VanguardLH wrote:
> JD wrote:
>
>> Doing some research about a question in another newsgroup, I fired up
>> Process Explorer, from http://technet.microsoft.com/en-us/sysinternals
>> and I found a couple of new process running in the background:
>>
>> SASCORE.exe: The Description is "core service." I run SUPERAntiSpyware
>> Free as an on-demand scanner and manually update it so I'm curious as to
>> why this process starts with Windows? The SAS response is: "You need it
>> for the free edition - leave it set as we set it. The core service
>> should be left running - that's the bottom line - it uses little memory
>> or cpu." Anybody here familiar with this service? I can easily set it to
>> manual or disabled using Control Panel, Administrative Tools, Services.
>
> I think the sascore process showed up after some update in August. It
> looks like it was there before in the Pro version and then got added in
> August via update to the free version. Although claimed for use during
> real-time protection, it's now there for the free version that
> doesn't have real-time protection. Despite going through all of its
> configuration settings, it WILL be running processes on Windows startup.
> Also, from what I've read (since I don't have it anymore), SAS will
> re-insert its startup process. So you disable/delete it but SAS puts it
> back in. I use WinPatrol and can have it *permanently* disable an item.
> If it shows up again, WinPatrol will disable it again (before you reboot
> and it loads again). For example, Apple sticks its worthless
> qttask.exe into the registry as a startup item and it will reappear (I
> forget the event that reinstates this entry, like you run their program,
> its config, or due to an update), so I disable it in WinPatrol. If
> WinPatrol sees it show up again as a startup entry then it disables it
> again. From other users, sascore is NOT required despite the claims of
> SAS techs but it keeps trying to reinstate itself so you need to keep
> disabling it (unless you use something automatic to do that, like
> WinPatrol). When queried about the purpose of this background process,
> SAS won't elucidate. That's no big surprise since many anti-malware
> authors rely on secrecy (and not help malware authors) rather than
> robustness to deter anti-malware.
>
> Even if you address the sascore process, SAS also installs a system hook
> when it installs. It doesn't matter if you configure it to be passive
> or not. It still injects a hook into the system. I'd have to install
> it again and monitor that install. I suspect I either saw it using
> Resplendence's Hook Analyzer (as a system API hook) or SysInternal's
> AutoRun (as a "shell execute" hook). I just remember finding it despite
> trying to keep SAS Free completely quiescent when not loaded.
>
> Despite their claim that these measures were needed for SAS to attempt
> to get "below" any existing active malware to ensure SAS could detect
> and eradicate the malware, I wanted a completely passive on-demand
> secondary anti-malware scanner. So I uninstalled SAS (and used the
> snapshot recorded in Zsoft Uninstaller to eliminate any remnant registry
> entries and files after the normal uninstall).
>
>> a2Service.exe: The Description is Emsisoft Anti-Malware Service. I run
>> Emsisoft Anti-Malware as an on-demand scanner and manually update it so
>> I'm also curious as to why this process starts with Windows? I haven't
>> found a real description of what it does. Anybody here familiar with
>> this service? I can easily set it to manual or disabled using Control
>> Panel, Administrative Tools, Services.
>>
>> I'm not a big fan of services that run in the background for no real
>> reason.
>
> It seems you are mixing two anti-malware products together in your post:
> SuperAntispyware (SAS) and a-Squared (Emsisoft). It's been way too long
> since I trialed a-Squared to remember anything about that software.
>
> From what I read, this is used to run A2 while logged on under a limited
> user account (LUA). If you're always logged on under an admin-level
> account, see if setting this service to "manual" startup mode has no
> detrimental effects on using A2. Automatic means it gets loaded when
> Windows is started (and before you login). That only means it gets
> loaded, not that it remains loaded (some will load, do some checks, and
> unload). Manual means it won't be loaded until called, so when you load
> A2 then it'll call this service to load it. Of course, once the service
> is started and running doesn't mean it gets stopped when you exit the
> application. I suspect if you set the service to manual (service not
> running when you start Windows) and then right-click on a folder or file
> to select the A2 context menu entry to scan the file, the A2 service
> gets loaded and it will continue running even after the scan has
> completed. So if you use anything of A2 then the service gets started
> and continues running until the next time you restart Windows. So
> consider if the process' memory footprint is really that bad that you
> need to keep the service from loading on Windows startup since anytime
> you use A2 will start the service, anyway.
>
> So how many security products did you install on your host? If you're
> only using some of them as only on-demand scanners, why not look at
> using their online scanners? http://www.emsisoft.com/en/software/ax/ for
> A2 but many other AV vendors have online detect-only scanners. They
> still require installing a client, like an ActiveX control, that
> downloads their newest signatures, but it only does a scan and nothing
> of it is running before or after the scan. Of course, that also means
> any currently active malware could deter, affect, or corrupt their
> client regarding the detection and eradication of the pest. Many online
> scanners only tell you about a pest and won't get rid of it since the
> full client isn't running on your host; however, unless they say you are
> infected then you don't need their full client. The detection rate is
> the same (but doesn't do the cleanup provided by the full client).
> That's about as quiescent a *scanner* as you can get when not using it.
>
> A word of caution about using online scanners: use an install monitor to
> record their changes. The prevalent majority of online scanners provide
> no uninstaller. They install a small detect-only client on your host
> either as an app or browser add-on (AX for Internet Explorer). I've
> found way too many browser helpers, add-ons, AX controls, or even helper
> apps (clients) don't add an entry to the Add/Remove Programs applet (no
> entry under the Uninstall registry key) so you're stuck with them unless
> you used something to record their installation that you can then later
> use to eradicate them. I use Zsoft Uninstaller (free). There are
> payware uninstall tools, too, that will monitor installations (e.g.,
> Revo Uninstaller and Total Uninstaller). If you're using a 64-bit
> version of Windows, make sure you use an uninstaller that supports it
> (Zsoft is too old and Revo free is an old version that doesn't support
> Win x64).
I'll stick with the two programs, for now. Not a big fan of online
scanners, for the reasons you mention.
Sorry to confuse with asking about two different programs. Both the
SAScore.exe and the a2service.exe run as Services and both can be set to
Automatic, Manual or Disabled. I have both set to Manual.
Using SysInternal's AutoRun, I see the hook you're talking about:
Description: SABShellExecuteHook ClassShellExecuteHook
Publisher: SuperAdBlocker.com
Image Path: superantispyware\sasseh.dll
What does that do, exactly?
And you are correct about using the context menu entry to scan a file
with Emsisoft Anti-Malware. (They don't call it a2 anymore). Once the
scan is complete, the a2Service is turned back on when it is set to
Manual. I stopped it and set it to Disabled and Emsisoft Anti-Malware
will not run.
SAScore does not exhibit that behavior using the context menu entry to
scan a file with SASfree.
Now I know how to deal with the two services. What about the SAS hook?
Just leave it alone?
--
JD..
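Editor's note, added to the thread rather than posted by either participant: the Autoruns category "ShellExecuteHooks" that sasseh.dll appears under corresponds to the registry key HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks. Each value name there is a CLSID of a COM object implementing IShellExecuteHook; Explorer, and any other process that calls ShellExecute, creates that object in-process and lets it inspect (and potentially veto) the launch before it happens. That is why a scanner configured to be "passive" can still end up loaded into other programs, and it is also the entry an installer or updater can quietly re-register. The script below is an added example, not code from SAS, Emsisoft or the posters; it lists the registered hooks with the DLL each resolves to and its Authenticode status, reports the start mode of the two services by matching the image names quoted in the thread (sascore.exe, a2service.exe), and keeps a small baseline so a re-inserted hook shows up after the next update. It assumes Windows PowerShell 3.0 or later, an elevated prompt, and an arbitrary baseline file path; the image-name matching is an assumption, since the thread never gives the service names.

```powershell
# Added example, not code from the thread or from SAS/Emsisoft.
# Assumptions: Windows PowerShell 3.0+ (ConvertTo-Json), elevated prompt,
# services identified only by the image names quoted in the thread,
# baseline path chosen arbitrarily.

$HookKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks'  # 32-bit view on x64
)
$ClassHives = @('HKLM:\SOFTWARE\Classes', 'HKLM:\SOFTWARE\Classes\Wow6432Node')

function Get-ShellExecuteHook {
    # Each value name under ShellExecuteHooks is a CLSID. Resolve it to the
    # in-process DLL via CLSID\{...}\InprocServer32 and check its signature.
    foreach ($key in $HookKeys) {
        if (-not (Test-Path $key)) { continue }
        foreach ($clsid in (Get-Item $key).GetValueNames()) {
            if ([string]::IsNullOrEmpty($clsid)) { continue }   # skip the (default) value
            $dll = $null
            foreach ($hive in $ClassHives) {
                $srv = Join-Path $hive "CLSID\$clsid\InprocServer32"
                if (Test-Path $srv) { $dll = (Get-ItemProperty $srv).'(default)'; break }
            }
            $sig = 'n/a'
            if ($dll) {
                $expanded = [Environment]::ExpandEnvironmentVariables($dll)
                if (Test-Path $expanded) { $sig = (Get-AuthenticodeSignature $expanded).Status }
            }
            [pscustomobject]@{ Key = $key; CLSID = $clsid; Dll = $dll; Signature = $sig }
        }
    }
}

function Get-ScannerService {
    # Image names are an assumption taken from the thread; adjust to taste.
    param([string[]]$ImageName = @('sascore.exe', 'a2service.exe'))
    Get-WmiObject Win32_Service | Where-Object {
        $p = $_.PathName
        @($ImageName | Where-Object { $p -like "*$_*" }).Count -gt 0
    } | Select-Object Name, DisplayName, StartMode, State, PathName
}

function Save-HookBaseline {
    param([string]$Path = "$env:USERPROFILE\seh-baseline.json")   # arbitrary location
    @(Get-ShellExecuteHook) | ConvertTo-Json | Set-Content -Path $Path
}

function Compare-HookBaseline {
    # Lists hooks added or removed since the baseline, e.g. an updater
    # re-registering an entry you had deleted.
    param([string]$Path = "$env:USERPROFILE\seh-baseline.json")
    $old = @(Get-Content -Path $Path -Raw | ConvertFrom-Json | ForEach-Object { $_.CLSID })
    $now = @(Get-ShellExecuteHook | ForEach-Object { $_.CLSID })
    foreach ($c in $now) { if ($old -notcontains $c) { "added:   $c" } }
    foreach ($c in $old) { if ($now -notcontains $c) { "removed: $c" } }
}

# Usage: inspect now, snapshot, and re-run the comparison after an update.
Get-ShellExecuteHook | Format-Table -AutoSize
Get-ScannerService   | Format-Table -AutoSize
Save-HookBaseline
# later: Compare-HookBaseline
```

A hook entry whose DLL is unsigned or sits outside Program Files deserves a closer look, but a signed vendor DLL under its own install directory, as in the sasseh.dll entry above, is simply the product's ShellExecute interception; whether to keep it is the same trade-off VanguardLH describes, and deleting the registry value is what removes the hook, not changing the service's start mode.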