Trojan.Agent/Gen-UsrMgr

Hello.

SAS detects this program

```c
int main (void)
{
    return 0;
}
```

as Trojan.Agent/Gen-UsrMgr if compiled with the compiler from MinGW (compiled file attached). It looks like SAS reacts like this to any file compiled with MinGW (I tried a few programs before I found that this empty program is marked as infected). Please fix.

By the way, one cannot attach a file on this forum without JavaScript...

foo.exe


I've submitted it as a false positive.

This file is questionable though, several other scanners are detecting it!

Just so you know, in the results window on the right-hand side there is a button "Report False Positive"; select the entry in question and click it to submit a report.


> I've submitted it as a false positive.

Thank you. I hoped developers are here on forums though.

> This file is questionable though, several other scanners are detecting it!

Yes, I saw. But at least they don't detect any programs compiled with that compiler. You can just try to compile an empty program and check.

> Just so you know, in the results window on the right-hand side there is a button "Report False Positive"; select the entry in question and click it to submit a report.

I am not a user of SAS... In fact I write some tiny programs (mostly specific ones for local usage) and use the MinGW compiler. And I was notified that my program (and I'm 100% sure that it does nothing evil :) ) was marked as a virus by SAS. So I tried to find the reason... Deleted a piece of code. Nothing changed. Deleted more code. Still marked as a virus. Deleted all the code. Lol, still marked as a virus. So I'm here.


> > I've submitted it as a false positive.
>
> Thank you. I hoped developers are here on forums though.
>
> > This file is questionable though, several other scanners are detecting it!
>
> Yes, I saw. But at least they don't detect any programs compiled with that compiler. You can just try to compile an empty program and check.
>
> > Just so you know, in the results window on the right-hand side there is a button "Report False Positive"; select the entry in question and click it to submit a report.
>
> I am not a user of SAS... In fact I write some tiny programs (mostly specific ones for local usage) and use the MinGW compiler. And I was notified that my program (and I'm 100% sure that it does nothing evil :) ) was marked as a virus by SAS. So I tried to find the reason... Deleted a piece of code. Nothing changed. Deleted more code. Still marked as a virus. Deleted all the code. Lol, still marked as a virus. So I'm here.

Great thanks guys! We will have a look :D

*Edit*

No longer detected!!


> No longer detected!!

Great. Please be so kind as to take a look at the file which is attached to this post. Here is the empty program from the first post. I just compiled it again. foo.exe and foo2.exe have only 8 different bytes: 4 for the timestamp of compilation and 4 for the checksum. And while foo.exe is OK, foo2.exe is marked as a virus (and all my programs too). I really can't understand what the point was of whitelisting that build of the empty program :)

foo2.exe
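Added example, not part of the original thread and not SAS or MinGW code: a Python sketch that checks whether two builds differ only in the PE header's TimeDateStamp and CheckSum fields, as the post above describes, and compares hashes with those fields zeroed. The function names and the 512-byte sample buffers are constructed for illustration; real files would be read from disk.

```python
import hashlib
import struct

def volatile_fields(pe: bytes) -> dict:
    """Locate the PE header fields that change on every rebuild: name -> (offset, size)."""
    if pe[:2] != b"MZ":
        raise ValueError("missing MZ header")
    (e_lfanew,) = struct.unpack_from("<I", pe, 0x3C)   # file offset of "PE\0\0"
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4                                # IMAGE_FILE_HEADER
    optional = coff + 20                               # IMAGE_OPTIONAL_HEADER
    return {"TimeDateStamp": (coff + 4, 4), "CheckSum": (optional + 64, 4)}

def classify_diff(a: bytes, b: bytes):
    """Count differing bytes per volatile field; list offsets of any other difference."""
    if len(a) != len(b):
        raise ValueError("files differ in length")
    fields = volatile_fields(a)
    counts = {name: 0 for name in fields}
    other = []
    for off in (i for i in range(len(a)) if a[i] != b[i]):
        for name, (start, size) in fields.items():
            if start <= off < start + size:
                counts[name] += 1
                break
        else:
            other.append(off)
    return counts, other

def normalized_sha256(pe: bytes) -> str:
    """SHA-256 of the file with the volatile fields zeroed."""
    buf = bytearray(pe)
    for start, size in volatile_fields(pe).values():
        buf[start:start + size] = bytes(size)
    return hashlib.sha256(buf).hexdigest()

def make_sample(timestamp: int, checksum: int) -> bytes:
    """Constructed 512-byte stand-in for a build: headers only, not a runnable program."""
    buf = bytearray(0x200)
    buf[:2] = b"MZ"
    struct.pack_into("<I", buf, 0x3C, 0x80)
    buf[0x80:0x84] = b"PE\0\0"
    struct.pack_into("<I", buf, 0x80 + 4 + 4, timestamp)
    struct.pack_into("<I", buf, 0x80 + 4 + 20 + 64, checksum)
    return bytes(buf)

if __name__ == "__main__":
    first, rebuilt = make_sample(0x11223344, 0x0A0B0C0D), make_sample(0x55667788, 0x1A1B1C1D)
    print(classify_diff(first, rebuilt))
    print(normalized_sha256(first) == normalized_sha256(rebuilt))
```

The whole-file hashes of the two samples differ while the normalized hashes match, so any comparison keyed on the exact file stops matching after a rebuild of identical source.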


> No longer detected!!

> Great. Please be so kind as to take a look at the file which is attached to this post. Here is the empty program from the first post. I just compiled it again. foo.exe and foo2.exe have only 8 different bytes: 4 for the timestamp of compilation and 4 for the checksum. And while foo.exe is OK, foo2.exe is marked as a virus (and all my programs too). I really can't understand what the point was of whitelisting that build of the empty program :)

Will submit this as a FP, as well...

Thanks!

Programs compiled with that program may be used in real malicious files, which is why the packer is detected.

The Support Staff will be looking into this shortly.


> Programs compiled with that program may be used in real malicious files, which is why the packer is detected.

But it is not a packer. It is a compiler. Like one from MS Visual Studio.

I believe it is used mostly by developers of open source software (since it is open source itself). And this is the reason for the absence of false positive reports. Open source developers don't care about antiviruses, they say "Our program is not malware. There is a bug in your antivirus. Check the source code if unsure" :-)

But hey, how long will SAS mark my (and a lot of others') harmless programs as viruses?
