JD wrote:
> Doing some research about a question in another newsgroup, I fired up
> Process Explorer, from http://technet.microsoft.com/en-us/sysinternals
> and I found a couple of new processes running in the background:
>
> SASCORE.exe: The Description is "core service." I run SUPERAntiSpyware
> Free as an on-demand scanner and manually update it so I'm curious as to
> why this process starts with Windows? The SAS response is: "You need it
> for the free edition - leave it set as we set it. The core service
> should be left running - that's the bottom line - it uses little memory
> or cpu." Anybody here familiar with this service? I can easily set it to
> manual or disabled using Control Panel, Administrative Tools, Services.

I think the sascore process showed up after some update in August. It
looks like it was there before in the Pro version and then got added in
August via update to the free version. Although claimed for use during
real-time protection, it's now there for the free version that
doesn't have real-time protection. Despite going through all of its
configuration settings, it WILL be running processes on Windows startup.
Also, from what I've read (since I don't have it anymore), SAS will
re-insert its startup process. So you disable/delete it but SAS puts it
back in. I use WinPatrol and can have it *permanently* disable an item.
If it shows up again, WinPatrol will disable it again (before you reboot
and it loads again). For example, Apple sticks its worthless
qttask.exe into the registry as a startup item and it will reappear (I
forget the event that reinstates this entry, like you run their program,
its config, or due to an update), so I disable it in WinPatrol. If
WinPatrol sees it show up again as a startup entry then it disables it
again. From other users, sascore is NOT required despite the claims of
SAS techs but it keeps trying to reinstate itself so you need to keep
disabling it (unless you use something automatic to do that, like
WinPatrol). When queried about the purpose of this background process,
SAS won't elucidate. That's no big surprise since many anti-malware
authors rely on secrecy (and not help malware authors) rather than
robustness to deter anti-malware.

Even if you address the sascore process, SAS also installs a system hook
when it installs. It doesn't matter if you configure it to be passive
or not. It still injects a hook into the system. I'd have to install
it again and monitor that install. I suspect I either saw it using
Resplendence's Hook Analyzer (as a system API hook) or Sysinternals'
Autoruns (as a "shell execute" hook). I just remember finding it despite
trying to keep SAS Free completely quiescent when not loaded.

Despite their claim that these measures were needed for SAS to attempt
to get "below" any existing active malware to ensure SAS could detect
and eradicate the malware, I wanted a completely passive on-demand
secondary anti-malware scanner. So I uninstalled SAS (and used the
snapshot recorded in Zsoft Uninstaller to eliminate any remnant registry
entries and files after the normal uninstall).

> a2Service.exe: The Description is Emsisoft Anti-Malware Service. I run
> Emsisoft Anti-Malware as an on-demand scanner and manually update it so
> I'm also curious as to why this process starts with Windows? I haven't
> found a real description of what it does. Anybody here familiar with
> this service? I can easily set it to manual or disabled using Control
> Panel, Administrative Tools, Services.
>
> I'm not a big fan of services that run in the background for no real
> reason.

It seems you are mixing two anti-malware products together in your post:
SuperAntispyware (SAS) and a-Squared (Emsisoft). It's been way too long
since I trialed a-Squared to remember anything about that software.

From what I read, this is used to run A2 while logged on under a limited
user account (LUA). If you're always logged on under an admin-level
account, see if setting this service to "manual" startup mode has no
detrimental effects on using A2. Automatic means it gets loaded when
Windows is started (and before you login). That only means it gets
loaded, not that it remains loaded (some will load, do some checks, and
unload). Manual means it won't be loaded until called, so when you load
A2 then it'll call this service to load it. Of course, once the service
is started and running doesn't mean it gets stopped when you exit the
application. I suspect if you set the service to manual (service not
running when you start Windows) and then right-click on a folder or file
to select the A2 context menu entry to scan the file, the A2 service
gets loaded and it will continue running even after the scan has
completed. So if you use anything of A2 then the service gets started
and continues running until the next time you restart Windows. So
consider if the process' memory footprint is really that bad that you
need to keep the service from loading on Windows startup since anytime
you use A2 will start the service, anyway.

So how many security products did you install on your host? If you're
only using some of them as only on-demand scanners, why not look at
using their online scanners? http://www.emsisoft.com/en/software/ax/ for
A2 but many other AV vendors have online detect-only scanners. They
still require installing a client, like an ActiveX control, that
downloads their newest signatures, but it only does a scan and nothing
of it is running before or after the scan. Of course, that also means
any currently active malware could deter, affect, or corrupt their
client regarding the detection and eradication of the pest. Many online
scanners only tell you about a pest and won't get rid of it since the
full client isn't running on your host; however, unless they say you are
infected then you don't need their full client. The detection rate is
the same (but doesn't do the cleanup provided by the full client).
That's about as quiescent a *scanner* as you can get when not using it.

A word of caution about using online scanners: use an install monitor to
record their changes. The prevalent majority of online scanners provide
no uninstaller. They install a small detect-only client on your host
either as an app or browser add-on (AX for Internet Explorer). I've
found way too many browser helpers, add-ons, AX controls, or even helper
apps (clients) don't add an entry to the Add/Remove Programs applet (no
entry under the Uninstall registry key) so you're stuck with them unless
you used something to record their installation that you can then later
use to eradicate them. I use Zsoft Uninstaller (free). There are
payware uninstall tools, too, that will monitor installations (e.g.,
Revo Uninstaller and Total Uninstaller). If you're using a 64-bit
version of Windows, make sure you use an uninstaller that supports it
(Zsoft is too old and Revo free is an old version that doesn't support
Win x64).


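Added example, not part of either post: a read-only PowerShell check for the behaviour discussed in the reply above. It lists the start mode and current state of any service whose binary matches the executables named in the thread, lists matching Run-key startup items, and reports what appeared or changed since the previous run (a reinstated startup entry, or a Manual service that is now Running). The baseline file location is an assumption; the Run key paths are the standard Windows ones.

```powershell
# Executable names are the ones mentioned in the thread.
$Targets  = 'sascore.exe', 'a2service.exe', 'qttask.exe'
# Assumption: where the previous run's result is kept.
$Baseline = Join-Path $env:LOCALAPPDATA 'startup-baseline.txt'

function Get-StartupSnapshot {
    param([string[]]$Names)
    $pattern = ($Names | ForEach-Object { [regex]::Escape($_) }) -join '|'

    # Services: StartMode is Auto, Manual or Disabled; State is what is loaded right now.
    Get-CimInstance Win32_Service |
        Where-Object { $_.PathName -match $pattern } |
        ForEach-Object { "Service|$($_.Name)|$($_.StartMode)|$($_.State)" }

    # Logon startup items in the per-machine (64- and 32-bit view) and per-user Run keys.
    $runKeys = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
               'HKLM:\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run',
               'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
    foreach ($key in $runKeys) {
        $item = Get-Item -Path $key -ErrorAction SilentlyContinue
        if (-not $item) { continue }   # key absent on this system
        foreach ($valueName in $item.GetValueNames()) {
            if ([string]$item.GetValue($valueName) -match $pattern) {
                "RunKey|$key|$valueName|present"
            }
        }
    }
}

$current  = @(Get-StartupSnapshot -Names $Targets)
$previous = if (Test-Path $Baseline) { @(Get-Content $Baseline) } else { @() }

"Current startup state:"
$current

"New or changed since the last run:"
$current | Where-Object { $_ -notin $previous }

# Save this run as the baseline for the next comparison.
[IO.File]::WriteAllLines($Baseline, [string[]]$current)
```

Run it once after setting a service to Manual or disabling a startup item, then again after using the scanner or installing an update, to see whether the entry came back or the service stayed loaded.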