Solved

Not getting along with NIS

  • 2 December 2013
  • 6 replies
  • 44 views

Userlevel 7
  • Community Leader
  • 314 replies
Hi everyone,
 
Today I was using my computer as usual, and Webroot suddenly threw up an "Infection found" message. I ran a scan and it found 2 rootkits; however, these two rootkits were registry keys that turned out to belong to Norton, and when Webroot tried to remove them (I see from the quarantine that it removed more than just the two that the realtime protection caught) Norton went absolutely crazy. Norton's auto protect failed and couldn't get turned back on by Norton's "Auto-fix", and in the Norton logs I see "unauthorized access blocked...C:\Program Files\Webroot\WRSA.exe". Norton also asked me to uninstall Webroot (which I have temporarily), but I have been loving Webroot and will probably re-install it, but I want to get this fixed so that I can run them both together. I know that the system is clean because it was a backup image that I had made after a completely clean installation of Windows just yesterday. Another thing I noticed is that after installing and even after uninstalling Webroot, the user account control warning does not dim the screen like it should. I know that's not really related to the conflict, but I thought I should mention it.
Also, I just purchased a full year's subscription to Webroot just 4 days ago, as such I would really like to get this fixed.
Please advise.
 
Thanks,
Shran

Best answer by Baldrick 2 December 2013, 22:02

Userlevel 7
Hi Shran
 
I run WSA in tandem with KIS and from what I know what you have experienced is a rare occurrence when WSA runs with any of the other mainstream AVs/ISs.
 
What I would do is, assuming that you have not yet re-installed WSA, (i) completely uninstall NIS, reboot and then reinstall NIS, then (ii) re-install a fresh copy of WSA (making sure that if it finds anything in the install scan you ignore it), (iii) immediately the WSA install is complete make sure that you register & 'Allow' all NIS key components in 'Block/Allow Files' under the PC Security tab on the main GUI (you can access using the gear/cog to the right of the tab)...if concerned by that then set them to 'Monitor' but make sure they are not set to 'Block'.
 
And then in NIS, make sure that the key WSA components are similarly Excluded/Whitelisted (sorry...do not know the correct NIS terminology but hopefully you get my drift?).
 
Post back here and let us know how you get on. :D
 
Live long & prosper
 
 
 
Baldrick
 
Userlevel 7
Hi Baldrick,

I have followed your recommendations (fresh install of Norton, then Webroot), and added Norton to Webroot's exclusions, and added Webroot to Norton's exclusions, but Webroot still popped up saying that Norton's registry keys were rootkits, attempted to remove them, and Norton said "unauthorized access blocked", just as earlier.

What should I try next?

Thanks,
Shran
Userlevel 7
Hi Shran
 
OK, Plan B...prior to WSA doing the "attempted to remove them" were you given any options to ignore the removal attempt?  If so then if you are fairly sure that these Registry keys are NIS-related and that this looks like an FP then take the option. 
 
If there is no such opportunity then I would Open a Support Ticket ASAP providing all the details so that the keys can be analysed and hopefully whitelisted ASAP.
 
But to be truthful I am struggling to visualise WSA's reaction to the 'supposed' infection.  Can you provide any more detail as to exactly what you see/what options you have presented to you?
 
LLAP
 
 
Baldrick
Userlevel 7
Hi Baldrick,

Update on the conflict: I did as you suggested and ignored the removal attempt, then later did a clean install of both programs on my "base" image, and Webroot seems to not be picking up the registry keys anymore. I guess one of the devs saw the thread and got it fixed already :)
Regarding you wanting more information: I don't remember the exact registry keys or paths, and I can't look again since Webroot is not detecting them anymore, but the name of the infection was "Caution.Rootkit". I don't have a screenshot, I apologize for that; I wish I did, that way I could have a point of reference.
Thanks a bunch for your assistance Baldrick!

Shran
Userlevel 7
Hi Shran
 
My pleasure.  Glad to hear that it is sorted for you.  Hopefully co-existence will now reign...however, just make sure that you have got WSA excluded/whitelisted in NIS and NIS in WSA...;)
 
And do come back here with any more info & tips, and chip in about running NIS & WSA together...as this can be helpful to other users either running the same combo or even a different one but nevertheless a combo.
 
 It is what makes this Community one of the best on the Web...IMHO. :D
 
Live long and prosper
 
 
 
Baldrick
Userlevel 7
Hi Baldrick,

So far they are getting along nicely now :D

I will chip in in a new topic about how I have them set up with the real time protection so that they don't conflict.

You are right, this is a great community and I'm happy to be part of it :D

Shran
