[u] c:\program files (x86)\stardock\start8\start8_64.dll [MD5: 41A8BD7904C00AC9FE86A38C36982F80] [Flags: 00011001.7040]
[u] c:windows empcrf000audiosetup.exe [MD5: 28E857302E01FFBEDD53E67B8A6848EE] [Flags: 00001
Best answer by RetiredTripleHelix
I would suggest you submit a Trouble Ticket, which is the suggested method of reporting for potential False Positives.
Yes I downloaded from Surfright, however this is what happened.
I downloaded the Hitman Pro Alert 2.5 beta with CryptoGuard. link to it
I already have Hitman Pro Alert 2.0 installed, so I updated the 2.0 to 2.5 and it prompted me to reboot the PC, but I told it to wait. So I did not reboot the PC (I had been working on stuff).
Then, after an hour or so, I did the manual Webroot scan (I do that before I hit the sack) and that's when it found the rootkit.
So I assume the rootkit ID false positive is based on the fact that Webroot is detecting the path to the file and the version but it sees that the file is not "visible" or "running". So it assumes the file is hidden and unseen by the OS...so it thinks it's a rootkit.
I don't know, it's a wild guess.
I have created a ticket and will check on the detectability once I get home this evening.
Intrigued by your issue (and by the CryptoLocker malware) I have tried to reproduce what you have highlighted. The only difference is that I did not have HitmanPro Alert 2.0 installed already when I installed v2.5 beta, and as such I did not get a prompt to reboot after installation (in fact installation was very, very snappy).
Ran a full scan just after installation and...nothing...so I can only assume that either the issue was specific to your system or (more likely) the Support Ticket has resulted in the review & whitelisting of HitmanPro Alert v2.5 beta components.
Looks like an interesting piece of functionality, so I am going to keep it installed and see how it plays with WSA & KIS.
Please post back with your experiences as it will be useful for other Forum users...including me! ;)
Yes, I have my heuristics (had, past tense; I'm now back on a system image that was made before I put Webroot on). I can't speak regarding Hitman Pro as I don't use it, though.
But in any case, contact support and they will whitelist the files or, in the case of the OP, the Registry Entry.
Talk again soon!
If it is of any help, my heuristics are set to "Enhanced..." and I am not experiencing an issue with the software. I will try changing the setting to 'Maximum' and see what that gives.
UPDATE: Nothing detected with heuristics set to 'Maximum'. 😠
Same here, no detection, and for the OP it's a Registry Key being detected, which could have been whitelisted on its own in the Cloud.
After restoring to the image with Webroot on it and scanning with max heuristics again, it detects the registry keys, but when I lower the heuristics to "Enhanced based on age, origin, etc." it doesn't detect the registry keys anymore, so I gave kudos to both of your posts about the heuristics. Still, though, I would like to be able to have the higher heuristics enabled.
Thanks for the help :D
I understand what you mean re. "...would like to be able to have the higher heuristics enabled". Those were my thoughts when I first started using WSA, but as far as I understand it one is perfectly safe/protected with the setting at 'Standard'. Pushing it to 'Enhanced' or even 'Maximum' is what I would recommend only if there is a suspicion of infection...for the very reason that these higher settings are more likely to give what is generally termed a False Positive...but what I call, in WSA's case, Overly Sensitive...;)
And I always run at Max and have never seen a (FP) Overly Sensitive because of it!
Thank you both for your responses. I always like to have all my settings on the most aggressive levels. Also, I read from someone else on these forums who said it's best to have them set to highest, so now I'm not sure :@
A glass of Romulan ale for all of us! (I can't post a picture of it though)!
I did it for you Cheers Daniel!
Completely understand your confusion at the conflicting advice. The default setting is, I believe, "Standard" (Daniel, please correct me if I am incorrect here) and I trust Webroot to know what the normal settings should be. But there is nothing wrong with maxing out the functionality...other than the risk of 'Overly Sensitives'...as previously stated. If you can live with that then no problem. ;)
I went into Advanced Settings > Heuristics and clicked "Reset to defaults" and it set it to "Enhanced based on age, origin, etc.". No overly sensitive detections with that :D
I raise my glass to you all! :D
Thanks for the feedback. I stand corrected on the default setting...good to have that confirmed (as I do not want to change my configuration at present). ;)
Anyway, glad the issue is sorted for you. :D
Now, down to the important stuff...as all this Foruming is thirsty stuff...Daniel, where do you get the A ale from...is that your personal stash? ;)
Regards...to you both!
No, the Andorian Ale is my personal stash; the Captain of an Andorian Imperial Guard ship always keeps a stash hidden away for celebrations like these! (But I had to send some of my stash to Daniel so that he could post it! 😉 )