Jump to content


ESET Staff
  • Posts

  • Joined

  • Last visited

About researcher

  • Rank

Profile Information

  • Gender
  • Location

Recent Profile Visitors

The recent visitors block is disabled and is not being shown to other users.

  1. False positive reports To submit a possible False Positive see Submit a suspicious website / potential false positive / potential miscategorization by Parental control to ESET for analysis when you wish to submit via email or use Submit sample for analysis function from the program GUI of ESET product installed on your computer. Whitelisting ESET does provide a whitelisting service for software vendors by which you can submit your software to minimize the chances of false positives, e.g., when your software is being downloaded. This service is intended as preventive measure for trusted and undetected applications to minimize risk of future false positives. Whitelisting service is not a channel for removing existing detections, disputes or solving other unrelated problems. If you want to register your software for whitelisting, please follow the instructions in the KB article How do I whitelist my software with ESET? Requirement for False positive submissions When submitting false positive file(s) via email or via program GUI, it is necessary to send copy of falsely detected file(s) as well as description of the file. I will explain what information is needed and why it is important. 1) Name of the legitimate application the file belongs to. When submitting false positives you must be able to identify what is the name of application that is being falsely detected. No-name false positive reports (when information about the application name is missing) are harder/slower to examine and in many cases indicate correctly detected malware rather then false positive. Example of correctly provided information: “This file belongs to VLC media player 3.0.6.” When you provide the specific version number, it helps. Example how not to submit false positives: “I don’t know what it is and why I have it on my computer but I think it is a false positive.” If you don’t know what the file is, don’t report it as false positive. 2) Name of the application’s author, developer, vendor or website where you downloaded the software Each legitimate software have known author or there is known company who developed it. There is known source/origin where the software can be obtained and you can learn information about it. This information is needed in investigation process. Researchers need to verify whether the software is safe and they may need the full installer to evaluate the software properly. Researchers may need to investigate whether other versions of the same software were affected by false positive or not. It is important to know the source/website where you downloaded the software because some download websites provide different installers than original vendors. 3) Application's purpose Let the researchers know what the application is supposed to do, what value does it offer to you. This information is usually available on vendor’s website but there are many old applications where the website is no longer available, or software was distributed only on CD-ROM/DVD, or the software is custom/in-house developed and the description is not generally available. Examples how of application’s purpose: This is a picture viewer, video convertor, movie player, communication software, printing program, database program, web browser, accounting software, computer game, tool I use for programming, etc. Don’t hesitate to provide any additional information you deem important. You may add the specific detection name you saw when detection occurred. In case some specific circumstances are needed to reproduce the problem, tell it to the researchers how (For example it may happen that the file itself is not detected but it downloads/creates other files that trigger detection). You may submit false positives via email or directly from ESET product via Submit sample for analysis function. In order to use the function open GUI of ESET Internet Security, you will find following icon in Tools and clicking More Tools: Please select “False positive file” option and attach the file you want to submit. Please provide all necessary information (as described above) researchers need to process your false positive submission. Information you provide indeed significantly helps ESET laboratories in the identification and processing of samples. Thank you for your submission!
  2. ESET Research Lab can receive samples sent by users via email and also sent via installed product running on user’s computer. I will try to explain how the submission via our program works, what is recommended to do or what is advised to avoid. When you open GUI of ESET Internet Security, you will find following icon in Tools and clicking More Tools: After clicking the icon you will see the first window called Select sample for analysis. 1) It is recommended to read the Online Help before submitting a file for a first time. 2) Selection “Suspicious file” means that you are about to report an undetected file and you wish ESET Lab to add detection. 3) Attach the suspicious file you wish to send to the ESET Lab. The attached file should be typically an executable program or script you found on your devices or you received via spammed emails. Submitting of your own private files (like your photos, movies, music, documents and other data types) should be generally avoided expect rare situations when you believe that some malicious code was added into these files. 4) You may provide your contact email. Researchers from ESET Lab may contact you if they need further information about submitted sample. 5) After clicking the Next button, you will see the second window called Add file description where you are asked to input additional information about submitted suspicious file. These additional information about the submitted file are significantly important for ESET Lab. Researchers need to understand why do you think the submitted file should be detected by ESET, how did you find/encountered the file, what problems are you experiencing. You can add any other information you consider relevant. Submissions without any additional information are usually not useful. 6) Observed signs and symptoms of malware infection. Researchers ask you to provide this information so they understand whether you submit malware actively running on your computer or not. Describe how the malware infection manifested on your computer. Signs and symptoms of malware infection could be following (including but not limited to: excessive CPU usage, excessive network usage, firewall reported unexpected network connections, unexpected browser setting changes, new ads being displayed, file copies automatically via network shares/removable drives, documents gets encrypted, program asks for ransom, application is hard to close, etc. - when you explain symptoms like these examples, you help researchers to finish analysis of the malware more quickly. There are situations when you don’t know the symptoms (because you did not run the file yet, it just appeared in your inbox) or you don’t observe any signs or symptoms. In such situation you can write: “I do not know the behavior because I did not want to open it when it arrived to my inbox.” or “I do not observe any visible signs but this file is running on my computer and I do not know how it got there and to which application it belongs.” or “I do not know what it is, but this file suddenly appeared on our server, so I suspect it was uploaded by hackers.” 7) File origin Information where and how did you find the suspicious file is also important for researchers. If you found the file when browsing Internet, include the website you were visiting. If you known the exact download URL the better. If you received the file via spammed message make sure you include this information. If you find the file on other computer, tell us about it. 8) Notes and additional information You can add any information or clarification you deem important. You may also express what do you expect ESET Labs to do with the sample (While the “Suspicious file” selection in Step 2 suggests that you wish to add detection, it is not bad to re-affirm using your own words). Information you provide indeed significantly helps ESET laboratories in the identification and processing of samples. Thank you for your submission! 9) Click Send and the submission is finished:
  3. When you see name of detection signature / threat name, then the web-page is not blocked by blacklist but by specific detection. The website was infected and following code was inserted to the website by hackers: When the website was infected, WordPress 4.5.3 was used. I am glad that the admin not only removed the malicious script but WordPress was updated to recent 4.6.1 version. That's my recommendation for other owners of infected websites. It is not enough to clean the bad code, the site must be secured to prevent future reinfections. At least older versions of CMS must be updated to recent versions.
  4. It seems the companies were parts of the same holding. Searches returned following results in some public CVs: "Fularo Holdings (Imesh/Bearshare/Viber/Bandoo)" "Polmont Ventures Ltd: iMesh / Bearshare / iLivid / Jzip / Bandoo / People Roulette / Ftalk"
  5. Rugk, try to compare submission from Viber's Reputation team in our forum and submission from iLivid's Reputation and Compliance Team in Symantec forum [ https://aka-community.symantec.com/en/forums/false-positive-ilivid ] Same people working for Viber and iLivid?
  6. OK, you have to... The main software package is available here hxxp://download.cdn.viber.com/cdn/packs/1/pack.exe (SHA1: 120a8e0c67fc82d6350f7a3d47158dc76bf25a5b *pack.exe 38 MB) This package is not detected by ESET, the classified 3rd party PUA components are not here. The file is 7Zip self extracting executable, it will extract necessary Viber program files in the folder where you run it.
  7. Interesting observation rugk about the possible Israeli origin. BTW, there are many advertising companies in Israel, that's probably why the Download Valley term was established. hxxp://blogs.wsj.com/digits/2014/06/04/hate-pop-up-ads-microsoft-tries-drawing-line-in-the-sand/
  8. The software vendor's website promises: "It's the right tool to protect your PC from hardware failures, conflicts, and system crashes." This is how the software behaves during our testing: And the license for the madExcept can be bought here: madshi.net/madExceptShop.htm
  • Create New...