Combofix download

2 replies to this topic

#1 mlcoob


  • Members
  • 1 posts

Posted 23 April 2015 - 06:58 AM

While downloading Combofix from your site, Norton 360 blocked and deleted download. Marked as unsafe.

Any suggestions?


#2 Aura


    Bleepin' Special Ops

  • Malware Response Team
  • 19,305 posts
  • Gender:Male

Posted 23 April 2015 - 07:10 AM

Hi mlcoob :)

What you are experiencing right now is called a "false positive". It usually happens when a file, program or process is identified as "malicious" by a Security vendor (Antivirus, Antimalware, Firewall, etc.) but in fact is totally legitimate. This happens because the targeted file, process, etc. has a behavior that could be associated with malware, despite the fact that it's not. This behavior can occur because it tries to access certain information on the system that is commonly targeted by malware. Symantec often detects ComboFix as a "malware" and blocks it, but this is because of their Reputation system. It's detected as WS.Reputation.1 (or something along these lines). It doesn't mean that ComboFix is malicious at all. It's a false positive from Symantec on ComboFix. Mainly downloads hosted on BleepingComputer will be flagged as malicious, but they are all legitimate, hence all false positives. The trick here is to either whitelist the file you're trying to download or disable your Antivirus product for the time you're using it.

In addition, ComboFix is a very powerful reporting and scripting tool that was developed by sUBs, used by members of the malware removal team here on BleepingComputer (and also on other forums). This tool can easily break a Windows installation if poorly and/or wrongly used. It can make the whole system unbootable and also delete everything present on your drives (leaving you with close to no chance of recovery) or damage your Windows installation so badly that you would be forced to reinstall it. Therefore, you should not be using ComboFix unless you are in one of the two situations listed below:
  • You have been trained in an online malware removal forum to use ComboFix;
  • You are using it under the supervision and instructions of a trained malware removal professional on BleepingComputer or another recognized malware removal forum (UNITE forums for example);
If you already ran ComboFix on your system and need assistance with the log, you will have to post a thread in the Virus, Trojan, Spyware, and Malware Removal Logs section of BleepingComputer, where a trained helper will assist you.

If you have any questions or concerns about ComboFix, quietman7 wrote a FAQ on it and you'll find all your answers in it.

ComboFix usage, Questions, Help? - Look here

Also be aware that BleepingComputer doesn't provide any advice on how to use ComboFix on your own, due to the nature of the tool and how dangerous it can be when used without supervision or proper training.

Security Administrator | Sysnative Windows Update Senior Analyst | Malware Hunter | @SecurityAura
My timezone UTC-05:00 (East. Coast). If I didn't reply to you within 48 hours, please send me a PM.

#3 quietman7


    Bleepin' Janitor

  • Global Moderator
  • 50,735 posts
  • Gender:Male
  • Location:Virginia, USA

Posted 23 April 2015 - 07:16 AM

This is a false positive by the anti-virus.

Certain embedded files that are part of legitimate programs or specialized fix tools such as Combofix may at times be detected by some anti-virus and anti-malware scanners as suspicious, a Risk Tool, Hacking Tool, Potentially Unwanted Program, a possible threat or even Malware (virus/trojan) when that is not the case. This occurs for a variety of reasons, including the tool's compiler, the files it uses, whether files are compressed or packed, what behavior (routines, scripts, etc) it performs, any registry strings it may contain and the type of security engine that was used during the scan. Other legitimate files may be obfuscated, encrypted or password protected in order to conceal themselves so they do not allow access for scanning, but this often triggers alerts by anti-virus software.

When flagged by an anti-virus or security scanner, it's because the program includes features, behavior or files that appear suspicious or which can potentially be used for malicious purposes. Compressed and packed files in particular are often flagged as suspicious by security software because they have difficulty reading what is inside them. These detections do not necessarily mean the file is malicious or a bad program. It means it has the potential for being misused by others or that it was simply detected as suspicious or a threat due to the security program's heuristic analysis engine which provides the ability to detect possible new variants of malware. Anti-virus scanners cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert you or even automatically remove them. In these cases the detection is a "false positive" and can be ignored. Either have your anti-virus ignore the detection or temporarily disable it until you download and run the tool.

The problem is really with the anti-virus vendors who keep targeting these embedded files and NOT with ComboFix. We can inform the developer but he has encountered this issue many times before and in most cases there isn't much he can do about it. Once the detection is reported to the anti-virus vendor, they are usually quick to fix it by releasing an updated definition database.

Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click here.
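As an added illustration of the point both replies make (compressed, packed or encrypted content trips heuristic scanners because they cannot read what is inside), here is a byte-entropy check of the kind packer detectors use, run over constructed sample buffers. This is example code, not from the thread or from ComboFix's developer; the 7.0 cut-off, the sample data and the helper names are assumptions.

```python
import math
import random
import zlib
from collections import Counter

# Heuristic cut-off used by many packer detectors; an assumption for this example.
PACKED_THRESHOLD = 7.0


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: 0.0 for constant data, close to 8.0 for
    compressed, encrypted or random bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def looks_packed(data: bytes, threshold: float = PACKED_THRESHOLD) -> bool:
    """True when the buffer is so dense that a scanner cannot inspect its content."""
    return shannon_entropy(data) >= threshold


def chunk_report(data: bytes, size: int = 4096) -> list[tuple[int, float]]:
    """Per-chunk entropy, the way a packer check walks a file section by section."""
    return [(off, round(shannon_entropy(data[off:off + size]), 2))
            for off in range(0, len(data), size)]


# Constructed samples (not real tool binaries):
# 1. ordinary structured text, the kind of content a scanner can read;
PLAIN = " ".join(f"record-{i:05d}:{(i * 2654435761) % 1000003}"
                 for i in range(4000)).encode()
# 2. the same bytes after deflate, standing in for a compressed/packed section;
COMPRESSED = zlib.compress(PLAIN, 9)
# 3. seeded pseudo-random bytes, standing in for an encrypted/obfuscated blob.
ENCRYPTED = random.Random(2015).randbytes(4096)

if __name__ == "__main__":
    for name, buf in (("plain", PLAIN), ("compressed", COMPRESSED), ("encrypted", ENCRYPTED)):
        print(f"{name:10s} {len(buf):6d} bytes  entropy={shannon_entropy(buf):.2f}  "
              f"packed={looks_packed(buf)}")
```

The same plaintext scores low, while its deflated form and the random blob both cross the cut-off, which is exactly why a heuristic engine reports "suspicious" without knowing whether the payload is benign.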
