Solved

WSA missed a trojan

  • 1 November 2012
  • 39 replies
  • 586 views

I've been a dedicated Webroot user for 3 years... until now. I downloaded the SecureAnywhere update a few weeks ago, and since then the service has basically stopped working. SecureAnywhere never found any viruses, spyware, or malware, despite repeated and regular scans. This would be great if I didn't know for a fact that my computer was infected. In the last few days it has gotten to the point that every other time I click on a search result from Google, I am taken to a completely unrelated website.
 
Since my subscription ends in a couple days, I decided to download the free trial for AVG Internet Security and see if it would help. As soon as I started the program, it detected and removed a trojan, which Webroot hadn't detected during the scan a few hours ago. I hadn't even run a scan yet! As soon as AVG removed the trojan, the problem stopped.
 
I was a huge fan of Spy Sweeper, but SecureAnywhere turned out to be a waste of my time (and money). I used to be a huge Webroot fan and recommended it to many others who had issues, but now I'll be recommending that everyone using it switch.

Best answer by gpb500 5 November 2012, 01:54


Userlevel 7
And Norton has caught stuff that AVG missed. But AVG also caught stuff Norton missed. And Webroot has caught more stuff that SAS missed than SAS caught that Webroot missed. And if SAS/AVG/Norton miss something, you're completely 100% out of luck because they will do nothing to fix it until they get a definition update. By comparison, Webroot can still remove it on your instructions even if it doesn't detect it. Or get free help from support to remove it, not costing you a penny extra.

Also notably, if you have another AV installed and both it and Webroot would catch the same Malware, only the Non-Webroot one will catch it, because if they both caught it, they'd get into a fight over it, so Webroot will always allow another installed program to catch it if it can. Mind you if you "get something" and then install SAS and it catches it, that's a different thing. But also the nature of what SAS "caught" is up for consideration. SAS will say "OMG, a text file that could have been created by Trojan.ADHD! I caught it!". So without knowing precisely what it "caught", there's no way to say anything.

Thank you for your input though. 🙂
Userlevel 7
You are correct, nothing is 100%. Though a curious question is whether you had the Webroot web filter extension active in the browser at the time. Also, the definition of "Malicious" varies. For example, "Tries to install malware" is consistently malicious. "Pops under an annoying video advertisement"? Annoying, but not technically malicious, but something might block it anyway. "Had a virus six months ago and now it doesn't"? Not-malicious, but still might be on some things.

Webroot itself is specifically made to be able to coexist with other security software. I cannot speak for SAS and MBAM at the same time however, though I can say that unless one of them explicitly indicates it can, I wouldn't. Blocking contentions can do horrible things.

@ I still exist. Move pretty far. All the usual. ^.^
Userlevel 7
Hi Muddy
 
You are absolutely correct in that BitDefender & WSA do not sit well together...and if I understand it correctly it is BitDefender that is at fault or at least that is what a WSA fan would say, eh? ;)
 
Regards, Baldrick 
Userlevel 7
Badge +62
Thank you ? for your input. It's always a pleasure to hear from you!
 
 Hope you are doing well?:D
Userlevel 7
Honestly tough to tell without a full evaluation. For example, the website could actually be "ineptly malicious", such as having a bug that will only be able to infect people who use Windows 2000. Technically, yes, it's malicious, but completely incapable of actually infecting anybody who uses the protection software, so not-blocked.

As this thread originally said, "OMG, Webroot missed this!" and that turned into "Never mind... the thing that caught it was lying. Sorry." So honestly it's really hard to say without knowing what you're looking at whether something is malicious or being lied about or mis-caught or just genuinely annoying.
Userlevel 7
Everything is compatible with Webroot no matter how hard they sometimes try to claim otherwise and break that compatibility. Webroot ensures that.

The question more becomes whether SAS and MBAM will work happily with each other. That is one I cannot answer. As a general rule, if they both perform on-demand scanning, they are not likely to be unless at least one of them says they are.
Userlevel 7
It's a pity you gave a farewell to WSA in favour of AVG :(
 
However what is more sad is that you didn't give Webroot a chance to clean your PC. They do that for paid users free of charge. Once you had any signs that something malicious was occupying your PC you should have contacted them instantly and they would have been very happy to help you out.

Well, there is literally no security solution which is 100% successful. It could have been a case that WSA wasn't working correctly in your environment and hence failed to catch a trojan. Nevertheless if you had contacted Webroot support you could have ended up having your PC cleaned. Sorry but I cannot understand why you killed WSA so quickly without even asking them to help you. You were singing the praises of Webroot but you gave up in a way like Webroot was your first enemy instead.

Though if you would be willing to return to WSA and contact the support you can trust all your issues will be addressed. If not, wishing you all the best with AVG.
I'm no specialist on computers, but one thing that I do understand is that WSA works very differently from traditional AVs. Traditional AVs look for any files on your computer that may contain viruses or Trojans even if they are just lying there in some obscure email message attachment from for example x years ago and will never ever pose a threat to you. WSA couldn't care about dormant AVs or Trojans that will probably never activate. But it is incredibly effective against any active threats. Did you try opening the files that contained those three Trojans to see how WSA reacts then??? If your other AV doesn't detect the malware first (WSA will always cede to another AV if it discovers the malware first so it can live in harmony with any other AV—and it's the only AV I know that does this), it will step in with a vengeance.
 
But Mike R will explain this much better than I ever possibly could.
 
Of course, if you want an AV that will clean up inactive threats, WSA is not the programme for you.
 
And btw in the six years I have been with Prevx/WSA I have never had to ask them to get rid of a malware their programme couldn't clean up by itself, nor have I yet heard of someone finding themselves in such a situation. Except, unfortunately, you :8
Userlevel 7
ZBot is actually a pretty serious infection and stuff lately is explicitly built to work at blocking and evading us.  I've seen a number of cases where infections work very hard to prevent us from installing.  It sounds like the description you give definitely indicates something of that sort.
 
If there is a new version attacking us, then we'd want to take a look at that and see what we can do to kill it better when it's pre-installed.  Generally security-related fixes like that get in within a few days or weeks at most, which is not common in the industry.
 
I speak of MBAM from a personal viewpoint, by the way.  I work for Webroot, but I've done stuff with MBAM since way before that.  It's great at a lot of stuff, but I kind of feel like it's super-strong antibiotics:  Sometimes the side effects are pretty bad and some stuff still gets through in the long run.  (Excellent example: Before I knew how to remove -everything- Malware by hand, I'd trust MBAM to do it.  It bricked a lot of systems more than I liked and in the long run, when I learned how to do it all by hand, I found it also missed a lot of stuff.)
 
ZBot works by hooking code into some pretty deep places and hiding relatively well.  Honestly, I'd put in a support ticket from his machine (Suspected Infection) with WSA properly installed and after a scan just to get our Threat Researchers to take a look and give it a double-check.  It's probably clean, but a second highly-trained human eye never hurts, right?
Userlevel 7
We don't actually send the files to the cloud.  The cloud has a list of the fingerprints of everything that is/was running or would be very likely to run though, as well as its genericized behavior, state, and current determination information.  We can also look that up by the keycode, as I mentioned earlier.   If the threat was running, we'd likely have it in the cloud information.  If it wasn't running... well, bear in mind that other products do find dormant and non-code things (like a log file that says "01001" but HAPPENS to be in a directory created by a threat) that we don't waste the user's time looking for.
 
Now, on that thread, this is interesting...  I'm trying to take a look in the cloud back end based on the filename, but that is usually a futile effort.  From the very surface, that looks like a false positive.  At the same time, a good infection will try to make sure it looks legitimate.  You could take a look at the scan logs to see if it lists that file anywhere in it as well, though a scan run after MBAM quarantined it would not see it.  Buuuuuuut...
 
On a 64-bit windows system, the location you're seeking is actually in c:\windows\SysWOW64, not REALLY in system32.  And sure enough, that _isdel.exe shows up here with a file date of 6/10/2009.
 
Scan log shows it as:
[g] c:\windows\syswow64\installshield\_isdel.exe [MD5: 9D4EC4B71FD189A0B2C4DBD6AADE16BF] [Flags: 00000000.0]

So it's NORMALLY a legitimate file.
 
Hmmm...  So a quick check on Google for "malwarebytes _isdel.exe"...  and suddenly it screams False Positive. :/  People with clean Windows 8 installs, multiple reports on the Norton forums 22 hours ago, etc...
 
One wonders whether the _isdel.exe is now completely missing from the SysWOW64\InstallShield folder, in which case the computer will be slightly broken, as there SHOULD be a legitimate version of it there normally.
 
This is all just a casual inspection, mind you, and could easily warrant further investigation.  Depending on how brave you are, you could even poke at it more deeply if you wanted to.  Restoring the _isdel.exe from MBAM quarantine would not cause it to run unless MBAM didn't do a proper cleanup job, so it wouldn't "reinfect" until it did run.  Then scan it with MBAM again after updating the definitions and see if it's detected again.  Or run a scan on just that file with Webroot, save the logs when the scan is completed, and look for the line similar to what I pasted above.  If it says [u], we may have something Very Interesting™ to poke at.  If it matches the line above, or otherwise says [g], then it's legit and almost invariably a false positive by MBAM, though we can definitely investigate more deeply with the info in that line alone.
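A small parser and triage rule for the scan-log line format quoted above, added here as an illustration (not Webroot's code). It assumes the entry layout shown in the post ([determination] path [MD5: ...] [Flags: ...]) and that [g] means good and [u] unknown, as described; the two sample entries that are not from the thread are constructed.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Hypothetical parser for the WSA scan-log entry format quoted in the thread, e.g.
#   [g] c:\windows\syswow64\installshield\_isdel.exe [MD5: 9D4E...] [Flags: 00000000.0]
# The first bracket is WSA's determination code: [g] = good, [u] = unknown (per the post).
LOG_LINE = re.compile(
    r"^\[(?P<det>[a-z])\]\s+(?P<path>.+?)\s+"
    r"\[MD5:\s*(?P<md5>[0-9A-Fa-f]{32})\]\s+"
    r"\[Flags:\s*(?P<flags>[0-9A-Fa-f]{8}\.\d+)\]\s*$"
)

# MD5 of the legitimate _isdel.exe exactly as WSA logged it in the thread (known-good reference).
KNOWN_GOOD_ISDEL_MD5 = "9D4EC4B71FD189A0B2C4DBD6AADE16BF"


@dataclass(frozen=True)
class ScanEntry:
    determination: str  # single-letter WSA determination code
    path: str           # file path as logged
    md5: str            # upper-case hex digest
    flags: str          # raw flags field, kept verbatim


def parse_line(line: str) -> Optional[ScanEntry]:
    """Parse one scan-log line; return None for lines that are not file entries."""
    m = LOG_LINE.match(line.strip())
    if m is None:
        return None
    return ScanEntry(m["det"], m["path"], m["md5"].upper(), m["flags"])


def is_wow64_installshield(path: str) -> bool:
    """On 64-bit Windows the legitimate _isdel.exe lives under the SysWOW64 InstallShield
    folder, not System32 (the point made in the post)."""
    p = path.lower().replace("/", "\\")
    return p.startswith("c:\\windows\\syswow64\\installshield\\")


def triage(entry: ScanEntry) -> str:
    """Apply the post's decision rule to a parsed entry."""
    if entry.md5 == KNOWN_GOOD_ISDEL_MD5 and is_wow64_installshield(entry.path):
        return "matches known-good _isdel.exe: the other scanner's hit is a likely false positive"
    if entry.determination == "g":
        return "WSA determination good: legit, likely false positive elsewhere"
    if entry.determination == "u":
        return "WSA determination unknown: save the log and open a ticket for research"
    return f"determination [{entry.determination}]: not covered by the rule above"


def triage_log(text: str) -> List[Tuple[str, str]]:
    """Parse every file entry in a scan log and return (path, verdict) pairs."""
    results = []
    for line in text.splitlines():
        entry = parse_line(line)
        if entry is not None:
            results.append((entry.path, triage(entry)))
    return results


# Constructed sample log: the first entry is the line quoted in the thread; the other two
# (paths, digests, flags) are made up for illustration and do not refer to real files.
SAMPLE_LOG = r"""
[g] c:\windows\syswow64\installshield\_isdel.exe [MD5: 9D4EC4B71FD189A0B2C4DBD6AADE16BF] [Flags: 00000000.0]
[u] c:\users\example\appdata\local\temp\updater.exe [MD5: 00112233445566778899AABBCCDDEEFF] [Flags: 00000000.0]
[g] c:\windows\system32\notepad.exe [MD5: FFEEDDCCBBAA99887766554433221100] [Flags: 00000000.0]
this line is not a file entry and is skipped
"""

if __name__ == "__main__":
    for path, verdict in triage_log(SAMPLE_LOG):
        print(f"{path}\n    -> {verdict}")
```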
Userlevel 4
:(  I unknowingly clicked on a malicious website. Webroot did not block it; however, Malwarebytes blocked the malicious website. No software is perfect, so it would be wise to have both Malwarebytes and SuperAntiSpyware on a computer.
 
Thanks Kit ,  I like this forum.
Userlevel 7
Badge +56
? hey buddy, long time no hear. I hope you're doing well, and nice to see you drop in once in a while. Also say hi to ? for me!
 
Thanks,
 
Daniel 😉
Userlevel 4
:D  Thanks Kit for your response.  Yes, the Webroot web filter extension is active in the browser.  I will check to see if SAS and MBAM coexist with other antispyware software.  How does one know if the website is annoying and not malicious?  I never had a virus on this computer.
Hey, give the chap a chance. He says he downloaded the Webroot WSA update just a few weeks ago and then encountered problems. At this point, he wasn’t sure if it was a virus or not but understandably felt somewhat dubious about WSA, the problem having started upon installation of same. What is more, he claims that as soon as he installed a trial version of AVG, a Trojan was detected and cleaned and the problem immediately stopped. (Btw, it’s possible he didn’t know that free malware removal is included in Webroot’s services, in case of infection.)
 
If I was him, I can well imagine I might have reacted similarly. As it is, given my knowledge of WSA I wouldn’t. I have known WSA AV and its predecessor (I was previously a 5-year long customer of Prevx on which WSA is based) for six years, and have found it to be superior to any other AV I have tried. So if this happened to me, I would be persuaded that this was an exceptional case.
 
But the poor chap, you are immediately “trolling” him (imho), when he has perhaps just had a once-off nasty experience—instead of gently advising him. My two cents’ worth…
 
Having said that, I concur with your advice 😉
Userlevel 7
@ wrote:
Hey, give the chap a chance. He says he downloaded the Webroot WSA update just a few weeks ago and then encountered problems. At this point, he wasn’t sure if it was a virus or not but understandably felt somewhat dubious about WSA, the problem having started upon installation of same. What is more, he claims that as soon as he installed a trial version of AVG, a Trojan was detected and cleaned and the problem immediately stopped. (Btw, it’s possible he didn’t know that free malware removal is included in Webroot’s services, in case of infection.)
 
If I was him, I can well imagine I might have reacted similarly. As it is, given my knowledge of WSA I wouldn’t. I have known WSA AV and its predecessor (I was previously a 5-year long customer of Prevx on which WSA is based) for six years, and have found it to be superior to any other AV I have tried. So if this happened to me, I would be persuaded that this was an exceptional case.
 
But the poor chap, you are immediately “trolling” him (imho), when he has perhaps just had a once-off nasty experience—instead of gently advising him. My two cents’ worth…
 
Having said that, I concur with your advice ;)
Just to clarify ... I wasn't trolling him at all. I was quite gentle considering the armed last sentence of the post. It doesn't sound nice or friendly, does it? OK, peace :D
Userlevel 7
I am sorry to hear your negative experience and I apologize for the frustration.
 
Thanks pegas and Muddy7 for both of your input. You both had valuable responses and thank you for being such loyal fans of a truly exceptional product. :D
 
Our journaling and rollback technology is one of the reasons why we are the best. This video explains it all if you are curious.
 
ptp405, if you did not know of our free malware removal and if SecureAnywhere wasn't working properly on your system, I wish you the best with AVG.

Thanks for your thanks 😉.
 
Just a small point: your free malware removal service does not seem to be as blatantly clear on your Website as the same service is on Prevx's (see point 3)? Not only from our (customers) point of view but also from yours—seeing that this is a USP—would it not be an idea to more strongly highlight this on your Website??
 
Just a suggestion...
Userlevel 7
I completely agree and have thought about this in the past. Want to submit a new idea in our Ideas Exchange for this implementation and see if we can start creating a buzz around it?

A whole system scan by AVG turned up 3 more trojans... 3! AVG was simple to install and worked fine on the first try. I simply chose to go with the program that works on its own rather than renew a subscription to a program where I am forced to contact customer service to get threats removed.
Userlevel 7
Muddy7 wrote:
Of course, if you want an AV that will clean up inactive threats, WSA is not the programme for you.

Or you could run a Full Scan instead of a Deep Scan.  Not that it's necessary since WSA scans on-execute if you ever go back to that inactive threat that's been sitting around untouched on your hard drive for who-knows-how-long, and catch the threat anyway. 😉
Badge +3
Interesting thread here.  I've been using Webroot Essentials for the past couple months coming from MSE and Avira prior.  Never really had any problems with malware or viruses.  I have a buddy who likes to tinker with computers (we do our own builds) and we share information on new software and what not.  So yesterday he calls and says he has a problem...when he was running quicken and viewed an attachment he would get a notice that windows encountered an error and would be restarted within a minute (attachment is a PDF so thinking adobe exploit).  I believe the exact text is "Windows has encountered a critical problem and will restart automatically in one minute. Please save your work now."
 
He uses Agnitum Outpost firewall and MSE.  I told him to install Webroot and perform a scan to see if it would find anything.  It did not.  We also tried two other scanning tools and they found nothing.  Finally we used Malwarebytes and it found two threats...file name was _isdel.exe (trojan zbot).  Once the two files were quarantined, the problem disappeared.  I was disappointed that the spyware function in Outpost missed it as well as all the others...including Webroot.  So I'm wondering how common this really is?
 
His computer configuration is the same as mine, W7x64 with all current patches.  Would appreciate any comments.  I think he still has the files quarantined.  He's trialing webroot (15-day) at the moment...and has uninstalled MSE.
 
Thanks!
 
PS - I just upgraded to W8...for better or worse.
Userlevel 7
Somewhat a two-part bit of fun.
 
Part 1:  That which gets in first gets best.  No matter what AV you use, if the infection gets in first, it can very often hide extremely effectively.  If Webroot is installed first, it catches the infection TRYING to install itself and blocks it.  If the infection gets in first, it sees the AV working to scan and hunkers down to evade.

MBAM has a hyper-sensitive detection set for zbot.  Somewhat good, since it can catch more copies of that when they are hunkered down, but also means it FPs on things more often than it should (it called a quick little automation program I wrote myself a zbot infection.  XD)
 
Part 2:  Best way to figure out what's up is to get a scan log to us, or get even just the keycode to us from the WSA install that didn't detect the threat. 
 
Bonus parts...
- If WSA was installed and scanned, it wants to think the computer is clean when the person does the installation.  Therefore a pre-existing infection occasionally needs to actually DO something in order to be detected.  ZBot spends a lot of time idle.  It's a trade off there of course.  That means that definition-based stuff like MBAM will catch it faster if they have that specific signature in their definition set, but that also means that if MBAM doesn't know the definition of that specific ZBot yet, it could take weeks to be caught by them as compared to hours for WSA.
 
Unknown to Bad for WSA -> Usually a few hours at most.
Unknown to Bad for MBAM and others -> A few days or even weeks.
 
How long after WSA's scan did you scan with MBAM?  Minutes?  Hours?  Days?
 
- The answer that most AV companies give to people having an infection is mail support, run MBAM and ComboFix, do a bunch of stuff, and oh, sorry, if your computer got blown up by it, too bad, reinstall your OS.  The answer that Webroot gives to an infection is that we can generally just get a single ticket sent from the infected computer and take care of it without further work from the customer within an hour or less, and if the computer gets killed or it's more complex, we'll take care of it remotely for free, even if the computer won't boot.
 
Infection gets by with WSA -> Usually fixed before you even get a ticket in to us, but if not, we'll take care of it all for you.
Infection gets by other things -> Days of epic work, using other peoples' tools, and frequently need to reformat the computer.
 
How often does it happen?  Infections get past -everything- out there.  Look at any web site that offers assistance with malware removal.  It's huge.  Go to the geek squad or computer repair outfits.  HUGE.  But the ones that get past Webroot to start have no access to critical stuff and then are generally gone before people can get a ticket to us or take the computer to the shop. 
 
We know things can get past anything, even us, so we want to make sure that when (not if) they do, it's not a catastrophe or even a minor headache for more than a short time.
Badge +3
I see...thanks for taking the time to post that. Some of that I've read before here about WSA...didn't realize the details about MBAM and zbot. We spent about five hours on it yesterday with me remoting in to assist and see what was going on. He has no idea how long he's had it...but probably no more than a couple days unless it just sits there.  The work he was doing is something he does regularly.  Also he runs drive images daily and suspected he got it yesterday afternoon until he restored the prior day's image and still had it. So in fact it was lying idle.

Also I should have said we had some problems installing WSA at first...it seemed to install but then we couldn't find it, no icon in the task tray...but two active tasks both assigned to his user ID rather than one system and one user.  No obvious way to access the GUI (no start menu items...trying a reinstall did nothing). So was the malware fighting this or perhaps the system was just compromised.  So in the end removing those two files (I believe the file name signifies the install shield deleter file or look-alike...after googling it..."_ISDEL.exe") seems too simple...I mean there must be something else hooked via the registry or other hack somewhere...? Maybe this is all academic at this point and there are no certain answers without knowing more. In any case, thanks again.
Badge +3
Interesting.  I'll point him to this thread and see if he's up for it.  What is the protocol for Webroot support "looking" at his computer?  Just a remoting in with/without phone?  Or does this include running diagnostics and emailing, etc?  
 
Thanks.
Userlevel 7
Just file a support ticket from the computer when Webroot is installed properly and it will automatically add its ID token to the support ticket on our side.  With that ID, we can look up the basic scan information in the cloud system.  There is a possibility for something further being needed (for example, if the system has certain MBR or full boot infections, there is no way for anything to see them, and that infection may have downloaded and installed ZBot), but in those cases we'll respond to the ticket with that info. 
 
We cannot remote in randomly, so if we do see a need for remote work, we'd request contact information and a time to reach him.  But usually it can be fixed just with the cloud view of the computer.