aswSP rootkit?

Hello, today I ran Trend Micro Rootkit Buster and got quite a few detections, all related to aswSP. I know this is the avast self-protection module, so I ignored the detections.

My question is: is there a reason that this aswSP would cause a false positive in 3rd-party rootkit scanning software?

The detected file was located at

C:\windows\system32\drivers\aswSP

It is an avast driver, aswSp.sys, for the avast self-defence module; it has to be at a low level to provide this protection.

If you right-click on it, it should also be a signed file; see image.
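The same signature check can be done from the command line. This is an added example, not code from the thread or from Avast: it assumes PowerShell 2.0 or later (Get-WmiObject is used instead of the newer CIM cmdlets so it also runs on older Windows), and the driver path is the one quoted above; change $DriverPath for another flagged file.

```powershell
# Added example: triage a driver flagged by a rootkit scanner by verifying its
# Authenticode signature and looking up how Windows registers it.
# Assumes PowerShell 2.0+; the default path is the thread's aswSP.sys (assumption).
param(
    [string]$DriverPath = "$env:SystemRoot\System32\drivers\aswSP.sys"
)

if (-not (Test-Path -LiteralPath $DriverPath)) {
    Write-Warning "File not found: $DriverPath"
    return
}

$file = Get-Item -LiteralPath $DriverPath

# Authenticode check: 'Valid' means the hash matches and the cert chains to a trusted root.
$sig = Get-AuthenticodeSignature -FilePath $DriverPath
$signer     = $null
$thumbprint = $null
if ($sig.SignerCertificate) {
    $signer     = $sig.SignerCertificate.Subject
    $thumbprint = $sig.SignerCertificate.Thumbprint
}

# Which kernel-mode driver service loads this file, and is it running right now?
# Matched on file name because PathName formats vary (\??\C:\..., system32\drivers\...).
$svc = Get-WmiObject -Class Win32_SystemDriver |
    Where-Object { $_.PathName -and ([System.IO.Path]::GetFileName($_.PathName) -ieq $file.Name) }

New-Object PSObject -Property @{
    Path             = $DriverPath
    SizeBytes        = $file.Length
    LastWrite        = $file.LastWriteTime
    SignatureStatus  = $sig.Status          # Valid, NotSigned, HashMismatch, UnknownError ...
    Signer           = $signer
    SignerThumbprint = $thumbprint
    ServiceName      = if ($svc) { $svc.Name } else { '(no Win32_SystemDriver entry)' }
    ServiceState     = if ($svc) { $svc.State } else { $null }
} | Format-List

# Verdict: a valid signature from the vendor you expect points to a false positive;
# anything else is worth the scan-log and sample submissions discussed in this thread.
switch ($sig.Status) {
    'Valid'        { Write-Host "Signature valid; confirm the Signer above is the vendor you expect." }
    'HashMismatch' { Write-Warning "File contents do not match the signature; treat as suspicious." }
    'NotSigned'    { Write-Warning "Unsigned kernel driver; investigate further." }
    default        { Write-Warning "Signature status '$($sig.Status)'; investigate further." }
}
```

Run it from an elevated prompt so the WMI driver query returns the full list; on systems without the driver registered as a service, the ServiceName field reports that explicitly rather than failing.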

So this detection by Trend Micro RootKit Buster is normal and nothing I have to worry about?

It is probably a false positive. Besides posting it here, I would also try: submitting it through the Avast program to the Avast team; e-mailing a copy of the file, if possible, to the Avast team; submitting the file to VirusTotal; submitting it to the Comodo Instant Malware Analysis website; submitting it to the Anubis website; and submitting the Trend Micro scan log, a copy of the file if possible, and the links from the VirusTotal/CIMA/Anubis reports to Trend Micro via their forum and/or web submission form and/or e-mail, etc.

Maybe even scan your system with Hitman Pro (free) and/or Norton Power Eraser (which is free) and/or Malwarebytes Free, just to see if they find anything and/or flag that file as suspicious as well. :wink:

Good luck Boss,
-John Jr :smiley:

I would say it isn't normal, as it is incorrect; it really shouldn't be picking it up. You need to report it to Trend Micro RootkitBuster for them to correct it.

There is no point in sending this to avast, as it isn't avast that is the problem; it needs to be resolved by Trend Micro. This is a legitimate, digitally signed file.

The same is true of sending this raw file to VirusTotal or Comodo, as neither of these scans will be replicating an anti-rootkit scan, which compares what is running against what is reported in the Windows API as running. So it would simply come up clean.

True, Boss, but some people want to have links/evidence from other sources when posting to forums, troubleshooting, etc. They may not be necessary, but will they hurt, Boss? :wink:

Though it is probably not necessary, there is a small chance that alerting Avast (though it is their file and they probably know it is clean, there is the very rare chance that there could be an issue with it, and at the least they would know that another company is detecting it :wink: ), all participants of VirusTotal who happen to look at the file, the Anubis project, and of course Trend Micro could help one or more of these companies/individuals in some small way; I see it as a way to possibly help the anti-malware community in the war against malware and false positives. ;D

But whatever you say, Boss; you are the expert. Thank you for commenting. ;D :slight_smile:

Thank you for the educational tip. :wink:
-John Jr :slight_smile:

I'm pretty sure it's a false positive now. I ran Rootkit Buster on my mother's PC, which has avast! 5.1 just like mine, and it detected the same files as on my PC, as both PCs are very similar setups (XP Home SP3) and have the same security software installed. I also checked the signing certificates on both, and they are all in order, like the example you posted above.

Thanks for your help.

You’re welcome.

:wink: