Bart

Quarantine and Removal Question


My daily SAS run just quarantined and removed these:

NTICDMK32.dll

NTIDBD32.dll

NTIEMBED.dll

NTIMPEG2.dll

What are these? Famous last words, but I don't think I go to any questionable sites. Where might they come from?

Can I rest easy that SAS has removed any threat they might present?

Thanks,

Bart


Do you have any NTI software installed? I had SAS flag NTIBUN4.DLL today and that file is part of NTI's Backup NOW! software that is installed on that PC. My guess is that there's some code in those DLLs that triggers SAS, so I'm thinking false positive. To be sure do like I did and send the quarantined files to SuperAntiSpyware. Use the button in the Quarantined Items window to do that. It's very simple and it will improve the definitions.


Thanks for the reply.

I don't knowingly use NTI. My backup software is Acronis.

How do I access the quarantined window in order to send off the files?

Bart


I also had SAS quarantine NTIEMBED.DLL as a virus. Not knowing what the file was used for, I searched for NTI*.*. What I found were several files in Windows folders [c] and one GIF file [ntimage.gif]. Viewing that file showed a faint WINDOWS XP logo.

I also found NTIAspi.dll in a Realplayer\CDBurning folder.

I hope SAS tech support resolves this issue before my system needs to use NTIEMBED.DLL ... ;)


If they are submitted in our false positive reporting, we will analyze the files and remove them if necessary. Thank you for taking the time to report them!


Is there a way a SAS Pro user can tell if a suspected FP item has been submitted to the false positive reporting system?

How do I access the quarantined window in order to send off the files?

Bart, after the scan you should see the Quarantined Items window. On the right are 4 buttons:

Trust/Allow Item(s)

Manage Allowed Items

Report False Positive...

Explain Detected Item

Select the item(s) that you think to be a false positive.

Click the Report False Positive... button and follow the instructions in the window that shows.

HTH

Nightcap


Thanks, Nightcap.

When that scan finished, since it said the four items had been quarantined and deleted I clicked on Finish so everything closed down.

Is it possible to find those files now, given that SAS said they were deleted? I can't find them via my Explorer.

Bart


Bart, when you go to Main Menu (click twice on the "bug" in the system tray) and click the "Manage Quarantine" button, you can see what files are in quarantine. In quarantine means that they are no longer in the folder they used to be, but kept in a "safe place" managed by SAS. If you really did delete the quarantined files, then there's no way for you to send them to SuperAntiSpyware or to restore them if they turn out to be false positives.

In the case SAS finds a threat on my PCs, I always quarantine it and let it sit there until I'm absolutely sure it isn't a false positive. Files in quarantine don't pose a threat anymore so it's safe to keep them there. If it turns out to be a false positive I can easily restore the file(s) and there's no harm done to my computer.

Nightcap


Nightcap,

I do find them via Manage Quarantine, but my options there are Restore or Remove. How would I send them for false positive analysis?

I have the feeling that once I closed the scan the other day that found and quarantined them, I can't get to the screen that offers the option to send away for analysis. Is that right?

After hearing in this thread that several others are getting what appears to be false positives, I am not all that keen to do so. Just asking for next time...

Thanks,

Bart


jayt36, I restored the quarantined Backup NOW! DLL and the application is working again like always. Strange that a restore wouldn't work for you. Even if some registry values were deleted during the quarantine, restoring should put those back too.

Glad you got it working again though.


Me too Bart, so now I'm really stumped why you're not seeing those 4 buttons. Maybe someone else can explain that?


Thanks, guys. I'm going to pass on the restore and not send away for analysis. The four flagged items have not shown up again. If they do I will follow the instructions you all have given me.

Thanks again,

Bart
