Solved

Testing trial webroot, false positives?

  • 19 April 2014
  • 7 replies
  • 51 views

I was testing out the trial version of Webroot today and was surprised to get a keylogger result from a file instead of the usual trojan result.
I scanned a patch update for Sony Vegas and chose the 'deal with it later' option (or something along those lines, I can't recall),
and after scanning the file a second and third time I get no results at all.
 
So after the first test, did Webroot deal with it even though I decided not to immediately?
Is it a false positive coming from some type of patch crack present in the folder?
Have the other antivirus programs got it wrong and it is really a keylogger?
 
Here is my current quarantine page:
http://i.imgur.com/zIplW3h.png?1
 
 
Best answer by shorTcircuiT 19 April 2014, 18:58

Userlevel 7
Hello bubbletubs and welcome to the Webroot Community!
 
I do not know which would have it correct, WSA as a keylogger or the other guy as a Trojan.  Either way, it would appear to me that the file is flagged for good reason.  Most AV solutions, as you are noticing, are going to flag crack files as malware of some sort no matter what.
 
As for why it is not finding it on subsequent scans, there are a couple of possibilities.  On your image, does the file in question show in the quarantine?  If so, that is why it will not trigger on another scan: it has already been isolated.  If the file in question does not show, that might be the result of allowing it the first time around.  On your image, click the next tab over to see if it is listed there and marked as Allow.  If it is, I would suggest that you remove it from the list or change that to Monitor.
 
If you are quite positive that the crack files are of no danger, it is your option to allow and use them, though it is not recommended nor supported by WSA.  They are marked as bad as a matter of routine due to the way in which file cracks work.  Any AV should pick them up as malware. 
Thank you for the swift response; here is a screenshot of the block/allow section:
 
http://i.imgur.com/zxNxnoN.png?1
 
 
So the downloaded file location is quarantined, as shown in my previous post, and using the patch, whatever was in it, is apparently being blocked (I ran Sony Vegas to check for any changes and was prompted whether I wished to block its internet connection, which I accepted for the time being).

It is running fine even while the 'patch file' is quarantined and blocked. After having applied the patch, opening any patch folders in both C: and D: (download location), their contents are nowhere to be seen, empty.

I am not quite sure how to find the original Webroot report that displayed exactly what the detection was named; from what I recall there were four words separated by '.', one of them being keylogger. I usually don't bat an eyelid, but getting different results caught my attention.

PS: I am quite impressed with Webroot so far, and have only come across praise too.
Userlevel 7
Ok, I think I understand.  I am working from a tablet while relaxing on the front porch, so bear with me if I am wrong on something :-) 
 
Anyway, having the patch download in the quarantine is why you cannot find it in the expected folder locations.  
 
The only thing I didn't get is whether the program is running as expected for having been patched, or does it appear that the patch failed to work at all?
The patch seems to have been applied, I mean Sony Vegas is running just fine right now.
Userlevel 7
Thanks for the clarification.
 
The patch folders will be absent as, while the patch may be applied, it is a patch and it is normal to be flagged as such.
 
I would not worry about the difference in classification from other AVs....sometimes one file may have multiple attributes that are flaggable, and so different AVs may well classify it differently.
 
Crack patches are both a common transmitter of malware and, in a sense, even when not malware the work they do will be flagged, as they alter files.  Using them is generally considered hazardous, so it is always a case of user beware, and Webroot Support will not test them to see if they can be whitelisted, due to the fact that doing so would essentially aid in the use of potentially illegal software.
 
Be careful when using them :-) 
By using the delete function in quarantine, any idea if it will also modify the patched program?
Userlevel 7
Deleting the file from quarantine should not affect the already patched file.  The items in the quarantine have effectively been "deleted" from access as it is.  They are isolated so that no processes can access them, and they cannot be accessed.  It would be like the Recycle Bin in terms of deleting it.
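As an added illustration of the behaviour discussed in this thread (this is not Webroot's code, nor anything posted by the participants), the Python model below walks through the scenario in a scratch directory: a constructed "patcher" file modifies a constructed "application" file, a naive content scan flags the patcher, the patcher is either quarantined or its hash is added to an Allow list, and a rescan of the download folder then finds nothing. It also shows that deleting the quarantined copy leaves the already-patched application untouched. The file names, the signature bytes, the detection name `Example.Patch.Keylogger.Gen` and the XOR-plus-header encoding of stored blobs are all assumptions made for the demo; a real product uses its own store format and naming scheme.

```python
"""Toy quarantine / allow-list model. Constructed example, not Webroot's code.

Shows why a rescan reports nothing once a file is quarantined or allowed, and
why deleting the quarantined patcher does not touch the program it modified.
"""
import hashlib
import json
import tempfile
from pathlib import Path
from typing import Dict, List, Set

MARK = b"QTN1"   # header so a stored blob is never a valid executable image
KEY = 0x5A       # fixed XOR byte; obfuscation only, not meant to be secret


def _sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def _encode(data: bytes) -> bytes:
    return MARK + bytes(b ^ KEY for b in data)


def _decode(blob: bytes) -> bytes:
    if not blob.startswith(MARK):
        raise ValueError("not a quarantine blob")
    return bytes(b ^ KEY for b in blob[len(MARK):])


class Quarantine:
    """Moves detected files out of place; stores them encoded, keyed by SHA-256."""

    def __init__(self, store: Path) -> None:
        self.store = store
        self.store.mkdir(parents=True, exist_ok=True)
        self.index = self.store / "index.json"
        self.entries: Dict[str, dict] = (
            json.loads(self.index.read_text()) if self.index.exists() else {}
        )

    def _save(self) -> None:
        self.index.write_text(json.dumps(self.entries))

    def add(self, path: Path, detection: str) -> str:
        data = path.read_bytes()
        digest = _sha256(data)
        (self.store / digest).write_bytes(_encode(data))
        self.entries[digest] = {"original_path": str(path), "detection": detection}
        self._save()
        path.unlink()          # original is gone: a rescan of its folder finds nothing
        return digest

    def restore(self, digest: str) -> Path:
        entry = self.entries.pop(digest)
        dest = Path(entry["original_path"])
        dest.write_bytes(_decode((self.store / digest).read_bytes()))
        (self.store / digest).unlink()
        self._save()
        return dest

    def delete(self, digest: str) -> None:
        """Like emptying the Recycle Bin: removes only the isolated copy."""
        (self.store / digest).unlink()
        del self.entries[digest]
        self._save()


def scan(folder: Path, signature: bytes, allowed: Set[str] = frozenset()) -> List[str]:
    """Naive content scan: flag files containing `signature` unless their hash is allowed."""
    hits = []
    for p in sorted(folder.iterdir()):
        if p.is_file():
            data = p.read_bytes()
            if signature in data and _sha256(data) not in allowed:
                hits.append(p.name)
    return hits


def demo(tmp: Path) -> dict:
    """Runs the thread's scenario under `tmp` and returns what each step observed."""
    downloads, program = tmp / "downloads", tmp / "program"
    downloads.mkdir(parents=True)
    program.mkdir(parents=True)
    sig = b"KEYLOG_SIG"                           # constructed detection signature
    patcher = downloads / "patch.exe"
    patcher_bytes = b"PATCHER " + sig             # constructed stand-in for the crack
    patcher.write_bytes(patcher_bytes)
    target = program / "vegas.exe"
    target.write_bytes(b"TRIAL-BUILD")            # constructed stand-in for the application

    # The patcher runs first and alters the application on disk.
    target.write_bytes(target.read_bytes().replace(b"TRIAL", b"FULL"))
    patched_hash = _sha256(target.read_bytes())

    first = scan(downloads, sig)                  # first scan: detection fires
    q = Quarantine(tmp / "quarantine")
    digest = q.add(patcher, "Example.Patch.Keylogger.Gen")   # made-up, four dot-separated parts
    second = scan(downloads, sig)                 # file is isolated: nothing to find
    store_hits = scan(q.store, sig)               # stored copy is encoded: nothing to find either

    # The other possibility raised in the thread: the hash was marked Allow instead.
    restored = q.restore(digest)
    restored_ok = restored.read_bytes() == patcher_bytes
    allowed_scan = scan(downloads, sig, allowed={digest})   # allowed: no result on rescan
    digest = q.add(restored, "Example.Patch.Keylogger.Gen")

    q.delete(digest)                              # delete from quarantine
    return {
        "first_scan": first,
        "second_scan": second,
        "store_scan": store_hits,
        "allowed_scan": allowed_scan,
        "restored_ok": restored_ok,
        "target_unchanged": _sha256(target.read_bytes()) == patched_hash,
        "target_content": target.read_bytes(),
        "entries_left": len(q.entries),
    }


def run_demo() -> dict:
    """Convenience wrapper: runs demo() in a temporary directory that is removed afterwards."""
    with tempfile.TemporaryDirectory() as d:
        return demo(Path(d))


if __name__ == "__main__":
    print(run_demo())
```

The two paths that make a rescan go quiet are deliberately separate here: quarantine removes the file from the scanned folder, while the allow list leaves it in place and skips it by hash. Either one produces the "no result on the second and third scan" the original poster saw, which is why the helper suggested checking both the quarantine tab and the block/allow tab.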