infected, but not found by webroot

Discussion in 'Prevx Releases' started by webbit, Jul 29, 2013.

  1. webbit

    webbit Registered Member

    I have been infected on my laptop; I kept getting pop-ups and although Webroot did warn about them it never cleaned them, I had to run Malwarebytes. Here is my Malwarebytes log:
    Folders Detected: 4
    C:\Users\Ebony\AppData\Roaming\Babylon (PUP.Optional.Babylon.A) -> Quarantined and deleted successfully.
    C:\ProgramData\Tarma Installer (PUP.Optional.Tarma.A) -> Quarantined and deleted successfully.
    C:\ProgramData\Tarma Installer\{361E80BE-388B-4270-BF54-A10C2B756504} (PUP.Optional.Tarma.A) -> Quarantined and deleted successfully.
    C:\ProgramData\Tarma Installer\{361E80BE-388B-4270-BF54-A10C2B756504}\Cache (PUP.Optional.Tarma.A) -> Quarantined and deleted successfully.

    Files Detected: 7
    C:\Users\Ebony\Downloads\SoftonicDownloader_for_folderico.exe (PUP.Optional.Softonic) -> Quarantined and deleted successfully.
    C:\Users\Ebony\AppData\Roaming\Babylon\log_file.txt (PUP.Optional.Babylon.A) -> Quarantined and deleted successfully.
    C:\ProgramData\Tarma Installer\{361E80BE-388B-4270-BF54-A10C2B756504}\Setup.dat (PUP.Optional.Tarma.A) -> Quarantined and deleted successfully.
    C:\ProgramData\Tarma Installer\{361E80BE-388B-4270-BF54-A10C2B756504}\Setup.exe (PUP.Optional.Tarma.A) -> Quarantined and deleted successfully.
    C:\ProgramData\Tarma Installer\{361E80BE-388B-4270-BF54-A10C2B756504}\Setup.ico (PUP.Optional.Tarma.A) -> Quarantined and deleted successfully.
    C:\ProgramData\Tarma Installer\{361E80BE-388B-4270-BF54-A10C2B756504}\_Setup.dll (PUP.Optional.Tarma.A) -> Quarantined and deleted successfully.
    C:\ProgramData\Tarma Installer\{361E80BE-388B-4270-BF54-A10C2B756504}\_Setupx.dll (PUP.Optional.Tarma.A) -> Quarantined and deleted successfully.
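    As an added example, not code from this thread, from Webroot or from Malwarebytes: a small Python parser for the Malwarebytes log format shown in the post above, run on a constructed subset of that log. It checks the declared section counts against the entries actually listed, groups hits by family, confirms every hit is PUP-class (bundled adware rather than a live infection), and picks out the downloaded installer that brought the rest in. The function names (parse_mbam_log and the others) and the regexes are my own assumptions about the format, based only on the lines posted here.

```python
import re
from collections import Counter

# Constructed sample input: a subset of the Malwarebytes log posted in the thread.
# A raw string keeps the Windows backslashes literal.
SAMPLE_LOG = r"""
Folders Detected: 2
C:\Users\Ebony\AppData\Roaming\Babylon (PUP.Optional.Babylon.A) -> Quarantined and deleted successfully.
C:\ProgramData\Tarma Installer (PUP.Optional.Tarma.A) -> Quarantined and deleted successfully.

Files Detected: 3
C:\Users\Ebony\Downloads\SoftonicDownloader_for_folderico.exe (PUP.Optional.Softonic) -> Quarantined and deleted successfully.
C:\Users\Ebony\AppData\Roaming\Babylon\log_file.txt (PUP.Optional.Babylon.A) -> Quarantined and deleted successfully.
C:\ProgramData\Tarma Installer\{361E80BE-388B-4270-BF54-A10C2B756504}\Setup.exe (PUP.Optional.Tarma.A) -> Quarantined and deleted successfully.
"""

# "Folders Detected: 4" / "Files Detected: 7" section headers (assumed format).
SECTION_RE = re.compile(r"^(?P<section>Folders|Files) Detected: (?P<count>\d+)$")
# "<path> (<detection name>) -> <action>." entry lines (assumed format).
ENTRY_RE = re.compile(r"^(?P<path>.+?) \((?P<detection>[^()]+)\) -> (?P<action>.+?)\.?$")


def parse_mbam_log(text):
    """Turn the 'Detected' sections of a Malwarebytes log into a list of dicts."""
    entries = []
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            section = m.group("section")
            continue
        m = ENTRY_RE.match(line)
        if m is None or section is None:
            continue  # scan metadata and other lines are not detections
        parts = m.group("detection").split(".")
        entries.append({
            "section": section,                 # Folders or Files
            "path": m.group("path"),
            "detection": m.group("detection"),  # e.g. PUP.Optional.Babylon.A
            "category": parts[0],               # PUP here; Trojan, Adware, ... elsewhere
            "family": parts[2] if len(parts) >= 3 else parts[-1],
            "action": m.group("action"),
        })
    return entries


def check_counts(text):
    """Declared vs. listed entries per section; a mismatch means a truncated paste."""
    declared = {}
    for raw in text.splitlines():
        m = SECTION_RE.match(raw.strip())
        if m:
            declared[m.group("section")] = int(m.group("count"))
    actual = Counter(e["section"] for e in parse_mbam_log(text))
    return {s: (n, actual.get(s, 0)) for s, n in declared.items()}


def summarize(entries):
    """Detections per family, as a plain dict."""
    return dict(Counter(e["family"] for e in entries))


def all_pup(entries):
    """True when every hit is PUP-class, i.e. bundled adware rather than a live infection."""
    return bool(entries) and all(e["category"] == "PUP" for e in entries)


def downloaded_installers(entries):
    """Files under a Downloads folder: the bundle that brought the other items in."""
    return [e for e in entries
            if e["section"] == "Files" and "\\downloads\\" in e["path"].lower()]


if __name__ == "__main__":
    found = parse_mbam_log(SAMPLE_LOG)
    print("counts (declared, listed):", check_counts(SAMPLE_LOG))
    print("by family:", summarize(found))
    print("all PUP-class:", all_pup(found))
    for e in downloaded_installers(found):
        print("origin candidate:", e["path"])
```

    Run against the full log from the post, the Downloads hit (SoftonicDownloader_for_folderico.exe) is the one worth keeping a note of: it is the bundler that dropped the Babylon and Tarma items, which is the point SweX makes further down about where the bundle came from.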
  2. SweX

    SweX Registered Member

    They are all PUP (potentially unwanted application) detections so they are not really harmful, but can be very annoying as you say seeing pop-ups, and they can add toolbars in the browser and so forth..... and they are unwanted hence the detection name. And should be detected!

    I see softonic in the log file, so I assume you have downloaded something from softonic that was bundled with a PUP that got past WSA.

    And also the Babylon PUP that we see a lot of.

    In the future stay away from C-Net and Softonic, and use other download sources like... Majorgeeks, Softpedia... or go to the vendor site directly.
  3. guest

    guest Guest

    doesn't surprise me at all
  4. webbit

    webbit Registered Member

    what do you mean?
  5. Triple Helix

    Triple Helix Webroot Product Advisor

    Not all PUA's & PUP's are detected by WSA for the reason SweX said (Potentially Unwanted Application or Potentially Unwanted Program detections, so they are not really harmful), so the user has to take the time looking when installing software, as PUA's & PUP's are usually pre-checked! You want to see a nice list of programs with PUA's & PUP's: http://www.calendarofupdates.com/up...ndar&section=view&do=showevent&event_id=44514

    Definition of PUP: http://www.techterms.com/definition/pup

    Don't blame WSA for what the user should know and if it turns out to be malicious then that is when WSA will jump in and remove it.

    TH
    Last edited: Jul 30, 2013
  6. kdcdq

    kdcdq Registered Member

    What 'doesn't surprise me at all' is guest's comment previously... :argh:

    We are trying to help users of WSA here.... :thumb:
  7. guest

    guest Guest

    Back when I first started using it, I had a .exe that was some type of virus. It's been a while back, and a nasty one at that because it locked up my system. I don't really remember where I got it; I just knew it got past WRSA, but to give credit, it was not long after they first came out with it, so maybe it needed some work at that time. Anyhow, I just put the best antivirus program you can get to work on it, which is a clean image, and had it fixed in just a few minutes. Since then I just run, let's say, a hardened version of Windows and so far have never had another problem.
  8. webbit

    webbit Registered Member

    No AV can claim to be 100% effective and Webroot certainly does not claim that, but the support and help from Webroot is 2nd to none. I posted this thread for advice and it was answered; I am more than happy with Webroot, and this is the only problem I have had in over 8 months. :thumb:
  9. Thankful

    Thankful Registered Member

    The detection is down as evidenced by the latest AV-Test. Webroot doesn't participate in many tests anymore, so a mediocre result is noticed. I would be interested in knowing why detection dropped significantly from the previous AV-test tests and why so many false positives occurred during May.
    I don't see such a significant drop off in detection among the highly rated AV products from test to test, so I believe it is a reasonable question.
  10. Triple Helix

    Triple Helix Webroot Product Advisor

    It was already given in the AV-Test thread so let's leave it there. Also:

    TH
  11. The Red Moon

    The Red Moon Registered Member

    I think there has been far too much criticism of webroot on this forum and i feel it should stop here.

    No security solution is 100% effective and the developers of webroot have been more than helpful in relation to the product.
  12. Thankful

    Thankful Registered Member

    I respectfully disagree. A product which was able to score well with AV-Test's methodology is now no longer able to. Why is the test methodology now an issue? Why are FPs still an issue?
  13. Triple Helix

    Triple Helix Webroot Product Advisor

    Basically the Journalling, Monitoring of unknown processes and Rollback features. https://community.webroot.com/t5/We...t-Misses-quot-a-Virus/ta-p/10202#.UfmI3W3Nnns

    TH
  14. Thankful

    Thankful Registered Member

    What am I supposed to do with malware which appeared on my computer saying it was from the FBI, locking up my computer? Am I supposed to wait for WSA to recognize it as malware? My computer was completely locked up. Too late. Rolling back is worthless.
  15. Triple Helix

    Triple Helix Webroot Product Advisor

    Do you see any complaints of WSA users having this issue in here? There is no sense continuing this conversation as you are always going to be negative at whatever I say.

    Cheers,

    TH
  16. Thankful

    Thankful Registered Member

    If you say so. A real cop out.
  17. Thankful

    Thankful Registered Member

    Yes. This happened to me. I am a WSA user.
    If the test doesn't represent the capabilities of WSA, they should not be in the test.
    Webroot shouldn't pat themselves on the back when they score 5/6 in detection and run away from the results when they score 3/6 in detection.
  18. Techfox1976

    Techfox1976 Registered Member

    OP: Non-threat PUP's (Which means PWPs) detected by something else. What would you do if you wanted them and you had them ripped out? That would be considered an FP.

    Then...

    AV testing: "Does the installer package for this FBI infection get detected? No. FAIL! Does it run? Yes, its code is allowed to load into a process. FAIL AGAIN! The test must have ended in an infection."

    Reality: "Does the installer package get detected? No. Does it run? Yes. Does the thing it installs get detected? Yes. Does it run? No. Does the installer get seen as installing the infection and nothing else, and thus whacked for it? Yep. No infection in the end, no FBI warning popup, user never sees any infection, no data is captured, no threat occurs."

    The tests have a very good habit of doing things that real users will never do and then making (inaccurate) assumptions based on detailed machine data. They don't have the extra three seconds to test to see that the payload gets whacked and no infection occurs.

    A good way to think of it: Mortal Football (US style football). In every game before ever, if the ball makes it past the 50 yard line, the team that got it past the 50 yard line will get a touchdown. So when testing, they see the ball go past the 50 yard line and say "Ah, the bad guys will get a touchdown. We won't watch anymore."

    Unfortunately they didn't account for the changes in the game. The good guys team has installed a minefield at the 30 yard line and a lava moat between the 20 yard line and the end zone. The tests only see "Got past the 50 yard line, bad guys must have succeeded." and don't take the delicious explosions in the minefield or the sizzle and crackle of fried flesh in the lava moat into account. :)
  19. Thankful

    Thankful Registered Member

    Techfox1976,
    Thank you for responding. I appreciate it.
    I did have the FBI warning appear on my computer and my computer did freeze up. There was no way of terminating the malware except for manually turning off my computer by pressing the off button.
    I agree with you that no damage was done to my computer, but the malware did run. If I'm misunderstanding you, I apologize.
  20. TonyW

    TonyW Registered Member

    No, because as we ascertained in another thread, most contact Support via the GUI, which is the correct and preferred method of communication.
  21. Triple Helix

    Triple Helix Webroot Product Advisor

    And what did Joe say?
    Daniel ;)
  22. SweX

    SweX Registered Member

    Webroot could simply add an option in the GUI that users can enable if they would like PUPs/PUAs to be detected, unless Webroot chose to have it enabled by default.

    And a PUP cannot be considered an FP, the PUP isn't a part of the software the user downloaded. It has been added to the package. So it is the PUP that is detected and not the actual software/program itself, if that were the case, yes then it would be an FP.

    Edit: Example 1, I download webroot.exe; it is bundled with a PUP and it is not detected, as you would see that as an FP if it had been "ripped out".

    Example 2, I download the same webroot.exe this time it is bundled with a Trojan but this time it is detected and not seen as an FP, but it will still get ripped out even if it is the same file, only the payload is different.

    Though, I don't know what you mean by "PWPs".

    Wanted them....really. Are there any humans that actually like PUPs and want to have them and don't mind them at all? I doubt that very much :doubt:

    I guess Joe is having a well deserved summer vacation at the moment ;)
    Last edited: Jul 31, 2013
  23. Triple Helix

    Triple Helix Webroot Product Advisor

    Far from it, he's too busy working on the 2014 product line. ;)

    Daniel
  24. ProTruckDriver

    ProTruckDriver Registered Member

    I don't think Joe goes on vacation. He is always working on improving WSA. ;)
  25. PrevxHelp

    PrevxHelp Former Prevx Moderator

    Yes, this is correct, but this is correct for every vendor. We have Wilders and our own Community forum and many users do go there - more go to our support directly but if someone has a problem with us or any vendor, I think it's common practice to complain publicly. We simply do not have any volume of users that get infected.

    We are adding exactly this in the 2014 release. The definition of a Possibly Unwanted Program changes between vendors, and even within a single vendor over time. I suggest writing into our support inbox and seeing what our threat research team says.

    Not exactly :) I've just been in meetings and working on 2014 ;)

    We have made improvements for this infection specifically, and indeed, this infection was a different case than has existed in the past as it interrupts the boot process. We now have generic processes in place to prevent any infection from affecting the system in such a way that it can take over the PC.

    To the point on testing not accurately reflecting the product when it previously has shown it as effective: we're working with testing firms but it is increasingly difficult to have the product correctly tested due to threats changing. Over time, the methods that we use to block threats are moving towards our more unique protection methodology rather than plain blacklisting, which is what most AV testing is. The FBI infection you encountered is a perfect case in point here: with the new method we've added, we will completely block the infection, but we would still "miss" it according to current testing methodologies.

    As for false positives, the latest AV-Test result fell into the same condition as the Virus Bulletin test quite a long time ago. We would have still had a few false positives, but nowhere near the volume we saw. We finally managed to find what was causing this scenario and have corrected it - the false positives would have only existed for a nanosecond on files that were not executable (and within an archive) and the detection would be reverted instantly, not affecting any users. We explained this to AV-Test but they rightly kept our FPs counted as they were when they first tested, due to the fact that we did detect the files. Moving forward, we won't run into this scenario, but it just further shows how the differences between testing and normal users end up affecting perceptions.