SASD630

False positive Trojan found in Opera folder?


Hi, new member here. I am using the free SAS version, thank you for this excellent program. My main browser is Firefox Portable. I have done many manual SAS scans over the past months, through all that I have had Opera portable browser in a folder on my desktop. I rarely use Opera [I only open it for the "fit to width" feature] and don't think I had used it since my last SAS scan which came up clean.

Yesterday's SAS scan found this in that Opera folder: Trojan.Agent/Gen-FakeAlert[RnGlobal].Process

It was the only malware found; though it seemed strange to be there, I allowed the program to delete it. Opera would then not open. I copy/pasted my Opera backup [from an external drive] into the folder, Opera opened, then I ran an SAS scan on just that folder and got the same trojan.agent report.

My external Opera backup is quite old [6 months or more], and has come up clean on many scans.

Any thoughts on this? Much appreciated, thank you.

Matt


PS: sorry, somehow I missed the False Positive forum section. I don't want to double post, if this could be moved...

thanks,

Matt


whoa... excellent! I missed that button as well as the False Positive forum section. OK, report sent, thank you siliconman01.

much appreciated

Matt


I'd love to know the outcome of this since I'm experiencing something very similar.

Eerily, my situation is much like SASD360's. I have Opera Portable installed on my external drive. I seldom use Opera Portable (prefer Firefox Portable and sometimes Chrome), but on 3/4/11 or 3/5/11 I got this alert during an SAS scan:

Trojan.Agent/Gen-FakeAlert[RnGlobal]

G:\SYSTEM VOLUME INFORMATION\_RESTORE{5D527826-05BD-4A83-8416-28ACDDA14001}\RP843\A0147057.DLL

I quarantined it and yesterday I restored a sandboxed version and saw that it was associated with Opera.

Lastly, I sent it off to SuperAntiSpyware to be investigated as a false positive, but haven't received a reply.

BTW - I mistakenly made a post in the General Questions section prior to seeing this one.


Hi sas1, thanks for posting... I haven't received a reply since Mar. 1 on my false positive submission, but got another virus alert today. The same Trojan as noted in your post [I believe it's the same, I went to look at the log and there's nothing there].

Note: I was running an ancient version of Opera@USB, version 9.63. Since my first post I downloaded the latest v11.01 and had both that installed and 9.63 when I scanned with SAS today. I deleted v9.63 today after allowing SAS to quarantine, then rescanned and came up clean.

I would be curious to know, what version of Opera@USB are you running?

thanks

Matt

G:\SYSTEM VOLUME INFORMATION\_RESTORE{5D527826-05BD-4A83-8416-28ACDDA14001}\RP843\A0147057.DLL

The System Volume Information directory is your system restore points and is a Microsoft protected directory that I doubt that SAS can delete/quarantine files from...even though it says it does.

The only safe way to clean out the System Volume Information directory is to turn off System Restore for that disk (the G:\ disk in this case), reboot your system, and then turn System Restore back on for that disk. The same applies if this had been on the C:\ drive.

http://windows.microsoft.com/en-US/windows-vista/Turn-System-Restore-on-or-off

http://www.howtogeek.com/howto/windows-vista/disable-system-restore-in-windows-vista/

http://us.norton.com/support/kb/web_view.jsp?wv_type=public_web&docurl=20080421114858EN&ln=en_US


@siliconman You might be right (about SAS not being able to access the System Volume directory), but I'm seeing some posts that indicate otherwise. Here's one: https://forums.superantispyware.com/index.php?/topic/3723-trojan-in-system-volume-information/ And scanning my system again with SAS (after the alleged quarantine took place) revealed no malware. Not trying to be contrary, just relaying the info as I understand it all. (Another, less global way of cleaning System Restore is via CCleaner. A user can select a particular restore point to delete versus all of them. I've not used that feature yet, however.)

@SASD360 Sorry, but yesterday I decided to do some cleanup of my external (G) drive and one of the programs I deleted was that Opera app. I simply no longer used it. I'm pretty much married to Firefox Portable for now. Anyway, please continue to post here if you get any update from SAS regarding the status of this potential false positive. I'll do likewise.


No.

If you believe SUPERAntiSpyware has improperly detected a file as harmful, please use the built-in false positive reporter in SUPERAntiSpyware to send a sample of the file directly to our definitions team. The false positive reporter is available at the end of a scan. The item must be detected during the scan, not in quarantine.

At the end of the scan, click once on the item to be submitted to highlight it, and click the "Report False Positive" button to the right.

The file will be submitted to the SUPERAntiSpyware team for analysis. If it's found to be benign, it will be excluded from SUPERAntiSpyware's definitions.


If you believe SUPERAntiSpyware has improperly detected a file as harmful, please use the built-in false positive reporter in SUPERAntiSpyware to send a sample of the file directly to our definitions team. The false positive reporter is available at the end of a scan. The item must be detected during the scan, not in quarantine.

At the end of the scan, click once on the item to be submitted to highlight it, and click the "Report False Positive" button to the right.

The file will be submitted to the SUPERAntiSpyware team for analysis. If it's found to be benign, it will be excluded from SUPERAntiSpyware's definitions.

Well, this ^^^ bit of information may be helpful if/when the next detection occurs. But, I don't see how it helps the current situation.


@SAS customer service/Sean: OP here, thanks for checking in. I _did_ use the false positive button [March 1]. I kept the SAS scanner open at pre-quarantine/delete status, posted to the forum, then submitted the item after siliconman01 directed me to the report false positive instructions.

Then at some point later I scanned and got the System Restore malware result, same as sas1 [system volume information].

Everything cleaned up now, so it would appear that SAS can indeed clean system restore files. But thank you siliconman01 for pointing out what they were.

Matt

The System Volume Information directory is your system restore points and is a Microsoft protected directory that I doubt that SAS can delete/quarantine files from...even though it says it does.

Agreed.

Even if an antimalware program can remove infections from the SR folder, it's most likely that SR point won't deploy due to a checksum error.

Clean the system, purge the SR, and create a new SR point.

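The cleanup that siliconman01 and the last reply describe (turn System Restore off for the affected disk, reboot, turn it back on, then create a fresh restore point) as an added PowerShell example; this is not code from the thread or from SUPERAntiSpyware. It assumes Windows PowerShell 5.1 run as Administrator (the *-ComputerRestore cmdlets are not available in PowerShell 7) and uses the thread's G:\ drive letter.

```powershell
# Added example: purge the restore points on one drive by cycling System
# Restore protection, then take a new, known-clean restore point.
# Assumes Windows PowerShell 5.1 running elevated; $Drive is the thread's G:\.
$Drive = 'G:\'

# Restore points are listed system-wide; review them before they are discarded.
Write-Host 'Restore points before purge:'
Get-ComputerRestorePoint |
    Select-Object SequenceNumber, CreationTime, Description |
    Format-Table -AutoSize

# Step 1: turning protection off for the drive discards its restore point data
# (the _RESTORE{...}\RPnnn folders under System Volume Information).
Disable-ComputerRestore -Drive $Drive

# Step 2: the thread advises a reboot here before re-enabling protection so the
# protected folder is fully released. Uncomment to do this unattended:
# Restart-Computer -Force

# Step 3: re-enable protection and create a baseline point for the clean state.
# Note: on Windows 8 and later, Checkpoint-Computer is rate-limited to one
# restore point per 24 hours unless the SystemRestorePointCreationFrequency
# registry value is changed; the cmdlet emits a warning and skips creation.
Enable-ComputerRestore -Drive $Drive
Checkpoint-Computer -Description 'Post-cleanup baseline' -RestorePointType 'MODIFY_SETTINGS'

Write-Host 'Restore points after re-enable:'
Get-ComputerRestorePoint |
    Select-Object SequenceNumber, CreationTime, Description |
    Format-Table -AutoSize
```

Disabling protection removes every restore point on that drive, not just the one holding the flagged file, which is why the old points are listed first.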
This topic is now closed to further replies.
