SAS - all/nearly all FPs, I think?

Discussion in 'other anti-malware software' started by SG1, Aug 13, 2006.

Thread Status:
Not open for further replies.
  1. SG1

    SG1 Registered Member

    Joined:
    Jan 16, 2003
    Posts:
    430
    One of two screencaps:
     

    Attached Files:

  2. SG1

    SG1 Registered Member

    Joined:
    Jan 16, 2003
    Posts:
    430
    Second of two screencaps:
     

    Attached Files:

  3. Bubba

    Bubba Updates Team

    Joined:
    Apr 15, 2002
    Posts:
    11,271
    Would I assume correctly that SAS stands for SUPERAntiSpyware :doubt:

    As you may know....the 2 imrworldwide entries are associated with Red Sheriff/RedMeasure badware and the 2 diamondcs entries are associated with the Official home site of DiamondCS products....makers of Process Guard, Port Explorer....etc. Whether they are FP's would hinge on what other info could be shared in regards to how the finds were labeled ?

    If you have the DiamondCS entries in your Trusted Zone then yes I would say they are FP's.

    In regards to the imrworldwide entries....if one uses IE-Spyad, SpywareBlaster's Restricted Site protection, manually added that entry to IE's Restricted Zone etc,....then I would have to say yes they are FP's in regards to valid entries placed in the appropriate Internet Explorer location for Restricted Zone entries.

    Bubba
     
    Last edited: Aug 13, 2006
  4. SUPERAntiSpy

    SUPERAntiSpy Developer

    Joined:
    Mar 21, 2006
    Posts:
    1,088
    Hello - we are aware of a rare issue with ZoneMap Domains such as .com.au being detected incorrectly and this will be resolved in our next release which will occur shortly.

    I am sorry for any inconvenience this may have caused.

    Nick Skrepetos
    SUPERAntiSpyware.com
    http://www.superantispyware.com
     
  5. Bubba

    Bubba Updates Team

    Joined:
    Apr 15, 2002
    Posts:
    11,271
    An additional question would be what Definition Database Version are you showing via the program :doubt:

    As a test and to make doubly sure....I have now added imrworldwide.com.au as an IE Restricted Zone entry for the CurrentUser and the item was not flagged in either the HKCU or its associated HKU registry key....with the latest database update of Core Definitions 3050\Trace Definitions 1098

    However....on a hunch I then changed the HKUser imrworldwide.com.au entry from a 4 to a Dword value of 2 which then signifies a Trusted Zone entry and SAS did then flag that entry.

    Long way round the barn....I would suggest looking real close at what is or was the 4th user on that machine for possible malware infiltration :doubt:

    I would also suggest doing a registry search for ALL imrworldwide entries and verify that none of the Dword values that will be showing in the right hand section for those entries have a 0x00000002 Trusted Zone value entry.

    Bubba
     
    Last edited: Aug 13, 2006
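
The registry check suggested in the post above, as an added example that is not part of the original thread: it parses the text of a `.reg` export of the ZoneMap keys and reports every matching domain whose DWORD is 2 (Trusted sites) rather than 4 (Restricted sites). The function names, the sample export and the SID in it are constructed for illustration.

```python
import re

# Zone numbers Internet Explorer stores as DWORD data under ZoneMap.
ZONES = {0: "My Computer", 1: "Local intranet", 2: "Trusted sites",
         3: "Internet", 4: "Restricted sites"}

KEY_RE = re.compile(
    r"^\[(?P<root>.+?)\\Software\\Microsoft\\Windows\\CurrentVersion"
    r"\\Internet Settings\\ZoneMap\\Domains\\(?P<domain>[^\]]+)\]$", re.I)
VALUE_RE = re.compile(r'^"(?P<proto>[^"]+)"=dword:(?P<data>[0-9a-f]{8})$', re.I)

# Constructed sample in .reg export format; the SID is a made-up placeholder.
SAMPLE = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\imrworldwide.com.au]
"*"=dword:00000004

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\diamondcs.com.au]
"*"=dword:00000002

[HKEY_USERS\S-1-5-21-1111111111-2222222222-3333333333-1004\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\imrworldwide.com.au]
"*"=dword:00000002
'''

def parse_zonemap(reg_text):
    """Yield (root, host, protocol, zone) for each ZoneMap\\Domains DWORD."""
    current = None
    for line in reg_text.splitlines():
        line = line.strip()
        key = KEY_RE.match(line)
        if key:
            # A subkey below a domain is a subdomain: example.com\www -> www.example.com
            parts = key.group("domain").split("\\")
            current = (key.group("root"), ".".join(reversed(parts)))
        elif line.startswith("["):
            current = None          # some other registry key, ignore its values
        else:
            value = VALUE_RE.match(line)
            if value and current:
                yield current + (value.group("proto"), int(value.group("data"), 16))

def trusted_matches(reg_text, needle):
    """Entries whose host contains `needle` and that map to zone 2 (Trusted)."""
    return [e for e in parse_zonemap(reg_text)
            if needle.lower() in e[1].lower() and e[3] == 2]

if __name__ == "__main__":
    for root, host, proto, zone in trusted_matches(SAMPLE, "imrworldwide"):
        print(f"{root}: {host} [{proto}] is in zone {zone} ({ZONES[zone]})")
```
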
  6. SUPERAntiSpy

    SUPERAntiSpy Developer

    Joined:
    Mar 21, 2006
    Posts:
    1,088
    If you update to definitions Core : 3052 and Trace : 1099 or higher, those items won't be incorrectly detected.

    Please let me know if you have any problems, and thank you for taking the time to report the situation.

    Nick Skrepetos
    SUPERAntiSpyware.com
    http://www.superantispyware.com
     