Legitimate program blocked by Auto-Protect

For a long time I have used a small utility, DShutdown, to automate system shutdown after completion of various tasks. While running ZoneAlarm, that was no problem. However, since switching to NIS 2009, Auto-Protect has blocked DShutdown.exe, which it identifies as Adware.gen.

 

I'm comfortable that DShutdown is not a threat, but I'm unable to find any means to get NIS to ignore it. Adding it to the scan exclusion lists has no effect. Is there some way to tell Auto-Protect to ignore/exclude this program?

Hi Brubaker,

 

Did you add the DShutdown.exe file and its corresponding folder to both AutoProtect Scan Exclusions and Manual Scan Exclusions?

 

If you want to report a suspected false positive, you can do so using this False Positive Submission form. False detections, once reported, are usually corrected when Symantec releases the next scheduled set of virus definitions.

 

Yogesh

I would consider the possibility that Norton is responding more to the behaviour of the utility in attempting to shut Norton down than to the actual file itself. Have you had a look in History > Norton product tamper protection to see if the utility has been blocked by that particular part of Norton?

I downloaded the program mentioned from Softpedia, and it downloaded in a zipped file. I then scanned with Norton and it detected a heuristic virus “adware.gen”. So I don’t think it's the behaviour of the file it's blocking, since I never executed it. I’m not sure how reputable the file is; this is the first time I have heard of it. Maybe an FP.

I just downloaded DShutdown direct from the creator's web site, saved it as a zip and ran a manual Norton scan. Same results as others: heuristic detection of a risktool.

 

Sent to VirusTotal, and of the scanners that will scan into zip files most are saying that this is a Risktool but not a virus. Meaning that this program exposes great risk to your system but by itself it is not harmful. Because of the heuristic / behavioral detection that flags this file, your choice may be to not use the file or disable enough of Norton to set it back about 3 or 4 years in its ability to protect your system. That is, of course, up to you.

Thanks to everyone for your replies. I'll try to clarify a few points in response.

 

1. I have added DShutdown.exe and its folder to both the AutoProtect and manual exclusion lists. That has no apparent effect on AutoProtect, which continues to block it, identifying it as Adware.Gen. As noted by one response, it does this as soon as the zip file is extracted, before the program is ever started. Since it is not identifying DShutdown.exe as being blocked, but is instead identifying Adware.Gen, it is scanning the content of the exe file and seeing what it believes is some form of adware.

 

2. DShutdown is not adware. I've used this program for almost a year and it has never displayed any advertising, nor has it ever attempted to access the internet. When started, it just sits there and does what it's supposed to do.

 

3. DShutdown does not try to shut down Norton; it shuts down the entire system, either with a full power off or, alternatively, by placing the system in hibernate, just like going through the start menu. Consequently, DShutdown.exe does not trigger Product Tamper Protection.

 

4. It's difficult to see how this very benign program "exposes great risk to your system." I think the point here is that it does not, but it's nonetheless being blocked as though it does.

 

My question then is how to make AutoProtect stop blocking DShutdown. Adding it to the exclusion list doesn't cut it, but it's not at all clear why. One response suggested reporting it as a false positive, and that may be a good idea for this particular problem. The greater issue, though, is: What's the point of having exclusion lists if the listed items won't actually be excluded? If a specific program is listed in the AutoProtect exclusion list it should never be blocked by AutoProtect.

 

Hi Brubaker,

 

Your point is completely true that if you exclude some files from getting scanned, Auto-Protect should not scan them for suspicious files. That is certainly not the expected behavior. But did you check if the file that you have added to exclusion is what is getting detected by the scanning engine as Adware.gen? If I were you, I'd check the file path to confirm that the exclusions are still getting scanned for.

 

If you think that the file is genuine and you don't want it to be scanned for, you can click on the AntiSpyware settings and exclude "Adware" from the security risk categories. However, doing this will result in disabling the Adware definitions applied by the scanning engine on all the applications that you are running.

 

Caution: To me, this suggestion leaves a vulnerability by allowing all the adware to sneak into your system.

 

You can try this once to see if it still gets detected. Let us know if you see the detections for Adware.gen even after excluding adware from the security risk categories.

 

 

Thanks,

 

TomV

Norton Forums Moderator

Symantec Corporation

Hi TomV,

 

Thanks for your thoughtful response.

 

Following your suggestion, I turned off Adware scanning. An AutoProtect scan exclusion entry had previously been made for DShutdown.exe. Then, I again extracted a copy of DShutdown to my C:\Temp folder. In the past it was at this point that AutoProtect would instantly block DShutdown.

 

This time, AutoProtect did not block DShutdown.exe.

 

Then, I tried reactivating Adware scanning but leaving the exclusion in place. Interestingly, AutoProtect still did not block DShutdown (for roughly 40 minutes so far).

 

The ball's in your court regarding why this would happen. Apparently, having once accepted the file while Adware scanning was turned off, it now continues to accept it as long as the AutoProtect exclusion remains in place. That solves my problem. Thanks again.

 

 

With AutoProtect exclusion in place but before Adware scan was disabled:

 

[Screenshot: Security History]

 

 

 

Hi TomV,

 

One final footnote:

 

I have since repeated the process (AutoProtect exclusion, Adware scan off, extract, Adware scan on) while placing DShutdown in a permanent location under C:\Program Files. I've tested DShutdown, having it monitor a drop in CPU usage and then placing the system in hibernation. It's working normally and no longer triggers any NIS events. Thanks again.