Solved

Tired with FALSE POSITIVES!!


Userlevel 4
The speed at which a false positive is white-listed is great, but common whats going on here? it seems like WSA flags every file in the universe as a virus until someone specifically asks for it to be white-listed, I reported like 4 FPs this week

now this is the 4th: http://dlcdnet.asus.com/pub/ASUS/nb/Apps_for_Win8.1/LiveUpdate/LiveUpdate_Win81_64_VER327.zip  The zip itself is not the virus, once you install the Live updater, when it runs, that gets flagged as a virus!

for the love of good it's an ASUS updater!

seriously considering to switch solutions as I can't deal with so many FPs and I thought Panda Cloud AV was bad! this is horrible!
icon

Best answer by RetiredTripleHelix 10 March 2014, 00:45

View original

32 replies

Userlevel 6
@ , sorry you feel so negative about Webroot.  Your negativity accomplishes nothing. Lets not KILL THE MOOD in the community.  We are here to help eachother. SO I will ask you again to please read the https:///t5/Community-Announcements/Webroot-Community-Guidelines/td-p/2 AND follow them.
Userlevel 7
Your right we dont create Viruses , we leave that to the malware authors. Your last few posts are just about slamming our product. I am sorry you dont like our software but spamming our forum with negative feedback isnt really helping anybody. 
I just found this post on Yahoo. I don't blame you for getting upset I had the same problem so I dumped Webroots crappyActually webroot doesn't create viruses it just gets a lot of false positives but yes I hate webroot for other reasons. It has way too many problems and cons to be distributed with OEM computers software.
Userlevel 7
Badge +56
@MaXimus wrote:
Reply from Support:

Hello,

We very much apologize again for the issues you have been having. We have reversed this false detection in our system as well.

Regards,

Webroot Threat Research
----------------------------------------------

I'm gonna give WSA one last try, hope I don't get another FP this week :)

thanks all for your support
Well to me it's better to be over protective and at least they fixed the FP for you!
 
Daniel 😉
Userlevel 7
Badge +56
Yes that's what's it's meaning so I would contact support!
 
Daniel
Userlevel 4
Reply from Support:

Hello,

We very much apologize again for the issues you have been having. We have reversed this false detection in our system as well.

Regards,

Webroot Threat Research
----------------------------------------------

I'm gonna give WSA one last try, hope I don't get another FP this week :)

thanks all for your support
Userlevel 4
well the first time it detected the virus I allowed it to run maybe that's why
Userlevel 7
Badge +56
[e] = OVERRIDDEN TO IGNORE
 
As I don't have ASUS I can't run the full installer to find out about that file that you have over ridden to ignore, Did you get it installed in any case? And you should contact support and ask what's going on with this installer it could be a simple thing of Whitelisting that Overridden file detection.

 
Daniel

 
Userlevel 7
Hi MaXimus
 
Have checked on the MD5s for the updatechecker.exe, and found a couple of site reporting it as "Trojan downloader activity" and that the file is not digitally signed.
 
File sizes match too!
 
Regards
 
 
Baldrick
Userlevel 4
yup, no one experiences what I did because the issue is not with the installer, it's when you actually run the updater
Userlevel 7
Hi MaXimus
 
Can appreciate how you are feeling especially with us saying we are not seeing the same as you (and that is very real for you) but as Daniel says there must be something somewhere that is causing this...so I would suggest one last try...and go  for the scan of the .exe and then posting if there is anything that seems untoward, or even PM'ing the scan log to us so that we an have a look discretely. ;) if that does not cause you a problem?
 
Would hate to lose you back to NOD32 . :(
 
EDIT:  Just seen that you have... I am behind the curve tonight...it is just frenetic.  :S
 
Regards
 
 
Baldrick
Userlevel 4
@ Triple Helix:

[g] c:program files (x86)asusasus live updatealvupdt.dll [MD5: ED14568B51A1B0FB4B9EE7B49A64CB5F] [Flags: 00000000.2439]

[g] c:program files (x86)asusasus live updatecheckmetro.dll [MD5: 056095A6359318395A36AA47365F849E] [Flags: 00000000.2438]

[e] c:program files (x86)asusasus live updateupdatechecker.exe [MD5: A6B15C616EBF66A45FCBD1A62A6B8A3D] [Flags: 00080100.2445]

Mon 2014-03-10 03:18:39.0248 Infection detected: c:program files (x86)asusasus live updateupdatechecker.exe [MD5: A6B15C616EBF66A45FCBD1A62A6B8A3D] [3/00080000] [W32.Malware.Gen]

Mon 2014-03-10 03:18:39.0248 File blocked in realtime: c:program files (x86)asusasus live updateupdatechecker.exe [MD5: A6B15C616EBF66A45FCBD1A62A6B8A3D, Size: 11776 bytes] [524288/00000003] [W32.Malware.Gen]

Mon 2014-03-10 03:18:39.0248 Determination flags modified: c:program files (x86)asusasus live updateupdatechecker.exe - MD5: A6B15C616EBF66A45FCBD1A62A6B8A3D, Size: 11776 bytes, Flags: 00000020

Mon 2014-03-10 03:20:54.0008 Determination flags modified: c:program files (x86)asusasus live updateupdatechecker.exe - MD5: A6B15C616EBF66A45FCBD1A62A6B8A3D, Size: 11776 bytes, Flags: 00000100

Mon 2014-03-10 03:57:52.0910 Monitoring process C:Program Files (x86)ASUSASUS Live UpdateLiveUpdate.exe [63B5DFA2469652174598BAA69A0646DF]. Type: 3 (2443)

Mon 2014-03-10 03:57:52.0910 Monitoring process C:Program Files (x86)ASUSASUS Live UpdateLiveUpdate.exe [63B5DFA2469652174598BAA69A0646DF]. Type: 4 (2443)

Mon 2014-03-10 03:57:52.0910 Monitoring process C:Program Files (x86)ASUSASUS Live UpdateLiveUpdate.exe [63B5DFA2469652174598BAA69A0646DF]. Type: 5 (2443)

Mon 2014-03-10 03:57:52.0910 Monitoring process C:Program Files (x86)ASUSASUS Live UpdateLiveUpdate.exe [63B5DFA2469652174598BAA69A0646DF]. Type: 8 (2443)

Mon 2014-03-10 03:57:52.0910 Determination flags modified: c:program files (x86)asusasus live updateliveupdate.exe - MD5: 63B5DFA2469652174598BAA69A0646DF, Size: 3202840 bytes, Flags: 00008000
Userlevel 7
That's weird... I haven't experienced any false positives for a long time.
Even on my new laptop, which is full of applications and add-ons from Samsung, after a few scans WSA classified almost all of them as [g].
So far there is not even necessary to do whitelisting.
 
 
Mike
Userlevel 7
Badge +56
Can you scan the files and save a scan log and post the lines like I did? I ran the installer and no detection so there is a problem on your end.
 
Thanks,
 
Daniel
Userlevel 4
@ Triple Helix, I never save or import my settings. I've said that it's a pure clean installation and the problem is not with the installer since you and I can run it, the problem is when the ASUS updater program itself starts.

It's fine, let this one go, I seriously have no time to be dealing with such issues on a daily basis. Gonna install NOD32 and get this headache over with
Userlevel 7
Badge +52
@MaXimus wrote:
I just showed you the screnshots above and the virus total link, how will support help me? if they can't even install the program?

and what in the world makes WSA mark it as a virus or PUP to start off with? that's my point, the FPs in WSA are beyond imagination. I'm tired of submitting support tickets I've submitted like 4 this week.

Might as well go back to my NOD32 and enjoy a FP free life


@ wrote:
"
We have a set guidelines on what we can mark as bad and we follow them to the button.We mark a large number of PUA`s every day in fact I marked about 75 thousand bad yesterday.

A large amount of the tickets I see about customers having an issue about PUA is that they installed it themselves by clicking a number of accept dialogue boxes. If a program tells you what it does (and isnt malicous) and gives you the option to uninstall cleanly it wont probably wont be marked bad (thats not set in stone of course!).

In the links you posted the first one isnt really PUA they are talking about malware (password stealers etc) which we of course we block. The grayware def again is a little vague they talk about Dialers (which we block), Adware which there a varying types of some we block some we dont (it varies for each program).

What people forget is that "free" programs often use advertising in order for the creater to make some money. Its extremely common on mobile applications but for some reason when its on a PC platform people get really annoyed 😃 Toolbars are a pet hate of mine, if I had my way I`d mark them all bad but to be honest the majority of them will tell you what they do before the install! My rule of thumb is to avoid them all."

https:///t5/Tips-and-Tricks/Webroot-s-position-on-PUA/m-p/40404#M448
Userlevel 7
Badge +56
No detection here and I have mine set to the Max! And marked Good! Strange! Can you do another clean reinstall of WSA and make sure you don't import your old settings make sure you have Keycode and Reboot after Uninstall and after reinstall.
 
Some legitimate files are not included in this log
[g] c:usersdanieldownloadsliveupdate_win81_64_ver327.zip/setup.exe [MD5: 17C5C943A0D3F047AC571843543330A5] [Flags: 00001000.4473]
[g] c:usersdanieldownloadssetup.exe [MD5: 17C5C943A0D3F047AC571843543330A5] [Flags: 00001000.4473]
 
 
 

Userlevel 4
I just showed you the screnshots above and the virus total link, how will support help me? if they can't even install the program?

and what in the world makes WSA mark it as a virus or PUP to start off with? that's my point, the FPs in WSA are beyond imagination. I'm tired of submitting support tickets I've submitted like 4 this week.

Might as well go back to my NOD32 and enjoy a FP free life
Userlevel 7
Badge +52
@MaXimus wrote:
I also did submit a ticket 
 
The program is intended only for asus and I can not fully test it
I think in the near future support will solve your issue
 
Userlevel 4
that's why you were not able to run the program
 
here's a screeny i just took on another clean installation of WSA / Windows 8.1 formatted
 
http://tinypic.com/r/mil8c1/8
 
and
 
http://tinypic.com/r/vsdp3r/8
 
 Virus Total Link of the actual EXE not the installer EXE: https://www.virustotal.com/en/file/8e45b0ddb9b218de2a07b1e913e78ee95ed44d86b7ad937576c5143fbc39e7b3/analysis/
 
clean by ALL AVs (webroot not mentioned)
 
When I had webroot on I couldn't even upload the file to virus Total IE kept crashing until I shut down WSA then I was able to upload the file!
 
 
Userlevel 7
Badge +52
@ wrote:
This what I get with your link?
 
Daniel
 
Correct link
http://dlcdnet.asus.com/pub/ASUS/nb/Apps_for_Win8.1/LiveUpdate/LiveUpdate_Win81_64_VER327.zip
Userlevel 7
Hi MaXimus
 
I appreciate that you have a new install but what I was wondering when these FPs (the 4 a day that you are unfortunately getting) started?  Has this always been the case or have they started since the last install of WSA, etc.
 
I will check again on my Win8.1 system but as I have it set to do auto updates they are usually installed before I even get sight of them.  But given the info you have provided I will double check.
 
Cheers
 
 
Baldrick
Userlevel 7
Badge +56
This what I get with your link?
 
Daniel
 

Userlevel 7
Badge +52
@MaXimus wrote:
did you actually run the udpater and hit the update button? it won't find anything, just try that see what WSA says




 
Everything works
Userlevel 4
Hi Mr. Baldrick, I have the latest WSA clean installed after disabling Windows Defender. It's a fresh win 8.1 installation with the latest drivers and a fresh clean install of the latest WSA so that's not the issue here
 
did you actually run the udpater and hit the update button? it won't find anything, just try that see what WSA says

Reply