Dropbox et al issues

  • 14 September 2013
  • 1 reply

Hi, I've been seeing some weird stuff with Dropbox and Webroot. When a file in Dropbox is syncing, Webroot is reporting it multiple times as undetermined software (for example - ~5E839294.TMP in %profiles%dropbox.dropbox.cache or %profiles%dropbox.dropbox.cache2013-09-12), with each file getting flagged with the size, which can be changing.
How does one stop this from happening? I can see the value in flagging new files and want to see them, and I know cache folders are high risk areas, but why the temp files during download or sync? I see the same thing when downloading say a 7Zip installer file, multiple files with the .part extension and then finally the actual file (7Z920.EXE.PART    %cache%).
Also, why does it just show the variable %profiles% rather than the actual user name?
Any direction would be appreciated.

1 reply

I can answer part of this question. It says %profiles% instead of the username because that's a more helpful path for our heuristics engines. If we take the general name, we can feed that into logic easier than trying to parse down a practically infinite number of profile names.

Where Dropbox is concerned, I haven't seen this behavior myself. I'd suspect the temp files in question contain executable code. The fact that it does the same thing on an exe.part file supports that theory. Realistically, I doubt you'd be able to get these to stop showing up as undetermined, because that is in fact what they are. It doesn't mean they are threats, but Webroot is looking at those files as unknowns because it's never seen them before. Dropbox is actually a relatively common attack vector. Once you configure it to sync, it has a free pass through your firewall, so something needs to be keeping an eye on it, which is what Webroot is doing.

You could disable age-based and popularity-based heuristics and see if that cuts down on the number of undetermined files that are reported into the console, but you'd be limiting your protection by disabling portions of the heuristics engine.

In short, I'd say it's working as designed and that Dropbox just tends to create a lot of unknown files.
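An added illustration of the path generalization described in the reply above (it is not Webroot's code and not part of the original thread): replacing the per-user profile root with one token lets reports from different users and Windows versions collapse into the same folder bucket. The function names, the regular expression and the sample paths are assumptions constructed for this example.

```python
import re
from collections import Counter
from ntpath import dirname, splitext

# Profile roots on Windows XP and on Vista and later; the user name is the
# path component that follows. %profiles% is the token shown in the thread.
_PROFILE_ROOT = re.compile(
    r"^[a-z]:\\(?:users|documents and settings)\\[^\\]+(?=\\|$)",
    re.IGNORECASE,
)

def normalize(path: str) -> str:
    """Replace the per-user profile root with %profiles% and lowercase."""
    path = path.replace("/", "\\")
    return _PROFILE_ROOT.sub("%profiles%", path).lower()

def summarize(paths):
    """Count reported files per (normalized folder, extension)."""
    counts = Counter()
    for p in paths:
        n = normalize(p)
        counts[(dirname(n), splitext(n)[1])] += 1
    return counts

# Constructed sample: the same kinds of transient files reported under
# different user names and OS layouts (not taken from a real console).
SAMPLE = [
    r"C:\Users\alice\Dropbox\.dropbox.cache\~5E839294.TMP",
    r"C:\Users\Bob\Dropbox\.dropbox.cache\~1A2B3C4D.tmp",
    r"C:\Documents and Settings\carol\Dropbox\.dropbox.cache\~0F0F0F0F.TMP",
    r"D:\Users\alice\Downloads\7Z920.EXE.PART",
    r"C:\Windows\Temp\setup.tmp",
]

if __name__ == "__main__":
    # Three Dropbox cache reports from three profiles land in one bucket.
    for (folder, ext), n in summarize(SAMPLE).most_common():
        print(f"{n:3d}  {folder}  *{ext}")
```

Paths outside a user profile, such as the last sample entry, pass through unchanged apart from lowercasing.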