Again, yes, I understand what you are saying, but you are ignoring the fact that you are not declaring other files (EXE, ZIP, RAR) to be problems just because they are located in the root folder. Your logic, or the logic of your coding, is inconsistent. There is no reason to call winzip120.exe infected because it is in the root folder. If I put a copy of winzip120.exe into the root of C:\Program Files, it is not detected, and I also believe that, like the C:\ root folder, anything saved in the root of C:\Program Files should also be questioned. If I put a valid copy of explorer.exe in the root folder, you will call it worm.autorun since explorer.exe is not expected in the root folder, which is fine. But if I simply rename the valid explorer.exe file to exp1orer.exe and leave it in the root folder, you do not detect it at all, and this file name is well known to be a trojan and should be considered a problem no matter what folder it is in. Why detect winzip120.exe, which is not a system file and has no fixed place that it must be saved or downloaded to? It is a valid WinZip installer filename. I don't wish to continue debating this, as I understand you have your reasons. I just don't agree with all of the logic, and perhaps you should consider additional test methodologies. Thank you for fixing the other false positive so quickly.