Madeline Posted April 30, 2010

I'm running SAS Free. Apparently I had 'System.RegistryEditorDisabled' on my PC. This item was added/updated in the database version 4817 on 16/04/2010. Since that time I ran 5 SAS scans before updating, none of which found it. My SAS version then was 4.35.1002.

I also ran scans with the following programs:

- Spybot S&D 1.6.2
- MBAM 1.45 and 1.46 (Quick Scans)
- Norton Internet Security 2010 v 17.6.0.32 (Full System Scan)

during the period from 16/04/2010 to 30/04/2010 when my SAS version was still 4.35.1002 and none of these found anything.

This piece of malware appeared only after updating to v4.36.1006. The strange thing is that it appeared as soon as I opened the program. It hadn't even scanned the Memory, let alone the Registry, but somehow it had 'found' this piece of malware! How did it do that without scanning?

The malware is now in quarantine, but... Is it a false positive? Is it a bug? Was it really there? Any ideas or info please?
SFdude Posted April 30, 2010

Hi Madeline,

Yes, I'm having EXACTLY the same symptom detected by SAS today (SAS latest version with latest updated Virus db): "system.RegistryEditorDisabled"

I also ran Full System scans with the latest MalwareBytes (MBAM) and the latest AVAST. Both show: "0 infections". Only SAS shows this message...

Also, I can open my REGEDIT and System Tasks windows OK, with no problems - so, they are not "disabled", as the SAS message suggests. Weird!

The SAS message appeared as soon as I started scanning a single file I d/l from a trustworthy web site. (I always scan every file I d/l, even if it's from Microsoft, Google, etc).

False positive or real threat? I don't want to quarantine a critical Registry setting...

SAS? Anyone?

SFdude
Win XP/SP3. SAS v4.36.1006 / MBAM / AVAST (all free, updated, latest versions)
Madeline Posted May 1, 2010

> Also, I can open my REGEDIT and System Tasks windows OK, with no problems - so, they are not "disabled", as the SAS message suggests.

Same here, I forgot to mention it earlier!

I'm becoming convinced that this is an incorrect detection and, if this is the case, I hope that SAS will amend their database so that this won't be detected again. If this happens, what do I do about the item in Quarantine?
SFdude Posted May 1, 2010

> Same here, I forgot to mention it earlier! I'm becoming convinced that this is an incorrect detection and, if this is the case, I hope that SAS will amend their database so that this won't be detected again. If this happens, what do I do about the item in Quarantine?

I accidentally had SAS Quarantine it. Not what I wanted... So, I simply "UNQuarantined" it, until somebody from SAS, (or another Forum colleague) gives us a better = correct info.

BTW: I searched in my Registry, (yes, my REGEDIT works just fine! = it's not "disabled"). Yet, I did NOT find the Registry Key which made SAS so nervous. The string does not even exist in my Registry!

Madeline, try searching your Registry for the "system.RegistryEditorDisabled" string, which SAS alerts it has "detected".

Meanwhile, I'm starting to become disappointed with the lack of feedback from SAS to this post. It sounds like a false positive... Anybody? MBAM and AVAST report a totally clean XP/SP3 system...

SFdude
Madeline Posted May 2, 2010

It would be good to hear from someone at SAS about this, but we may have to wait a few days at least. It's a holiday weekend here in the UK and I think it may be the same in the US (Labor Day?).

This odd detection is annoying but it's not really a major problem. For now, I'm going to do the same as you and unquarantine the item in question. Let's hope we hear from SAS before too long!
SUPERAntiSpy Posted May 2, 2010

We have already adjusted the definitions (on Friday). Did you update definitions and see if you still have this detection?
Madeline Posted May 2, 2010

> We have already adjusted the definitions (on Friday). Did you update definitions and see if you still have this detection?

Thanks for your reply Nick. What I did was as follows:

About an hour after my previous post, I unquarantined the offending item and ran a scan using what were then the latest defs - Core 4878, Trace 2690 - and nothing was found. I hadn't scanned before that since I'd quarantined the apparent piece of malware.

Anyway, it all seems to be fine now, so thanks for your help. I hope you're having a good weekend regardless of whether or not it's a holiday one!