware", I know why it's happening and can help the members that are experiencing this problem.

First tho, I'd like to give you a bit of my background in the AV/Malware field so that you know I can be trusted with this advice.

I was an Independent tester of New & Unknown variants for many of the major AV companies for almost 9 years. This was before they all became big enough to employ their own teams of analyzers, at which time the "Independents" moved to other projects. I did all this on my own time since I had a full time job as a Firefighter, but with my background in reverse engineering & decompiling and extensive experience with computers (since 1972), along with the desire to help other users, I was soon testing new files for about 11 different companies as were many others like me. After we found ourselves with not much to do, I started helping with Lavasoft Adaware, Spybot S&D, and helped with HijackThis developer and became a HJT teacher.
I've been a member of ASAP (Alliance of Security Analysis Professionals) since almost its inception and have helped set up numerous Tech/Security Help sites with HJT analyzers and other trained helpers. Basically I've been "Fighting the Good Fight" for well over a decade now, and all without any compensation except for the satisfaction of helping other users keep out of Malware trouble, and just help fix any other issues they have.

So, with that out of the way I have 2 solutions for those using Eset Nod32 or Eset Security Suite, to eliminate this False Positive issue. I feel that changing your AV product is far too extreme a solution for this rather minor annoyance, and while AVG and Avira have certainly improved their product over the years, they simply don't come close enough to Eset's reputation to warrant a change over. I also do NOT want to start an argument with members over any competing AV products with that statement, but the records do speak for themselves.

Let's get to fixing this issue...

There are 2 ways this can be accomplished, one is to simply Uncheck an option that most users will have no problems with, and the other is to use the Exclusions list.

First option:

The "Threatsense" parameters that Eset uses is more or less the culprit in these false positives being flagged. This option when checked assumes (we all know THAT one...) that the user is requesting that ANY program that may have similar function or similarity to how any Malware program does its nefarious deeds, is unwanted by the user. The problem today though is that many programs use similar techniques or modules that malware may use, except for perfectly Legitimate use, and that's where users can face many potential problems with certain types of legitimate software, such as we see here with the UPX compression used by Shark's pack. Almost ALL users can run safely with this option disabled if they wish, I do and that's why I've never had this pack flagged as Potential Malware.
For anyone who wishes to keep that added layer of protection, it's very simple to enable again after the pack is installed as it's ONLY the installation of the pack that is flagged, during the decompression stage.

I'm going to assume (there's that word again...) that most users are not familiar with the Advanced setup in Nod32 so I'm walking thru all the steps with screenshots for clarity. I don't use the ESS suite as I use another firewall (another story) but the AV is what we want anyway and that is pretty much the same for both products.

Step 1 - Open Nod32 or ESS by dbl-clicking the icon in the system tray

Click Setup on the left & Toggle to Advanced Mode (only if in Standard mode)

Enter Advanced Setup Options

Highlight "Real Time File System Protection" and click the Setup button

Click "Options" and then Uncheck the "Potentially Unwanted applications" checkbox.

Now you can run the Win7 codec installer without interference. Since the installation of the pack is what is flagged, this option can be Rechecked after installation is complete, for those who wish to keep this option enabled. Be aware though that this will cause some legit applications to be flagged as potential malware simply because they use similar methods. It is a bit overkill in some situations but if you KNOW the app you're installing to be "clean" then you can use this in future installations.

(Continued in next post due to apparent Attachment Limitations of 5 per post)

Continued....

The other option is to add the folder where Shark's pack is uncompressed into the exclusions list.

Again, open the Eset app as above and enter Setup, Entire advanced setup tree.

Now click "Exclusions", and click the Add button.

A popup will show where you can navigate to the folder you want excluded. It's not enough to simply add the Win7codec executable because it's the Program Files folder that is being flagged when the pack is uncompressed into it and not the exe itself.
Navigate to (note: "X" is your system drive, usually C: but may differ for some) X:\Program Files (for 32 bit users) or X:\Program Files (x86) (64 bit) & click on that folder to enter it into the line at the top of the popup.

Since the folder is not yet created, we need to finish this line manually. Click in the line to add your cursor and add this after Program Files

\Win7codecs\*.*

The entire line should look like this (copy paste if you wish):

for 64bit users - C:\Program Files (x86)\Win7codecs\*.*
for 32bit users - C:\Program Files\Win7codecs\*.*

This simply tells the AV scanner to ignore everything inside the Win7codecs folder, and by keeping this as it is you will not see the problem again.

For those using the x64 addon, you need to add the C:\Program Files\Win7codecs\*.* exclusion as well.

NOTE - Eset products will STILL flag the Uninstallation of Shark's codec pack! Leaving the "Potentially Unwanted Applications" option unchecked will stop this from happening but if you want that option to remain checked, this is more difficult to stop as it's a temporary file name that's (randomly) created during uninstall and can't be added to the Exclusions List, so simply ignore these. If I find another way to eliminate this I'll post for you here.

Thanx to Shark for allowing me to help you other members with this issue, and as always THANK YOU Shark for this exceptional pack!!

Dave



