Solved

How to find out what Threat is currently running?

  • 30 December 2013
  • 10 replies
  • 246 views

So I turn on webroot today and I see it colored RED and it shows ACTIVE INFECTION 1, however no matter where I go I can't find what it thinks the infection is.
So I perform the recommended scan and it scans the PC, then turns green and shows no infection found, nor does it give me a choice to remove or quarantine what it thought was infected.
I go to the log and I can't find anything that points to what it thinks was infected.
There needs to be better communication between the program and the user; there is no way for the user to see what the program considers an infection.
 
Here is the bit of the scan log and it shows nowhere where the infected file has been or could have been.  I understand that webroot wants to make the program easy, but honestly don't make it so easy that actually knowledgeable users can't actually see what the program is doing.
 
Some legitimate files are not included in this log
The following files are referenced in the system but could not be found:
Previous Scan Results
INFECTED - [Sun 2013-12-29 19:22:11] 21700 files scanned, 1 infection found in 12m 11s
CLEAN - [Sat 2013-12-28 16:22:46] 31595 files scanned, 0 infections found in 1m 12s
CLEAN - [Sat 2013-12-28 15:52:44] 22671 files scanned, 0 infections found in 4m 24s

Best answer by Rakanisheu Retired 30 December 2013, 12:51


10 replies

Ok i had to get through the whole log to find it:
There must be a better way to allow the user to see what the program webroot considers to be infected.
 
It appears to have been a false positive on:
 
Sun 2013-12-29 19:25:36.0348 Infection detected: SystemCurrentControlSetServicesMagicianSataModeReader [MD5: ] [12/00000000] [(null)]
 
The software it thought was malicious is part of: 
Samsung SSD Magician software.
Userlevel 7
I believe you can find it also by logging into the Account Console.  Go to PC Security, click the affected PC, click the Scan Information tab.
Userlevel 7
Badge +56
You must have Heuristics at Maximum. Drop it one level and send the line to the support inbox, as it's a Registry Key being detected: Webroot Customer Service. When they whitelist it, you can set it back to Max!
 
Cheers,
 
Daniel 😉
Oh I know it's due to the fact that the Heuristics are at Maximum, I love it that way.
That is the main reason that I would like to know what the software considers as an infection, since I want to determine via my neural processor if it's indeed a true infection or a false positive.  Since if it's a true infection then I have other tools that I will throw at it to monitor the spread, or even use Webroot's own Process Monitor launcher since it's not too shabby.
 
All I am asking is if the developers could add better information to the detected infection side of things.
So if my Webroot goes red and it shows INFECTION present then I would like to, let's say, click on the # that is displayed and be allowed to see the path and the file name of the infection:
i.e.
 
ACTIVE INFECTION PRESENT: 2
 
So I can click on the "2" and be taken to the 2 file locations, names, paths etc. that webroot thinks are infected.
Userlevel 7
Badge +56
So do I, and it caught one of my registry keys not too long ago. Max can cause FPs such as this, so contact support and they will whitelist it for you! Also the Scan Log is the best way to find out the infection. Being set to Max, that's what can happen, and that's the reason they suggest not to set it to Max, or to accept that there will be more FPs while set to Max.
 
Cheers,
 
Daniel 😃
Thanks!
 
Meh, I removed the software, was no longer testing the SSD.
 
Could the support provide a better explanation of what each one of the bracketed metadata things means?
 
I know that:
[u] means UNKNOWN
[g] means Good
 
etc., so could I get a list of what the others mean?  That way I can prune the scan lists myself and submit what I really think is a threat or not...kind of reduce the load on the support and make them focus on more important things, like watching porn.
@DavidP1970 wrote:
I believe you can find it also by logging into the Account Console.  Go to PC Security, click the affected PC, click the Scan Information tab.
There must be a better method that can be done via the webroot installed software and not via the console.  I mean I would think that the butt-in-the-seat method would be more effective than the cloud-in-the-browser method.
Userlevel 7
Badge +56
@ wrote:
Thanks!
 
Meh, I removed the software, was no longer testing the SSD.
 
Could the support provide a better explanation of what each one of the bracketed metadata things means?
 
I know that:
[u] means UNKNOWN
[g] means Good
 
etc., so could I get a list of what the others mean?  That way I can prune the scan lists myself and submit what I really think is a threat or not...kind of reduce the load on the support and make them focus on more important things, like watching porn.
If it was a true infection it would say so at the end of the line in the Scan Log! I don't have one in the scan log to show you, but you can see these would be at the end of the infection line in the Scan Log. This is from the Online Console David was talking about.
 
Daniel
 

Userlevel 7
Here are the common ones that you will see:
 
[r] = Rootkit
[u] = Unknown
[g] = Good
[e] = Local Determination set to Over-ride (i.e. the file received a bad det from our DB but the local user wants to run the file)
[k] = Corrupt file/download
[m] = Manual Block (user has used the client to block a file)
 
As I have said before, in my opinion running the Heuristics and other settings at Max is a bad idea and it does come with a health warning. I certainly wouldn't advise it for a customer unless they are technical and know what they are doing.
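The thread gives enough of the scan log format to show how a user could answer the original question themselves, without the console: the "Previous Scan Results" summary lines and the "Infection detected:" line quoted above, plus the determination tags Rakanisheu lists. The script below is an added example written for this page; it is not Webroot's code and Webroot publishes no such parser. The tag dictionary is taken from Rakanisheu's reply. The second detection line in the sample log, the placement of the single-letter tag at the end of the line, and the "no path separator means registry key" heuristic are assumptions made for the example, not documented Webroot behaviour.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Determination tags as listed by Rakanisheu in this thread.
DETERMINATION_TAGS = {
    "r": "Rootkit",
    "u": "Unknown",
    "g": "Good",
    "e": "Local determination set to override",
    "k": "Corrupt file/download",
    "m": "Manual block",
}

# Summary line, e.g. "INFECTED - [Sun 2013-12-29 19:22:11] 21700 files scanned, 1 infection found in 12m 11s"
SUMMARY_RE = re.compile(
    r"^(?P<status>INFECTED|CLEAN) - \[(?P<ts>[^\]]+)\] (?P<files>\d+) files scanned, "
    r"(?P<count>\d+) infections? found in (?P<duration>.+)$"
)
# Detection line. The "\s*" after the timestamp tolerates the missing space seen in
# the thread ("...36.0348Infection detected"). The MD5 field may be empty, as it was
# for the registry key the original poster hit.
DETECTION_RE = re.compile(
    r"^(?P<ts>[A-Za-z]{3} \d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}(?:\.\d+)?)\s*"
    r"Infection detected:\s*(?P<item>.+?)\s*\[MD5:\s*(?P<md5>[0-9A-Fa-f]{32})?\]"
    r"(?P<rest>.*)$"
)
# Single-letter determination tag at the end of the line (assumed position).
TAG_RE = re.compile(r"\[([a-z])\]\s*$")


@dataclass
class ScanSummary:
    status: str
    timestamp: str
    files_scanned: int
    infections: int
    duration: str


@dataclass
class Detection:
    timestamp: str
    item: str
    md5: Optional[str]
    tag: Optional[str]

    @property
    def tag_meaning(self) -> str:
        if self.tag is None:
            return "no determination tag on line"
        return DETERMINATION_TAGS.get(self.tag, f"unlisted tag [{self.tag}]")

    @property
    def looks_like_registry_key(self) -> bool:
        # Assumed heuristic: a file path carries a drive letter or a separator;
        # the key the original poster hit had neither.
        return re.search(r"[\\/]|^[A-Za-z]:", self.item) is None


def parse_summaries(log_text: str) -> List[ScanSummary]:
    out = []
    for line in log_text.splitlines():
        m = SUMMARY_RE.match(line.strip())
        if m:
            out.append(ScanSummary(m["status"], m["ts"], int(m["files"]),
                                   int(m["count"]), m["duration"]))
    return out


def parse_detections(log_text: str) -> List[Detection]:
    out = []
    for line in log_text.splitlines():
        m = DETECTION_RE.match(line.strip())
        if not m:
            continue
        tag = TAG_RE.search(m["rest"])
        out.append(Detection(m["ts"], m["item"], m["md5"], tag.group(1) if tag else None))
    return out


def describe(det: Detection) -> str:
    """One line per detection: what was flagged, its hash, and the tag meaning."""
    kind = "registry key" if det.looks_like_registry_key else "file"
    return (f"{det.timestamp} {kind}: {det.item} md5={det.md5 or '(no hash)'} "
            f"determination={det.tag_meaning}")


# Constructed sample log. The first four lines and the first detection line are
# the ones quoted in the thread; the last detection line is invented for the example.
SAMPLE_LOG = """\
Some legitimate files are not included in this log
Previous Scan Results
INFECTED - [Sun 2013-12-29 19:22:11] 21700 files scanned, 1 infection found in 12m 11s
CLEAN - [Sat 2013-12-28 16:22:46] 31595 files scanned, 0 infections found in 1m 12s
Sun 2013-12-29 19:25:36.0348Infection detected: SystemCurrentControlSetServicesMagicianSataModeReader [MD5: ] [12/00000000] [(null)]
Sun 2013-12-29 19:25:37.0100 Infection detected: c:\\example\\tool.exe [MD5: 0123456789ABCDEF0123456789ABCDEF] [12/00000000] [(null)] [u]
"""

if __name__ == "__main__":
    for s in parse_summaries(SAMPLE_LOG):
        print(f"{s.status} {s.timestamp}: {s.infections} infection(s) in {s.files_scanned} files")
    for d in parse_detections(SAMPLE_LOG):
        print(describe(d))
```

Run it against a saved copy of the real scan log instead of `SAMPLE_LOG` to get the "path and file name of the infection" the original poster was asking for. Anything reported as a registry key with an empty hash and no determination tag is the pattern Daniel describes for a Max-heuristics false positive, and is what to send to support for whitelisting rather than delete.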
Sweet thanks!!!
I agree with Max Heuristics not being for everyone.
That's why I use my Neural Net Processor (aka Brain) in determining the actual probability of an infection and that is why I was looking for easier methods of seeing what is being discovered.

I do love high heuristics; as long as the Anti-Malware package provides me with a choice of what to do once something is IDed as malware then I am fine with the heuristics being high.

Besides Webroot Max Heuristics (so far) is not as picky as AVIRA's used to be. I mean **bleep** back in 2008/09 if you set AVIRA to MAX and turn on auto-delete you might as well just attempt a system re-install since half the Windows processes were considered malicious.
