“False” positive with AllapleRemover
I was troubleshooting a weird positive signature hit that AllapleRemover detected.
The weird thing was that the signature was found inside the nod32krn.exe process, which is the kernel process belonging to the NOD32 antivirus scanner (www.eset.com).
After checking out some dumps of the process memory it was quite easy to see what was causing the hits. The signatures themselves are solid and working. The problem was that when a new process is starting, NOD32 copies its file into memory and scans the process-to-be before letting it run. NOD32 didn’t flush that copied memory fast enough, if at all, which caused AllapleRemover to effectively detect itself inside the nod32krn.exe process :)
Even though I could build a kludge to bypass this, I won’t. I don’t feel any burning need to make the program complicated by fixing this kind of mishap. Allaple does _not_ inject itself anywhere, so if you get a hit on an anti-virus application, just let it drop :)
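As an added illustration (not AllapleRemover's code), the self-detection described above simulated in Python: a scanner whose literal pattern sits in its own image gets a hit when an AV copies that image into a buffer, while a scanner that keeps the pattern XOR-encoded and compares through the key never has the plaintext bytes in its image. The signature bytes, the key and the "images" are constructed placeholders.

```python
# Simulates the false positive from the post: an AV copies a starting process
# (here, the remover itself) into its own memory, and a memory scanner whose
# literal signature is embedded in that image then "finds" itself there.
# Mitigation shown: keep the pattern encoded and compare without decoding it.

# Constructed placeholder bytes; NOT a real Allaple signature.
PLAIN_SIGNATURE = bytes.fromhex("e8000000005b81eb")
XOR_KEY = 0x5A  # constructed key
ENCODED_SIGNATURE = bytes(b ^ XOR_KEY for b in PLAIN_SIGNATURE)


def scan_literal(region: bytes) -> list[int]:
    """Naive scanner: the literal pattern lives in the scanner's own image."""
    n = len(PLAIN_SIGNATURE)
    return [i for i in range(len(region) - n + 1) if region[i:i + n] == PLAIN_SIGNATURE]


def scan_encoded(region: bytes) -> list[int]:
    """Compares each candidate byte through the XOR key, so the plaintext
    pattern is never materialized and never lands in a copied image."""
    n = len(ENCODED_SIGNATURE)
    hits = []
    for i in range(len(region) - n + 1):
        if all((region[i + k] ^ XOR_KEY) == ENCODED_SIGNATURE[k] for k in range(n)):
            hits.append(i)
    return hits


def build_scanner_image(signature_blob: bytes) -> bytes:
    """Constructed stand-in for the remover's executable: filler 'code' bytes
    with the signature table embedded in the middle."""
    return b"\x55\x8b\xec" * 16 + signature_blob + b"\xc3" * 16


def av_copies_process(image: bytes) -> bytes:
    """Stand-in for the AV copying a process-to-be into its own memory
    (the NOD32 behaviour the post describes) and not flushing it."""
    return bytes(image)


def demo() -> dict:
    infected = b"\x90" * 8 + PLAIN_SIGNATURE + b"\x90" * 8  # constructed infected region
    naive_buf = av_copies_process(build_scanner_image(PLAIN_SIGNATURE))
    hardened_buf = av_copies_process(build_scanner_image(ENCODED_SIGNATURE))
    return {
        "literal_hits_infected": scan_literal(infected),   # real detection
        "literal_self_hit": scan_literal(naive_buf),        # the false positive
        "encoded_hits_infected": scan_encoded(infected),   # still detects
        "encoded_self_hit": scan_encoded(hardened_buf),     # no self-hit
    }
```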