NOD32 finds infections during free-space wipe

spy1

Can't figure this one out. It only happens rarely.

When running an Eraser free space wipe on C drive (which is the only drive on here, BTW, other than the CD, floppy and DVD drives, of course) un-attended (I run it nightly), NOD32 will sometimes alert on something found in Eraser's "temp" folder.

Please see this thread: http://www.wilderssecurity.com/showthre ... post601404 for details.

Does Eraser "un-pack" the things it finds in one's free-space?

Or, do you have any other theories/explanations for what I'm seeing here?

Running XP Pro here, totally updated. TIA. Pete
 
If Eraser is using the temp folder to write GBs of random strings, could it be doing the "given enough time, a chimpanzee at a typewriter could produce the works of Shakespeare" bit and managing to occasionally create a string that resembles a virus?
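The random-collision idea in the post above can be put into numbers. This Python sketch is an added example, not part of the original thread; it assumes uniformly random wipe data and exact, fixed byte-string signatures, which simplifies how a real scanner matches.

```python
import random

def expected_hits(n_bytes: int, sig_len: int) -> float:
    """Expected occurrences of ONE fixed sig_len-byte pattern in n_bytes
    of uniformly random data: one chance in 256**sig_len per offset."""
    positions = max(n_bytes - sig_len + 1, 0)
    return positions / 256 ** sig_len

def longest_likely_signature(n_bytes: int, threshold: float = 1.0) -> int:
    """Longest exact signature (in bytes) still expected to appear at
    least `threshold` times by chance in n_bytes of random data."""
    k = 0
    while expected_hits(n_bytes, k + 1) >= threshold:
        k += 1
    return k

def count_hits(data: bytes, sig: bytes) -> int:
    """Count occurrences of sig in data, overlapping matches included."""
    hits, pos = 0, data.find(sig)
    while pos != -1:
        hits += 1
        pos = data.find(sig, pos + 1)
    return hits

def simulate(n_bytes: int, sig: bytes, seed: int = 1) -> int:
    """Generate n_bytes of seeded pseudorandom data (a constructed
    stand-in for one wipe pass) and count chance matches of sig."""
    rng = random.Random(seed)
    data = rng.getrandbits(8 * n_bytes).to_bytes(n_bytes, "little")
    return count_hits(data, sig)

if __name__ == "__main__":
    GIB = 2 ** 30
    free_space = 40 * GIB  # constructed figure, not taken from the thread
    for k in (2, 4, 8, 16):
        print(f"{k:2d}-byte pattern: {expected_hits(free_space, k):.3g} expected hits")
    print("longest pattern likely to appear once:",
          longest_likely_signature(free_space), "bytes")
    # Sanity check of the formula on 4 MiB with a 2-byte pattern (~64 expected)
    print("simulated 2-byte hits in 4 MiB:", simulate(4 * 2 ** 20, b"\x4d\x5a"))
```

Under these assumptions a chance match is only plausible for patterns of a few bytes; an exact pattern of 8 bytes or more is not expected to appear even once in tens of GB of random data.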
 
Nothing would surprise me, Glenn.

Other than Eraser "un-packing" something before over-writing it, I simply don't know what else could be causing the alert (I already know there's nothing bad within Eraser itself - hell, I've been using it for years).

Thanks for your response. I'm not hearing anything from the other thread I've got going on this in the NOD32 forum, either.

Such is life.

Happy Thanksgiving! Pete
 
Still happening, BTW:

1/21/2006 8:27:24 AM - AMON - File system monitor Threat Alert triggered on STEVEN-KDHP68D1: F:\~ERAFSWD.TMP\7AG1PA8F.HTT is infected with probably a variant of BAT/Bomgen.G virus.
 
Are you using a custom pattern? If not, try creating one; this should improve things. If you are, then perhaps you have created a 'valid' virus pattern?

We use NOD here and it is quite prone to give false positives. Saying that, I think it is the best one out there.

Garrett
 
No, I'm not using a custom pattern, just a simple "Pseudorandom Data" (1 pass) with all three "Overwrite" options checked. I've only gotten two "Alerts" so far this year:

Time: 1/14/2006 8:17:41 AM
Module: AMON
Object: file
Name: F:\~ERAFSWD.TMP\8RI0IC91.REG
Threat: probably a variant of VBS/RotsPort.A trojan
Action: quarantined - deleted
User: STEVEN-KDHP68D1\spy1
Information: Event occurred on a new file created by the application: F:\Program Files\Eraser\eraser.exe. The file was moved to quarantine. You may close this window.

Time: 1/21/2006 8:27:24 AM
Module: AMON
Object: file
Name: F:\~ERAFSWD.TMP\7AG1PA8F.HTT
Threat: probably a variant of BAT/Bomgen.G virus
Action: quarantined - deleted
User: STEVEN-KDHP68D1\spy1
Information: Event occurred on a new file created by the application: F:\Program Files\Eraser\eraser.exe. The file was moved to quarantine. You may close this window.


I'm positive it really doesn't have anything to do with Eraser itself - I'm basically making these posts to alert other NOD32 users to the F/P issue. It would be nice if they could at least explain to me why it's happening (although getting whatever it is fixed would be nice, too). Pete
 