WSA missed a trojan

  • 1 November 2012
  • 39 replies

Show first post

39 replies

Badge +3
Much appreciated and apologies for hijacking this thread...wasn't my intent.
Userlevel 7
No problem. 🙂 Not like there are too many threads about infections on the forum anyway. XD
Badge +3
One clarification, the files are quarantined in MBAM's quarantine, so not sure how you'd be able to see them via cloud method you mention.
And second, just googling a bit more, today someone reported the same files MBAM flagged on friend's PC yesterday.  See here, top post:
So perhaps this is something new?  On friend's PC, the first folder flagged didn't even exist prior to quarantine, perhaps hidden/system attribute set...not sure if he shows those or not...didn't think to ask at the time.
Badge +3
So he could restore those files safely, then immediately move them over to his desktop and perhaps go back to his image library from a few months ago and compare those files with these current ones to see if they are a match or changed...?  If changed, he could submit them to you folks for analysis and get it added to the database as needed?
Well, I just installed MBAM and ran and came up with two files identified as trojan.agent.  They are:
Files Detected: 2
C:WindowsInfafw.inf (Trojan.Agent) -> No action taken.
C:WindowsInfafwmp.inf (Trojan.Agent) -> No action taken.
A google finds false positive reported on mbam's forums...though the google link doesn't take me to the actual unsure.  BUT...when MBAM was installed, right clicking on the file in Windows Explorer and invoking Scan with Webroot no longer worked (WSA didn't pop up as normal).  Closing MBAM didn't help...somehow the context menu was broken.  Uninstalling MBAM and rebooting fixed that, then I had my first blue screen (frowny face) in Win8...oh joy...not webroot's fault...was browsing at the time...probably Outpost Firewall if I had to guess.  Just an FYI.  Thx.
Userlevel 7
POTENTIALLY safely.  In my position, I would be comfortable taking the risk on my computer, but it's up to you.  After all, if it's a threat and does go active agan somehow, MBAM removed it once, so should be able to again, right?
Even just scanning it with SecureAnywhere gets all the data we need from the file into the cloud, so generally it doesn't need to be "submitted".  the scan line, like I showed above, contains the information key for us to look it up on the cloud, and then changing determinations is a 12-second process. :D  We'd want to evaluate it first though, bu the scan does the raw evaluation and sends that data to the cloud so we can look at it.
inf files are a type of installer script that is processed by WIndows.  They are not machine code and in and of themselves cannot be threats.  They can be USED by threats to install themselves though in a manner that bypasses detection by a lot of security software.
MBAM's forums appear to be down, according to numerous posts about MBAM FPs on other forums.. :/
As to the right-click scan not working, that is something I am trying to get greater attention on.  It occurs when the system service for SecureAnywhere crashes and restarts.  Focus thus far has been on preventing the crashes, but I am concerned that there are thousands of things that can crash software, and faulty hardware would be outside out control for example, so it should recover gracefully.   You can find the line about 'teminated unexpectedly' in the WRSA logs prior to the context menu stopping working.
You can recover it by rebooting, as you noted, but also by simply shutting down and restarting SecureAnywhere itself.
Badge +3
Well after all that, it turns out the _isdel.exe file was a false positive.  MBAM fixed the FP on their end and now it looks like the inf files that were being flagged are also FPs.  I did submit one file for review via the WSA client software.  Not sure how this exercise fixed my buddy's problem but it seems to have nothing to do with that file...and now restored.  Thanks for all the was an interesting effort...and the remaining mystery apparently won't be solved.  Cheers!
Userlevel 7
Glad to hear it wasn't a problem going on there.  There is a potential that MBAM was interfering with the normal operation of the OS while it had some issues there.  The shutdown you described is caused when a program that is invisible but critical to the system operating shuts down or crashes.  There are so many potential causes that it's nearly impossible to narrow down from the information provided and not really our position to try to determine on that, but it doesn't sound like a malware issue.  You might want to do a full disk check including checking for bad sectors just in case.
Userlevel 4
😛 I have to put my 2 cent worth in,  I have paid webroot.  I have Superantispiware that caught a malaware where Webroot did not. 
Userlevel 4
😃 LOL  That is very true.
Userlevel 4
:D  I check SAS and  MBAM is compatible with webroot. I had these programs for a number of years never had a problem with conflicting with any antivirus software.  Webroot may detects viruses that SAS miss,  same with the MBAM detect malware that Webroot and SAS do not catch. 
Userlevel 4
Hi Kit,
I never had any problem with either one,  they both are compatible and compliment WebRoot.
Thanks for your reply
@ wrote:
Everything is compatible with Webroot
Even BitDefender?? I'd heard from several internet forum sources of problems with BitDefender co-existing with Webroot. It's the only AV I've heard about where this was supposedly the case.
Userlevel 4
Userlevel 4
Thank you for the information