We’re quite proud of our record of low false positive rates, despite the occasional slip-up (all AV scanners have them: it’s an unfortunate fact of life, but we like to think that our usefulness in detecting real malware outweighs them in the long term).
However, I’ve just been advised by our friends at Sophos (yes, AV researchers do talk to each other, very amicably sometimes…) that NOD32 is generating a false positive when it scans one of their executable files. (I just checked: it does trip that heuristic.) The problem is being looked at, and I’ll post a note here when it’s fixed. In the meantime, you may be surprised to learn that I’m not going to tell you which file it is. That’s because if I tell you that namelessbinary.exe is actually not infected, some cleverclogs malware author may decide to generate a malicious file with the same name.
So, in the meantime, if you find yourself using NOD32 to scan a machine with Sophos installed, and it tells you one of the files is infected, be aware that it might be a false alarm, but don’t assume it is. I’m sure our user support team will be happy to advise you further.
Malware Intelligence Team
Author David Harley, ESET