About dellyfry

  • Rank
    Advanced Member
  • Birthday 01/01/1970
  1. Some recent malware changes the system clock to defeat antimalware protection by moving time backward or forward a few years, thus disabling their subscription. I find this to be a problem for antimalware programs that validate their time of installation by the user's clock, and not by an online time source/reference. This happened recently when using a trial version of SuperAntiSpyware Pro on a user's system. Lo and behold the malware changed the clock back eight years and all of a sudden SAS Pro complained about the trial version time being up. I only suspect it would be the same for non-lifetime licenses as well. Maybe SAS Pro could provide realtime protection on drastic clock changes (like what the homepage protection does) or reference an online source (if available)?
  2. I can see your point. However, do you know of any legitimate programs that modify these values? I can't think of one... other than malware. Maybe it could be locked down without any user interaction? Either way, I'm sure you have something up your sleeve... Keep up the good work.
  3. Much of the malware today is hijacking the exefile value in the registry. When the malware component in question is removed and the offending registry entry is not repaired, it can cause issues in trying to execute any *.exe file on the next reboot. Case in point - SAS recently removed a malware file cftmon.exe that had hijacked the exefile extension, but did not repair the value after removal - so on the next reboot, the system was unable to open any program. SuperAntiSpyware already locks down the homepage from tampering. Why not add the ability to lock certain parts of the registry down from tampering - such as the exefile value? Any changes to the entry would have to be cleared by the user or denied outright.
  4. I would also like to see an improved installation of SuperAntiSpyware - safe mode install friendly. Some very infected spyware systems will only (reliably) boot and run in safe mode compared to booting and running in normal mode. I can imagine installing and running SAS in this environment may help, at least, with the initial cleanup.
  5. Zipped and mailed to the sample submission email address. I snagged them while at work cleaning out an infected system and at the time, I could only remember the sample email address to send them to. I have not looked too close at the files myself and don't know what they do or why they are there. There are so many of them on an infected system that deleting them has become necessary. I'd be curious to know if you find out (if it is possible to know by looking at them, that is).
  6. Nick, Have you received those pos*.tmp files yet? I am increasingly running across these things with systems infected with spam bots. Generally, the files are in the root of c:\ and/or in the user's My Documents folder... they often number in the hundreds or thousands. I generally delete them on sight. If you have not received them yet, I will make sure to send some up to you next time I get my hands on some.
  7. Nick, Do you ever see the time when you might have to develop technology to disinfect a file? I personally am seeing an increasing amount of file infectors, typically once reserved for the classic virus such as klez. These are now used for spam bots, rogue applications, etc. SAS often sees the infection but resolves itself to removing the entire file. Often, various Windows and startup applications are infected and SAS's answer is to remove the entire file - causing both Windows and the application in question to be seriously maligned (and sometimes not boot). Unless I do an external antivirus scan with disinfection abilities, I generally have to go back and replace the files by hand. Of course, that is the benefit of a multi-layer approach anyway I guess. Keep up the great work.
  8. Certainly SAS does a great job on detecting and removing difficult threats, however many people do not or will not run a full HIPS program. While I'm not certain that SAS will ever include any form of HIPS-like functionality, it just seemed like a hop, jump and a skip away (relatively speaking) from implementing something close to this (program execution), as it appears to me that the SAS team already has a form of a whitelist available (www.fileresearchcenter.com). Understood, and I really have no idea if it would add substantial overhead or not... which is why I would recommend it be turned off by default... but would still be nice if the option was there.
  9. Since SuperAntiSpyware Pro hooks into explorer shell, I think it would be a prime candidate to offer program execution protection - i.e. suspending unknown processes from launching/running. You could use the whitelist from www.fileresearchcenter.com for all known good programs, signed Windows components, along with user added submissions, to help a user control what runs on their PC. Great for unknown spyware.... Of course this would all be an option for those who may or may not want to run it.
  10. Thanks for the reply and information.
  11. Quick question... During a scan of an infected system, are the entries that are labeled "variant" a heuristic detection (not strictly defined by a signature)? Just curious to know what is a detection based on heuristics versus a variant that was labeled during the creation of the then current spyware definitions.
  12. While I do agree, some of us actually inspect many of these items before delete/removal.... or just don't care and remove them all anyway. Anyhow, it would be much faster with a delete all.
  13. One change that I think would be beneficial would be granting additional removal options - A) Remove, B) Quarantine, C) Ignore Once, D) Ignore Always... etc. - when a scan has been performed. This could also be specified as a preference before a scan is even performed. For the most part, quarantining cookies I don't think is largely necessary (though, I guess, you never know who might be mad if you delete their cookies!). I would recommend automatic selection of cookies to be removed, and all others to be quarantined except for low threats which are not selected as is the current case may be.
  14. As it stands now, a user has to manually select, one by one, a log file or quarantine entry in order to delete it. It would be great to have a select all function to remove all in one fell swoop. A minor function but helps with the general housekeeping for those of us who want to minimize clutter.
  15. Thank you for the reply and I will do just that. Thanks for your time.