FindOnClick 1.4.0.31 - NOD32 Antivirus alert


Post by Robin Keir » Sun Apr 22, 2007 5:55 pm

FYI - this is most likely a false positive but when I just went to install FindOnClick version 1.4.0.31 my NOD32 anti virus (database version 2210, Apr 22nd) kicked in claiming that a temporary file being handled by C:\Program Files\2BrightSparks\FindOnClick\is-JES80.tmp was "probably unknown NewHeur_PE virus".

I have advanced heuristics enabled in the AV.

Here are the details of the file I attempted to install. It was downloaded from the official site and I renamed it for clarity of version number.


File: FindOnClick_Setup-1.4.0.31.exe
Size: 1451952 bytes
File Version: FindOnClick V1.4.0.3
Modified: Sunday, April 22, 2007, 10:28:22 AM
MD5: ECE0E58BB0810833F3F31583CD4C7D45
SHA1: FE7A2999B11AE78218E44A4A9A150D5F803444BF
CRC32: 5CB529B8

I submitted the installer EXE to VirusTotal for checking and it came out clean for all products, so the alert is only actually seen when the installer attempts to extract and move the files.
Robin Keir
Enthusiastic
Posts: 12
Joined: Thu Feb 03, 2005 3:50 am

Post by mickyj » Mon Apr 23, 2007 9:37 am

Hi, thanks for reporting this false positive. My guess is it will give the same warning if you install UndeleteOnClick or any of the other OnClick utilities because it's probably incorrectly flagging the installer (InnoSetup) as a virus. We'll update our "No Nasties" page:

http://www.2brightsparks.com/nonasties.html
mickyj
2BrightSparks Staff
Posts: 7965
Joined: Mon Jan 05, 2004 6:51 pm
Location: In front of computer

Actually, this bears further looking into

Post by woolly » Wed Apr 25, 2007 3:01 pm

mickyj wrote "...thanks for reporting this false positive. My guess is it will give the same warning if you install UndeleteOnClick or any of the other OnClick utilities because it's probably incorrectly flagging the installer (InnoSetup) as a virus."

I just downloaded and tried installing ALL of the OnClick utilities. Only FindOnClick is flagged by NOD32 (vers 2.7 with latest defs) as containing a virus payload. If InnoSetup were the problem then ALL OnClick utilities should presumably raise the suspicions of NOD32 AntiVirus. And I am NOT using advanced heuristics to scan files, as was the initial reporter. So my threshold of threat detection is presumably lower.

Just for kicks I tried repeated installs, uninstall, reinstall of various OnClick utilities. For what it is worth the name of the file or files that FindOnClick installs and that NOD32 flags as a virus continually changes, e.g. C:\DOCUME~1\COMPUTERNAME\LOCALS~1\Temp\is-MR8ET.tmp\is-7TQUG.tmp... is-CC84N.tmp... is-J9UTI.tmp... is-M1FP1.tmp... is-R6LRH.tmp. Sure, it appears that InnoSetup is creating all these files but why the inconsistent naming convention? And why is only FindOnClick causing such a fuss?

As much as I admire and respect the developers of 2BrightSparks software I think the report should not be so lightly dismissed. Even the major players in the software business have accidentally released code with embedded viruses (Apple's recent release of iPod software with a PC virus is but one example that comes to mind).
woolly
Newbie
Posts: 4
Joined: Sat Nov 04, 2006 9:14 pm

Post by mickyj » Thu Apr 26, 2007 4:56 am

Hi, as my colleague stated in your support ticket:
I have personally checked FindOnClick using Avast AntiVirus, Comodo AntiVirus, Norton AntiVirus, and McAfee AntiVirus, and all give FindOnClick a clean bill of health.

If you believe NOD32 is correct and everyone else is wrong, then that is your choice. If you really believe there are never any false positives and that anti-virus companies are infallible, then that is your choice. We know there is no virus and you can believe us or not. There is nothing else we can do except submit the file to NOD32 for analysis and inform them they've made a mistake (which we've already done) and repeat once again that we are 100% absolutely positive that there is no virus.

As for the inconsistent naming convention, that is perfectly normal. It's simply a temporary filename given to the file by the installer. The installer moves the file to the correct folder and renames it once it's copied all the files to the drive (so you can rollback the installation if it fails because it hasn't yet replaced the files). The file itself is FindOnClick.exe. There is nothing suspicious going on here.

Why is FindOnClick causing a fuss? It's not, NOD32 is. My guess is that FindOnClick is using a technique they believe some viruses use (or may use). What technique? I don't know and it doesn't provide details. All I know for sure is we don't write or spread viruses, FindOnClick is not a virus, and it does not contain a virus.
mickyj
2BrightSparks Staff
Posts: 7965
Joined: Mon Jan 05, 2004 6:51 pm
Location: In front of computer
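
An added example, not part of the thread and not 2BrightSparks' code: one way to check the explanation above that the flagged `is-*.tmp` file is FindOnClick.exe under a temporary name, by comparing digests of a preserved copy of the flagged file against the installed files. The `is-XXXXX.tmp` pattern is inferred from the names quoted in this thread, and the function names are hypothetical.

```python
import hashlib
import re
import zlib
from pathlib import Path, PureWindowsPath

# Assumption: pattern inferred from the temp names quoted in this thread
# (is-JES80.tmp, is-7TQUG.tmp, ...), not taken from Inno Setup documentation.
INNO_TEMP = re.compile(r"^is-[0-9A-Z]{5}\.tmp$", re.IGNORECASE)


def inno_temp_components(alert_path: str) -> list[str]:
    """Return the components of an AV alert path that look like installer temp names."""
    return [p for p in PureWindowsPath(alert_path).parts if INNO_TEMP.match(p)]


def digests(path: Path) -> dict[str, str]:
    """MD5, SHA1 and CRC32 in the upper-case hex form used in the first post."""
    md5, sha1, crc = hashlib.md5(), hashlib.sha1(), 0
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            md5.update(chunk)
            sha1.update(chunk)
            crc = zlib.crc32(chunk, crc)
    return {"MD5": md5.hexdigest().upper(), "SHA1": sha1.hexdigest().upper(),
            "CRC32": f"{crc:08X}"}


def same_content(flagged: Path, install_dir: Path) -> list[str]:
    """Names of installed files with the same SHA1 and size as the flagged file."""
    want = digests(flagged)["SHA1"], flagged.stat().st_size
    return sorted(f.name for f in install_dir.iterdir()
                  if f.is_file() and f != flagged
                  and (digests(f)["SHA1"], f.stat().st_size) == want)


if __name__ == "__main__":
    import tempfile
    alert = r"C:\DOCUME~1\COMPUTERNAME\LOCALS~1\Temp\is-MR8ET.tmp\is-7TQUG.tmp"
    print(inno_temp_components(alert))
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        # Constructed stand-in bytes, not the real FindOnClick binary.
        (root / "FindOnClick.exe").write_bytes(b"constructed sample")
        (root / "is-JES80.tmp").write_bytes(b"constructed sample")
        print(same_content(root / "is-JES80.tmp", root))
```

A match shows the alert concerns the application binary itself rather than an extra file dropped during setup; it does not by itself say whether the detection is correct.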

Post by skipper » Fri Aug 31, 2007 10:34 am

I've been using NOD32 for years now and it protects my machine perfectly. This surely is a false positive. I do have the same problems during install. This is not the first software I've installed that triggers a false warning from NOD32. The problem is they don't seem to care, because even after a long period the problems remain the same.
I fully trust that your software is not infected by any virus. The thing is: how do we convince NOD32 to take this seriously?

Frans
skipper
Newbie
Posts: 4
Joined: Sun Sep 11, 2005 1:22 am

