A closer analysis of DE-Cleaner from Symantec

I was curious about how the DE-Cleaner of Symantec works, so I downloaded the software and give it a closer look.
I did not dissemble it or anything similar… I simply performed a little black box testing.

So, I started it without any internet connection. The result was: no scanning was possible. DE-Cleaner requires an Internet connection.
This is an indication that the software is an in-the-cloud scanner. After seeing this, I searched on the website botfrei.de more details.
And I found them… yes, indeed the Symantec De-Cleaner needs an Internet connection. This is why the file has the size of only 6 MB – because it contains no signatures.

After allowing it to connect to the Internet through the Avira Firewall, I let it scan a folder.
And the results were: MANY FALSE POSITIVES which should have been easily skipped.

Let’s take one of them, which is the software I bought for preparing myself for the exam CompTIA Project+ which I took in July.

I don’t know how you see it, but I find not enough infos to say that the software is suspicious.

I think that the guys from Symantec have still a lot of work ahead to do with their in the cloud solution based on file reputation.

Another interesting issue I’ve found is the fact that the cleaner scans only executable files. This is normal for a file reputation scanner. Any other solution which scans for signatures will unpack archives and scan inside container files for malware. This tool only searches the signatures.
I wonder how they scan for rootkits 🙂


© Copyright 2010 Sorin Mustaca, All rights Reserved. Written For: Sorin Mustaca on Cybersecurity


Check www.endpoint-cybersecurity.com for seeing the consulting services we offer.

Visit www.itsecuritynews.info for latest security news in English
Besuchen Sie de.itsecuritynews.info für IT Sicherheits News auf Deutsch