tjseven

Is this a False Positive??


SAS is the only application that detects this and while it says it will remove it...it's always there on the next scan??

Trojan.Windows Overlay Components/SysMon

HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_WINDOWS_OVERLAY_COMPONENTS
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_WINDOWS_OVERLAY_COMPONENTS#NextInstance
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_WINDOWS_OVERLAY_COMPONENTS\0000
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_WINDOWS_OVERLAY_COMPONENTS\0000#Service
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_WINDOWS_OVERLAY_COMPONENTS\0000#Legacy
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_WINDOWS_OVERLAY_COMPONENTS\0000#ConfigFlags
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_WINDOWS_OVERLAY_COMPONENTS\0000#Class
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_WINDOWS_OVERLAY_COMPONENTS\0000#ClassGUID
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_WINDOWS_OVERLAY_COMPONENTS\0000#DeviceDesc

Thanks

TJ


Yes, google is my friend. As I found during my past googles, SAS was the only app detecting this.

I guess my question would be: Why does SAS say it will remove these and they still return???

Are these legacy or are they being regenerated by something I can't find???

Thank you for your help.

TJ


It's likely they can't be removed due to registry permissions - our 4.0 version handles that - you can try 4.0 if you would like to PM me.
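One way to check both the permissions explanation above and TJ's question about whether something is regenerating the key, from an elevated PowerShell prompt: this added example is not from the thread or from SAS. It lists what each numbered instance under the flagged key points at (a LEGACY_ entry whose Service value still resolves to a live Services key will be re-created at boot) and whether Administrators hold delete rights on the key at all. The key path is the one from the post; the function names and checks are my own.

```powershell
# Added example (not from the forum thread or from SAS). Key path is from the post;
# Get-LegacyEnumInfo / Test-AdminsCanDelete are names chosen here.
$key = 'HKLM:\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_WINDOWS_OVERLAY_COMPONENTS'

function Get-LegacyEnumInfo {
    param([string]$Path)
    if (-not (Test-Path $Path)) { Write-Output "Key not present: $Path"; return }

    # Each numbered instance (0000, 0001, ...) records the service it belongs to.
    foreach ($inst in Get-ChildItem -Path $Path) {
        $p = Get-ItemProperty -Path $inst.PSPath
        [pscustomobject]@{
            Instance    = $inst.PSChildName
            Service     = $p.Service
            DeviceDesc  = $p.DeviceDesc
            ClassGUID   = $p.ClassGUID
            ConfigFlags = $p.ConfigFlags
            # No matching Services key: a stale leftover. A matching key: the
            # driver/service is still installed and PnP will rebuild the LEGACY_ entry.
            ServiceKeyExists = [bool]$p.Service -and
                (Test-Path "HKLM:\SYSTEM\CurrentControlSet\Services\$($p.Service)")
        }
    }
}

function Test-AdminsCanDelete {
    param([string]$Path)
    # The Enum tree is owned by SYSTEM; Administrators normally get read access only,
    # so a user-mode cleaner can report a removal that never actually took effect.
    $acl    = Get-Acl -Path $Path
    $delete = [int][System.Security.AccessControl.RegistryRights]::Delete
    $admins = $acl.Access | Where-Object {
        $_.IdentityReference -like '*\Administrators' -and $_.AccessControlType -eq 'Allow'
    }
    [pscustomobject]@{
        Owner           = $acl.Owner
        AdminRights     = ($admins | ForEach-Object { $_.RegistryRights }) -join ', '
        AdminsCanDelete = [bool]($admins | Where-Object { ([int]$_.RegistryRights -band $delete) -ne 0 })
    }
}

Get-LegacyEnumInfo -Path $key | Format-List
Test-AdminsCanDelete -Path $key | Format-List
```

If AdminsCanDelete comes back False, the key can only be removed by something running as SYSTEM or by first taking ownership, which is what the permissions remark above is describing; if ServiceKeyExists is True, look at that Services entry before treating the LEGACY_ key itself as the problem.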
