nvusmb.exe (NVIDIA product) is detected as a virus.
Name of Detection : Heur.Suspicious@19764987
CIS database number : 1192
I am wondering if it is a virus. If it is a virus what should I do?
Hi Rexdoron,
We will get back to you after investigation
Regards
-Chandra Mohan
Ok. Thanks.
Hi Rexdoron,
We have fixed mentioned FP.
Please verify with DB 1210.
Regards,
-Chandra Mohan
I just got the same false positive on the same file:
C:\windows\system32\nvusmb.exe
File size: 176,128 bytes
File mod datetime: 9/28/2005 07:08:08 AM
Detected as: Heur.Suspicious@24965913
My AV definitions are current as of today (6/25/2009) as of 10 minutes ago.
Windows Defender found no problems in a full system scan with current (as of today) definitions. Combined with the FP history above, this is almost certainly an FP, so I told Comodo AV to permanently ignore this file. Does that sounds reasonable?
Can someone fix these heuristics? I’ve been getting other false positives too. Should I just shut off “heuristics” entirely until its problems are eventually fixed?
Thanks.
Now Comodo is finding “Heur.Suspicious” files in the form of Axxxxxxx.exe (where x’s are digits) in my C:\System Volume Information restore directories. It’s done this before a few times.
Right now it’s finding all this stuff in On-Access mode, while another product is scanning the system (and thus causing accesses).
I’m really tempted to turn off Comodo AV’s heuristics, and just let it rely on definitions, to avoid these problems. It’s been a reasonable number of FP’s up till now, but I’ve had a half-dozen today alone.
Actually, I reviewed my logs and my system, and it turns out that ALL the detections of Axxxxxxx.exe files (where x’s are digits) in my C:\System Volume Information restore directories were actually just copies of C:\windows\system32\nvusmb.exe with different names. Same bytecount, same description (NVIDIA Uninstaller, etc.)
So, there’s really only one issue, the rest are copies.
I ran the file through camas.comodo.com and it came back saying SUSPICIOUS ACTIONS DETECTED, and listed them as:
Copies self to other locations
Creates files in windows system directory
It shows FILES CREATED as:
C:\WINDOWS\system32\sample.exe
and also shows a Windows API call that uses C:\TEST\sample.exe.
This may all be normal for this file, though… perhaps NVIDIA made it that way.
Anyway, hope this info helps. I can post the camas.comodo.com full details if that’ll help. Thanks.
I just ran this file through www.virscan.org and out of 38 virus scanning engines, only 1, Comodo AV, found anything wrong with it (and only Heur.Suspicious).
Therefore, I think I’m safe in concluding that it’s certainly a false positive. I’ve added it (and its restore copies) to my Comodo AV permanent exclude list. Hope this info helps fix the FP in near-future engine updates.
Hi,puddingpants
We are going to have a look at it and will get back to you after investigation.
Btw,the other FPS,you can uploade the link:Comodo Firewall | Get Best Personal Firewall Software for $29.99 A Year
Thanks
Shaogang.He
Hi,puddingpants
This false-positive has been fixed. Please check in virus signature database 1425
Thanks
Shaogang.He
I have virus signature database 1448 now. I just re-scanned that file, and now it comes out clean.
Thanks for the fast fix! Much appreciated!
I just got the same false positive on the same file this morning
heur.suspicious C:\windows\system32\nvusmb.exe
My system has flagged this up as a virus Heur.Suspicious
but my signature database is 2294
comodo also detects Heur.Suspicious on a backup of the file made from a backup of the system which had not connected to the Internet and was a clean install.
Other virus checkers say that the file is clean
Should I submit this file to see whether it is a false positive or do I need to update my signatures.
However comodo says that no fresher updates are available.
Hi ,
This sample was not detected by CIS 3.11.108364.552 DB 2298.If you can find the FP file,you can submit through this link:Comodo Firewall | Get Best Personal Firewall Software for $29.99 A Year we can go to have a look at it.
Thanks and regards,
hailong.■■■■