False positive?


I have Windows 10 and Webroot keeps flagging the same 4 items. Are these false positives?
 
System\CurrentControlSet\Services\OneSyncSvc_Session3
System\CurrentControlSet\Services\PimIndexMaintenanceSvc_Session3
System\CurrentControlSet\Services\UnistoreSvc_Session3
System\CurrentControlSet\Services\UserDataSvc_Session3

13 replies

Userlevel 7
Hello onthego,
 
Welcome to the Webroot Community,
 
My advice would be to submit a Support Ticket and they can check or correct these if they are a false positive. This is free of charge with an active Webroot subscription.
http://www.webroot.com/us/en/support/contact
  Hope this Helps, Kind Regards,
Userlevel 3
Hi,
 
just found this here - I am using WSA since approx 3 weeks and the same problem. Sometimes I get these files marked as rootkit, sometimes not. I opened a ticket and the recommendation was to reinstall WSA - it helped one or two days, then the issue came back again.
I wrote again and got the same advice.
The last statement was that it is now sent to the Dev team.

I wonder that this seems to be a problem since August and still no solution?

What I would also like to know is whether other Win 10 users don't have the problem?
 
Peter
Userlevel 7
Hello there ?
 
I have been using Windows 10 since August, and I have never had that detection.  Please submit a Trouble Ticket to have Webroot Support take a look at it for you.
 
Userlevel 3
Hi David,
 
as I wrote I raised a ticket and the last status is that it was forwarded to the Dev team to find a solution.
The strange thing is that sometimes I get this warning when turning on the PC, and sometimes I don't get it.
 
Peter
Userlevel 7
That is very strange that it sometimes hits and sometimes not, at least I think so.  Did you mention that in your Trouble Ticket?
 
Thanks for the update on it that it has been sent to the Dev team!
Userlevel 3
Yes - this is completely strange - if it hits then I can run the virus scan 3 or 4 times and sometimes it disappears then.....

I did mention this in the ticket - the problem is that I have no idea when this hits or not - there seems to be no rule when it happens.
 
 
Userlevel 7
I think that may well be a part of what the Dev team wants to take a look at.  They may be looking at a couple things:
 
1) the detection itself.  If anything needs whitelisted they will do it.
 
2) the WHY it hits sometimes but not others.  That almost makes it look like WSA is not uniformly starting up on time at boot time: it might not be starting up on time every time, according to design.
Userlevel 3
Today the rootkit warning did not come up with booting the PC - I just ran a scan and the warning came.........
 
Peter
Was there ever a resolution to this? I get the same thing except I have a few more entries.
 
System\CurrentControlSet\Services\CDPUserSvc_6d0ec
System\CurrentControlSet\Services\DevicesFlowUserSvc_6d0ec
System\CurrentControlSet\Services\MessagingService_6d0ec
System\CurrentControlSet\Services\OneSyncSvc_6d0ec
System\CurrentControlSet\Services\PimIndexMaintenanceSvc_6d0ec
System\CurrentControlSet\Services\PrintWorkflowUserSvc_6d0ec
System\CurrentControlSet\Services\UnistoreSvc_6d0ec
System\CurrentControlSet\Services\UserDataSvc_6d0ec
System\CurrentControlSet\Services\WpnUserService_6d0ec
 
Thanks.
Userlevel 7
Hello dpandkp,
 
Welcome to the Webroot Community Forum,
 
I am not aware of any resolutions...
 
Please Submit a Support Ticket so they can check or/and correct these if they are false positives.
 
Thanks,
 
 
Userlevel 7
Can you please lower your Heuristics back to default and the detections will stop, also WSA can't remove those so no worries there! See here: https://docs.webroot.com/us/en/home/wsa_pc_userguide/wsa_pc_userguide.htm#SettingPreferences/AdjustingHeuristics.htm%3FTocPath%3DSetting%2520Preferences%7C_____3 maybe @ can supply more info as I can't find his older posts about this subject?
 
Enable enhanced heuristics based on the behavior, origin, age, and popularity of files
Default; recommended setting.
Userlevel 7
A support ticket would be the way to go with this one. I haven't seen a report of this in a long time.
 
-Dan
Userlevel 7
@ Dan I don't understand? These Detections are from the Registry and you told me it's because users have their Heuristics set at Max, you also suggested that lowering the Heuristics to default solves this issue, so have things changed since you last told us around a year or more ago? https://docs.microsoft.com/en-us/windows-hardware/drivers/install/hklm-system-currentcontrolset-services-registry-tree
 
Other thread: https://community.webroot.com/t5/Webroot-SecureAnywhere-Antivirus/What-could-cause-the-Caution-Rootkit-virus-to-return-a-day-later/m-p/259496#M26294 and here as I had the same Detections: https://community.webroot.com/t5/Webroot-SecureAnywhere-Antivirus/What-could-cause-the-Caution-Rootkit-virus-to-return-a-day-later/m-p/259719#M26333
 
Thanks,
 
Daniel