PUA detections

  • 1 December 2015
  • 5 replies

Userlevel 3
I decided to leave WRSA (business version) on one PC (in scan-only mode) while I consider whether to renew or not (and at the same time test out alternatives) - see https://community.webroot.com/t5/Webroot-SecureAnywhere-Antivirus/Expiry/m-p/228788#M20877. Support advised me at the time that the software with expired subscriptions continues in scan-only mode, i.e. no shields but scans continue.
Scans are now giving me detections:

MSIDF19.TMP, Pua.Advanced.System.Optimizer, %windir%\installer, http://snup.webrootcloudav.com/SkyStoreFileUploader/upload.aspx?MD5=BD2A821CB5DD0E4B17386407D3BE2503 BD2A821CB5DD0E4B17386407D3BE2503

These seem to be detections on msi files which have only started arising yesterday - the only recent msi file I have is OffCAT.msi, which is downloaded directly from Microsoft and is a configuration analysis tool for Office products (seems unlikely to be infected). Also, when I try to go to the C:\windows\installer folder to investigate, it does not exist! (I have hidden folders set to show.) Also a trial Malwarebytes Anti-Malware scan shows no issues (there was a probably left-over registry entry relating to Hicosmea which I deleted, but even after that Webroot is still showing infections as above).
Any idea what is going on ?
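One way to check which file a detection like the one above actually refers to, as an added example that is not part of the original post or any Webroot tooling: hash the contents of the Windows Installer cache and compare against the MD5 Webroot reported. C:\Windows\Installer is marked both hidden and system, which is why Explorer does not show it even with "show hidden files" enabled; `Get-ChildItem -Force` lists it anyway. The script assumes PowerShell 4.0 or later (for `Get-FileHash`) and an elevated prompt; the hash value is the one from the detection in the post.

```powershell
# Added example, not code from the thread or from Webroot: locate the file behind
# a PUA detection by matching the reported MD5 against the Windows Installer cache.
# Assumes PowerShell 4.0+ (Get-FileHash) and an elevated prompt.
# C:\Windows\Installer is hidden AND system, so Explorer hides it even with
# "show hidden files" on; -Force makes Get-ChildItem include it.

$ReportedMd5    = 'BD2A821CB5DD0E4B17386407D3BE2503'   # MD5 from the detection in the post
$InstallerCache = Join-Path $env:windir 'Installer'

# Hash every file in the cache (hidden/system entries and MSI*.TMP temp files
# included) with the same algorithm the detection used, keeping exact matches.
$hits = Get-ChildItem -Path $InstallerCache -File -Force -Recurse -ErrorAction SilentlyContinue |
    ForEach-Object {
        $h   = Get-FileHash -Path $_.FullName -Algorithm MD5 -ErrorAction SilentlyContinue
        $md5 = if ($h) { $h.Hash } else { $null }
        [pscustomobject]@{
            Path          = $_.FullName
            SizeBytes     = $_.Length
            LastWriteTime = $_.LastWriteTime
            MD5           = $md5
        }
    } |
    Where-Object { $_.MD5 -eq $ReportedMd5 }

if (-not $hits) {
    # Nothing on disk carries that hash: the package was never written, or it was
    # already removed or quarantined. A scanner can still report the earlier
    # detection from its own logs, which fits the explanation support gave here.
    Write-Output "No file in $InstallerCache currently has MD5 $ReportedMd5."
    return
}

foreach ($hit in $hits) {
    $hit | Format-List
    # An Authenticode signature, when present, names the publisher: the quickest
    # way to tell a Microsoft download from a bundled third-party "optimizer" or
    # a utility that arrived alongside another product.
    $sig = Get-AuthenticodeSignature -FilePath $hit.Path
    Write-Output ("Signature: {0}; signer: {1}" -f $sig.Status, $sig.SignerCertificate.Subject)
}
```

If the hash matches a file, the signer subject answers the "OffCAT, CCleaner or something else?" question directly; if nothing matches, the detection is referring to something that is no longer on disk, and the scanner's own logs are the place to look next.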


Userlevel 7
Badge +56
Ok, I checked with my contacts in support and they told me that the shields should still be on. Not sure if that info you got before was outdated, or whether there's just some confusion about the post-expiry functioning. Here's their best guess as to what is happening in your case:

"More than likely what happened is that the PUA was detected as a threat at some point while the subscription was still active. What he is getting now is that someone tried to reinstall the same infection, and the realtime shield stopped it from ever getting onto the machine."

If you want to contact support again they can take a look at the logs to confirm.
Userlevel 3
Thanks Nic - I appreciate your help. Couldn't get a support ticket to go through, but I have PM'd details to you - perhaps you could forward on my behalf?
Userlevel 7
Badge +56
Yep, got it!
Userlevel 3
As some follow-up on this, I notice that if I set "detect potentially unwanted applications" off in scan settings, the items detected above are no longer detected (naturally), but in the scan logs they are marked [u], i.e. unknown. Set the PUA detection back on and the scan log shows them as [b], i.e. bad. If the items are known by Webroot to be bad, how can they at the same time be unknown?
I have still been unable to track down the threats concerned on the PC, but I now recall an automatic update recently of the paid version of CCleaner - is there any possibility Webroot is marking CCleaner as a PUA?
Userlevel 3
Further update - uninstalled CCleaner temporarily and the detection still arose. I installed a trial of ESET and it detected WinZip System Utilities as PUA - is it possible that the Webroot PUA detection is also in respect of WinZip System Utilities (not WinZip itself)?
Also, as to the question of shields and expiry - my guess from my investigations is that the shields were set to off immediately on expiry and that it was only the web portal which remained accessible for 30 days - it has today (31st day) become inaccessible other than the home page. This leaves me with the problem of how to uninstall Webroot from the remaining PC, as it has no entry in the control panel "Programs and Features" listing (in neither normal nor safe mode) nor an uninstall option in the start menu listing?
At the minute I am reluctant to continue using Webroot with so many unresolved issues.