Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Symantec Endpoint detects Trojan.ADH.2 in the Combofix folder


  • Please log in to reply
6 replies to this topic

#1 TechnoGeek89

TechnoGeek89

  • Members
  • 4 posts
  • OFFLINE
  •  
  • Local time:12:47 PM

Posted 02 March 2012 - 04:39 PM

Our Symantec Endpoint Protection server reported this Risk:

Risk name: Trojan.ADH.2
File path: C:\Installs\Combofix\ComboFix.exe Event time: 2012-03-02 20:19:13 GMT Database insert time: 2012-03-02 20:57:39 GMT
User: SYSTEM

Has anyone seen this before? Is this a false positive? Symantec has an article about it on their website but I wonder if this is just Combofix identifying that it cleaned the trojan.... or is the machine actually infected.

BC AdBot (Login to Remove)

 


#2 cryptodan

cryptodan

    Bleepin Madman


  • Members
  • 21,868 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Catonsville, Md
  • Local time:05:47 PM

Posted 02 March 2012 - 04:46 PM

Where did you get Combofix, and why are you trying to use it?

Please read:

No one should be using ComboFix unless specifically instructed to do so by a Malware Removal Expert who can interpret the logs. It is a powerful tool intended by its creator to be "used under the guidance and supervision of an expert. Using this tool incorrectly could lead to disastrous problems with your operating system such as preventing it from ever starting again. When issues arise with new malware infections or other security tools conflicting with ComboFix, experts are aware of them and can advise users what should or should not be done while providing assistance. Those attempting to use ComboFix on their own do not have such information and are at risk when running the tool in an unsupervised environment. Please read the pinned topic ComboFix usage, Questions, Help? - Look here.

What specific issues are you having that requires using ComboFix?

Compliments of QuietMan7

#3 TechnoGeek89

TechnoGeek89
  • Topic Starter

  • Members
  • 4 posts
  • OFFLINE
  •  
  • Local time:12:47 PM

Posted 02 March 2012 - 04:49 PM

I often use combofix to clean up malware infected computers. It is one of the best free cleaners out there. I have had systems that were virtually unusable and Combofix has got them going again. I usually run it in Safe mode if possible unless I am helping someone remotely.

#4 TechnoGeek89

TechnoGeek89
  • Topic Starter

  • Members
  • 4 posts
  • OFFLINE
  •  
  • Local time:12:47 PM

Posted 02 March 2012 - 04:52 PM

Forgot to mention. I usually download it from bleepingcomputer.com but one of the other techs might have downloaded it from the wrong place. It was one of his computers.

#5 cryptodan

cryptodan

    Bleepin Madman


  • Members
  • 21,868 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Catonsville, Md
  • Local time:05:47 PM

Posted 02 March 2012 - 05:00 PM

It is more then likely a false positive. I would first upload the file to http://www.virustotal.com and see what they find. If it says its clean, then submit a report to Symantec.

But I would highly recommend not using Combofix as it could make the computers inoperable.

#6 TechnoGeek89

TechnoGeek89
  • Topic Starter

  • Members
  • 4 posts
  • OFFLINE
  •  
  • Local time:12:47 PM

Posted 02 March 2012 - 05:18 PM

cryptodan. Thanks for your help. I just got an email from the tech that he deleted the file so I guess I'll see if it pops up again in the next couple of days.

Thanks,
Tom

#7 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 51,768 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Virginia, USA
  • Local time:01:47 PM

Posted 03 March 2012 - 07:16 AM

Symantecís antivirus products contain an highly sensitive detection technology designed to detect entirely new malware threats without traditional signatures. This technology is aimed at detecting malicious software that has been intentionally mutated or morphed by attackers.

If one or more files on your computer have been classified as having a Trojan.ADH.2 threat, this indicates that the files have suspicious characteristics and therefore might contain a new or unknown threat. However, given the sensitive nature of this detection technology, it may occasionally identify non-malicious, legitimate software programs that also share these behavioral characteristics. Therefore, it is recommended that users manually check all files detected as Trojan.ADH.2 by Symantec antivirus products for potential misidentification, and submit any suspect files to Symantec Security Response for further analysis. For instructions on how to do this, read Submit Virus Samples.

In rare cases where a legitimate file has been misidentified and subsequently quarantined, your computer may behave abnormally or you may find that one or more applications no longer function as expected. In such rare situations, you should open the Quarantine in your Symantec antivirus product. From here, you may review the list of all files detected as Trojan.ADH.2 and, if you identify a potential misidentification, restore the file from quarantine and allow it to run normally.

Symantec description of Trojan.ADH.2



Certain embedded files that are part of legitimate programs or specialized fix tools such as Combofix may at times be detected by some anti-virus and anti-malware scanners as a "Risk Tool", "Hacking Tool", "Potentially Unwanted Program", or even "Malware" (virus/trojan) when that is not the case. This occurs for a variety of reasons to include the tool's compiler, the files it uses, whether files are compressed or packed, what behavior it performs, any registry strings it may contain and the type of security engine that was used during the scan. Other legitimate files which may be obfuscated, encrypted or password protected in order to conceal itself so they do not allow access for scanning but often trigger alerts by anti-virus software.

Such programs have legitimate uses in contexts where a Malware Removal Expert asked you to use the tool or when an authorized user/administrator has knowingly installed it. When flagged by an anti-virus or security scanner, it's because the program includes features, behavior or files that appear suspicious or which can potentially be used for malicious purposes. Compressed and packed files in particular are often flagged as suspicious by security software because they have difficulty reading what is inside them. These detections do not necessarily mean the file is malware or a bad program.

It means it has the potential for being misused by others or that it was simply detected as suspicious or a threat due to the security program's heuristic analysis engine which provides the ability to detect possible new variants of malware. Anti-virus scanners cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert you or even automatically remove them. In these cases the detection is a "false positive".

The problem is really with the anti-vendors who keep targeting these embedded files and NOT with ComboFix. We can inform the developer but he has encountered this issue many times before and in most cases there isn't much he can do about it. Once the detection is reported to the anti-virus vendor, they are usually quick to fix it by releasing an updated definition database.
.
.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015 kO7xOZh.gif
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click 38WxTfO.gif




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users