Dave Tyler Posted December 17, 2011
After downloading today's updates and product update I got two alerts that I quarantined. The basic alert was: Heur.Agent/Gen-Fakesas. Administrators.... help? Is this a false positive?

siliconman01 Posted December 17, 2011
I am also getting 1 false detection. Ran file ICONCDDCBBF15.EXE through VirusTotal and 0 scanners reported as malicious.
SUPERAntiSpyware Scan Log
https://www.superantispyware.com
Generated 12/17/2011 at 03:57 AM
Application Version : 5.0.1142
Core Rules Database Version : 8064
Trace Rules Database Version: 5876
Scan type : Complete Scan
Total Scan Time : 00:20:19
Operating System Information
Windows 7 Professional 64-bit, Service Pack 1 (Build 6.01.7601)
UAC Off - Administrator
Memory items scanned : 623
Memory threats detected : 0
Registry items scanned : 72468
Registry threats detected : 0
File items scanned : 38074
File threats detected : 1
Heur.Agent/Gen-FakeSAS
C:\WINDOWS\INSTALLER\{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}\ICONCDDCBBF15.EXE
NOTE: The file ICONCDDCBBF15.EXE has been submitted to SAS as a suspected false positive.

pudelein Posted December 17, 2011
I also encountered this detection from SAS this morning; interestingly, the folder in which it was located was created on 01/24/2009: this is the date on which I first installed SAS 4.25.1002 and did nothing else of significance. So, if it is not a false positive, it looks like SAS is detecting something that it introduced nearly three years ago!

Dave Tyler Posted December 17, 2011
Same here. The one I reported? Or the other one?

Dave Tyler Posted December 17, 2011
> I also encountered this detection from SAS this morning; interestingly, the folder in which it was located was created on 01/24/2009: this is the date on which I first installed SAS 4.25.1002 and did nothing else of significance. So, if it is not a false positive, it looks like SAS is detecting something that it introduced nearly three years ago!
The one I reported? Or the other one?

Dave Tyler Posted December 17, 2011
Will the SAS people respond here efficiently? This is my first post.

SAS Customer Service Posted December 17, 2011
I will forward this to the proper person.

pudelein Posted December 17, 2011
> Will the SAS people respond here efficiently? This is my first post.
I was responding about the same detection that you did, namely, Heur.Agent/Gen-FakeSAS. I believe siliconman01 and kerr were both referring to your post also. As far as I know, there was no other issue in this thread until the Russians entered the discussion after the rest of us were gone.

Dave Tyler Posted December 17, 2011
> I was responding about the same detection that you did, namely, Heur.Agent/Gen-FakeSAS. I believe siliconman01 and kerr were both referring to your post also. As far as I know, there was no other issue in this thread until the Russians entered the discussion after the rest of us were gone.
Ok, sorry, I was thrown off by the first response; it looked like a different issue.

Kidd Posted December 18, 2011
> The one I reported? Or the other one?
Heur.Agent/Gen-FakeSAS
C:\WINDOWS\INSTALLER\{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}\ICONCDDCBBF15.EXE

Detour Man Posted December 18, 2011
This came up on a full scan today on me as well. After removing and quarantining it, I ran another and it came back again. I suspect a FP and submitted it as such. My other programs don't pick it up.

siliconman01 Posted December 19, 2011
This False Positive is fixed in latest update Core=8066, Trace=5878

Dave Tyler Posted December 22, 2011
> I will forward this to the proper person.
Any word on this? I downloaded the latest and I still get this result. These two have been quarantined:
Heur.Agent/Gen-FakeSAS
C:\DOCUMENTS AND SETTINGS\DAVE\APPLICATION DATA\MICROSOFT\INSTALLER\{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}\ICONCDDCBBF1.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{74EE98A3-11E4-4025-90D3-C1F59E0E3C73}\RP636\A0118513.EXE

geoff Posted December 22, 2011
Hi Dave, Can you tell us what version of the core and trace databases you have installed as of this latest result? Also, if you can, please submit another false positive report for each detected item (after restoring and re-scanning) so we can make sure the mitigation effort is correct. Thank you!

Dave Tyler Posted December 23, 2011
> Hi Dave, Can you tell us what version of the core and trace databases you have installed as of this latest result? Also, if you can, please submit another false positive report for each detected item (after restoring and re-scanning) so we can make sure the mitigation effort is correct. Thank you!
SAS: Program: 5.0.1142 Database: 8086 updated 3 minutes ago. Could you tell me how to submit a false positive report beyond what I have done above? Thank you.

Dave Tyler Posted December 29, 2011
Ok, I will be running the scan again today after I un-quarantine the items. And I have contacted SAS directly. However, I don't seem to have this mysterious, report False positive button. Can someone tell me where this is?

Dave Tyler Posted January 6, 2012
SAS has reported that this/they have been fixed. These have now cleared as of scanning last night.

dgrasser Posted January 21, 2012
I just upgraded SAS, early am of 1/21/12. After running a full scan, SAS detected two Heur.Agent/Gen.FakeSAS files, so apparently SAS has not yet fixed the problem. The file name of the file is "ICONCDDCBBF.13EXE" located in two separate locations.
C:\DOCUMENTS AND SETTINGS\DON\APPLICATION DATA\MICROSOFT\INSTALLER\{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}\ICONCDDCBBF1.EXE
C:\DOCUMENTS AND SETTINGS\HELPASSISTANT\APPLICATION DATA\MICROSOFT\INSTALLER\{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}\ICONCDDCBBF1.EXE

mikew_nt Posted January 21, 2012
Yep, this is an FP again, similar to the one in this thread from last year. For now I've put mine as a managed allowed item. Please let us know when an update fixes this.
Heur.Agent/Gen-FakeSAS
C:\WINDOWS\INSTALLER\{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}\ICONCDDCBBF13.EXE
Virus Total reports 0/43
SHA256: cc2a8301c5376dc7cf7ecbec6ae240c8152f737f4db6cb0639da922530a202c4
SHA1: c47e6e3ff9d3fbe7aa45f6a4f49328d2514b0772
MD5: 5a0cd869c004ffcc7fafe43f1c60090a
File size: 18.5 KB ( 18944 bytes )
File type: Win32 EXE
Detection ratio: 0 / 43
Analysis date: 2012-01-21 03:55:16 UTC ( 6 hours, 23 minutes ago )

dgrasser Posted January 21, 2012
Here is the SAS information for the scan that resulted in the two Heur.Agent/Gen.FakeSAS files:
Program Version - 5.0.1142
Database Version - Core Definitions 8153, Trace Definitions 5965
01/20/2012, 04:44PM PST

GP45 Posted January 22, 2012
Hello everyone! Just joined the board to show my own SUPERAntiSpyware Scan Log, generated today 01/22/2012 at 02:46 PM
Application Version : 5.0.1142
Core Rules Database Version : 8153
Trace Rules Database Version: 5965
Scan type : Complete Scan
Total Scan Time : 00:58:59
Operating System Information
Windows XP Home Edition 32-bit, Service Pack 3 (Build 5.01.2600)
Administrator
Memory items scanned : 538
Memory threats detected : 0
Registry items scanned : 24860
Registry threats detected : 0
File items scanned : 54240
File threats detected : 1
Heur.Agent/Gen-FakeSAS
C:\WINDOWS\INSTALLER\{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}\ICONCDDCBBF13.EXE
So, False Positive (my guess...) or not...? Any official reply from SAS people?

SAS Customer Service Posted January 23, 2012
This was a false positive which will be addressed as of the next definition release.