Solved

Unusual False Positive

  • 22 June 2012
  • 3 replies
  • 115 views

I'm currently running trial version 8.0.1.193 and today had my download of OpenOffice 3.4 stopped (via Firefox download). 
 
It's something I've been having troubles with these last few days where downloads or page loading in Firefox is being reset, initially I pinned the blame on my generic router but I can see now in the threat log it was Webroot that caused this latest occurrence.  Unfortunately repeated attempts to reproduce the issue are seeing the download continue just fine.  
 
My Threat Log reads :

Automated Cleanup Engine
Starting Cleanup at 22/06/2012 - 01:52:24 GMT

Starting Routine> Removing c:users
usticdogdownloadsapache_openoffice_incubating_3.4.0_win_x86_install_en-us.exe.part...#(PX5: 7BDC821BB0ADC4FAA05304EF10ECCF006E61FEC1 - MD5: 451CF77F5FAAE701D0D70B4BE172B75D)...
Deleting File> c:users
usticdogdownloadsapache_openoffice_incubating_3.4.0_win_x86_install_en-us.exe.part
Closing Handle> 3656 - PID: 988 - C:Users
usticdogDownloadsApache_OpenOffice_incubating_3.4.0_Win_x86_install_en-US.exe.part
 

Edit : Found this in logs too :
Fri 22-06-2012 13:52:24.0568    Infection detected: c:users
usticdogdownloadsapache_openoffice_incubating_3.4.0_win_x86_install_en-us.exe.part [MD5: 451CF77F5FAAE701D0D70B4BE172B75D] [3/00080000] [TROJAN.PROXY.G]
Fri 22-06-2012 13:52:24.0568    File blocked in realtime: c:users
usticdogdownloadsapache_openoffice_incubating_3.4.0_win_x86_install_en-us.exe.part [MD5: 451CF77F5FAAE701D0D70B4BE172B75D, Size: 303280 bytes] [524288/00000003] [TROJAN.PROXY.G]
Fri 22-06-2012 13:52:24.0570    Determination flags modified: c:users
usticdogdownloadsapache_openoffice_incubating_3.4.0_win_x86_install_en-us.exe.part - MD5: 451CF77F5FAAE701D0D70B4BE172B75D, Size: 303280 bytes, Flags: 00000020
 
 
 
icon

Best answer by YegorP 22 June 2012, 17:21

View original

This topic has been closed for comments

3 replies

Userlevel 7
Hey rusticdog,
 
First of all, welcome to the Webroot Community and thanks for posting on the forums! :D
 
Sorry to hear about your troubles! I'd like to help you get this resolved ASAP so you can run OpenOffice and SecureAnywhere with no conflicts.
 
I'd like you to open a support ticket from the computer that you're having the issue as we'll have to examine the log files that come through when you send in the ticket.
 
Please let me know that you've sent the ticket. When the issue is resolved, I'll post the solution back here on the thread!
 
Thanks,
No, it's fine. I can download the file, it was just that one time it decided the file part contained a Trojan, which is what I found unusual. If it were truly a false positive then I should have seen repeated blocks rather than this as a one off...or that's what I'd expect.
Userlevel 7
Hi rusticdog,
 
That's fine and I'm glad you could get the file downloaded.
 
Regarding the file in question, it looks like it was blacklisted on your computer and placed in quarantine. Right now, we're keeping a close eye on the file, which is currently set to an 'unknown' status, and will wait and see how it behaves before making a surefire decision one way or the other. In the meantime, you can remove the file from your quarantine and restore it if you'd like. 
 
Make sure to check back on the Community and let us know if you have any other questions!