SAS false positives?

Maybe this belongs more properly in Viruses & Worms, but I figured it’s general enough plus would probably be seen by more members here. If the mods feel moving it is appropriate, no argument.

Is it just me, or is SAS (I’ve got the free version) starting to get heavy on FP’s? I usually do a quick scan over the weekend, and on 2 of the last 3 it flagged supposed trojans in a number of files relating to two apps that have been on my system for years. Different trojans each time, but the same one for all such files in each case.

Neither avast nor MBAM found anything, and (the first time, anyway) I even submitted all such files to both Jotti and VirusTotal, and both came back totally “nothing found”. So I submitted a FP report to SAS along with a zipped set of the files, and they obviously agreed because updated defs last weekend found nothing. But they’re supposedly back again with yesterday’s defs.

I’m seriously considering ditching SAS and keeping just avast and MBAM, under the circumstances, especially considering SAS includes a rather huge database of OK (I presume) apps which I’d just as soon get rid of. Any thoughts as to whether I’d still have reasonably good protection?

Well I think it is in the right forum as I believe the viruses and worms forum should really be avast related, but no matter.

I have been using SAS Pro for some considerable time, I update it weekly and do a Quick scan after the update and didn’t have any issues on the last scan yesterday.

The problem is that you don’t say what was detected, what it was called and where it was located so no one can really offer any advice or conclusion. The file name, location and malware name may have some bearing on whether or not it might be found to be a virus/trojan, etc. as the scanners on VT may not include what SAS detected/reported.

I haven’t seen an FP in SAS for some considerable time and mine is the Pro version which is also resident.

Hi David,

I just rescanned that one folder (for Graphic Workshop Pro, my personal favorite for image editing), and SAS claims it found Trojan.Agent/Gen-Kryptik in two files, Gwsjpg.DLL and Gwspng.DLL. I forgot what it supposedly found last time, but it was about 3 DLL’s in the same folder plus 6 more (again, all DLL’s) in the folder for Sierra’s Upball3 game. As I’d previously mentioned, the folks at SAS apparently agreed the earlier ones were all FPs and revised their defs accordingly.

Maybe the next step would be to Google this trojan and see if there’s anything interesting there.

Back again – interestingly, googling just the trojan name resulted in the majority of top “hits” being at the SAS forums. Apparently this particular one was reported as an FP by a number of others, and has been corrected as of today.

Even more interesting, there was at least one post in that same topic complaining about the unusual number of SAS FPs over the last 2 or 3 weeks, so it sounds like others have experienced the same as me in the same time period. Which pretty much answers my first question, and leaves open the second one about how much I’d risk if I dropped SAS from my defense arsenal, since avast is pretty darned good and MBAM is widely believed to offer broader protection than SAS.

Yes, if you look at the malware name in a little more detail, trojan.agent can be almost anything, the /Gen indicates a generic signature, and adding to that the -Kryptic (if it is anything like the ‘cryptic’ crossword meaning) could well mean a very vague detection.

So given all that I would have said that it is highly likely to be a signature that would have a high percentage of FPs. The problem with detecting new, previously undetected samples is that there is a fine line between catching something very new and flagging a legit program.

I guess I live a very sheltered life as I hardly (fingers crossed) get any alerts, and those I do get are normally from investigating stuff on the forums or are false positives, and that is primarily on MBAM, which I still keep as a second on-demand anti-malware.

So I wouldn’t ditch MBAM, I just fully investigate all detections on any of my security applications, so I suggest you do the same with SAS.
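The two points made above (a generic-looking detection name deserves less trust, and every detection should be corroborated against the other scanners before acting on it) can be written down as a small triage routine. The following Python is an added example, not code from this thread or from SUPERAntiSpyware, avast, MBAM or VirusTotal; the list of “generic” name fragments, the scoring thresholds, the sample hash and the second detection name are assumptions constructed for illustration, not any vendor’s documented naming scheme.

```python
"""Triage one anti-malware detection for false-positive likelihood.

Added example, not part of the forum thread or of any named product.
GENERIC_TOKENS and the score thresholds are illustrative assumptions.
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import Optional

# Name fragments that many engines use for generic or heuristic rules rather
# than for a signature matching one known sample. ASSUMPTION for illustration.
GENERIC_TOKENS = {"gen", "generic", "heur", "heuristic", "agent",
                  "suspicious", "variant", "packed"}


@dataclass
class ScanResult:
    engine: str
    detection: Optional[str]  # None means this engine reported the file clean


def parse_detection_name(name: str) -> dict:
    """Split 'Trojan.Agent/Gen-Kryptik' into tokens and flag generic markers."""
    tokens = [t for t in re.split(r"[./\-_!:]", name) if t]
    generic = [t for t in tokens if t.lower() in GENERIC_TOKENS]
    return {"type": tokens[0] if tokens else "", "tokens": tokens,
            "generic_markers": generic, "is_generic": bool(generic)}


def triage(flagged: ScanResult, others: list[ScanResult],
           multiscanner: Optional[tuple[int, int]] = None,
           file_sha256: str = "", known_good: frozenset = frozenset()) -> dict:
    """Score a detection: <= 0 probable FP, 1-3 investigate, >= 4 treat as real."""
    reasons, score = [], 0
    info = parse_detection_name(flagged.detection or "")
    if info["is_generic"]:
        reasons.append(f"{flagged.engine} name has generic markers "
                       f"{info['generic_markers']}: low-specificity rule")
    else:
        score += 2
        reasons.append(f"{flagged.engine} name names a specific family")
    agreeing = [r.engine for r in others if r.detection]
    clean = [r.engine for r in others if r.detection is None]
    score += 2 * len(agreeing) - len(clean)
    if agreeing:
        reasons.append(f"also flagged by {agreeing}")
    if clean:
        reasons.append(f"reported clean by {clean}")
    if multiscanner is not None:
        positives, total = multiscanner
        if positives == 0:
            score -= 2
            reasons.append(f"multi-engine scan 0/{total}: no corroboration")
        elif positives >= 3:
            score += 3
            reasons.append(f"multi-engine scan {positives}/{total} agree")
    if file_sha256 and file_sha256.lower() in known_good:
        score -= 3
        reasons.append("hash matches known-good software inventory")
    if score <= 0:
        verdict = "probable false positive: submit sample to vendor, do not delete"
    elif score < 4:
        verdict = "investigate further before acting"
    else:
        verdict = "treat as real: quarantine and investigate"
    return {"verdict": verdict, "score": score, "reasons": reasons}


def example_cases() -> dict:
    """Two constructed cases: the thread's DLL and a well-corroborated hit."""
    # Case from the thread: SAS alone flags a DLL, others clean. Hash is a placeholder.
    placeholder_hash = "0" * 64  # constructed, not a real file hash
    fp_case = triage(
        ScanResult("SAS", "Trojan.Agent/Gen-Kryptik"),
        [ScanResult("avast", None), ScanResult("MBAM", None)],
        multiscanner=(0, 40), file_sha256=placeholder_hash,
        known_good=frozenset({placeholder_hash}))
    # Contrasting case: specific (constructed) name, another engine agrees.
    real_case = triage(
        ScanResult("SAS", "Win32.ExampleFamily.A"),  # constructed family name
        [ScanResult("avast", None), ScanResult("MBAM", "Trojan.Downloader")],
        multiscanner=(12, 40))
    return {"fp": fp_case, "real": real_case}


if __name__ == "__main__":
    for label, result in example_cases().items():
        print(label, result["score"], result["verdict"])
        for reason in result["reasons"]:
            print("   -", reason)
```

The scoring is deliberately crude; what matters is the shape of the decision: a generic family plus a generic suffix gives the flagging engine little weight on its own, and a lone detection contradicted by every other scanner ends in “submit sample to vendor” rather than “delete”, which is exactly the path that got the earlier Graphic Workshop DLL definitions corrected.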

Fair enough, thanks Dave. I’ve got my SAS set up to create a report only if something’s found, so I’ll have to remember to clear those out from time to time.

I rarely use SAS for scanning, but I use its REPAIR function, which I find very helpful.