Dave Tyler

False Positive? - Heur.Agent/Gen-Fakesas

After downloading today's updates and product update I got two alerts that I quarantined.

The basic alert was: Heur.Agent/Gen-Fakesas.

Administrators.... help? Is this a false positive?


I am also getting 1 false detection. Ran file ICONCDDCBBF15.EXE through VirusTotal and 0 scanners reported as malicious.

SUPERAntiSpyware Scan Log

https://www.superantispyware.com

Generated 12/17/2011 at 03:57 AM

Application Version : 5.0.1142

Core Rules Database Version : 8064

Trace Rules Database Version: 5876

Scan type : Complete Scan

Total Scan Time : 00:20:19

Operating System Information

Windows 7 Professional 64-bit, Service Pack 1 (Build 6.01.7601)

UAC Off - Administrator

Memory items scanned : 623

Memory threats detected : 0

Registry items scanned : 72468

Registry threats detected : 0

File items scanned : 38074

File threats detected : 1

Heur.Agent/Gen-FakeSAS

C:\WINDOWS\INSTALLER\{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}\ICONCDDCBBF15.EXE

NOTE: The file ICONCDDCBBF15.EXE has been submitted to SAS as a suspected false positive.


I also encountered this detection from SAS this morning; interestingly, the folder in which it was located was created on 01/24/2009: this is the date on which I first installed SAS 4.25.1002 and did nothing else of significance. So, if it is not a false positive, it looks like SAS is detecting something that it introduced nearly three years ago!


I also encountered this detection from SAS this morning; interestingly, the folder in which it was located was created on 01/24/2009: this is the date on which I first installed SAS 4.25.1002 and did nothing else of significance. So, if it is not a false positive, it looks like SAS is detecting something that it introduced nearly three years ago!

The one I reported? Or the other one?


Will the SAS people respond here efficiently? This is my first post.

I was responding about the same detection that you did, namely, Heur.Agent/Gen-FakeSAS. I believe siliconman01 and kerr were both referring to your post also. As far as I know, there was no other issue in this thread until the Russians entered the discussion after the rest of us were gone.


I was responding about the same detection that you did, namely, Heur.Agent/Gen-FakeSAS. I believe siliconman01 and kerr were both referring to your post also. As far as I know, there was no other issue in this thread until the Russians entered the discussion after the rest of us were gone.

Ok, sorry, I was thrown off by the first response; it looked like a different issue.


The one I reported? Or the other one?

Heur.Agent/Gen-FakeSAS

C:\WINDOWS\INSTALLER\{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}\ICONCDDCBBF15.EXE


This came up on a full scan today on me as well. After removing and quarantining it, I ran another and it came back again. I suspect a FP and submitted it as such. My other programs don't pick it up.


I will forward this to the proper person.

Any word on this? I downloaded the latest and I still get this result.

These two have been quarantined:

Heur.Agent/Gen-FakeSAS

C:\DOCUMENTS AND SETTINGS\DAVE\APPLICATION DATA\MICROSOFT\INSTALLER\{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}\ICONCDDCBBF1.EXE

C:\SYSTEM VOLUME INFORMATION\_RESTORE{74EE98A3-11E4-4025-90D3-C1F59E0E3C73}\RP636\A0118513.EXE


Hi Dave,

Can you tell us what version of the core and trace databases you have installed as of this latest result? Also, if you can, please submit another false positive report for each detected item (after restoring and re-scanning) so we can make sure the mitigation effort is correct.

Thank you!


Hi Dave,

Can you tell us what version of the core and trace databases you have installed as of this latest result? Also, if you can, please submit another false positive report for each detected item (after restoring and re-scanning) so we can make sure the mitigation effort is correct.

Thank you!

SAS: Program: 5.0.1142

Database: 8086

updated 3 minutes ago.

Could you tell me how to submit a false positive report beyond what I have done above?

Thank you.


Ok, I will be running the scan again today after I un-quarantine the items.

And I have contacted SAS directly.

However, I don't seem to have this mysterious "report false positive" button.

Can someone tell me where this is?


I just upgraded SAS, early am of 1/21/12. After running a full scan, SAS detected two Heur.Agent/Gen.FakeSAS files, so apparently SAS has not yet fixed the problem. The file name of the file is "ICONCDDCBBF.13EXE" located in two separate locations.

C:\DOCUMENTS AND SETTINGS\DON\APPLICATION DATA\MICROSOFT\INSTALLER\{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}\ICONCDDCBBF1.EXE

C:\DOCUMENTS AND SETTINGS\HELPASSISTANT\APPLICATION DATA\MICROSOFT\INSTALLER\{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}\ICONCDDCBBF1.EXE


Yep, this is an FP again, similar to the one in this thread from last year. For now I've put mine as a managed allowed item. Please let us know when an update fixes this.

Heur.Agent/Gen-FakeSAS

C:\WINDOWS\INSTALLER\{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}\ICONCDDCBBF13.EXE

Virus Total reports 0/43

SHA256: cc2a8301c5376dc7cf7ecbec6ae240c8152f737f4db6cb0639da922530a202c4

SHA1: c47e6e3ff9d3fbe7aa45f6a4f49328d2514b0772

MD5: 5a0cd869c004ffcc7fafe43f1c60090a

File size: 18.5 KB ( 18944 bytes )

File type: Win32 EXE

Detection ratio: 0 / 43

Analysis date: 2012-01-21 03:55:16 UTC ( 6 hours, 23 minutes ago )


Here is the SAS information for the scan that resulted in the two Heur.Agent/Gen.FakeSAS files:

Program Version - 5.0.1142

Database Version - Core Definitions 8153, Trace Definitions 5965

01/20/2012, 04:44PM PST


Hello everyone! Just joined the board to show

My own SUPERAntiSpyware Scan Log

Generated today 01/22/2012 at 02:46 PM

Application Version : 5.0.1142

Core Rules Database Version : 8153

Trace Rules Database Version: 5965

Scan type : Complete Scan

Total Scan Time : 00:58:59

Operating System Information

Windows XP Home Edition 32-bit, Service Pack 3 (Build 5.01.2600)

Administrator

Memory items scanned : 538

Memory threats detected : 0

Registry items scanned : 24860

Registry threats detected : 0

File items scanned : 54240

File threats detected : 1

Heur.Agent/Gen-FakeSAS

C:\WINDOWS\INSTALLER\{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}\ICONCDDCBBF13.EXE

So, False Positive (my guess...) or not...?

Any official reply from SAS people?

This topic is now closed to further replies.