Posts posted by John


  1. Sorry, I wasn't clear enough in my description above: the problem app is Mmm+ (the paid-for version), not Mmm (the free version).

    As soon as I start the installation, SAS blocks the installer with the message:

    SAS has detected & blocked a potentially harmful application from running.

    When I then allow the installer as a trusted program, the install proceeds normally, but then is instantly blocked from running by SAS.

    The description is as follows:

    Summary : Trojan.Unknown Origin.Process Unknown

    Description : Randomly (or deceptively-) named application process. Contains deceptive, incomplete, or missing version or company information and is installed in the Temp, Windows, System, System32, or Application Data directories. May also be found under randomly named sub-directories under these folders or Program Files.

    Trojans are programs that can appear to serve a legitimate purpose but actually have an unwanted or harmful effect.

    A large segment of trojan programs download other harmful software components to a user's PC without his/her knowledge.

    This application is most likely downloaded and installed by another application that is considered to be adware or spyware.

    Threat Level (1-10) : 10

    Processes : *

    I've posted a copy of the Mmm+ installer here:

    http://rapidshare.com/files/242358380/mmmplusinstall.rar

    Thanks.


  2. The latest definition updates from yesterday (06-05-09) (Pro Version) are targeting & deleting the .exe of one of my installed programs that I've used for years. The program is Mmm, a context menu editing tool.

    Homepage:

    http://hace-software.com/mmm-plus.shtml

    FAQ & privacy policy:

    http://hace-software.com/faq-mmm-plus.shtml

    I've tried putting Mmm's executable in the "Allowed/Trusted Items" list, I've added the installation folder to the "Excluded Folders" list, and I've tried disabling First Chance Prevention on my XP machines. No matter what I do, SAS immediately deletes the installed exe. The exe doesn't even show in quarantine, it's just totally removed from my machine.

    I can't use the built-in false positive reporter to send a sample of the file because the executable is deleted from my machine the instant SAS starts running. Yet, when I scan the installer (via the right-click context menu) SAS tells me the file is clean?? Also, uploading the installer to VirusTotal gives it a clean bill of health (with only a couple of "possible" heuristic alerts).

    This problem only got worse when I tried to experiment with the installer in a Virtual Machine. In a VM, SAS won't even let me run the installer. If I close SAS down, run the installer, then restart SAS, it immediately breaks the program by deleting the installed exe.

    Here are my 3 questions:

    1) Since I've used this program for years without any other security app ever targeting it, I'm suspecting this is a false positive?

    2) Why won't SAS listen to me when I try to exclude it from being scanned and/or deleted?

    3) Why isn't the targeted exe put in quarantine, instead of being deleted?

    This has turned into a big mess. Can someone please advise on what I need to do please? I can provide the installer file if necessary. Thank you.


  3. Here are 2 suggestions:

    1) Make SAS watch/protect/notify about changes to the HOSTS file...and be able to function with large custom HOSTS files without choking & freezing with files that have many thousands of entries.

    2) Make SAS watch/protect/notify about changes to IE's Trusted Sites list. As unbelievable as it sounds, I've even found "legitimate" installers which silently add a bunch of garbage to this list, without asking or giving any notification. E.g., Audigy Sound Blaster drivers load a bunch of AOL sites to this list when installing the drivers. And that's the best case scenario. Malware silently installing to this list could be "troublesome". :wink:
