Topic: SuperAntiSpyware Process in Memory Test - False Positive?


jsk

  • Guest
SuperAntiSpyware Process in Memory Test - False Positive?
« on: May 12, 2010, 06:26:25 AM »
Hi, and thanks in advance for any help.

I'm using Avast 5.0.545 and SuperAntiSpyware 4.37.1000 on a Windows Vista Home Premium x64 system.  I am getting positives for some trojans/worms when testing memory with Avast, and the only process associated is SAS.  No files are detected as being infected, nor are rootkits, etc.  When I exit SAS, the memory detections also disappear.

I've looked through the forums and it seems that there have been false positives before with SAS.  The general idea I have gleaned is that Avast is finding signatures that SAS, itself, uses to test my system.  However, there does not seem to be an authoritative and complete explanation.

Is there any way to be certain that these are false positives?  That is, is there any way to be sure that I do not have some hidden infection that is set to use SAS as a vector for attack?

Offline Milos

  • Avast team
  • Super Poster
  • *
  • Posts: 2294
Re: SuperAntiSpyware Process in Memory Test - False Positive?
« Reply #1 on: May 12, 2010, 10:13:39 AM »

Quote from: jsk
I've looked through the forums and it seems that there have been false positives before with SAS.  The general idea I have gleaned is that Avast is finding signatures that SAS, itself, uses to test my system.  However, there does not seem to be an authoritative and complete explanation.


Hello
Quote
However, there does not seem to be an authoritative and complete explanation.
Why do you think that?

Milos

Offline Lisandro

  • Avast team
  • Certainly Bot
  • *
  • Posts: 67194
Re: SuperAntiSpyware Process in Memory Test - False Positive?
« Reply #2 on: May 12, 2010, 01:41:19 PM »
If any security program does not encrypt their signatures, they will be detected by other security programs in the memory...
The best things in life are free.

Hermite15

  • Guest
Re: SuperAntiSpyware Process in Memory Test - False Positive?
« Reply #3 on: May 12, 2010, 01:45:19 PM »
I've had an FP with SAS (from an avast scan) a while ago, was solved with an SAS update. I can't check now, don't have SAS installed anymore.

jsk

  • Guest
Re: SuperAntiSpyware Process in Memory Test - False Positive?
« Reply #4 on: May 12, 2010, 03:09:44 PM »

Quote from: Milos
Quote from: jsk
I've looked through the forums and it seems that there have been false positives before with SAS.  The general idea I have gleaned is that Avast is finding signatures that SAS, itself, uses to test my system.  However, there does not seem to be an authoritative and complete explanation.


Hello
Quote
However, there does not seem to be an authoritative and complete explanation.
Why do you think that?

Milos
Hi Milos,

I think that because there does not seem to be a post from an Avast team member that says something along the lines of, "Yes. These are confirmed false positives and well known for SAS version 4.37.1000 [or SAS versions after X.XX.XXXX].  This can be independently confirmed here: [other thread on the subject, perhaps at the SAS support forum]."  That would be both authoritative (Avast team) and somewhat complete (more than just "Yes").

I don't expect a white paper, but I hope for something that would make a user comfortable in ignoring these particular Avast results.  Each program is popular enough that there should be many systems that have both installed, and since I don't see too many recent posts on the matter (Avast finding things only in memory for SAS) it remains a concern that my system might be compromised.

jsk

  • Guest
Re: SuperAntiSpyware Process in Memory Test - False Positive?
« Reply #5 on: May 12, 2010, 03:14:12 PM »
Quote from: Lisandro
If any security program does not encrypt their signatures, they will be detected by other security programs in the memory...
Hi, Tech.

Encryption (and lack of it) would make sense.  I wonder why SAS might encrypt the signatures on the disk but not in memory.  Can this be confirmed for the most recent version of SAS so that users of both Avast and SAS could know they might safely ignore the detections?

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89129
  • No support PMs thanks
Re: SuperAntiSpyware Process in Memory Test - False Positive?
« Reply #6 on: May 12, 2010, 04:22:39 PM »
You haven't said what scan found them, or if you have made any changes to those default scan settings?

I use SAS Pro and none of my scans detect any malware in memory associated with superantispyware.exe; presumably you are also using the SAS Pro version?

-- Ignore Virus Targeting
Quote
In general, any security application can load some signatures (fragments of malicious code used to detect the real threats) into memory - they are located in data segments (instead of executable code). With "Ignore virus targeting" option enabled avast! can detect these harmless fragments.

These items in scan results are not the files but the virus is detected in memory allocated to security_program_name.exe process - because of this no action is available.

I don't have the option Ignore virus targeting selected (it isn't by default) and have just run a QuickStartupMem (startup items and memory) scan and no detections, image2. I just ran a second QuickStartupMem this time with the Ignore Virus targeting option checked and still no detections.
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 24.4.6112 (build 24.4.9067.762) UI 1.0.803/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security

jsk

  • Guest
Re: SuperAntiSpyware Process in Memory Test - False Positive?
« Reply #7 on: May 13, 2010, 12:02:08 AM »
Thanks, DavidR.

Here's what I was running from Avast user interface/Scan Now:

test (name of scan)
Scan Areas: Memory
File Types: Scan all files checked
Sensitivity: High
Use code emulation: No
Test whole files: Yes
Ignore virus targeting: Yes
Scan for PUPs: Yes
Follow links: Yes
All packers: Yes
Automatically apply actions: No
If necessary, ... at next system restart: Yes
Try to remove from archive; otherwise do nothing
Priority: High
Persistent Cache: No/No
No exclusions

Some of this might not matter, I know.  I left out reporting/scheduling, presuming these have no impact.

The results I get are:

*PROCESS\4d8\superantispyware.exe\5230000\990000 | High | Threat: Win32:Vundo-gen61 [Adw]
*PROCESS\4d8\superantispyware.exe\17140000\400000 | High | Threat: Win32:Wimpixo [Trj]
*PROCESS\4d8\superantispyware.exe\18910000\800000 | High | Threat: Win32:Autorun-AKO [Wrm]
*PROCESS\4d8\superantispyware.exe\1a0e0000\8f5000 | High | Threat: Win32:Cutwail-T [Trj]

If I uncheck "Ignore virus targeting," then these threats are not reported.
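The four result lines above all point at one process and differ only in the memory region and the family name. A small parser makes that triage explicit. This is an added example, not code from the thread or from avast; the field layout `*PROCESS\<pid hex>\<image>\<region base hex>\<region size hex>` is my reading of the lines, not documented on the page, and the list of known security-product images is constructed for the example.

```python
import re
from collections import defaultdict

# Constructed sample input: the four result lines quoted in the post above.
SAMPLE_RESULTS = r"""
*PROCESS\4d8\superantispyware.exe\5230000\990000 | High | Threat: Win32:Vundo-gen61 [Adw]
*PROCESS\4d8\superantispyware.exe\17140000\400000 | High | Threat: Win32:Wimpixo [Trj]
*PROCESS\4d8\superantispyware.exe\18910000\800000 | High | Threat: Win32:Autorun-AKO [Wrm]
*PROCESS\4d8\superantispyware.exe\1a0e0000\8f5000 | High | Threat: Win32:Cutwail-T [Trj]
"""

# Assumed layout of an avast memory-scan result line (inferred from the sample, not documented):
#   *PROCESS\<pid hex>\<image name>\<region base hex>\<region size hex> | <severity> | Threat: <name>
LINE_RE = re.compile(
    r"^\*PROCESS\\(?P<pid>[0-9a-f]+)\\(?P<image>[^\\|]+)\\(?P<base>[0-9a-f]+)\\(?P<size>[0-9a-f]+)"
    r"\s*\|\s*(?P<severity>\w+)\s*\|\s*Threat:\s*(?P<threat>.+?)\s*$",
    re.IGNORECASE,
)

# Constructed allow-list for this example; a real deployment would use a vetted list.
KNOWN_SECURITY_IMAGES = {"superantispyware.exe"}


def parse_results(text):
    """Turn result lines into dicts with numeric pid/base/size; skips non-matching lines."""
    hits = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        hits.append({
            "pid": int(m["pid"], 16),
            "image": m["image"].lower(),
            "base": int(m["base"], 16),
            "size": int(m["size"], 16),
            "severity": m["severity"],
            "threat": m["threat"],
        })
    return hits


def triage(hits):
    """Group hits by (pid, image). Several unrelated families reported inside one
    security product's process, in distinct non-overlapping regions and with no
    file detections behind them, is the shape of a plaintext signature table rather
    than a running infection. The flag is a triage hint, not proof."""
    by_proc = defaultdict(list)
    for h in hits:
        by_proc[(h["pid"], h["image"])].append(h)
    report = {}
    for key, hs in by_proc.items():
        spans = sorted((h["base"], h["base"] + h["size"]) for h in hs)
        overlapping = any(spans[i][1] > spans[i + 1][0] for i in range(len(spans) - 1))
        families = sorted({h["threat"] for h in hs})
        report[key] = {
            "hits": len(hs),
            "families": families,
            "overlapping_regions": overlapping,
            "likely_signature_fp": key[1] in KNOWN_SECURITY_IMAGES
            and len(families) > 1
            and not overlapping,
        }
    return report


if __name__ == "__main__":
    for (pid, image), info in triage(parse_results(SAMPLE_RESULTS)).items():
        print(f"pid {pid} ({image}): {info}")
```

The decisive confirmation is still the one the poster already performed: exit the product, rescan memory, and see the detections vanish; then rescan after the product's next definition update, since that is what cleared the earlier FP mentioned in the thread.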

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89129
  • No support PMs thanks
Re: SuperAntiSpyware Process in Memory Test - False Positive?
« Reply #8 on: May 13, 2010, 12:55:14 AM »
I'm still not sure what scan you did to have applied all those changes.
All of the default scans have names; which one did you use and modify (or did you create a custom scan)? Many of those settings are not enabled.

As I said, I ran QuickStartupMem scans with the sensitivity set to High and Ignore Virus targeting set, yet I didn't get any alerts, so whilst the Ignore virus targeting has the side effect of finding virus signature files in memory, there must in this case be other options that you have set to have got an alert when I didn't.

I really don't know where to start as the changes you have made are many and I don't know what combination with the Ignore virus targeting would have triggered it. Since there is no restore defaults I'm loath to go playing with all the combinations to get to the bottom of it and then try to set everything back as it was.

jsk

  • Guest
Re: SuperAntiSpyware Process in Memory Test - False Positive?
« Reply #9 on: May 13, 2010, 01:56:16 AM »
DavidR,

This was a custom scan -- thus the name "test."  If one creates a custom scan, one can alter the settings for that scan as I described above without worrying about interfering with the settings of the standard scans.  Thanks for the input.  I still wonder why SAS would hold these signatures in memory in an unencrypted form.  Perhaps they represent threats that SAS considers the most active on the net, and the program keeps the associated signatures "at the ready" to combat them.

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89129
  • No support PMs thanks
Re: SuperAntiSpyware Process in Memory Test - False Positive?
« Reply #10 on: May 13, 2010, 02:15:45 AM »
Some other security applications also do; Windows Defender is one, and I'm not sure if MBAM also does. Effectively, by loading the signature files into memory it speeds up any scan, although it can cause some concern where resident AVs scan memory.

The Ignore Virus Targeting discloses this particular bad habit. For me the actual naming of this option is very poor as many would think that it would actually ignore something when in fact it scans more deeply.

Quote from: Extract from the avast help file.
Ignore virus targeting - if this box is checked, all files will be tested against all of the current virus definitions. If it is not checked, files will be tested only against those viruses that target the particular type of file, for example, the program will not look for viruses that normally affect files with a ".exe" extension, in files with a ".com" extension.
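Lisandro's point that unencrypted signatures get picked up by other scanners, and the help-file description of "Ignore virus targeting" quoted above, can both be shown with a toy model. This is an added example, not avast's or SuperAntiSpyware's code: the signature bytes are arbitrary constructed values, the XOR mask stands in for whatever encoding a real product uses, and modelling "targeting" as a match between a signature's target type and a region type is an assumption drawn from the help text.

```python
# Constructed signature table: name -> (pattern bytes, file type the signature targets).
# The patterns are made-up bytes for this example, not real malware signatures.
SIGNATURES = {
    "Sample-A [Trj]": (b"\xde\xad\xbe\xef\x13\x37", "exe"),
    "Sample-B [Wrm]": (b"\x90\x90\xcc\xcc\x41\x42\x43", "com"),
}


def scan_region(buf, region_type, signatures, ignore_targeting=False):
    """Toy resident scanner over one memory region.
    With targeting honoured, only signatures whose target matches the region type
    are tried; with ignore_targeting=True every signature is tried against every
    region, which is how the quoted help text describes the avast option
    (modelled here as an assumption, not avast's actual logic)."""
    names = []
    for name, (pattern, target) in signatures.items():
        if not ignore_targeting and target != region_type:
            continue
        if pattern in buf:
            names.append(name)
    return sorted(names)


def plaintext_table(signatures):
    """A product that keeps its signature table as raw bytes in a data segment."""
    return b"".join(pattern for pattern, _ in signatures.values())


def xor_mask(blob, key):
    """Symmetric XOR mask: applying it twice restores the original bytes.
    Stand-in for a real product's encoding; the raw patterns never sit in memory."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(blob))


def process_image(data_segment):
    """Constructed process memory: code-like filler around a data segment.
    The filler is a rising byte sequence, so it cannot contain either pattern."""
    filler = bytes(range(256)) * 4
    return filler + data_segment + filler


def demo():
    key = b"\x5a\xa5\x3c"  # constructed per-process key
    table = plaintext_table(SIGNATURES)
    plain = process_image(table)
    masked = process_image(xor_mask(table, key))
    results = {
        # A data segment is not an exe/com file, so targeted scanning skips it.
        "plain, targeting honoured": scan_region(plain, "data", SIGNATURES),
        # Ignoring targeting tries every signature and finds the raw table.
        "plain, ignore targeting": scan_region(plain, "data", SIGNATURES, ignore_targeting=True),
        # With the table masked there is nothing for another scanner to match.
        "masked, ignore targeting": scan_region(masked, "data", SIGNATURES, ignore_targeting=True),
        # The owning product still recovers its patterns by unmasking on demand.
        "unmask ok": xor_mask(xor_mask(table, key), key) == table,
    }
    return results


if __name__ == "__main__":
    for label, value in demo().items():
        print(f"{label}: {value}")
```

The model answers both questions in the thread: a plaintext table is invisible to a scan that honours targeting and visible to one that does not, and masking the table in memory removes the false positive without costing the owning product anything beyond an unmask step.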