Symantec Removal Tools False Positive

Hello All -
I have some of Symantec’s Virus Removal Tools on my computer, and every time avast! does a scan, it detects the W32.Bropia and the W32.SQLExp.Worm Removal Tools from Symantec as Viruses themselves (Win32:SdBot-2865 [Trj] and Win32:SQLSlammer, respectively). Is there a way to stop this behavior? I’m using the U3 Edition of the product, Engine Version 1.0.108, Virus Definitions Version 0662-1, 12/24/2006. Thanks in advance, -Harrison N.

Those removal tools may well have unencrypted signatures of the viruses they are looking for.

You could also check the offending/suspect file at: VirusTotal - Multi engine on-line virus scanner
Or Jotti - Multi engine on-line virus scanner. If any other scanners here detect them, it is less likely to be a false positive. You can’t do this with the file in the chest; you will need to move it out. You will probably find others also detect them, which would tend to confirm an unencrypted signature.

If it is indeed a false positive, add it to the exclusions lists (Standard Shield, Customize, Advanced and Program Settings, Exclusions). You might want to create a folder for those tools, ‘RemovalTools’ etc., and use the wild card in the path for the exclusions, e.g. ?:/RemovalTools/.

Does the U3 Edition support an exclusion list, and, if so, how would I access it? Please note that the virus removal tools are on the same USB Flash Drive that avast is installed on. Thanks, -Harrison N.
P.S. Actually, besides avast!, only two other virus scanning engines on the first site you supplied flagged both removal tools as “suspicious”, eSafe and Fortinet; no other engines on the second site flagged the removal tools.

Sorry Harrison, I’m just an avast user and haven’t used the U3 version so I’m unaware of its full functionality.

As you say, it is being detected, but by what provider, or the on-demand scan?

In the regular version of avast there is the Program Settings, Exclusions for on-demand scans and the Standard Shield, Customize, Advanced and add the exclusion path. So if there is anything similar in the U3 version that’s where to look.

You could send the samples to avast; they would analyse them and possibly modify something to avoid detection, but it is difficult if there is an unencrypted signature in the tool, as there is no context checking (as far as I’m aware) to look further at what the purpose might be. If there were, then I believe it would slow scans, possibly to an unacceptable level.

Send the sample to virus@avast.com zipped and password protected with password in email body and false positive/undetected malware in the subject.

Merry Christmas