Jeroen1000, posted January 29, 2014 (edited):

Dear Marcos, Dear support,

Since we are going around in circles with the ticket, I was wondering whether you could offer a more in-depth explanation / analysis on the matter and also a solution.

I'm using Radmin (hxxp://www.radmin.com/), a remote control utility, that NOD32 keeps detecting as a potentially unwanted program. It states the threat is in the Operating Memory (which is correct, the executable is loaded as a service on start-up). I've excluded the detected exe at disk level but that does not help as it keeps detecting it in memory.

Support is suggesting disabling detection for unwanted programs as a whole and even adding the system folder to the exclusions list. Neither is satisfactory and, bluntly put, just bad advice from a security perspective.

There has been a time the manufacturer got ESET to remove this false detection but apparently it is back. I've been a paying customer for a very long time. Surely, you can remove this "threat" from being detected or fix the virus definitions?

Many thanks,
Jeroen

Arakasi, posted January 29, 2014:

Hi Jeroen,

I am taking a look at your software as a courtesy. First thing I have noticed up to bat! This application was just flagged as a Potentially Unsafe Application, not a Potentially Unwanted Application, while I was downloading.

From security perspective, un-checking 'unsafe' applications is not that much of a risk factor as you may think. Unsafe applications database contains a plethora of IT tools and Admin tools, that are not necessarily a threat, but possibly unsafe to the inexperienced user, if they do not understand what they are doing. I would agree with not disabling unwanted apps, because they are classified as toolbars, advertisements, and bloatware; but I can understand removing unsafe. Unsafe is not enabled by default and the user is not asked to use it at all, however a user is prompted for unwanted at the time of install, also not on by default.

After disabling unsafe applications, I was able to download the file with no errors, prompts, or flags from ESET at all, NO exclusions set by web on domain etc. I will analyze installation and operation from my perspective.

Arakasi, posted January 29, 2014:

I just installed the client in a sandbox, and I see NO true malicious activity. I will take a look at the server side later on. ESET gave no warnings or issues during client install. I have potentially unsafe applications allowed in ESET software.

Jeroen1000 (author), posted January 29, 2014 (edited):

Thank you Arakasi. I'll check what exactly it is being flagged as, as I thought it was being flagged as "unwanted" rather than as "unsafe". Do note it is flagged in Operating Memory and not whilst downloading, although I can easily try downloading it again and see what happens.

The application is quite safe, I've been using it for many years. The offending executable is called "rserver3.exe" with the file path in the "SysWOW64/rserver30/" folder (don't know why there is a path when the exe is in operating memory). So you need radmin server and not the client application.

It might, and I say might, be flagged because I have a version that does NOT display a tray icon (not for the wrong reasons:-))

Edit: flagged as unsafe indeed, not unwanted! You were right.

Marcos (Administrators), posted January 29, 2014:

Make sure the application is properly excluded from scanning.

Jeroen1000 (author), posted January 29, 2014:

I think it is properly excluded; however, I cannot exclude things from operating memory. I can give you remote access to check for yourself in case I missed something.

Marcos (Administrators), posted January 29, 2014:

Check out this demonstration video.

Radmin_mem_detection.mp4

Jeroen1000 (author), posted January 29, 2014 (edited):

Hi Marcos,

I've excluded a whole bunch:-) see the 2nd screenshot. But the startup-scanner keeps complaining (see the 1st screenshot).

Jeroen1000 (author), posted February 6, 2014:

Any more ideas? I'm not looking forward to using other software for this small issue. Can't the virus definitions be corrected?

Marcos (Administrators), posted February 6, 2014, marked as solution:

Excluding "C:\Windows\SysWOW64\rserver30\rserver3.exe" without the detection name should do the trick. We're investigating why it doesn't work with the detection name specified.

Jeroen1000 (author), posted February 17, 2014:

Hi Marcos, any idea as to when you can expect news on this topic?

Marcos (Administrators), posted February 18, 2014:

I have already provided a solution to your issue. Don't wait for a fix as this will take some time, but remove the exclusions with the detection name and add them manually, i.e. not from the yellow window shown when a potentially unwanted / unsafe application is detected.

Jeroen1000 (author), posted March 5, 2014:

Sorry, I had missed that solution! I've tried it and gave it a test run and it looks like the detections are no longer happening.

Many thanks!