How report False Positive for WSA?

Hi Joe, Triple & Co
I think this post is out of date
https://www.wilderssecurity.com/showthread.php?t=245129
So .. what's your favorite way to know FP?
At the moment I have 2 FP and I send my log.txt to you with WSA directly using
System Tools - Submit a file
I send the log file.txt istead of the real file
Could be a good idea?
At the moment wsa still continue adv. me the 2 files are infected, so I don't know if I get the right way to report the issue
In case it's not correct the problem is about messenger with wsa heuristic set to max

Webroot Scan Log (Version v8.0.0.4
Log saved at Tue 11-10-2011 19:02:55

v8.0.0.48
Windows 7 Service Pack 1 (Build 7601) 64bit
Scan Started: Tue 11-10-2011 18:59:47
Files Scanned: 31546
Malicious Files: 2
Duration: 2m 50s

Some legitimate files are not included in this log
[J] c:\program files (x86)\windows live\messenger\msgsres.dll [MD5: 43A43541DFA5D0623EDACC4B0DF892B0] [Flags: 08000000.1006]
[J] c:\program files (x86)\windows live\messenger\msnmsgr.exe [MD5: 45BF61E3709FC678C6686404A4A0C18F] [Flags: 00080000.1075]

Thanks

 

I've been meaning to make this same post!

The best way is to write into our support inbox by clicking "Send Feedback" within the UI of the product. This will ensure it gets to the correct support team quickly and now the research team works directly with the support team so you should get a very fast response.

Sending files through the UI itself ends up putting them in a stream of a very large number of other files so it's possible they'll not be seen as quickly. Communicating to us through the support interface will get our engineers to work on it very quickly.

Thanks!

 

To add to what PrevxHelp has said, if you can find the MD5 hashes of the files, either from the scan log or through a program like HashTab, you can communicate that through to Support without actually sending the file(s) themselves.

 

You can also use the same when it comes to undetected malware files also!

TH

 

(It occurs to me that I'm running out of s)

 

Here are some more

TH

 

Joe your helpdesk said this:
"Hi,
Having your heuristic detection settings set to maximum will cause frequent false positives. We recommend that you use the "reset to defaults" button on the heuristic settings page to avoid the possibility of frequent false positives.

Thank you,
Webroot Advanced Malware Removal Team"
Ok I think is a Preload respond but Messenger is on every pc (even on every pc infectet administrators have) so I personally think is better Webroot solve the issue concerning Messenger instead of tell users setting heuristic to middle

Even if I decrease my setting to High I have the same issue, Messenger as FP and I think I found a bug too
When WSA scan and found Messenger dll as infection, I dont select the file (or it will be deleted) and press NEXT, next table is that:
http://img23.imageshack.us/img23/7374/immaginezjs.th.jpg

I manage the file to ALLOW it but WSA do nothing, it scan again and still continue seen messenger dll as virus and so on to infinite

Well I'm here so ... I have another FP concening Radiosure (program for radio via web) is a legitimate file
http://www.virustotal.com/file-scan...cd6236c81d815c2aaeecbe858031781c07-1316458954
[E] c:\usb key portable\multimedia\radiosure\radiosure.exe [MD5: 3E5344CC610D2CB0B656946B401B8281] [Flags: 08080100.4417]

thanks

 

It would really be best to go in through our support team and report the false positives there as they have a direct line into our database. It will likely just require whitelisting the files but it would be best to revert your configuration back to the actual defaults rather than "High" as even "High" will produce more false positives. At this point, you may need to use Detection Overrides to change the behavior if the infections are marked as active.

 

Since you've given the MD5 hash, I've reported this directly to Support. In future, I would suggest you report it to Support as it is the quickest way the Research Team will get to see this.

 

Support have told me the MD5 hash for the radiosure executable is a known good program in their database. As suggested earlier, it might be wise to lower heuristic settings to the defaults.

 

Really the Father of FP i should say. had to uninstall the trial version on same day as too many fp and bad firewall ( even port scan fail)

 

Did you report these to our support team? We haven't had any high volume of FPs or firewall issues so it would be worth getting in contact with them to see if something was configured incorrectly.

 

Please correct me if I am wrong but this is by design. Its not an inbound firewall but only outbound, you need to turn on your windows or third party firewall to pass port scans (i.e.inbound scans).

 

I havent reported it. It detect extension of chrome ( download assitant which we use to integrate internet download manager) as virus .

You are correct but what the use of internet security suite which do not prevent inbound attack after all one user pay 40-70 $ for its security and he/she has to use windows firewall.
Regarding outbound firewall control you can get it free from window firewall controal software for less than 5 mb software

 

That's correct - the Windows firewall does a perfect job of inbound protection and there really isn't anything we can improve upon with it that wouldn't introduce incompatibilities. WSA has a cloudbased outbound firewall as its additional layer of protection.