SASD630 Posted March 1, 2011

Hi, new member here. I am using the free SAS version, thank you for this excellent program. My main browser is Firefox Portable. I have done many manual SAS scans over the past months, and through all that I have had the Opera portable browser in a folder on my desktop. I rarely use Opera [I only open it for the "fit to width" feature] and don't think I had used it since my last SAS scan, which came up clean. Yesterday's SAS scan found this in that Opera folder:

Trojan.Agent/Gen-FakeAlert[RnGlobal].Process

It was the only malware found; though it seemed strange to be there, I allowed the program to delete it. Opera would then not open. I copy/pasted my Opera backup [from an external drive] into the folder, Opera opened, then I ran an SAS scan on just that folder and got the same Trojan.Agent report. My external Opera backup is quite old [6 months or more], and has come up clean on many scans. Any thoughts on this? Much appreciated, thank you.

Matt

SASD630 Posted March 1, 2011

PS: sorry, somehow I missed the False Positive forum section. I don't want to double post, if this could be moved... thanks,

Matt

siliconman01 Posted March 1, 2011

See the link below on how to submit a suspected False Positive.

https://www.superantispyware.com/supportfaqdisplay.html?faq=28

SASD630 Posted March 1, 2011

whoa... excellent! I missed that button as well as the False Positive forum section. OK, report sent, thank you siliconman01. much appreciated

Matt

SAS Customer Service Posted March 2, 2011

*Moved* to False positives.

sas1 Posted March 7, 2011

I'd love to know the outcome of this since I'm experiencing something very similar. Eerily, my situation is much like SASD630's. I have Opera Portable installed on my external drive. I seldom use Opera Portable (prefer Firefox Portable and sometimes Chrome), but on 3/4/11 or 3/5/11 I got this alert during an SAS scan:

Trojan.Agent/Gen-FakeAlert[RnGlobal]
G:\SYSTEM VOLUME INFORMATION\_RESTORE{5D527826-05BD-4A83-8416-28ACDDA14001}\RP843\A0147057.DLL

I quarantined it, and yesterday I restored a sandboxed version and saw that it was associated with Opera. Lastly, I sent it off to SuperAntiSpyware to be investigated as a false positive, but haven't received a reply.

BTW - I mistakenly made a post in the General Questions section prior to seeing this one.

SASD630 Posted March 7, 2011

Hi sas1, thanks for posting... I haven't received a reply since Mar. 1 on my false positive submission, but got another virus alert today. The same Trojan as noted in your post [I believe it's the same; I went to look at the log and there's nothing there].

Note: I was running an ancient version of Opera@USB, version 9.63. Since my first post I downloaded the latest v11.01 and had both that installed and 9.63 when I scanned with SAS today. I deleted v9.63 today after allowing SAS to quarantine, then rescanned and came up clean. I would be curious to know, what version of Opera@USB are you running? thanks

Matt

siliconman01 Posted March 7, 2011

> G:\SYSTEM VOLUME INFORMATION\_RESTORE{5D527826-05BD-4A83-8416-28ACDDA14001}\RP843\A0147057.DLL

The System Volume Information directory is your system restore points and is a Microsoft protected directory that I doubt SAS can delete/quarantine files from...even though it says it does. The only safe way to clean out the System Volume Information directory is to turn off System Restore for that disk (the G:\ disk in this case), reboot your system, and then turn System Restore back on for that disk. The same applies if this had been on the C:\ drive.

http://windows.microsoft.com/en-US/windows-vista/Turn-System-Restore-on-or-off
http://www.howtogeek.com/howto/windows-vista/disable-system-restore-in-windows-vista/
http://us.norton.com/support/kb/web_view.jsp?wv_type=public_web&docurl=20080421114858EN&ln=en_US

Seth Posted March 7, 2011

Is that G drive an image?

sas1 Posted March 7, 2011

@siliconman You might be right (about SAS not being able to access the System Volume directory), but I'm seeing some posts that indicate otherwise. Here's one:

https://forums.superantispyware.com/index.php?/topic/3723-trojan-in-system-volume-information/

And scanning my system again with SAS (after the alleged quarantine took place) revealed no malware. Not trying to be contrary, just relaying the info as I understand it all.

(Another, less global way of cleaning System Restore is via CCleaner. A user can select a particular restore point to delete versus all of them. I've not used that feature yet, however.)

@SASD630 Sorry, but yesterday I decided to do some cleanup of my external (G) drive and one of the programs I deleted was that Opera app. I simply no longer used it. I'm pretty much married to Firefox Portable for now. Anyway, please continue to post here if you get any update from SAS regarding the status of this potential false positive. I'll do likewise.

sas1 Posted March 8, 2011

> Is that G drive an image?

No.

SAS Customer Service Posted March 10, 2011

No.

If you believe SUPERAntiSpyware has improperly detected a file as harmful, please use the built-in false positive reporter in SUPERAntiSpyware to send a sample of the file directly to our definitions team. The false positive reporter is available at the end of a scan. The item must be detected during the scan, not in quarantine. At the end of the scan, click once on the item to be submitted to highlight it, and click the "Report False Positive" button to the right. The file will be submitted to the SUPERAntiSpyware team for analysis. If it's found to be benign, it will be excluded from SUPERAntiSpyware's definitions.

sas1 Posted March 11, 2011

> If you believe SUPERAntiSpyware has improperly detected a file as harmful, please use the built-in false positive reporter in SUPERAntiSpyware to send a sample of the file directly to our definitions team. The false positive reporter is available at the end of a scan. The item must be detected during the scan, not in quarantine. At the end of the scan, click once on the item to be submitted to highlight it, and click the "Report False Positive" button to the right. The file will be submitted to the SUPERAntiSpyware team for analysis. If it's found to be benign, it will be excluded from SUPERAntiSpyware's definitions.

Well, this ^^^ bit of information may be helpful if/when the next detection occurs. But I don't see how it helps the current situation.

SASD630 Posted March 11, 2011

@SAS customer service/Sean: OP here, thanks for checking in. I _did_ use the false positive button [March 1]. I kept the SAS scanner open at pre-quarantine/delete status, posted to the forum, then submitted the item after siliconman01 directed me to the report false positive instructions. Then at some point later I scanned and got the System Restore malware result, same as sas1 [system volume information]. Everything cleaned up now, so it would appear that SAS can indeed clean system restore files. But thank you siliconman01 for pointing out what they were.

Matt

Seth Posted March 11, 2011

> The System Volume Information directory is your system restore points and is a Microsoft protected directory that I doubt SAS can delete/quarantine files from...even though it says it does.

Agreed. Even if an antimalware program can remove infections from the SR folder, it's most likely that SR point won't deploy due to a checksum error. Clean the system, purge the SR, and create a new SR point.
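The two pieces of advice in this thread (siliconman01's "turn System Restore off for the drive, then back on" and Seth's "clean, purge the SR, create a new SR point") can be scripted so the steps are recorded rather than clicked through. The script below is an added example written for this thread; it is not code from SUPERAntiSpyware or from any poster. It assumes Windows PowerShell 5.1 running elevated on a client edition of Windows (the `*-ComputerRestore` and `Checkpoint-Computer` cmdlets are not available on Server or in PowerShell 7). The variable names `$Drive` and `$Flagged` are mine; the flagged path is the one sas1 quoted, used here only as a sample value. Before purging anything it records the existing restore points and, if the flagged file is readable, captures its SHA-256 and Authenticode status, which is the evidence you want alongside a false-positive report.

```powershell
# Added example (not from the thread or from SUPERAntiSpyware): triage a file that an
# AV product flagged inside a restore point, then purge and recreate System Restore
# on that drive, following the procedure posters in the thread describe.
# Assumes Windows PowerShell 5.1, elevated, on a client edition of Windows.
param(
    # Placeholder drive root; System Restore cmdlets want the "X:\" form.
    [string]$Drive   = 'G:\',
    # Sample value taken from the thread's detection log, used here for illustration.
    [string]$Flagged = 'G:\SYSTEM VOLUME INFORMATION\_RESTORE{5D527826-05BD-4A83-8416-28ACDDA14001}\RP843\A0147057.DLL'
)

# 1. Record what exists before touching anything, so the action is auditable.
Write-Host "Restore points before cleanup:"
Get-ComputerRestorePoint | Format-Table SequenceNumber, CreationTime, Description -AutoSize

# 2. Triage the flagged file without executing it: hash it for the false-positive
#    report and check whether it carries a valid Authenticode signature.
#    "System Volume Information" is ACL'd to SYSTEM, so even an elevated shell may
#    not be able to read it; in that case we only report that and move on.
if (Test-Path -LiteralPath $Flagged) {
    $hash = Get-FileHash -LiteralPath $Flagged -Algorithm SHA256
    $sig  = Get-AuthenticodeSignature -LiteralPath $Flagged
    [pscustomobject]@{
        Path      = $Flagged
        SHA256    = $hash.Hash
        SigStatus = $sig.Status                      # Valid, NotSigned, HashMismatch, ...
        Signer    = $sig.SignerCertificate.Subject   # empty when unsigned
    } | Format-List
} else {
    Write-Warning "Cannot read $Flagged (protected directory, or the AV already quarantined it)."
}

# 3. Purge: disabling System Restore on a drive discards that drive's restore points
#    (this is what removes the copy inside the RP folder). siliconman01 reboots between
#    disable and enable; split the script here if you want to follow that exactly.
Disable-ComputerRestore -Drive $Drive
Enable-ComputerRestore  -Drive $Drive

# 4. Create a fresh, clean baseline point as Seth suggests.
Checkpoint-Computer -Description 'Clean baseline after AV triage' -RestorePointType 'MODIFY_SETTINGS'

Write-Host "Restore points after cleanup:"
Get-ComputerRestorePoint | Format-Table SequenceNumber, CreationTime, Description -AutoSize
```

Two caveats worth knowing before running it: disabling System Restore removes every restore point on that drive, not just the one containing the flagged file, so the "before" listing is your only record of what was there; and on Windows 8 and later `Checkpoint-Computer` silently skips creating a point if one was made within the last 24 hours, so verify the "after" listing actually shows the new entry.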