Solved

WRSA tags all keygens as 'W32.Malware.Gen'

  • 6 June 2012
  • 5 replies
  • 10081 views

Hello:
 
Webroot SecureAnywhere tags all keygen.exe files as 'W32.Malware.Gen'.  Does it actually test them for anything at all?   AFAIK, the ones I have on my system are not maliciious, have always worked OK, and are zero threat. 
 
-- Roy Zider
 
WRSA version 8.0.1.184v.
Windows XP SP3
 
icon

Best answer by TripleHelix 31 May 2018, 17:28

@ wrote:
How about the opposite desired result? We have key generators that we WANT Webroot to dectect but is not doing so. How can we make it so that when a user downloads a crack or key gen is detected and quarantined? 
You can Submit the file here: http://snup.webrootcloudav.com/SkyStoreFileUploader/upload.aspx or if you have the MD5 or SHA256 Hashes you can always Submit a Support Ticket and ask Webroot to see if they will add Detection?
 
EDIT: I see from your Profile that you are a Webroot MSP so it would be best to contact Webroot and ask them Directly: https://www.webroot.com/us/en/business/partners/msp-partner-program
 
Thanks,
View original

5 replies

Userlevel 7
Hi Roy,
 
Webroot checks everything it scans via a combination of rules-based detections and heuristics.  If you believe the files in question were inappropriately quarantined, you could do one of two things:
 
1. You could use "Detection Configuration" in the PC Security > Quarantine area to locally whitelist the files.  That would allow you to keep using them without Webroot quarantining them.
 
or
 
2. You could open a support ticket with us by clicking here.  This would allow us to inspect those files a bit closer for you manually and make an educated determination on why they are being flagged as malware.  If they shouldn't be flagged, we can then whitelist them.  Conversely, if there is some good reason we are flagging them as malware, we can tell you why.
 
Since your other thread indicates you are finding a very large amount of malware on the computer, and scans are running quite slow, which shouldn't happen, it would be advisable to take the second course of action.  This assumes of course you're talking about the same computer.  If not, and you feel comfortable manually whitelisting the files, you can do that.  Keygens in general however are a very good, easy way for a malware-writer to distribute malware.  When you think about it, keygens are typically used in software piracy, and a person who ends up with a virus by trying to crack a piece of software is going to be less likely to report an infection for fear of being identified than say someone who gets hit with a drive-by attack coming from an infected ad on an otherwise respectable website.  Keygens are a fairly common malware distribution method.  As such, it makes the most sense to let us take a look at them for you and see what's going on there.
JimM:
 
I've submitted one ticket now. I'd rather hold off on this until the first one is resolved or understood. 
 
I am anxious to clear these keygents.  While I believe them to be clean, I'm not willing to manually whitelist them without further information.  I don't have a sandbox like you would have to detect what would be happening here.  That is what I look to an AV operation like Webroot to do.  Eset NOD32 has been very good over the years, but even they appear to reflexively tag some of these keygens, resulting in false positives.
 
I'll open a ticket on this when the first one is closed.   Thank you for your time and attention.
 
-- Roy Zider
Userlevel 7
This is going to be part of the same answer as given here, but in the interests of keeping the keygen discussion in the keygen thread, I'll post basically the same thing here for you and any other curious onlookers as well.
 
Different keygens are unique files with unique file signatures and are treated independently by SecureAnywhere.  They are not all group-flagged as bad just by virtue of being keygens.  So if we are flagging them as bad, they almost certainly are actually bad, but we can take another look for you manually if you'd like.
 
So while it may be flagging many of your keygens as being malware, it is not just by virtue of them being keygens.  There is something happening in those files that is triggering the malware classification.
How about the opposite desired result? We have key generators that we WANT Webroot to dectect but is not doing so. How can we make it so that when a user downloads a crack or key gen is detected and quarantined? 
Userlevel 7
Badge +55
@ wrote:
How about the opposite desired result? We have key generators that we WANT Webroot to dectect but is not doing so. How can we make it so that when a user downloads a crack or key gen is detected and quarantined? 
You can Submit the file here: http://snup.webrootcloudav.com/SkyStoreFileUploader/upload.aspx or if you have the MD5 or SHA256 Hashes you can always Submit a Support Ticket and ask Webroot to see if they will add Detection?
 
EDIT: I see from your Profile that you are a Webroot MSP so it would be best to contact Webroot and ask them Directly: https://www.webroot.com/us/en/business/partners/msp-partner-program
 
Thanks,

Reply