To Customer Support To Customer Support
Solved

A threat has been eliminated

Asklepios
Rank
Userlevel 6
Good morning USA;)
Yesterday, when using my laptop, I have a WSA mesage: "this site is not secure".
Then I saw on the security bookmark: "1 threat has been elimanted".
Is it possible to see what was this threat?
icon

Best answer by Rakanisheu Retired 29 June 2013, 20:18

View original
Regards, Asklepios

31 replies

Rakanisheu Retired
Userlevel 7
It shouldnt be removing it, unless something weird is going on. I will need support logs at this stage.
Asklepios
Rank
Userlevel 6
@ wrote:
I think we have got mixed up that screenshot is related to the file that I have already whitelisted. That message from Windows is due to the fact that you are downloading a .exe. Its normal and isnt anything to do with Webroot. That file is good in our database.
Hello Roy,
You are right, the first message is from Windows but after downloading this .exe Webroot deleted it and moved it in quarantine:@
Regards, Asklepios
Rakanisheu Retired
Userlevel 7
I think we have got mixed up that screenshot is related to the file that I have already whitelisted. That message from Windows is due to the fact that you are downloading a .exe. Its normal and isnt anything to do with Webroot. That file is good in our database.
Asklepios
Rank
Userlevel 6
That's the analyse.logs:
 
30-06-2013 17:43:10.0985 Begin passive write scan (1 file(s)) 30-06-2013 17:43:12.0420 End passive write scan (1 file(s)) 30-06-2013 17:44:00.0405 Begin passive write scan (1 file(s)) 30-06-2013 17:44:01.0404 End passive write scan (1 file(s)) 30-06-2013 17:57:14.0822 Begin passive write scan (1 file(s)) 30-06-2013 17:57:16.0350 End passive write scan (1 file(s)) 30-06-2013 18:04:39.0009 Begin passive write scan (1 file(s)) 30-06-2013 18:04:40.0238 End passive write scan (1 file(s)) 30-06-2013 18:04:48.0014 Begin passive write scan (1 file(s)) 30-06-2013 18:04:48.0943 End passive write scan (1 file(s)) 30-06-2013 18:05:01.0000 A suspicious file was detected: c:users
obertdesktoplanguagepack_french.exe - D2AFB7BBE8DDF4C4BD05537BD1598870 - 00080801 30-06-2013 18:05:01.0000 File blocked in realtime: c:users
obertdesktoplanguagepack_french.exe [MD5: D2AFB7BBE8DDF4C4BD05537BD1598870, Size: 517696 bytes] [526337/00000020] [(null)] 30-06-2013 18:05:01.0002 Monitoring process C:UsersRobertDesktopLanguagePack_French.exe [D2AFB7BBE8DDF4C4BD05537BD1598870]. Type: 3 (4666) 30-06-2013 18:05:01.0002 Monitoring process C:UsersRobertDesktopLanguagePack_French.exe [D2AFB7BBE8DDF4C4BD05537BD1598870]. Type: 4 (4666) 30-06-2013 18:05:01.0002 Monitoring process C:UsersRobertDesktopLanguagePack_French.exe [D2AFB7BBE8DDF4C4BD05537BD1598870]. Type: 5 (4666) 30-06-2013 18:05:01.0003 Monitoring process C:UsersRobertDesktopLanguagePack_French.exe [D2AFB7BBE8DDF4C4BD05537BD1598870]. Type: 8 (4666) 30-06-2013 18:05:01.0125 A suspicious file was detected: c:users
obertdesktoplanguagepack_french.exe - D2AFB7BBE8DDF4C4BD05537BD1598870 - 00080801 30-06-2013 18:05:01.0125 File blocked in realtime: c:users
obertdesktoplanguagepack_french.exe [MD5: D2AFB7BBE8DDF4C4BD05537BD1598870, Size: 517696 bytes] [526337/00000020] [(null)] 30-06-2013 18:05:13.0984 Determination flags modified: c:users
obertdesktoplanguagepack_french.exe - MD5: D2AFB7BBE8DDF4C4BD05537BD1598870, Size: 517696 bytes, Flags: 00000020 30-06-2013 18:05:42.0475 Performing cleanup entry: 1 30-06-2013 18:05:43.0276 Scan Started: [ID: 37 - Flags: 551/128] 30-06-2013 18:06:50.0337 Connected to B5 30-06-2013 18:06:54.0338 Scan Results: Files Scanned: 38408, Duration: 1m 10s, Malicious Files: 0 30-06-2013 18:06:54.0348 Scan Finished: [ID: 37 - Seq: 70992414]
Regards, Asklepios
Rakanisheu Retired
Userlevel 7
Hmm I cant find the info on that file, can you post the cleanup logs or MD5?
Rakanisheu Retired
Userlevel 7
Ah ok that is different, let me see If I can fix that.
Asklepios
Rank
Userlevel 6
No it says that this file was rarely downloaded and should be insecure.
The file was deleted by WSA-C after I have accepted to download it......
Regards, Asklepios
Rakanisheu Retired
Userlevel 7
That doesnt look like it was us that removed that! My french is rusty is that saying that the file was not downloaded to your PC as it may cause damage?
Asklepios
Rank
Userlevel 6
Hello Roy,
Thanks for whitelisting this file.
I don't know if this can help you but when I download this file with IE9 (Vista pro) I get the following error message and then WSA-C deleted the file:


 
I think it might be interesting to try to download "Sapnish pack" and "German pack";)
Regards, Asklepios
Rakanisheu Retired
Userlevel 7
Not sure why that file was removed on your PC, its not bad in our database.  I have whitelisted the file in anycase, its not behaviour is not malicious and its associated files/processes are good. WSA not being on VT doesnt really bother me too much, VT is only a rough guide and should never be taken as gospel.
Asklepios
Rank
Userlevel 6
@ wrote:
Hello Robert I can't tell for sure but to me it looks like an FP and I did a Search on VT using your MD5 Hash File D2AFB7BBE8DDF4C4BD05537BD1598870 as only Symantec came up with some kind of detection so it's best to wait for a conformation from Roy or another Threat Researcher. I wish Webroot was listed on VT as I made a suggestion maybe if a few more will Kudo it they will look at again as it's on Hold. http://community.webroot.com/t5/Ideas-Exchange/Adding-a-Webroot-SDK-to-VirusTotal/idi-p/7462#.UdBubW2DmJO  :D
 
HTH,
 
Daniel ;)
Hi
Thanks Daniel!
Idea kudoed;)
Now I wait the Roy's answer.
Regards, Asklepios
ProTruckDriver
Rank
Userlevel 7
@ wrote:
I wish Webroot was listed on VT as I made a suggestion maybe if a few more will Kudo it they will look at again as it's on Hold.
I agree Daniel. If I could cheat and Triple Kudo it, I would. 😃
 Late 2015 ~ 5K ~ 27 inch iMac ~ macOS Catalina 10.15.7 ~ Clone & Backup with: SuperDuper - Time Machine & iCloud. PWM: RoboForm. 
RetiredTripleHelix
Rank
Userlevel 7
Badge +56
Hello Robert I can't tell for sure but to me it looks like an FP and I did a Search on VT using your MD5 Hash File D2AFB7BBE8DDF4C4BD05537BD1598870 as only Symantec came up with some kind of detection so it's best to wait for a conformation from Roy or another Threat Researcher. I wish Webroot was listed on VT as I made a suggestion maybe if a few more will Kudo it they will look at again as it's on Hold. http://community.webroot.com/t5/Ideas-Exchange/Adding-a-Webroot-SDK-to-VirusTotal/idi-p/7462#.UdBubW2DmJO  :D
 
HTH,
 
Daniel 😉
Asklepios
Rank
Userlevel 6
Hi Roy,
 
I think that's WSA-C have blocked another sure file on my home PC this time:
 
Automated Cleanup Engine Starting Cleanup at 30/06/2013 - 16:05:42 GMT Starting Routine> Removing c:users
obertdesktoplanguagepack_french.exe...#(PX5: - MD5: D2AFB7BBE8DDF4C4BD05537BD1598870)... Deleting File> c:users
obertdesktoplanguagepack_french.exe
 
Is it this a false positive ?
Regards, Asklepios
Asklepios
Rank
Userlevel 6
Hi Roy,
Thanks for your help:D
I have restored the file, even if my laptop continued to works well without it.
Then I launched an analyse and the laptop is clean.
Good Sunday!
Robert
Regards, Asklepios
Rakanisheu Retired
Userlevel 7
Replied to the PM! The file is good and can be restored. The prevx information is out of date.
Asklepios
Rank
Userlevel 6
@ wrote:
Hi Robert you can call him Roy if you like!
 
Daniel
Thanks Daniel for the info;)
Regards, Asklepios
Asklepios
Rank
Userlevel 6
@ wrote:
@ wrote:
You wont need to submit logs, I found the file in our database and its now good. Saves you doing any work :)
Thanks Rakanisheu:D
But I don't understand the link given by Jim:@ :
http://www.prevx.com/filenames/X460799281356301372-X1/HDCTRLEX.DLL.html#nogo
Can you explain to me ?
Another think that I don't understand is that the page above reports always that the file hdctrlex.dll is a "fraudulent security program".
Regards, Asklepios
RetiredTripleHelix
Rank
Userlevel 7
Badge +56
Hi Robert you can call him Roy if you like!
 
Daniel
Asklepios
Rank
Userlevel 6
Hello Roy;)
I'm sorry to insist but I don't understand what I have to do.
Now I'm at home and I run my laptop, and I see that the suspicious file ("hdctrlex.dll") remains in the quarantine.
I don't know if I can restore it?
I'll send you a PM with the report of detection.
Regards, Asklepios
Asklepios
Rank
Userlevel 6
Thanks Rakanisheu:D
Can you tell me if this file is really a file of my professional program ?
Regards, Asklepios
Rakanisheu Retired
Userlevel 7
That page is out of date since I just changed the database entry for that file. I assume it will autoupdate soon enough.
Asklepios
Rank
Userlevel 6
@ wrote:
You wont need to submit logs, I found the file in our database and its now good. Saves you doing any work :)
Thanks Rakanisheu:D
But I don't understand the link given by Jim:@ :
http://www.prevx.com/filenames/X460799281356301372-X1/HDCTRLEX.DLL.html#nogo
Can you explain to me ?
Regards, Asklepios
Rakanisheu Retired
Userlevel 7
You wont need to submit logs, I found the file in our database and its now good. Saves you doing any work 🙂
Asklepios
Rank
Userlevel 6
@ wrote:
I don't see Rakanisheu online this morning, but I might be able to help.
 
It's hard to say just based on the file name.  The file name alone doesn't tell us as much as the MD5 of the file would.  The MD5 is submitted automatically when you contact us via the support system, which is why we suggest using that system in all cases of false positives or infections.
 
That said, I'm leaning more towards it being an infection, based on this.  However, we won't really know for sure until we get a closer look, since file names alone can be misleading.  If you update your support case, we can provide a better answer since we'll have more data to go on.
Thanks Jim
This thread was on my old laptop and I cannot access to it before Saturday evening or Sunday.
 
Regards, Asklepios

Reply


Terms & Conditions

© 2004 - Webroot Inc.

We have recently updated our Privacy Policies. We encourage you to read the full terms here.