Can Avast Deem Accounting Software a Rootkit?

This might be a false positive.

This morning I ran a workstation that is almost never used and Avast claimed to have detected rootkits on it.

This machine is a Windows 7 Ultimate 32-bit workstation. It was set up last November to function as a spare workstation for our accounting department. It has various types of accounting software on it. Immediately after setting it up, it was turned off, disconnected from our network, and put into storage.

In April of this year I used this machine again to update the OS and software on it and then turned it off, disconnected it, and put it back into storage.

This morning I used the machine again. All I did was hook it up to the network, start it, run Windows Update, then run the accounting software, which downloaded an update to itself from our in-house accounting server.

I have Avast on the machine but the machine is not set to run any “scans” – no boot-time scan, and I didn’t run any manual scans on the machine. There is no email application on the machine, and I did not use any web browser.

There is nothing about this machine in the SOA Shield Log.

However, the SOA Scan Log shows 39 “rootkit” files detected this morning at the time when I was doing these updates. (See attached .png image.)

The File System Shield is turned on; and certainly some files must have been opened by my update processes. But I would then expect to see any issues in the Shield Log, not in the Scan Log.

I sincerely doubt that it is possible that any real rootkit was installed on this machine. It simply is never used to connect to the internet for either email or web access, nor are there any rootkits floating around on my network that it could have picked up.

The software update I installed today was Abila MIP Fund Accounting 2014.5.

So:

  1. Is Avast running “scans” on my computer (as opposed to executing whatever the “Shields” call what they do) even though no “scans” are turned on in the SOA Group settings? Or is this just nomenclature confusion and, perhaps, misdirection of data from what should be the Shield Log to the Scan Log?

  2. Is this a false positive?

Thanks for any help.

It appears to be a Windows update that the scheduled scan found. They can be ignored if in WinSxS.

Thank you.

However, there was no “scheduled scan”.

Boot-time scan is not scheduled. That is the sort of thing that “scheduled scan” means to me.

I realize that the shields “scan” files when they are opened, executed, etc. But I don’t call that “scheduled”. More importantly: Why did these events appear in the Scan Log when they are Shield events which, presumably, should be in the Shield Log?

Reading the log, it appears that an individual scan was run on one of the networked computers. It would be best to ask in the business forum https://forum.avast.com/index.php?board=33.0, as I have never used this version.