I downloaded an exe file and webroot quarantined it

  • 26 March 2016
  • 5 replies
  • 145 views

Userlevel 1
I downloaded an exe file and Webroot quarantined it with no warning message. It just disappeared from the folder I was trying to put it in. I have a few questions about quarantined files.
 
1) If Webroot quarantines a file, has it really found a threat in the file or is this just an automatic response for certain types of files, like .exe files?
 
2) I am somewhat of a new user of Webroot, so is this the way that Webroot handles files that it quarantines, that is, it just removes the file from the folder and really doesn't tell you what it was doing?
 
3) I did get error messages when trying to move the exe file into a new folder. It said I was not authorized to access the target folder, rather than telling me the file might be a threat to my system. Is this really Webroot's behavior? It would seem to me that it would be better to notify the user that there was a perceived threat problem with the file rather than use a more obtuse error message.
 
Just checking out how this new software is working to protect me from threats.
Thanks,
John Kruse

5 replies

Userlevel 7
Hi John
 
If WSA has quarantined a file then it will be in the Quarantine folder (PC Security > gear/cog to the right > Quarantine tab) for you to either remove permanently, restore or just leave there where it can do your system no harm.
 
As for your questions, I will try to answer them as best I can. :D
 
1) If Webroot quarantines a file, has it really found a threat in the file or is this just an automatic response for certain types of files, like exe's?
 
In general it is because WSA has determined the file to be suspicious or capable of posing a threat to your system. Having said that, it is also the case that some quarantining is due to false positive determinations, i.e., WSA believes there is a threat when there is none...often due to new versions of existing processes or exes.
 
2) I am somewhat a new user of Webroot, so is this the way that Webroot handles files that it quarantines, that is, it just removes it from the folder and really doesn't tell what it was doing?
 
As I stated above WSA will quarantine something it deems as a threat to your system; that is the default behaviour for threats detected...so assume that it will always do this in that circumstance.
 
3a) I did get error messages when trying to move the .exe file into a new folder.  It said, I was not authorized to access the target folder rather than tell me the file might be a threat to my system.  Is this really Webroot's behavior?  
 
You can/should only move quarantined files using the features available in WSA, i.e., permanently delete or restore the quarantined item. The options are available at the bottom of the Quarantine tab, and as a 3rd option you can just leave the items where they are.
 
3b) It would seem to me that it would be better to notify the user that there was a perceived threat problem with the file rather than use a more obtuse error message.
 
This is the way WSA works...threats are quarantined, and what I always do after a notification of threat detection, which one will always get, is to run a manual scan, which will generally qualify the issue(s) identified.
 
3c) Just checking out how this new software is working to protect me from threats.
 
Completely understand what you are doing, and if I may say so it is a very wise move on your part. ;)
 
Regards, Baldrick
Userlevel 3
Badge +3

My problem is very similar to what John Kruse experienced four years ago. I have used Webroot for many years, successfully I might add, and have similar questions to better understand its behavior.

I purchased some software and, trying to download it, Chrome and some other browsers returned messages saying “insufficient permissions” and the downloaded file disappeared. I did find it in the Quarantine area.

My questions:

  1. Is there a way for Webroot to rescan this file in the quarantine area?
  2. Is there a database that Webroot maintains to identify suspicious files?
  3. Should these files be explicitly reported to Webroot or is this done automatically?
  4. Is it safe to run the file using the block/allow files, checking off Allow and Monitor - will Webroot do the right thing if it continues to find suspicious behaviours?
  5. A program download will morph into a program, with possibly multiple files, after it is run. Does Webroot check the individual files that are created?
  6. And if it doesn't find a problem, does that mean a false positive was generated and the original file was okay?

Just curious.


Userlevel 7
Badge +59

Hello @wgr

Save a Threat Log to see what was removed: https://docs.webroot.com/us/en/home/wsa_pc_userguide/wsa_pc_userguide.htm#UsingReportsAndViewers/SavingThreatLogs.htm%3FTocPath%3DUsing%2520Reports%2520and%2520Viewers%7C_____2

If that doesn't show it, then Save a Scan Log and look near the bottom of the log: https://docs.webroot.com/us/en/home/wsa_pc_userguide/wsa_pc_userguide.htm#UsingReportsAndViewers/SavingScanLogs.htm%3FTocPath%3DUsing%2520Reports%2520and%2520Viewers%7C_____1

If you can, from the logs above post any lines that say infection; we are looking for the MD5 hash.

Now if you believe these are some sort of False Positives, the best thing to do is Submit a Support Ticket and they will let you know either way.

Note: When submitting a Support Ticket, please wait for a response from Support. Putting in another Support Ticket on this problem before Support responds will put your first Support Ticket at the end of the queue, and Support can take up to 48 hours to reply, or a little longer because of COVID-19.

Thanks,

Userlevel 3
Badge +3

> If you can, from the logs above post any lines that say infection; we are looking for the MD5 hash.
>
> Now if you believe these are some sort of False Positives, the best thing to do is Submit a Support Ticket and they will let you know either way.

Thank you for your detailed reply, TripleHelix. It is highly illuminating. Webroot is a very feature-rich and complex program.

The scan log had several instances of the download appearing (I did try multiple times to download in different ways) and they did have the MD5 hash. At the end of some lines, [W32.Malware.Gen] appeared. This I would assume is the category of the alleged infection.

I have been using software from this company for several years and I think the company is reputable. That's why I was considering un-quarantining the download and having Webroot monitor it going forward, using this choice offered in the Quarantined section of the Webroot interface.

But is this a risky step, to rely on Webroot's dynamic monitoring to catch any follow-on malware?
I don't know how effective Webroot is in its follow-up of unleashed quarantined programs.

Or should I submit a support ticket to Webroot and wait for an official response?

I would be interested in opinion from the forum.

But in the meantime, I will submit a support ticket as suggested and also wait to hear back from the software vendor.
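The two replies above ask for the "infection" lines from the saved scan log and, in particular, the MD5 hash on each of them, and wgr reports that those lines end with a detection name such as [W32.Malware.Gen]. The following is an added example, not code from this thread or from Webroot: it pulls the hash and detection name out of such lines and hashes a local copy of the file so you can confirm that the file you are about to send with a false-positive ticket is the same one the scanner flagged. The log lines in SAMPLE_SCAN_LOG are constructed for the example; the real Webroot log layout is not shown on this page, so the parser assumes only a 32-hex-digit MD5 somewhere on the line and a bracketed name at its end.

```python
import hashlib
import re
import sys

# Constructed sample lines, written only to exercise the parser below. This is
# NOT the real Webroot scan-log format (assumption: a 32-hex MD5 on the line and
# a bracketed detection name at the end, as the poster describes).
SAMPLE_SCAN_LOG = """\
[2020-05-01 10:12:03] Scan started
[2020-05-01 10:12:04] Infection detected: C:\\Users\\wgr\\Downloads\\setup.exe MD5: 9E107D9D372BB6826BD81D3542A419D6 [W32.Malware.Gen]
[2020-05-01 10:12:04] Quarantined: C:\\Users\\wgr\\Downloads\\setup.exe
[2020-05-01 10:12:09] Scan finished
"""

MD5_RE = re.compile(r"\b([0-9a-fA-F]{32})\b")          # any 32-hex token
DETECTION_RE = re.compile(r"\[([A-Za-z0-9._-]+)\]\s*$")  # e.g. [W32.Malware.Gen]


def find_infections(log_text):
    """Return (md5, detection_name, line) for every line that mentions an
    infection and carries a 32-hex-digit hash. Lines with no hash are skipped,
    because the hash is the thing a false-positive ticket needs."""
    hits = []
    for line in log_text.splitlines():
        if "infection" not in line.lower():
            continue
        m = MD5_RE.search(line)
        if not m:
            continue
        d = DETECTION_RE.search(line.rstrip())
        hits.append((m.group(1).lower(), d.group(1) if d else None, line.strip()))
    return hits


def file_hashes(data):
    """MD5 (what the forum asks for) and SHA-256 (what most other lookup
    services key on) of the file bytes."""
    return {
        "md5": hashlib.md5(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
    }


def matches_log(data, log_text):
    """True if this file's MD5 equals a hash the log flagged as an infection,
    i.e. the file you are about to submit is the one that was quarantined."""
    local_md5 = file_hashes(data)["md5"]
    return any(md5 == local_md5 for md5, _, _ in find_infections(log_text))


if __name__ == "__main__":
    # Usage: python hashcheck.py [scan_log.txt [downloaded_file.exe]]
    # With no arguments it runs against the constructed sample log.
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8", errors="replace") as f:
            log_text = f.read()
    else:
        log_text = SAMPLE_SCAN_LOG
    for md5, name, line in find_infections(log_text):
        print(f"{md5}  {name or '?'}  {line}")
    if len(sys.argv) > 2:
        with open(sys.argv[2], "rb") as f:
            data = f.read()
        print(file_hashes(data), "matches log:", matches_log(data, log_text))
```

Hash a fresh copy of the download rather than restoring the quarantined item just to hash it: if the fresh copy's MD5 matches the log entry, the ticket and the scanner are talking about the same bytes; if it does not, the two downloads differ and that difference, not the detection name, is the first thing to explain.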

Userlevel 7
Badge +59

Hello @wgr

Yes, please submit a support ticket, as it could be a FP and they can correct it. We can only do so much on the forum.

Thanks,
