32 replies to this topic

[mikew_nt]

This morning I woke up to find that SAS had detected 3 registry threats. The only thing going on yesterday was I updated SAS to 4.36.1006.

The indication is System.BrokenFileAssociation, but there isn't much detail.

Just for background, this is a fairly new Windows7 system, and I have not installed or run anything like CCleaner or anything.

I've never seen SAS pick up anything like System.BrokenFileAssociation.


Is this a false positive or did I get malware somewhere?

If this is a false positive, should I restore these from quarantine?



SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 04/30/2010 at 00:25 AM

Application Version : 4.36.1006

Core Rules Database Version : 4870
Trace Rules Database Version: 2682

Scan type : Quick Scan
Total Scan Time : 00:25:39

Memory items scanned : 569
Memory threats detected : 0
Registry items scanned : 592
Registry threats detected : 3
File items scanned : 41812
File threats detected : 0

System.BrokenFileAssociation
HKCR\.exe
HKCR\.com
HKCR\exefile\shell\open\command

[mikew_nt]

Updates:

I restored once, and re-ran the scan. It found the same three items, so I did the false positive report while I was there.

Here is something interesting in that I opened regedit before and after the restore, and if we are talking about HKEY_CLASSES_ROOT, I saw no difference before or after in the registry keys.

Here is the other interesting thing. When I re-ran the quick scan, it immediately flagged 3 registry items while it was still scanning memory items. I hit Next rather than waiting for the scan, and quaranteened them. Just as additional information, SAS is not requesting to reboot after quaranteed.

Then I ran it again with the items quaranteened, and it gave me the exact same result! I can quaranteen again, rescan and it will give me the same 3 items again. I can probably do this to infinity and it will keep detecting and quaranteening.

I've already checked out my Event Viewer and I have no Errors or Warnings, I installed no other software yesterday, and the machine appears to be operating fine.

Is this a bug in the new engine?

[sparkler]

im getting the same as well after restoring windows and updating superspyware

[JMH]

Same result here on a Vista 64-bit system -
Have not quarantined as yet.

SAS Admin - Advice please!

[mikew_nt]

I have fully updated to 4874-2686 and this problem is still there.

Those registry values appear to be fairly important (!), and it is unclear to me what might happen if the machine were to reboot right now.

SAS Admin, can you please let us know what is up?

Can you also let us know if we need to restore those keys, or do anything special?

[geoff]

Thank you for taking the time to report this issue and the details surrounding it. We have disabled the detection of "System.BrokenFileAssociation" as of SAS Core Database Version 4875 (released a few moments ago). The rule, as you have seen, resulted in erroneous detections on certain systems, and our lead low-level developer is investigating. If you update your definition databases within the product, these registry keys will no longer be detected.

Thanks,

Geoff

[JMH]

Thank you for taking the time to report this issue and the details surrounding it. We have disabled the detection of "System.BrokenFileAssociation" as of SAS Core Database Version 4875 (released a few moments ago). The rule, as you have seen, resulted in erroneous detections on certain systems, and our lead low-level developer is investigating. If you update your definition databases within the product, these registry keys will no longer be detected.

Thanks,

Geoff

Your comments noted Geoff.
My suspicions confirmed.
Thanks for your prompt response.

[mark5scuba]

Thank you for taking the time to report this issue and the details surrounding it. We have disabled the detection of "System.BrokenFileAssociation" as of SAS Core Database Version 4875 (released a few moments ago). The rule, as you have seen, resulted in erroneous detections on certain systems, and our lead low-level developer is investigating. If you update your definition databases within the product, these registry keys will no longer be detected.

Thanks,

Geoff

I am having this problem now May 4, 2010 and have everything updated to latest versions. It just started this afternoon.

Mark

[geoff]

Hi mark5scuba,

Can you create a support ticket on our website requesting a SSI diagnostic in the problem description, making sure to mention that you are getting the System.BrokenFileAssociation detection? Also, please specify your OS in the problem description as well.

http://www.superanti...eateticket.html

Thanks,

Geoff

I am having this problem now May 4, 2010 and have everything updated to latest versions. It just started this afternoon.

Mark

[mark5scuba]

Hi mark5scuba,

Can you create a support ticket on our website requesting a SSI diagnostic in the problem description, making sure to mention that you are getting the System.BrokenFileAssociation detection? Also, please specify your OS in the problem description as well.

http://www.superanti...eateticket.html

Thanks,

Geoff

Geoff,

I installed the beta ver 4.90.1060 and the problem went away. My OS is Vista Ultimate 64bit on an MSI P55-GD65 with I7 860

Thanks,
Mark

[alan1476]

Exact same problem, I did as the above member did and the Broken file.System went away. OS is Vista 64bit Ultimate.

System.BrokenFileAssociation - I have no idea what it was, but I am happy its gone wit the new beta.

[hello its me]

I too am getting the System.BrokenFileAssociation detection. Location is HKCR\.exe My SAS Pro updated itself to 4.36.1006 and now every scan I run since has this detection. I've sent a support ticket request already. I am running WindowsXP Pro with serve pack 3 and have not installed any new software except SAS. I just want to know if it's a false positive or serious.

[Peaty]

add me to the list I've been getting it the past few days. I reboot every day and my files update:

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 05/06/2010 at 06:11 PM

Application Version : 4.36.1006

Core Rules Database Version : 4895
Trace Rules Database Version: 2707

Scan type : Complete Scan
Total Scan Time : 00:44:55

Memory items scanned : 659
Memory threats detected : 0
Registry items scanned : 9220
Registry threats detected : 1
File items scanned : 39945
File threats detected : 1

System.BrokenFileAssociation
HKCR\.exe

-----

Win XP Home

[bekend]

I have the same problem and still do not know if this is a false positive. I also installed the beta ver 4.90.1060 but the problem is still there. It did not surprise me because the version of the database is the same.
My OS is Windows 7 Ultimate.

[alan1476]

New releasae did not fix this problem. The only fix is to go to the beta 64 bit installer.

[Peaty]

I still have the problem but this machine is running 32 bit win xp:

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 05/08/2010 at 07:43 AM

Application Version : 4.37.1000

Core Rules Database Version : 4906
Trace Rules Database Version: 2718

Scan type : Complete Scan
Total Scan Time : 00:00:03

Memory items scanned : 111
Memory threats detected : 0
Registry items scanned : 0
Registry threats detected : 1
File items scanned : 0
File threats detected : 0

System.BrokenFileAssociation
HKCR\.exe

[Alinda]

For me the story is mostly the same as the first poster.. Except that the broken fileassociations were taken care off in an automatic scan.. A few hours later more and more programs started to malfunction.. So I rebooted.. After the reboot, Windows started, but no other program were able to start.. each time I tried to start a program it would tell me that there was no program associated with the extension .exe so that I need to install a program that could deal with that extension.

So now I have a completely non-functional Windows 7 Ultimate edition 64-bit.. I have a diskimage a few weeks old, but I am still hoping to find a solution to restore the current.. I can't even get SAS to start to let it undo it's damage.

I hope that somebody can give me advise to make the programs start again.. I do have a WinPE to access the computer with programs.

When booting "normally" I have a network. And for some reason windows explorer is the only program willing to start by itself, but no copying or pasting. I can use explorer to start programs that start by clicking on for example png, jpg, etc files.. So file-associations other than .exe seem intact, but even these programs fail if they try to startup other programs.

Please has anybody any idea?

[alan1476]

For me the story is mostly the same as the first poster.. Except that the broken fileassociations were taken care off in an automatic scan.. A few hours later more and more programs started to malfunction.. So I rebooted.. After the reboot, Windows started, but no other program were able to start.. each time I tried to start a program it would tell me that there was no program associated with the extension .exe so that I need to install a program that could deal with that extension.

So now I have a completely non-functional Windows 7 Ultimate edition 64-bit.. I have a diskimage a few weeks old, but I am still hoping to find a solution to restore the current.. I can't even get SAS to start to let it undo it's damage.

I hope that somebody can give me advise to make the programs start again.. I do have a WinPE to access the computer with programs.

When booting "normally" I have a network. And for some reason windows explorer is the only program willing to start by itself, but no copying or pasting. I can use explorer to start programs that start by clicking on for example png, jpg, etc files.. So file-associations other than .exe seem intact, but even these programs fail if they try to startup other programs.

Please has anybody any idea?

Its a false positive just eliminate that entry so it never finds it again.

[Seth]

Welcome to the SuperAntiSpyware forum Alinda.

Please download the .exe fix from the following site (using another computer obviously), save it to disk or USB stick, then follow the instructions on the site to extract and run the fix.

http://www.winhelpon...-for-windows-7/

[Alinda]

Welcome to the SuperAntiSpyware forum Alinda.

Please download the .exe fix from the following site (using another computer obviously), save it to disk or USB stick, then follow the instructions on the site to extract and run the fix.

http://www.winhelpon...-for-windows-7/

Thanks that seems to have worked fine. Even though I got error messages while trying to follow the instructions. Now I can just use my Windows 7 installation again.

After this experience and reading various articles I have now turned off the automatic quarantine and remove infected file option. I have had too many false positives, both from SAS and my virus scanner.

Thanks for the help!