False Positive - RAM Scan

Hi there,

I was conducting a customized RAM Rootkit scan (to compare results with the boot scan). I wanted to see if something among the services was a potential rootkit.

However, I received a false positive with SuperAntiSpyware.exe (www.superantispyware.com), the free version. Just to verify my results, I did the same scan on three other computers (on one of them I installed the SuperAntiSpyware free version just prior to the scan) to compare results. Each displayed a similar issue (the PID was different on each machine, but the results were the same). (See image below.)

I know the SAS free version stays resident to conduct random checks for program updates, ensure the home page does not change, etc., and the full version does scheduled scans, definition updates, and maintains protection from spyware and such, but I didn't know if anyone else had reported the issue from a RAM scan.

http://home.myfairpoint.net/vze2xgg2/images/AvastFalsePositiveFromSAS.jpg

Well… you have done what a million others have done… a custom scan and selected "scan memory".

The short story: DO NOT use the scan memory setting, as it gives some weird results.

If you search the forum for scan memory / memory scan / detection in memory

you should find a ton of info about why not

  1. It isn’t saying SuperAntiSpyware.exe is infected, just that it is the ‘Process - 2700’ responsible for loading that data into the memory block.

  2. It isn’t a false positive as you have asked avast to scan memory for viruses, etc. and it has found some in the form of unencrypted virus signatures loaded into memory by SAS.

SAS free also stays resident so that you can do a context-menu (right-click) scan on a file; to do that it has preloaded some signatures in memory.

Same as buying an attack dog, don’t be surprised if it bites someone.
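The mechanism the reply above describes, as an added example that is not part of this thread or of either product: a plain byte scanner over a process image flags whatever AV left its signature database unencoded in memory, while a database kept masked (a simple XOR here, a constructed stand-in for whatever real products use) is not matched by the scanner yet still detects samples. All signatures and memory buffers below are constructed.

```python
# Added example (not from the thread or either product): why a memory scan
# trips on another AV's plaintext signature database, and how keeping the
# database encoded in memory avoids it. All data here is constructed.

# Constructed, harmless stand-ins for malware byte signatures.
SIGNATURES = [b"EVIL-SAMPLE-SIG-1", b"BADCODE-PATTERN-2"]


def naive_memory_scan(memory: bytes, signatures=SIGNATURES):
    """Return every signature found anywhere in a process memory image."""
    return [s for s in signatures if s in memory]


def xor_mask(data: bytes, key: int = 0x5A) -> bytes:
    """Symmetric byte mask so the resident store never holds raw patterns."""
    return bytes(b ^ key for b in data)


class SignatureDatabase:
    """Simulates an AV keeping its signatures resident in memory."""

    def __init__(self, signatures, encoded: bool):
        self.encoded = encoded
        self._store = [xor_mask(s) if encoded else s for s in signatures]

    def memory_image(self) -> bytes:
        # What another scanner sees when it reads this process's memory.
        return b"\x00" * 16 + b"|".join(self._store) + b"\x00" * 16

    def matches(self, sample: bytes) -> list:
        # Decode each signature only transiently while checking a sample.
        decoded = (xor_mask(x) if self.encoded else x for x in self._store)
        return [s for s in decoded if s in sample]


def demo():
    plain = SignatureDatabase(SIGNATURES, encoded=False)
    masked = SignatureDatabase(SIGNATURES, encoded=True)
    sample = b"...EVIL-SAMPLE-SIG-1..."  # constructed "infected" file content
    return {
        "plain_flagged": naive_memory_scan(plain.memory_image()),
        "masked_flagged": naive_memory_scan(masked.memory_image()),
        "plain_still_detects": plain.matches(sample),
        "masked_still_detects": masked.matches(sample),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

The plaintext database is "detected" by the naive scanner exactly as the thread describes, while the masked one is invisible to it and still catches the sample.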