Solved

Anyone else seeing Webroot Security Anywhere reporting a threat called Keylogger.SpectorPro.r

  • 1 November 2015
  • 6 replies
  • 128 views

Webroot reported the following details:
 
/.MobileBackups/Computer/2015-10-30-212601/Volume/System/Library/Extensions/AppleKextExcludeList.kext

Best answer by Wanderingbug 2 November 2015, 16:55

Hi ?,
 
Welcome to the Webroot Community,
 
This threat looks to be surveillance monitoring software.
 
Looks like this threat is being reported in your mobile backup?
 
Webroot is unable to remove any files from backups due to the way that OS X is set up. Please have a look at what our Mac Threat Researcher ? has to say in the posts below.
 
Here and also in this Thread
 
Please submit a Support Ticket free of charge with an active subscription and they can take a look for you.
 
Hope this helps?
 
Hello Aviator1,
 
In some cases, Webroot will detect a threat that is located in your backup, such as Time Machine. If the files are in the backup, then they cannot hurt your system. You would have to restore the files from the backup to get them onto the system, and at that point the Real Time Shield in Webroot would find and remove them. Even though Webroot cannot remove these files, older backups will be deleted as space for newer backups is needed. This will delete the threats from the backup as well.
We recommend that if Webroot continues to detect these files, you uncheck the box next to them on the removal page. This will tell Webroot to ignore the files in their current location.
If you would like to remove these files manually from the backup in Time Machine, you can use the following steps:
Note: This action is permanent, and will impact all past backups on the given Time Machine drive, even backups from the distant archives on that drive. For this reason, be absolutely certain you want to remove an item before deleting it, otherwise you may end up missing data you would have wanted to keep.
1. Open the backup manager by pulling down the Time Machine menu item and selecting "Enter into Time Machine."
2. Navigate to the directory location of the files/folders you want to remove.
3. Right-click on the folder or file you want to remove and select "Delete all backups of [File Name]."
4. Confirm the removal.
As the process is the same whether you are deleting the backup of a file or an entire folder, please be careful to only select the items you wish to delete. You cannot recover these files.
Another option available to Time Machine users is to exclude the files and folders from being backed up by Time Machine. You can add them to the exclusion list, which will permanently block the files/folders from being backed up in the future. By doing this, the infected file will eventually be deleted from the backup over time, and it prevents the file from ever being re-introduced to the drive should it be installed on the computer again.
 
Regards,
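
The check a practitioner would want before accepting "it is only in the backup" is to confirm that the backup hit is a copy of a file the scanner already allows on the live system. The script below is an added example for this thread, not Webroot's code: it maps a detection path inside a local snapshot (/.MobileBackups/Computer/<snapshot>/Volume/<live path>) or a Time Machine disk (/Volumes/<disk>/Backups.backupdb/<machine>/<snapshot>/<volume>/<live path>, the standard Time Machine layout) back to its live path and compares the two by SHA-256, hashing every file inside a bundle such as a .kext. The machine, snapshot and volume names, the file contents, and the temporary directory that stands in for "/" are all constructed for the demo.

```shell
#!/bin/sh
# Added example, not from the Webroot thread. Maps a backup-path detection to
# the live file it was copied from and compares content. All names, paths and
# file contents in the demo section are constructed.

# live_path_for BACKUP_PATH -> the live-system path the backup entry came from,
# or nothing if the path is not inside a backup location this script knows.
live_path_for() {
  case "$1" in
    /.MobileBackups/Computer/*/Volume/*)
      # local snapshot: /.MobileBackups/Computer/<snapshot>/Volume/<live path>
      printf '/%s\n' "${1#/.MobileBackups/Computer/*/Volume/}" ;;
    /Volumes/*/Backups.backupdb/*/*/*/*)
      # Time Machine disk: /Volumes/<disk>/Backups.backupdb/<machine>/<snapshot>/<volume>/<live path>
      printf '/%s\n' "${1#/Volumes/*/Backups.backupdb/*/*/*/}" ;;
    *) ;;
  esac
}

# file_hash PATH|- -> SHA-256 hex digest; GNU sha256sum and BSD shasum both accept "-" for stdin.
file_hash() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | cut -d' ' -f1
  else
    shasum -a 256 "$1" | cut -d' ' -f1
  fi
}

# content_hash PATH -> hash of a regular file, or, for a bundle directory such as
# a .kext, a hash over "<file hash>  <relative name>" of every regular file in stable order.
content_hash() {
  if [ -d "$1" ]; then
    ( cd "$1" && find . -type f | LC_ALL=C sort |
      while IFS= read -r f; do printf '%s  %s\n' "$(file_hash "$f")" "$f"; done ) | file_hash -
  else
    file_hash "$1"
  fi
}

# classify_detection DETECTED_PATH [ROOT] -> one line:
#   live:<path>                 not inside a backup; the result applies to the running system
#   backup-copy-missing:<path>  nothing at the reported backup path (stale report)
#   no-live-copy:<path>         nothing at the live location the backup entry maps to
#   same-as-live:<path>         backup copy is byte-identical to the live file
#   differs-from-live:<path>    backup copy differs from the live file; examine it before allowing
# ROOT is prefixed to both paths so a scratch directory can stand in for "/".
classify_detection() {
  hit="$1"; root="${2:-}"
  live="$(live_path_for "$hit")"
  if [ -z "$live" ]; then
    printf 'live:%s\n' "$hit"
  elif [ ! -e "$root$hit" ]; then
    printf 'backup-copy-missing:%s\n' "$hit"
  elif [ ! -e "$root$live" ]; then
    printf 'no-live-copy:%s\n' "$live"
  elif [ "$(content_hash "$root$hit")" = "$(content_hash "$root$live")" ]; then
    printf 'same-as-live:%s\n' "$live"
  else
    printf 'differs-from-live:%s\n' "$live"
  fi
}

# --- constructed demo: a temp directory stands in for "/" --------------------
demo_root="$(mktemp -d)"
kext_rel='System/Library/Extensions/AppleKextExcludeList.kext/Contents'
mobile_snap='.MobileBackups/Computer/2015-10-30-212601/Volume'
tm_snap='Volumes/Time Machine Backups/Backups.backupdb/MyMac/2015-11-01-090000/Macintosh HD'
mkdir -p "$demo_root/$kext_rel" "$demo_root/$mobile_snap/$kext_rel" "$demo_root/$tm_snap/$kext_rel"
printf 'constructed stand-in for Info.plist\n' > "$demo_root/$kext_rel/Info.plist"
cp "$demo_root/$kext_rel/Info.plist" "$demo_root/$mobile_snap/$kext_rel/Info.plist"
printf 'constructed stand-in, deliberately different\n' > "$demo_root/$tm_snap/$kext_rel/Info.plist"

mobile_hit="/$mobile_snap/System/Library/Extensions/AppleKextExcludeList.kext"
tm_hit="/$tm_snap/$kext_rel/Info.plist"

classify_detection "$mobile_hit" "$demo_root"          # same-as-live:/System/.../AppleKextExcludeList.kext
classify_detection "$tm_hit" "$demo_root"              # differs-from-live:/System/.../Contents/Info.plist
classify_detection "/$kext_rel/Info.plist" "$demo_root" # live:/System/.../Contents/Info.plist
```

On a real Mac the paths are passed without the ROOT argument. A same-as-live result for the kext exclude list is the expected outcome the thread describes; a differs-from-live result is the case worth looking at, and the live bundle's signature can be checked with `codesign --verify --verbose` on the path the script prints.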
 
Why is Webroot NOT finding it on my Mac but it finds it when backed up to a Time Capsule? I formatted the Time Capsule, disconnected it, scanned my Mac - it was not found. Now I have reconfigured the Time Capsule, hooked it up to do a full backup and it finds it on the Time Capsule! Beyond frustrated!
 
/Volumes/Time Machine Backups/Backups.bac.../AppleKexExcludelist.Kext/Contents/info.plist  
Threat Name is Keylogger.SpectorPro.r
Hello Foracell,
 
Welcome to the Webroot Community,
 
Our Mac Threat Researcher ? states this:
 
"This file is in the Apple Kext Exclude List, which is a file that Apple uses to allow certain files to run on the machine without Gatekeeper's permission. The reason we are picking it up is because we are looking for a string of code which Apple is also looking for. There is an exclusion in place to allow the file on the actual machine, but we do not have an exclusion for backups like this as this would cause an exploit in our detections. The file is not malicious in nature at all."
 
Also he states this:
 
"No need to worry, there isn't a keylogger on your device. The file that we are finding is the AppleExcludeList.kext on your backup. We are finding it due to the fact that Apple has put the keylogger's information in the file and we are reading that. I suggest that you allow the file, as we cannot remove it, nor should we, as it is a legit file. After allowing it please turn off Scan Mounted Drives and this should correct the issue that you are having."
 
Hope this helps?
 
 
Hello again Foracell,
 
Please see here how to uncheck Scan Mounted Drives.
 
You open Webroot and click on Advanced Settings in the right-hand corner.
 
This is how I handle my Mac system with Webroot. Here is the Mac User Guide.
 