KNOWLEDGEBASE - ARTICLE #1433

The NOD32 virus scanner briefly said that Prism 5.02 was infected, but it was a false positive report.

The "problem"

Using the wonderful VirusTotal service, we tested Prism 5.02 with 39 virus scanners on Feb 3, 2009. Of these, 38 said prism.exe was clean. These included up-to-date versions of Norton, McAfee, Microsoft and AVG. But one reported a problem.

Here is the full report from VirusTotal. The NOD32 antivirus program (version 3821 2009.02.03) reports that Prism.exe (5.02, full program and demo) is probably infected with a variant of Win32/Genetik. According to NOD:

"The label Win32/Genetik is used to indicate files that have been detected as being malicious by a technique implemented in NOD32 and ESET Smart Security, using advanced heuristics to take advantage of the knowledge accumulated over years in our database of generic signatures. Files flagged by this name are detected proactively: once they have been analyzed by our virus lab, labeling may be updated to a more specific name."

In plain language, the file doesn't match any virus they know of, but it sort of kind of seems like it might be a bit similar... This kind of detection is essential for catching viruses that don't yet exist, but it can also lead to false positives.

Why we are 100% sure this is a false positive report

We are quite sure Prism is virus free for three reasons:

  • The report of "Win32/Genetik" is a common false positive (Google for it).
  • All other anti-virus scanners found the files to be clean, including Norton and McAfee.
  • The programmers were able to modify Prism to prevent the 'virus' report, and then modify it again to bring back the report. The relevant part of the program is where GraphPad Prism 'talks' to GraphPad StatMate (this code was updated in Prism 5.02). This code has been carefully reviewed, and it is trouble-free. The messages (Win API calls) between programs must have triggered the false alarm in the NOD scanner.

Update!!

One day after we reported this problem, ESET (the company that makes the NOD32 system) acknowledged the issue, and by the second day had fixed their scanner (version 3831) so it no longer detects Prism.exe as infected. On Feb 5, 2009, all 39 scanners used by VirusTotal report that prism.exe is clean. 