False positive daemon.exe (DaemonTools v3.47)

Yesterday I noticed that on every boot of Windows XP the file daemon.exe was deleted automatically.

After a lot of sleuthing I traced the problem back to SuperAntiSpyware (Free Edition, but probably in the paid-for version as well). It seems that this behavior was triggered by a recent signature update.

It would be nice to get this false positive fixed, and I'm thanking you for it in advance. :)

Best regards,

Marc

Can you submit the file to samples@superantispyware.com and we can update our definitions?

I've just mailed you the file in question. Please let me know if you need the complete installer. That should be doable, since it's less than 500KB.

Best regards,

Marc

Marc - what version of the product and definitions are you using? Where is it installed by default? We just scanned here and it was not detected.

I've currently uninstalled SuperAntiSpyware (SAS), due to this problem since I need DaemonTools running. I did however run a complete system scan yesterday and according to the logs the following definitions were used:

Core Rules Database Version : 3095

Trace Rules Database Version: 1123

The SAS installer is labeled as version 3.2.0.1028.

However, the problem doesn't appear during scanning. Nothing is found. Actually, I ran SAS for this exact purpose, since I was afraid I somehow had gotten some malware on my system.

What happens is that I can install DaemonTools v3.47 over and over again and the daemon.exe file (default install location: \Program Files\D-Tools\daemon.exe) will have been silently deleted upon every boot, as well as the previously mentioned registry key.

I've been searching through the registry (I have some experience in that) and have also been scanning my system with SysInternals' RootkitRevealer. Nothing out of the ordinary was found. Finally I ran HijackThis and in the log I found: Winlogon Notify: SASWinLogon - D:\Program Files\SUPERAntiSpyware\SASWINLO.dll

Just for kicks I uninstalled SAS, and lo and behold daemon.exe wasn't deleted and neither was the registry key deleted.

I've been using SAS for quite some time, and this problem only started yesterday, so I believe there's a problem with the definition files. I remember updating these on Sunday.

Do you need the DT 3.47 installer? You can download it here. The MD5 hash is fe36ef3abf2589bef67f0113f40ff845. Alternatively, I can of course mail the installer to you.

I hope you can fix this issue.

Best regards,

Marc
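
An added example, not part of the original thread: a small parser that pulls Winlogon Notify entries, such as the SASWinLogon line quoted in the post above, out of a HijackThis log and lists the notification DLLs loaded from outside system32, which are the components to rule out when a file disappears at every boot. The `O20 - ` line prefix, the sample log and the `C:\WINDOWS` default are assumptions.

```python
import ntpath
import re

# Constructed sample log. The SASWinLogon entry is the one quoted in the post;
# the "O20 - " prefix and the other two entries are assumed for illustration.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [DAEMON Tools] "C:\Program Files\D-Tools\daemon.exe"
O20 - Winlogon Notify: SASWinLogon - D:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: ExampleNotify - C:\WINDOWS\system32\example.dll
Winlogon Notify: SASWinLogon - D:\Program Files\SUPERAntiSpyware\SASWINLO.dll
"""

# "<optional O20 prefix>Winlogon Notify: <name> - <drive:\path to DLL>"
NOTIFY_RE = re.compile(
    r"^(?:O20\s*-\s*)?Winlogon Notify:\s*(?P<name>.+?)\s+-\s+(?P<dll>[A-Za-z]:\\.+?)\s*$",
    re.MULTILINE,
)


def parse_winlogon_notify(log_text):
    """Return unique (name, dll_path) pairs in the order they appear."""
    seen, entries = set(), []
    for m in NOTIFY_RE.finditer(log_text):
        key = (m["name"].lower(), ntpath.normcase(m["dll"]))
        if key not in seen:
            seen.add(key)
            entries.append((m["name"], m["dll"]))
    return entries


def outside_system_dir(dll_path, system_root=r"C:\WINDOWS"):
    """True if the DLL is not under <system_root>\\system32 (heuristic only)."""
    sys32 = ntpath.normcase(ntpath.join(system_root, "system32")) + "\\"
    return not ntpath.normcase(ntpath.normpath(dll_path)).startswith(sys32)


def third_party_notify(log_text, system_root=r"C:\WINDOWS"):
    """Notify packages loaded at logon from outside the system directory."""
    return [e for e in parse_winlogon_notify(log_text)
            if outside_system_dir(e[1], system_root)]


if __name__ == "__main__":
    for name, dll in third_party_notify(SAMPLE_LOG):
        print(f"review: {name} -> {dll}")
```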

Do you know which version of SAS you were running? We are trying to reproduce this so we can resolve the problem.

This topic is now closed to further replies.
