pudelein

I was responding about the same detection that you did, namely, Heur.Agent/Gen-FakeSAS. I believe siliconman01 and kerr were both referring to your post also. As far as I know, there was no other issue in this thread until the Russians entered the discusiion after the rest of us were gone.

I also encountered this detection from SAS this morning; interestingly, the folder in which it was located was created on 01/24/2009: this is the date on which I first installed SAS 4.25.1002 and did nothing else of significance. So, if it is not a false positive, it looks like SAS is detecting something that it introduced nearly three years ago!

I use Sysinternals Process Explorer (actually now a Microsoft product!) as a replacement for the normal Windows Task Manager. In my most recent scan, this morning, using database 5152, trace 2964, SAS detects "Security.Hijack [imageFileExecutionOptions]" as a malicious Registry key (actually two such). The key reported is HKLM\Software\Microsoft\Windows NT\Current Version\ImageFileExtensionOptions\TaskMgr.exe. This key contains the data "Debugger" which contains "C:\Program Files\Sysinternals Tools\ProcessExplorer\procexp.exe". The path is local to my system; I keep a group of Sysinternals tools executables there. It is NOT a hijack and should not be detected as such. It was not detected last week with what is apparently the same database, but with a different Trace (which I did not record, unfortunately). Further data: I use Windows XP SP3 Home Edition; SAS 4.40.1002; Process Explorer 12.1.0.0 used since November 2007).

I have just completed an SAS Free complete scan using Core 4376, the latest update available. The PCPBIOS.exe issue that is the subject of this thread no longer appears. It was evidently a false positive. Thanks to all at SAS and elsewhere for straightening matters out!

I found this same identification this morning during a routine SAS complete system scan. This has never been seen before by SAS; it is not seen this morning by Spybot S&D nor by MalwareBytes' Antimalware. A Google search suggests that this file might have a connection with PCPitstop, but there is no easy way to verify this. Almost certainly an SAS false positive!