Solved

Identity Protection > Application Protection > wrong folder referenced

  • 27 October 2013
  • 12 replies
  • 69 views

Userlevel 5
Badge +22
webroot SecureAnywhere Antivirus 8.0.4.17
This is a really strange issue that is seen in Webroot only but I don't think it is a Webroot issue.
 
I'm Trying to re-add c:KeePasskeePass.exe as a protected application.
Attempts 1-????
Webroot adds w:dc 2013-08-12  03;00;05 (full)keepasskeepass.exe.
Why?  How?
 
So, I made a copy of the folder which became c:KeePass - Copy
added c:KeePass - Copykeepass.exe
worked as expected.
 
renamed c:keepass to c:keepass (old)
added c:KeePass (old)keepass.exe
worked as expected.
 
Tried to rename c:keepass (old) to c:keepass
couldn't as the folder was in use.  Closing all but IE10 and reopening explorer didn't help.  Process Explorer didn't find what was locking it using "Find Handle or DLL"
 
renamed c:keepass - Copy to c:keepass
added c:KeePasskeePass.exe
Webroot added c:keepass (old)keepass.exe
Why?  How?
 
 
Any suggestions?
 
icon

Best answer by RetiredTripleHelix 27 October 2013, 17:03

View original

12 replies

Userlevel 7
Badge +56
ROFL and thanks for the extra info at least you have 2 hairs more then I do! :D
 
Daniel XD
Userlevel 5
Badge +22
ROFL.  I was going to post a follow up.
 
I now sort of understand what was meant by, "It only records the first filename it sees for that hash locally, not..."
 
"It" is looking up the hash value in a lookup "table" and returns the file and path it first finds in the table.  The table is not necessarily in an order we would expect it to be as evidenced by two files starting and ending in the same folder but the lookup returns different folders for each file.
 
if I find a better explanation it will be posted here.  Look, I had 5 hairs left when this started and I'm now down to 2.  Perhaps the information will help others keep all of theirs.  ;P
Userlevel 7
Badge +56
Us volunteers try our best to help others when we can!
 
Thanks,
 
Daniel 😃
Userlevel 5
Badge +22
heh
 
With the information you provided I'm asking a couple of friends if they can elaborate.
 
You resolved my concerns (in record time).
 
Thanks!
Userlevel 7
Badge +56
Well it was as close as I could get the info maybe someone from Webroot can comment to give even more information to make it more clear for all of us? :D
 
Daniel
Userlevel 5
Badge +22
Thanks for the link.  The comment (full comment copied below) about "first filename" is incorrect since, in my case, it recorded either the first instance or the backup of the second instance of the program.  Yet, it doesn't do this for all programs as shown by process explorer.
 
"Yes, and you are correct in your speculation. It protects based on file hash. It only records the first filename it sees for that hash locally, not the current location of the (or all) files that have that hash."
 
 
Userlevel 7
Badge +56
Your very welcome and yes when I said hash I did mean MD5 Hash please see here!
 
HTH,
 
Daniel 😉
Userlevel 5
Badge +22
Once again, Triple, Thank you!
While I have responded to each question/comment in your post, the only thing I would like for you to read is the first question because of the comment and question that follow.
 
Q: Did you install it from the D drive at anytime and if you did that's why as it goes by the Hash of the file in that location on D drive.
A: Yes.  The portable version of KeePass is being used which means extracting from a zip file into any folder.
Comment.  When I think hash, I think checkup (MD6, SHA-1, SHA-256, etc.) which have nothing to do with the location of the file.
Question: Can you explain this?  Installed KeePass by copying the files from d:x into c:keepass so WSA used d:x then, after Cobian Backup copied the KeePass file from c:keepass into w:folder so now WSA uses w:folder.  Go ahead, tell me you guys are just messing with me!  :D  Seriiously, I don't even know what to search for to find out about this behavior.  More importantly, Process Explorer was extracted from a zip file and copied into c:keepass folder and WSA had no issues knowing where the program existed.  
 
Q: make sure you have KeePass installed correctly
A: heh, old-school install.  It works from any folder including from a USB drive.
 
Q: reinstall WSA add KeePass to the ID shield and it should say from the correct Directory on the C drive!
A: That worked.
 
Q: I know it's the only work around but it is still protected even though it does not indicate the correct location. When I update Firefox then I look at the ID Shield it shows from the Temp File location but it is still protected.
A: Thanks for this information.
 
 
Userlevel 7
Badge +56
Did you install it from the D drive at anytime and if you did that's why as it goes by the Hash of the file in that location on D drive. But to correct this make sure you have KeePass installed correctly, then Download a fresh copy of WSA here and make sure you have a copy of your keycode then Uninstall WSA and Reboot and then install WSA with the new installer and let it finish it's install scan then Reboot again then add KeePass to the ID shield and it should say from the correct Directory on the C drive! I know it's the only work around but it is still protected even though it does not indicate the correct location. When I update Firefox then I look at the ID Shield it shows from the Temp File location but it is still protected.
 
HTH,
 
Daniel 😉
Userlevel 5
Badge +22
great...
Last night adding c:keepasskeepass.exe to Application protection KeePass would add d:x\keepass.exe?
Two hours later the automated backup backed up that folder to W:DC 2013-10-27 03;00;05 (Incremental)KeePass
now.
adding c:keepasskeepass.exe to Application protection KeePass adds  W:DC 2013-10-27 03;00;05 (Incremental)KeePassKeePass.exe.
 
I really, really, don't understand this!
Userlevel 5
Badge +22
Final weirdness.
D:x was deleted
The downloaded zip file was copied from c:<name>dlsoftware to c:keepass
extracted all files overwriting existing files.
deleted the zip file
adding c:keepasskeepass.exe but webroot added d:xkeepass.exe
 
next attempt.  Deleted all files from c:keepass
unable to delete or rmdir the folder because it is in use.  Process Explorer can't detect the program locking it..
Reboot.  Delete keepass
d:x is still deleted...
c:<name>dlsoftwarekeepass.zip was extracted to c:keepass
adding c:keepasskeepass.exe but webroot added d:xkeepass.exe
The zip file never existed on drive D:
 
Why would Keepass keep thinking, at this point, c:keepasskeepass.exe is in d:x\keepass.exe?
 
Of course, given the nature of keepass.exe I am concerned about malware.
 
Userlevel 5
Badge +22
Decided to see if updating KeePass would help.
Downloaded zip fil.
extracted files into D:x
unblocked all files   (Right click > properties > unblock)
Deletedcontents of  c:keepass
Copied, and on second attempt moved, the files from d:x to c:keepass
Tried to add c:keepasskeepass.exe to Webroot Application Protection.
Webroot added d:xkeepass.exe
 
So, I copied procexp.exe (process explorer) to c:keepass and adding it as a protected application worked as expected.
 

Reply