John

Suspected false positive

The latest definition updates from yesterday (06-05-09) (Pro Version) are targeting & deleting the .exe of one of my installed programs that I've used for years. The program is Mmm, a context menu editing tool.

Homepage:

http://hace-software.com/mmm-plus.shtml

FAQ & privacy policy:

http://hace-software.com/faq-mmm-plus.shtml

I've tried putting Mmm's executable in the "Allowed/Trusted Items" list, I've added the installation folder to the "Excluded Folders" list, and I've tried disabling First Chance Prevention on my XP machines. No matter what I do, SAS immediately deletes the installed exe. The exe doesn't even show in quarantine, it's just totally removed from my machine.

I can't use the built-in false positive reporter to send a sample of the file because the executable is deleted from my machine the instant SAS starts running. Yet, when I scan the installer (via the right-click context menu) SAS tells me the file is clean?? Also, uploading the installer to VirusTotal gives it a clean bill of health (with only a couple of "possible" heuristic alerts).

This problem only got worse when I tried to experiment with the installer in a Virtual Machine. In a VM, SAS won't even let me run the installer. If I close SAS down, run the installer, then restart SAS, it immediately breaks the program by deleting the installed exe.

Here are my 3 questions:

1) Since I've used this program for years without any other security app ever targeting it, I'm suspecting this is a false positive?

2) Why won't SAS listen to me when I try to exclude it from being scanned and/or deleted?

3) Why isn't the targeted exe put in quarantine, instead of being deleted?

This has turned into a big mess. Can someone please advise on what I need to do please? I can provide the installer file if necessary. Thank you.


Sorry, I wasn't clear enough in my description above: the problem app is Mmm+ (the paid-for version), not Mmm (the free version).

As soon as I start the installation, SAS blocks the installer with the message:

SAS has detected & blocked a potentially harmful application from running.

When I then allow the installer as a trusted program, the install proceeds normally, but then is instantly blocked from running by SAS.

The description is as follows:

Summary : Trojan.Unknown Origin.Process Unknown

Description : Randomly (or deceptively-) named application process. Contains deceptive, incomplete, or missing version or company information and is installed in the Temp, Windows, System, System32, or Application Data directories. May also be found under randomly named sub-directories under these folders or Program Files. Trojans are programs that can appear to serve a legitimate purpose but actually have an unwanted or harmful effect. A large segment of trojan programs download other harmful software components to a user's PC without his/her knowledge. This application is most likely downloaded and installed by another application that is considered to be adware or spyware.

Threat Level (1-10) : 10

Processes : *

I've posted a copy of the Mmm+ installer here:

http://rapidshare.com/files/242358380/mmmplusinstall.rar

Thanks.


Hello, I'm also having this problem. SUPERAntiSpyware deletes MMM.EXE every time I restart my computer, even if I add it to the trust zone. I've been using this for about 2 years and never had any problem with it. I'm using Mmm+ v2.02; only the MMM.EXE in the folder is getting deleted. Any fix for this soon? Thanks.

I attached the MMM+ EXE that keeps getting deleted.

http://www.mediafire.com/?zxxfwdtzq4z

This topic is now closed to further replies.