Solved

Exclude folders from scanning?


Userlevel 1
Is it possible to exclude certain folders from scanning?
 
Thank!

Best answer by Kit 7 May 2012, 16:16


176 replies

Userlevel 7
I think you're being overly harsh; you make it out like we are burying our heads in the sand. We never say that we will block 100% of all malware, and no AV company would say so either. We have already said we are currently unable to get iMontior working with WSA and for that I apologise, but you can't use that as a reflection on everything we do!
 
If you want to scan a network drive just right click on it and use the "Scan with Webroot" option. As for the 30 detections from AVIRA, I would need a complete log from the program. Please remember we don't run the same way as traditional AVs; we don't waste your time and system resources scanning every single file on your PC.
 
In Kit's defense he is correct: Webroot is vastly different to other AVs. We don't bother about cookies, empty folders or left over remnants of dead infections. For example I had a ticket yesterday where the customer had used some AV product that I had never heard of and said that they had 1,957 "infections" that Webroot didn't pick up. Needless to say not one was an actual infection.
 
The infection in that screen is an AutoCAD infection, something I haven't seen in a long while. We could gather some samples and have a look at it.
 
I don't see your ticket in the support queue. Can you send me a message with the email address that you used to create the ticket?
Userlevel 7
Please note I didn't say "There's definitely not a problem", I said "chances are there's not a problem". I don't expect in any way that Webroot is perfect, but I was not lying when I said that I've never seen a given case. I have seen things that Webroot misses, but also everything else missed it as well, and Webroot only missed it for about two hours, while everything else started picking it up after a week. So no, nothing's perfect. Everything sucks. Webroot just sucks less. ;)
 
It's common to throw blame around. People want to find something to blame for everything they dislike. As a good example, a commonly-used firewall had problems when it was installed alongside Webroot.  Webroot alone? No problem. Firewall alone? No problem. Firewall and Webroot? The firewall had problems. Must be Webroot's fault, right?
 
Turned out that the firewall itself was the problem. When attaching to a driver, there are two ways that the driver can require an attachment, effectively "full capability" and "limited". Network drivers generally only use Limited, but they can go into full mode, they just rarely do and when they do, they don't make use of anything other than limited commands. When Webroot is installed, Webroot's network driver stuff goes into Full mode and actually USES full mode, which is a good thing. Unfortunately the people who wrote the firewall thought "Nobody ever uses Full mode on network drivers, so why should we support it?" So their stuff got confused when they got a full mode message.
 
So could one say "Webroot was the problem"? Technically, yes. Webroot used something better that nobody else used and the badly-written firewall couldn't deal with it. But if the firewall had been written properly to begin with, there would have been no problem, whereas Webroot would have to be written badly instead of written properly to remove the problem.
 
So, the viruses...
AutoCAD viruses are malicious interpreted code in AutoLISP or VBA that take advantage of an older version of AutoCAD (annoying that "older" means anything prior to 2013 SP1) to operate. Newer AutoCAD is not susceptible to this issue, and user attention also reduces the likelihood of being affected by this kind of infection, since it cannot do anything unless loaded into older AutoCAD. It is sadly also exceptionally trivial to hide these infections from other AVs and also to have false positives on them, so trusting any AV to detect these is not good.
 
"Baidu Malicious Code" is the Baidu Toolbar. It's not a virus, it's just an annoying toolbar, like the Ask Toolbar and such. In many cases, AV programs will trigger on installers that are able to install the toolbar even if they default to not doing so. AV programs will also trigger on settings from the toolbar in the registry even if the toolbar itself is not there.
 
QQ malicious code - The only thing I could find about that is a False Positive from Avira on QQ.exe, QQBaseClassInDll.dll, and QQHelperDll.dll.
 
As was indicated by the Webroot Threat Researcher, without seeing the full logs of the detection from the other program, nobody can say for certain what happened; we can only guess. I still stand by my statement that I have never seen anything detected by other AV that is actually a legitimate threat to the computer Webroot is installed on.
 
So no, no shares. Not even a publicly-traded company anyway. But I can still say "Chances are it's not an issue" and be accurate, and I can also say "Without seeing logs, we have no way to know for sure, but here are examples of why this can happen." 😛 :)
 
Dear Rakanisheu,

Thank you for your reply. I 100% agree with you and share your opinion that nothing is perfect. And I also believe that WebRoot is a very fine piece of software (which I said already as well). Please read your private message where I sincerely express that I appreciate your and your team's great work.

Concerning the ticket - I sent a message in the available Service Form, kindly asking to let me know a method of how to send virus suspicions. I got the reply already with instructions. But since I am on the road for 3 days and away from my computer, I will attend to that early next week - and of course I will drop you a note once done.

Greetings
Dear Rakanisheu,
 
I now managed to upload a ZIP file with several of the files (not all) which other programs show as infected or malicious.
 
In the meantime, the following Antivirus Programs have reported them as malicious/infected:
 
Windows OS:
  • AVIRA
  • NORTON (I am not a fan of them, but for the sake of testing, I downloaded their trial)
MacOS:
  • MacKeeper
Here is an extract of the NORTON result:
 
Scan Information:
Virus Defs Version: 2013.01.31.020
Virus Defs Seq ID: 141376
Scan Statistics:
Scan Start:
Local: 7/9/2013 12:19 AM
UTC: 7/8/2013 4:19 PM
Scan Time: 59 seconds
Scan Targets: \\vmware-host\Shared Folders\Desktop\VIRUS
Counts:
Total items scanned: 11
- Files & Directories: 11
- Registry Entries: 0
- Processes & Start-up Items: 0
- Network & Browser Items: 0
- Other: 0
- Trusted Files: 0
- Skipped Files: 0
Total security risks detected: 3
Total items resolved: 3
Total items that require attention: 0
Resolved Threats:
ALS.Kenilfe
Type: Anomaly
Risk: High (High Stealth, High Removal, High Performance, High Privacy)
Categories: Virus
Status: Fully Resolved
-----------
1 File
\\vmware-host\shared folders\desktop\virus\acad.fas - Deleted
1 Browser Cache
 
ALS.Bursted.B
Type: Anomaly
Risk: High (High Stealth, High Removal, High Performance, High Privacy)
Categories: Virus
Status: Fully Resolved
-----------
2 Files
\\vmware-host\shared folders\desktop\virus\acaddoc.lsp - Deleted
\\vmware-host\shared folders\desktop\virus\acaddoc.lsp 2 - Deleted
1 Browser Cache
 
WS.SecurityRisk.1
Type: Anomaly
Risk: High (High Stealth, High Removal, High Performance, High Privacy)
Categories: Security Risk
Status: Fully Resolved
-----------
1 File
\\vmware-host\shared folders\desktop\virus\181c0ac68142e98b92f253b7a2e0253577fbf0a0 - Deleted
1 Browser Cache
 
 
Unresolved Threats:
No unresolved risks
 
 
Is there an e-mail WebRoot has where one can submit new virus suspicions so that they can be included in future?
 
Please let me know WebRoot's feedback on the files.
 
Thanx
Userlevel 7
Badge +56
Hello do you have copies of these files? Can you ZIP them up and password protect with the name infected all in lower case? I will send you a PM.
 
Thanks,
 
Daniel
Hello Daniel,
 
I have already sent them to WebRoot using the WSALOGS tool (grab file only). After that, I have used Norton to completely remove all threats from my hard disk. The file name is VIRUS.zip and is 428.9 MB.
 
Here is a Report of Norton:
 
Scan Information:
Virus Defs Version: 2013.07.08.002
Virus Defs Seq ID: 145616
Scan Statistics:
Scan Start:
Local: 7/9/2013 1:22 AM
UTC: 7/8/2013 5:22 PM
Scan Time: 2,788 seconds
Scan Targets: Entire computer
Counts:
Total items scanned: 477,456
- Files & Directories: 471,577
- Registry Entries: 291
- Processes & Start-up Items: 4,935
- Network & Browser Items: 645
- Other: 5
- Trusted Files: 2,740
- Skipped Files: 15,860
Total security risks detected: 9
Total items resolved: 9
Total items that require attention: 0
Resolved Threats:
ALS.Bursted.B
Type: Anomaly
Risk: High (High Stealth, High Removal, High Performance, High Privacy)
Categories: Virus
Status: Fully Resolved
-----------
1 File
c:\acaddoc.lsp - Deleted
1 Browser Cache
 
WS.SecurityRisk.1
Type: Compressed
Risk: High (High Stealth, High Removal, High Performance, High Privacy)
Categories: Heuristic Virus
Status: Fully Resolved
-----------
1 File
- Deleted

ALS.Kenilfe
Type: Compressed
Risk: High (High Stealth, High Removal, High Performance, High Privacy)
Categories: Virus
Status: Fully Resolved
-----------
1 File
- Deleted

ALS.Bursted.B
Type: Compressed
Risk: High (High Stealth, High Removal, High Performance, High Privacy)
Categories: Virus
Status: Fully Resolved
-----------
1 File
- Deleted

ALS.Bursted.B
Type: Compressed
Risk: High (High Stealth, High Removal, High Performance, High Privacy)
Categories: Virus
Status: Fully Resolved
-----------
1 File
- Deleted
 
Unresolved Threats:
No unresolved risks
Userlevel 7
Badge +56
Please read my latest PM.
 
Thanks,
 
Daniel 😉
Userlevel 7
The first question:
Do you run AutoCAD?
 
The second question:
If so, are you using AutoCAD 2013 SP1?
 
The third question:
If you run AutoCAD, do you open random AutoCAD files from random people or place unknown LSP files into your AutoCAD folders despite the fact that AutoCAD says not to?
Dear Triple Helix,
 
I already read your PM and sent you the infected files as instructed by you. In fact, it is still uploading.
 
Regards,
JP
Dear Kit,
 
Here the replies:
 
@ wrote:
The first question:
Do you run AutoCAD?
 
I only run a free AUTOCAD viewer - I do not draw myself.
 
The second question:
If so, are you using AutoCAD 2013 SP1?
 
See above
 
The third question:
If you run AutoCAD, do you open random AutoCAD files from random people or place unknown LSP files into your AutoCAD folders despite the fact that AutoCAD says not to?
 
I do not run AUTOCAD - only AutoCad Viewers... I only open CAD files received from my customers related to projects we work on - or our suppliers in various parts of the world. If you want, they can be considered random people since I have no control over their computer and software. But I have to work with their files. I do not run them in AUTOCAD, only in my free AutoCad Viewer (on either MacOS or Windows on the same computer).
 
Kit,
 
the viruses found are not all in AUTOCAD files, they are in various different files, and they have been labelled as various different viruses. I already sent files to different people related to WebRoot to have a deeper look into the case.
 
Thanx.
Userlevel 7
@ wrote:
Kit,
 
the viruses found are not all in AUTOCAD files, they are in various different files, and they have been labelled as various different viruses. I already sent files to different people related to WebRoot to have a deeper look into the case.
 
Thanx.
Most of the named files are AutoCAD-related (ALS. = AutoCAD LISP Script)
 
Some of the "viruses" named are Windows Script (WS.).
 
Many of the items indicated do not include file information.
 
None of them are machine code or are capable of actually doing anything substantial other than trying to get something else onto the computer that can do something substantial. Anything they try to bring in that can do something substantial is blocked by Webroot. Also, they can only do this in the event that you open the security settings of the AutoCAD viewer and the Windows Scripting Host wide open and completely ignore all warnings about potentially-malicious items given to you by the AutoCAD viewer and the WSH.
 
They are all on network shares. No, network shares are not normally scanned unless items on them are set to execute machine code. Under normal circumstances, that would not protect the computer any more than Webroot does and would take a substantial amount of time and energy as well as network resources.
 
The detections for all of the items listed are highly prone to false positives, since they are based on interpreting text-based script without actually utilizing a scripting engine. As for "Highly Dangerous", Norton also has detected and deleted an empty, hidden, system folder named approximately C:\ProgramData\2738sj38sT2H9k and called it a "Highly Dangerous, Highly Polymorphic", etc. infection. Considering that I created it for testing purposes, I can tell you for a fact it was not dangerous. Norton is just not smart enough to know that.
 
The way that Webroot works, those files would not be detected on a scan since they do not contain machine code and they are not in a location that will run. In the event that they were executed by an interpreter and actually did something bad that the old interpreter and user settings allowed to occur, that bad would be attempted by the interpreter and would be caught by Webroot at the time it occurred.
 
Threat Research will be able to give you a deeper understanding, since they are in direct possession of the files now; however I can still tell you the general case from looking at things.
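To read the two Norton reports posted earlier in this thread against Kit's breakdown (ALS. = AutoCAD LISP Script, WS. = Windows Script, and entries that name no file at all), here is an added Python parser for that report layout. It is example code written for this thread, not a Webroot or Norton tool; the report it embeds is constructed in the same layout with placeholder paths.

```python
import re
from dataclasses import dataclass, field

# Constructed sample in the layout of the Norton scan reports posted in this
# thread (placeholder paths, not the files from the original posts).
SAMPLE_REPORT = """Scan Information:
Virus Defs Version: 2013.07.08.002
Scan Statistics:
Scan Targets: Entire computer
Counts:
Total items scanned: 11
Total security risks detected: 2
Resolved Threats:
ALS.Bursted.B
Type: Anomaly
Risk: High (High Stealth, High Removal, High Performance, High Privacy)
Categories: Virus
Status: Fully Resolved
-----------
2 Files
c:\\example\\drawings\\acaddoc.lsp - Deleted
c:\\example\\drawings\\acad.fas - Deleted
1 Browser Cache

WS.SecurityRisk.1
Type: Compressed
Risk: High (High Stealth, High Removal, High Performance, High Privacy)
Categories: Heuristic Virus
Status: Fully Resolved
-----------
1 File
- Deleted

Unresolved Threats:
No unresolved risks
"""

# Detection-name prefixes as explained in the thread: both are interpreted
# script families, not machine code.
PREFIXES = {"ALS.": "AutoCAD LISP script", "WS.": "Windows script"}
DELETED = re.compile(r"^(.*?)\s*-\s*Deleted$")   # path may be absent entirely

@dataclass
class Threat:
    name: str
    kind: str = ""
    risk: str = ""
    categories: str = ""
    files: list = field(default_factory=list)   # "" when the entry names no path

    @property
    def family(self):
        return next((v for k, v in PREFIXES.items() if self.name.startswith(k)), "other")

    @property
    def missing_paths(self):
        return sum(1 for f in self.files if not f)

def parse_report(text):
    """Split the 'Resolved Threats:' section into Threat records, one per block."""
    threats, cur = [], None
    lines = text.splitlines()
    if "Resolved Threats:" not in lines:
        return threats
    for raw in lines[lines.index("Resolved Threats:") + 1:]:
        line = raw.strip()
        if line == "Unresolved Threats:":
            break
        if not line:                       # blank line closes the current block
            if cur: threats.append(cur); cur = None
        elif cur is None:                  # a bare detection name opens a block
            cur = Threat(line)
        elif line.startswith("Type: "):
            cur.kind = line[6:]
        elif line.startswith("Risk: "):
            cur.risk = line[6:]
        elif line.startswith("Categories: "):
            cur.categories = line[12:]
        elif DELETED.match(line):          # "path - Deleted" or just "- Deleted"
            cur.files.append(DELETED.match(line).group(1))
    if cur: threats.append(cur)
    return threats

def triage(text):
    """Per threat: name, script family, file entries, entries with no path."""
    return [(t.name, t.family, len(t.files), t.missing_paths) for t in parse_report(text)]
```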
Following feedback from a specialist (not WebRoot Service though):
 
and
Are detected as bad and it's adware!
 
 
[u] c:\users\daniel\downloads\fe4e1b5427cd214a9171ff11921e488f3fa2c0c7 [MD5: BFE4A9B4186E005B26E22D58FBB2BEB3] [Flags: 00080001.5902]
Infected not detected by WSA but it’s a dormant file and can’t run!
https://www.virustotal.com/en/file/68ca5945880a926f48e72f52de0701962e6b1a1e287007cff29912751099d1a5/analysis/1373383559/
[u] c:\users\daniel\downloads\????2006 ???\cibaf.exe [MD5: 398ABF7B9B2155BF041B46F8CDB3EA61] [Flags: 00080000.5962]
Clean
https://www.virustotal.com/en/file/2b914c1fcbd900fe200f95b4f1f2b39b8358b143a94870aabd9169835593a906/analysis/1373383772/
All the rest are good or can’t do any harm!
Roy and WebRoot Service have received copies of the infected files - let's wait and see what they have to say - and they are aware of the findings.
These are only some of the total 33 files with viruses and infections.
 
So it seems that some are not a risk, others (as it seems) indeed are malicious infections. And Webroot did not find them on my computer. That maybe was due to the fact that the files are on a virtual shared partition on my computer, and some of the files are in ZIP (or RAR) archives which I did not open.
 
While WebRoot keeps my computer safe by removing any infection upon unstuffing an archive, I guess that copying an infected archive or sending it by e-mail to others might cause other computers to be infected if they are not properly secured. I personally am not so happy running the risk of sending an infected file to others. This could theoretically happen when I forward an infected archive I received from elsewhere...
 
Of course one can argue that everybody should be responsible enough to have a proper antivirus software installed and running. But shouldn't we all think of how we can reduce the risk of infection by avoiding forwarding any potential source of infection to (maybe naïve) others?
 
Once I get feedback from other antivirus software tech supports, I will post here.
Userlevel 7
I'll let Roy take a look at the file itself and comment since he now has a copy of it, but something about VirusTotal - it's not always right, and you have to be careful about how you're looking at the results. On that first file, 24 vendors say it's not an infection and 23 say it is. On the second one, 18 say it's bad and 28 say it isn't. So actually, those results are proportionately saying that both of them are false positives for the vendors that are detecting them as an infection.
Userlevel 7
How did you end up having 33 files with viruses and infections? Shouldn't the people who sent them to you have been protecting you against the stuff since they don't use Webroot?
 
Also note that the history of VT scanners on the samples was very telling. All of them were detected by some of the VT scanners, however none of them detected all of the samples. Now most of the major ones detect it, but when you first forwarded the samples, any major AV would detect half or less of the infections. So... That means that if you thought you were being safe and not forwarding things that were infected because you have a different scanner than Webroot, you'd be forwarding half of them anyway.
 
In any case, you are fully welcome to make the decision whether you want to use Webroot to protect your computer best or whether you want to protect other people also at the cost of your computing resources. All of us who use it are fully aware that we are not protecting other people and we are perfectly fine with that. It's not a hidden fact in any way. It's come up in the past, in very similar ways, and nobody tries to hide it. People who are happier catching half the stuff before sending it on may use something else. The rest of us are quite fine with protecting our computers better with less resources used.
 
And yes, everybody should be responsible enough. Because the ones who don't use Webroot are still passing on half the infections or more. Is it more responsible to know that you are not protecting everybody else and thus be more careful, or is it better to think you are protecting other people when your AV is probably missing half of the stuff anyway? If you think you are protecting people, you are liable to be less cautious. Or worse, you might tell them "I scanned it, it's safe." when it isn't, but your scanner just didn't catch it.
Kit, or anybody else,
 
can someone again explain to me in simple terms what the main difference is between WebRoot and other antivirus applications?
 
Why is WebRoot using substantially fewer resources than others?
 
What are the main differences between WebRoot scanning for viruses and other apps?
 
Thank you
@ wrote:
How did you end up having 33 files with viruses and infections? Shouldn't the people who sent them to you have been protecting you against the stuff since they don't use Webroot?
 
Dear Kit - on this planet, we have users of
• WebRoot
• updated AntiVirus Software
• users who have outdated or useless AntiVirus software
• Users who have no antivirus Software at all
The files I found them in were all in files copied or received from clients and customers which were in the respective folders and kept there for reference.
 
It is self-explanatory then that all of us can occasionally receive files with infections, depending on the geographic region etc. we work in...
Userlevel 7
Some good discussions in this thread! But I'll post my thoughts. The first is that adware isn't always a bad thing! And that's an important thing to remember. Lots of "free" software is ad-supported; this is very common in mobile applications. The people that write this software need to earn a living somehow!
 
Toolbars are a sticky point. Personally I hate them all; if I had my way I would blacklist every single one of them. However lots of people use them and they do have certain uses. I deal with a large number of tickets with people complaining that Webroot isn't removing a certain toolbar. I won't start naming the common ones but they nearly all require you to click OK a number of times before they install, so you know what you're getting. Now if a toolbar is deemed malicious or it installs in a sneaky way or won't uninstall we will mark it bad. However Webroot isn't the software police; just because a piece of software is poorly written or you don't like it doesn't mean we should be blocking it :)
 
As for VT, again you have to be very careful with its results. If I had a Euro for every time I saw an infection that wasn't in VT I would be a rich man. Also it's common for a big vendor to mark a file as bad and then people start jumping on that determination and copy said determination. VT is a useful tool but don't rely on it as the sole information on a file; use it along with other information!
 
Other AV programs' detections, this is a tricky one really. Certain AV programs I will trust more than others and some are just pure junk. A program that most of us are familiar with is Malwarebytes. It will pick up registry issues and general Windows issues as well as infections and this can cause confusion. So a customer will say they have 40 infections but it's actually a toolbar with the 39 associated registry entries for the program! I actually like Malwarebytes but you have to know what it's doing/detecting.
 
Webroot's way of protecting your PC is different in that we don't scan every file on your PC like other AVs do. This is a point that many people don't understand. Why bother scanning hundreds of GB of data that will never be an infection? Why waste system resources and more importantly your time doing so? In order for an infection to do anything it has to run in active memory. Once it does so then we pounce and kill it. All of our data is in the cloud, meaning that you don't have to download a large number of definitions every hour.
 
This is awesome but we run into an issue when somebody runs a full system scan with MSE or Norton and they find some dead infection that's been sitting in a random path for two years. Then they think WSA isn't doing its job but we are working as designed. I have about 1 GB of infections in a test PC sitting in a folder just off the root of the C:. They are inactive and will never do anything unless I actually run them. If I scan the folder with WSA it will remove them all. Or if I run one of the files WSA will pop up and remove the file (and it will probably scan that folder and remove the rest). WSA can scan your full PC if you want like a traditional AV but I never do it myself.
 
Sorry for the long post!
 
As for the samples that were posted.
 
c:\users\daniel\downloads\fe4e1b5427cd214a9171ff11921e488f3fa2c0c7.exe
 
This file has been seen on 2 PCs and nowhere in the wild from what I can see.
 
c:\users\daniel\downloads\????2006 ???\cibaf.exe
 
Is a good file that has been seen on 6 PCs.

The Baidu toolbar files are bad in our database and WSA will remove them.
Userlevel 7
Roy,

Fantastic and informative post!
Userlevel 7
Seen on two PCs means scanned on Mine and one other, and I know whose (and it's not the OP's). XD
 
MBAM's "40 infections!" being an inactive toolbar DLL and 39 registry entries is a good example of the difference between the average viewpoint and a security expert's viewpoint such as what we see and know at Webroot, whether we work there still or not. I have nearly two decades of security experience under my belt from well before Webroot was a garage business and Roy pretty much summed it up. If it's not machine code, it's limited, and things that can control machine code to a degree (VBS, LISP, etc) still have to run through an interpreter that is machine code and in most cases need to acquire native machine code to further their efforts. Most, not all, but even those that don't get caught by virtue of being a module in the interpreter.
 
One thing I do find worth adding to Roy's information is that when last I checked, running a full scan (look at everything on the PC) is not the same as running a Deep Scan (normal, very fast scan) against everything on the computer. There is no way that I know of to run a Deep Scan against every file on the computer (and if there were, it would take days). A full scan takes a surface inventory but does not run the array of extra inspections that a Deep Scan performs, and without these extra inspections, previously-unknown malware will not be caught like it will by a Deep Scan.
Userlevel 7
Badge +56
Hi Kit, the other was me. As you can see, the OP used my scan log excerpts to post from, as I was very curious about these files and detections. I would like to thank you and Roy for the insight on this case; that will be useful for other users and members!
 
Thanks Again Guys,
 
Daniel 😉
Userlevel 7
@ wrote:
Hi Kit the other was me
I know. Which means the person who provided the files never actually scanned them with Webroot.
Userlevel 7
Badge +56
@ wrote:
@ wrote:
Hi Kit the other was me
I know. Which means the person who provided the files never actually scanned them with Webroot.

Userlevel 7
I see cases extremely frequently in which someone believes they have "hundreds" or even "thousands" of viruses, the AV software told them so!
 
On closer examination, the issue Kit mentioned is sometimes the issue, but I also see cases in which the AV is detecting tracking cookies. Many solutions do not make it clear what type of files have been found unless the user specifically looks for the details.