False Positives W32.generic.ethos

[Richard1Mosse]

I have had this problem with suspected false positives (W32.Generic.Ethos) before a few times, but it did not affect my computer and I have little time so I left them alone. I now have had 7 in the past 3 days, I would like to upload them via the false positive page but zipping them, then uploading takes time and effort. I will get round to it eventually.

 

I would like to make a suggestion to enhance the interface of the Immunet application. It would be great to have an automatic way of uploading and zipping items in the quarantine area that are likely to be false positives - this would make everything so much easier. It would also be nice to be able to copy (and paste) the string in the quarantine file.

 

I have a feeling that the likely false positives I have had over the past few days are something to do with libre office (open office). What is more the strings are non existent and have an illogical structure.

[alfred]

I have had this problem with suspected false positives (W32.Generic.Ethos) before a few times, but it did not affect my computer and I have little time so I left them alone. I now have had 7 in the past 3 days, I would like to upload them via the false positive page but zipping them, then uploading takes time and effort. I will get round to it eventually.

 

I would like to make a suggestion to enhance the interface of the Immunet application. It would be great to have an automatic way of uploading and zipping items in the quarantine area that are likely to be false positives - this would make everything so much easier.

I have a feeling that the likely false positives I have had over the past few days are something to do with libre office (open office).

 

It would also be nice to be able to copy (and paste) the string in the quarantine file.

 

 

Rich,

 

We do need to improve this. If you give me a the app names and the OS you are installing on and even better, the URL you got them from I will grab them and fix the issues. If it's Open Office I would concur it's likely an FP. You can also send me a support snapshot which is fairly painless:

 

http://support.immunet.com/tiki-read_article.php?articleId=10

 

From that snapshot I will be able to review the FP's. You can send them to alfred@immunet.com

 

Best,

al

[Guest Tom]

I am having the same issue, a suspected false positive W32 Generic Ethos, with Mind Manager, a mind mapping program from Mind Jet.

 

This is built on a .net framework, and I suspect this is the issue.

 

I have never had any other anti-virus/malware/etc. program flag anything from Mind Jet.

 

This is frustrating and unnecessary.

[Guest Adrian]

I have had the same issue every time I open Outlook 2010 on Windows 7 professional.

 

It just started happening int he past few days since I upgraded to the new version.

[dariovolaric]

I work a lot with FlashDevelop (3.3.0), and every time I start it, I get a W32.Generic.ETHOS warning. FlashDevelop seems to create a random named dll file in the temp directory on every startup and ETHOS detects this as malware. I have tried to exclude the threat name, but no luck. So far the only thing that makes this stop is to disable the ETHOS engine.

[Guest Kurt Thomas]

Same here. I have Microsoft Office Labs Forgotten Attachment Detector installed (http://www.officelabs.com/projects/forgottenattachmentdetector/Pages/default.aspx), which is an addin to Outlook. When Outlook is started, or the addin dis-, then reenabled, a DLL with a random name is created in the ...AppData/Local/Temp directory, because .NET dynamically compiles it. This DLL is then classified by Immunet Protect as W32.generic.ethos. NOD32 says the file is fine. OS is Vista.

 

I would also support Rich M's suggestion of a more direct way to send suspected false positives to Immunet.

[alfred]

Same here. I have Microsoft Office Labs Forgotten Attachment Detector installed (http://www.officelabs.com/projects/forgottenattachmentdetector/Pages/default.aspx), which is an addin to Outlook. When Outlook is started, or the addin dis-, then reenabled, a DLL with a random name is created in the ...AppData/Local/Temp directory, because .NET dynamically compiles it. This DLL is then classified by Immunet Protect as W32.generic.ethos. NOD32 says the file is fine. OS is Vista.

 

I would also support Rich M's suggestion of a more direct way to send suspected false positives to Immunet.

 

 

Hmm, something to keep in mind here guys (other than the detection is obviously being too aggressive) is that if you roll it our of Quarantine we do get a report of it. We do work to try to fix them. if it does not get fixed post the URL here and we will fix it ASAP.

 

al

[Guest Jimmy Jenkins]

The W32.Generic.Ethos detection notice started appearing on Nov 17th and continues everytime I connect to the internet. The notice also says the quarintine was successful. Well, if it is successful why is it showing up as a detection everytime I connect? What exactly is W32.Generic.Ethos?

Each time the only thing that changes in the File Path is the last part: c:\users\clarion47\AppData\Temp\(fill in below files)--these are the last 4 I have received at connection time:

 

b1womckq.dll

or

vj0-zqn7.dll

or

2dnw-qpy.dll

or

6vecudff.dll

 

Please advise.

[dariovolaric]

I believe it has something to do with the .NET framework. It creates random named .dll files for certain applications that use the .NET framework.

[alfred]

The W32.Generic.Ethos detection notice started appearing on Nov 17th and continues everytime I connect to the internet. The notice also says the quarintine was successful. Well, if it is successful why is it showing up as a detection everytime I connect? What exactly is W32.Generic.Ethos?

Each time the only thing that changes in the File Path is the last part: c:\users\clarion47\AppData\Temp\(fill in below files)--these are the last 4 I have received at connection time:

 

b1womckq.dll

or

vj0-zqn7.dll

or

2dnw-qpy.dll

or

6vecudff.dll

 

Please advise.

 

It certainly looks like one of the ETHOS detections is broadly colliding with whatever .NET app is generating those temp files. If you can get one (by rolling it out of Quarantine) and post it here I can have a closer look at it.

 

al

[dariovolaric]

Oddly enough the false positives on the random .NET dll files seem to have stopped for me. I have enable the ETHOS engine again and no warnings when I run FlashDevelop. Wohoo! Anyone else still having problems? The only issue I have left with Immunet Pro (Tetra engine activated) is that is tends to scan huge files as well (example when renaming movies). Excluding movie files did not seem to help. Also the shutdown of my machine seems to be slower than usual. Would be better if you could set it not to scan huge files or scan only code executable files and perhaps something that prevents re-scanning the same file again if it was scanned before.

[Richard1Mosse]

Rich,

 

We do need to improve this. If you give me a the app names and the OS you are installing on and even better, the URL you got them from I will grab them and fix the issues. If it's Open Office I would concur it's likely an FP. You can also send me a support snapshot which is fairly painless:

 

http://support.immunet.com/tiki-read_article.php?articleId=10

 

From that snapshot I will be able to review the FP's. You can send them to alfred@immunet.com

 

Best,

al

[Richard1Mosse]

Thank you,

Since this happened, I installed Comodo Disk Encryption, a BIG mistake (it seems to freeze all Windows 7 (64bit?) computers), so ironically, I do not have the problems any more as I am back using the disk image I made in October. I am 90% sure it was Libre Office though as I can not think of any installations I made after the disk image was made!!