Webroot SecureAnywhere Discussion & Update Thread

Discussion in 'other anti-virus software' started by Triple Helix, Jun 6, 2014.

  1. Triple Helix

    Triple Helix Specialist

    Joined:
    Nov 20, 2004
    Posts:
    13,269
    Location:
    Ontario, Canada
  2. Triple Helix

    Triple Helix Specialist

    Joined:
    Nov 20, 2004
    Posts:
    13,269
    Location:
    Ontario, Canada
    @Rakanisheu Hi Roy I hope you're enjoying your short vacation and thanks for stopping by! Can you explain the Registry Detections that you talked to us about them?

    Cheers,

    Daniel
     
    Last edited: Dec 23, 2014
  3. Mayahana

    Mayahana Banned

    Joined:
    Sep 13, 2014
    Posts:
    2,220
    Webroot was the first thing installed on this clean new purchased machine after any bloat was removed (by me personally). Also, note other scans with additional products found additional issues.

    I'm aware of how MBAM classifies threats/traces - artificially inflating the number.. However considering the sheer number of 'Junk' (Directories/Keys, BHO's, Files, etc), I consider this machine infected. If you do not, then that could be a problem with the product because the machine wasn't functioning very efficiently. Once Forticlient was installed and ran a full scan it found 2 more pieces of malware. At what point does Webroot decide a machine is choking, and it needs to roll-back? To me, this machine was long past the point of needing a rollback, and required manual intervention.

    Correct EEK log;
    https://www.amazon.com/clouddrive/share/0PqpVuMIs6OuJQ8bD7dZNlhu0QVv-VUwjvQmsAJj21Q
     
    Last edited: Dec 23, 2014
  4. Charyb

    Charyb Registered Member

    Joined:
    Jan 16, 2013
    Posts:
    679
    Here is the VirusTotal link to the Radio Rage toolbar.
    virus total results removed as per forum policy*

    15 of 54 detected this as PUP, mywebsearch, adware, etc.
     
    Last edited: Dec 23, 2014
  5. Charyb

    Charyb Registered Member

    Joined:
    Jan 16, 2013
    Posts:
    679
    I installed Radio Rage and during installation, I had to ok User Account Control and manually click install. It didn't install all by itself. Two times it required user intervention to install. I left the boxes checked to change the homepage and the default search engine. After installation I checked for an uninstall entry in Programs and Features and there is one present. This PUP doesn't install leaving no way to uninstall it. After installation I ran a Malwarebytes scan which detected over 300 problems. My computer should really be hosed, huh? I then uninstalled Radio Rage and ran MBAM again which found zero problems. The only problems, after uninstalling, is that I was required to manually change my homepage and default search provider back to my preferences. Radio Rage directs you to videos that show a person how to do this.

    Here is a link explaining the policy registry keys. I have seen these before while scanning with EIS.
    http://support.emsisoft.com/topic/1...for-decisions-that-require-user-intervention/

    Please see attached MBAM log, image of uninstall entry in Programs and Features, and Radio Rage install window.

    Sorry, I'm NOT buying into the hype here.
     

    Attached Files:

    Last edited: Dec 23, 2014
  6. Rakanisheu

    Rakanisheu Guest

    I don't see anything malicious in those logs, all BHO's and some system settings. A reset of the browser and the use of the Windows add/remove control panel to remove those unwanted software and that's it. I wasn't connected to the PC so I cant tell what condition it was in. People get wound up over PUA's and the majority of them remove cleanly and/or require consent to install.
     
    Last edited by a moderator: Dec 23, 2014
  7. WRDanP

    WRDanP Webroot Threat Expert

    Joined:
    Dec 22, 2014
    Posts:
    3
    We do not disclose our detection criteria for PUAs, but I will say that the criteria is solid and objective. Different vendors have different detection criteria for PUAs/PUPs so there will always be cases where one vendor detects a program while another may not.
     
  8. Mayahana

    Mayahana Banned

    Joined:
    Sep 13, 2014
    Posts:
    2,220
    Also there are other versions of Conduit, RadioRage, Mindspark, and other PUA's to factor here. Downloading one particular version doesn't necessarily give insight into the whole scheme. I don't know if it's a matter of people being wound up, or people tired of 'junk' being added to their installs, soiling registries, and leaving a lot of temp files around. When I re-checked his system last night, Webroot found more threats, but was unable to quarantine them, and kept wanting to scan over and over. I provided the dumps relating to that as well. I'd have to go in and pull logs from Forticlient, my father in-law said the full scan ran for a couple of hours, and found 2 more threats. That was after Webroot->MBAM->EEK->BitDefender Adware Remover was processed. I forgot to grab the logs for Bit Defender AWR, that pulled an additional piece.

    The objective of installing Webroot on my father in-law's machine was to avoid these kinds of plagues. After this I think he is better suited for Eset, Norton 2015, or possibly Forticlient. Something with an aggressive PUA policy, and/or firm reputation based evaluation. I suspect Webroot paired with MBAM would also be a good solution.

    What does the archived WSA logs tell you? No suspected rootkit activity?
     
  9. Victek

    Victek Registered Member

    Joined:
    Nov 30, 2007
    Posts:
    6,219
    Location:
    USA
    It looks like you downloaded Radio Rage as a standalone app,yes? I ask because a big part of the problem with PUP/PUA is the way they are bundled. Some are intentionally deceptive, making it hard to see or understand how to opt out. Technically the user gives consent, but not informed consent. Personally I think the law needs to be changed to shift the responsibility back on the software distributors and in particular require their "bundles" be Opt-In instead of Opt-Out, but moving right along...My personal preference is that security apps be ruthlessly aggressive against PUPs, but in the end the responsibility lies with the user.
     
  10. Muddy3

    Muddy3 Registered Member

    Joined:
    May 31, 2010
    Posts:
    415
    Location:
    Belgium
    I thought there was something pretty odd about Webroot allowing 232 threats/traces to invade a device over a period of 6 months (over any period, frankly!). I thought however, being myself far less computer-savvy than most other posters here, mine was not the place to raise such questions. Seems from what I've read subsequently my scepticism was amply justified.
     
  11. Mayahana

    Mayahana Banned

    Joined:
    Sep 13, 2014
    Posts:
    2,220
    As Victek points out, there are many different vectors, and as I pointed out, many different versions. This machine had NO uninstallers available on it that were functional - that of course is the first thing I always try. I'd be curious to hear what the WSA log dump archive has to show.

    We consider a machine like that as compromised, and there is good reason for that. I am not here to argue over how/why Webroot doesn't consider it compromised, but I will say it's suicide in the MSP business to deploy a solution that would allow such a level of 'trash' to impede on a system in the first place, regardless of how it was on-loaded. Some big money is lost cleaning this stuff up, and clients get pretty upset when we need to explain why their solution isn't blocking/stopping, or at least reducing this kind of thing.
     
  12. Rakanisheu

    Rakanisheu Guest

    But its not 232 threats as we have already discussed, its two tool-bars that aren't malicious. We don't show the individual components as I have said earlier.
     
  13. Charyb

    Charyb Registered Member

    Joined:
    Jan 16, 2013
    Posts:
    679
    The use of the words grim, horrendously, suicide, trash, and compromise while describing this situation makes me chuckle. This is an obvious case of sensationalism. If it's not on your list of antivirus programs to promote for the day, which appears to be Norton, ESET and Forticlient, it is not worthy. BTW, Norton didn't detect this as a PUA/PUP either. You have been taking jabs at Webroot every since your return to this forum. Please, don't use Webroot if it is this painful for you. While you are at it, don't use EAM because this is another program that I like and I don't know if I can handle more drama.
     
  14. Muddy3

    Muddy3 Registered Member

    Joined:
    May 31, 2010
    Posts:
    415
    Location:
    Belgium
    Exactly!
    Almost every Webroot user I have come across would share your view that Webroot do not take an aggressive enough attitude towards PUA/PUPs. That said, talking about 232 threats/traces does somewhat overhype the incident in question and arguably risks stretching your credibility as a poster here. Having said that, you certainly have drawn the attention of a couple of important Webroot programmers/developers to this discussion and if that causes Webroot to have second thoughts on this matter, I can only offer you my hearty congratulations! (Maybe we're wrong in our view on PUAs, Rakanisheu, but it is our point of view and even TripleHelix strongly shares this view!)
     
  15. Charyb

    Charyb Registered Member

    Joined:
    Jan 16, 2013
    Posts:
    679
    I will send you a pm.
     
  16. Rakanisheu

    Rakanisheu Guest

    I classify thousands of PUA's every day as do many of my colleagues. I personally would rather spend the time classifying malicious threats. I have already explained the detections in the logs. We take an approach of simplifying things here in Webroot. I personally don't see the benefit to users of showing them every single component of a detected threat. PUA/PUP's are no so black and white. Lots of people think the AV companies should blanket them all bad. Its not that easy, just look at how many legitimate programs bundle software with there own software. I think we are stuck in a loop in this discussion.

    I don't know why people think Webroot has a less aggressive attitude towards PUA. Pretty much everybody hates PUA's, but they are a part of our life unfortunately.
     
  17. Mayahana

    Mayahana Banned

    Joined:
    Sep 13, 2014
    Posts:
    2,220
    Wait, I am not suddenly the villain here? I fail to see the logic for attacking me. I provided all of the logs requested, and all I have really gotten in return is something along the lines of 'it's harmless, ignore it all' for the most part. The way this system was running, the popups, and inability to uninstall some of them draw a good bit of worry from my father in-law, justifiably so perhaps? This isn't about bashing WSA, if it was about bashing WSA I would have complained, and not provided logs. I'm not faulting the product, but the PUA issue means WSA isn't a good product for someone like myself (kids in house), or relatives. Which up to this point I thought WSA was fine for folks like my inlaws.. He needs something like ESET, EMsisoft or whatever. It's nothing personal.

    I don't see a reason to lash out at me about it. But I do agree with Rakanisheu, there is really no point in going on about this. The answer was provided, and I DO appreciate the time/effort spent looking into this from all parties involved.
     
  18. Muddy3

    Muddy3 Registered Member

    Joined:
    May 31, 2010
    Posts:
    415
    Location:
    Belgium
    I know that Webroot takes a more aggressive policy towards PUAs than many AVs, I just wish it were possible for Webroot to take an even more aggressive attitude than it does. (Perhaps that is not feasible for reasons such as you mention in your post above??)
     
  19. Rakanisheu

    Rakanisheu Guest

    Sorry that was not my intention I am not having a go at anybody I was just stating the difference's in detection.
     
  20. Blues7

    Blues7 Registered Member

    Joined:
    May 11, 2009
    Posts:
    870
    Location:
    2500'
    Mahayana, perhaps the discussion would seem a bit more rational and objective if it could simply be focused on the success or lack thereof of Webroot without a constant mantra and reference to other competing AV's which are not particularly relevant to whether Webroot performed properly or not. (Maybe Theravada would be the yang to your yin...or vice versa. <g>)

    (For the record, I have only been using Webroot AV (without issue) for just over a year. Prior to that I used Emsisoft Anti-Malware and other products over the years...so I have no affiliation nor ax to grind with any particular AV solution.)

    I do agree that your taking the time to provide the logs has been very helpful due to the discussion and information it has engendered.
    Very informational for those of us with much less technical acumen.
     
  21. Victek

    Victek Registered Member

    Joined:
    Nov 30, 2007
    Posts:
    6,219
    Location:
    USA
    Yes, I would like to know based on the logs provided if WSA performed as it was supposed to or not.

    Ah, Buddhists among us :)
     
  22. Blues7

    Blues7 Registered Member

    Joined:
    May 11, 2009
    Posts:
    870
    Location:
    2500'
    Ouch...I just felt the 'sound of one hand slapping' courtesy of Gautama.
    (Even he has his limits, :isay:...though I did make an attempt at studying and understanding "the way"...way back in my idealistic youth.)
     
  23. robboman

    robboman Registered Member

    Joined:
    May 6, 2013
    Posts:
    62
    Location:
    holland
    So what it comes down to sometimes a AV will detect a bundled program as a pup and sometimes not. I don't see why WSA 'failed' here.
     
  24. Frank the Perv

    Frank the Perv Banned

    Joined:
    Dec 16, 2005
    Posts:
    882
    Location:
    Virginia, USA
    And I fail to see how WSA succeeded here.

    But to each his own.... Kool-Aide for everybody!
     
  25. Mayahana

    Mayahana Banned

    Joined:
    Sep 13, 2014
    Posts:
    2,220
    I opened a ticket as a 'consumer' reporting an infection, and this is what I got back.. I'm speechless.. If I could answer all of those questions (I can, but average home users?) then I could remove the threat myself...

    Hello,

    In order to diagnose your issue in the most effective way, we need a full description of the symptoms you are reporting. Please copy and paste the contents below into your reply and answer each question as best you can in a separate line:

    ----------
    - Question: When did the symptoms begin, and do you recall what event might have triggered the symptoms?
    - Answer:

    - Question: Are you receiving pop-ups? What exactly do the pop-ups say? Are you able to make the pop-up go away? If so, how?
    - Answer:

    - Question: Do you see suspicious activity? What exactly are you seeing? What program(s) are you using at the time when this occurs?
    - Answer:

    - Question: Has your Windows Desktop background been changed? If so what text is being displayed?
    - Answer:

    - Question: Have you noticed a suspicious program? What is the program’s name? If you launched it, what did it do or display?
    - Answer:

    - Question: Are your Web searches or clicked links being redirected to other websites that you do not expect?
    - Answer:

    - Question: Where are the visible symptoms of the infection coming from (eg. the Taskbar, System Tray, or Desktop)? What do they say?
    - Answer:

    - Question: Can you trigger the symptoms or must you wait for it to show itself? If so, how?
    - Answer:

    - Question: Provide the name of any repeated detections identified by the Webroot software on every scan. Even if the suspicious item is being detected by a different legitimate security program on your system, please list the name of the item.
    - Answer:

    - Question: If you boot the computer into Windows Safe Mode with Networking (accomplished by pressing the F8 key as the computer boots up, but before Windows launches, and selecting the Safe Mode with Networking option), do the symptoms persist?
    - Answer:
    ----------

    The answers to these questions will be examined carefully. We will assess the issue based on this information, and will provide further instructions soon.

    Thank you,

    The Webroot Advanced Malware Removal Team
     
  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.