SAS false positives?

Discussion in 'other anti-malware software' started by MikeBCda, Apr 18, 2010.

Thread Status:
Not open for further replies.
  1. MikeBCda

    This seemed to be the most appropriate home for this -- if the mods feel otherwise, by all means feel free to move it wherever appropriate.

    Is it just me, or is SAS (I've got the free version) starting to get heavy on FP's? I usually do a quick scan over the weekend, and on 2 of the last 3 it flagged supposed trojans in a number of files relating to two apps that have been on my system for years. Different trojans each time, but the same one for all such files in each case.

    Neither avast nor MBAM found anything, and (the first time, anyway) I even submitted all such files to both Jotti and VirusTotal, and both came back totally "nothing found". So I submitted a FP report to SAS along with a zipped set of the files, and they obviously agreed because updated defs last weekend found nothing. But they're supposedly back again with yesterday's defs.

    I'm seriously considering ditching SAS and keeping just avast and MBAM, under the circumstances, especially considering SAS includes a rather huge database of OK (I presume) apps which I'd just as soon get rid of. Any thoughts as to whether I'd still have reasonably good protection?
     
  2. MikeBCda

    As a follow-up ... I'd also posted this over at avast, and one regular there said he's never had any problem with FPs from SAS in years. Incidentally, what SAS supposedly found was Trojan.Agent/Gen-Krpytik in two files.

    Next step was to google the trojan's name, and interestingly, most of the top hits were from the SAS forums. Apparently this particular one was already reported by others as a FP, and today's def updates corrected that.

    Even more interesting, in the same topic there was also at least one post commenting on the unusual number of SAS FPs over the last 2 or 3 weeks, the same time period as I encountered this. So that seems to answer my first question, and leaves open the second one, about how much I'd risk if I decided to drop SAS from my defenses. MBAM seems to be widely believed to offer better and broader protection anyway.
     
  3. Watasha

    First off Avast and SAS are a bit like apples & oranges. Secondly, you're basing this FP thing on the assumption that MBAM is the be-all end-all malware scanner. I use both SAS & MBAM and believe in the layered approach that they provide.

    Third, you posted this at Avast and Wilders.....why not here?:

    http://forums.superantispyware.com/
     
  4. BoerenkoolMetWorst

    So the last few weeks they have a lot of FP's, big deal, in a few weeks it'll probably also be over. Also are you using SAS realtime or on demand? If realtime you could just disable it for a while and if on demand, just don't use it for a while, or ignore the FP's.
     
  5. MikeBCda

    As noted in my original post, I've got the free version of SAS, no resident protection (same for MBAM). Typically I'll do a quick scan with each once a week, and without resident protection there's no need to update defs daily (hopefully someday they'll figure out incremental updates), so I do that just before scanning.

    (Edit) @ Watasha: I don't understand your apples-and-oranges comment ... I didn't bring up avast's protection at all, just the fact that I'd also posted there because (like here) many members use SAS and might have run into the same problem. I didn't post at SAS because by the time I got there, it was clear that there'd already been a fair bit of discussion about this, including the specific FP, so I didn't really have anything to add.
     
    Last edited: Apr 20, 2010