A service was installed in the system seAWeaVP.sys

Hello,

All of a sudden I got this entry in my Eventviewer log and checking the driver seAWeaVP.sys it's signed by Webroot. Any info on what it is for?

 

I did a search on my Win 7 x64 and found nothing? And are you still on .46?

TH

 

No, I'm on 8.0.2.98 on Win 8 32 bit. Besides this driver, there is another one also signed by Webroot - cxiuNdbz.sys. I suspect they are randomly named for some reason. But it is strange really.

http://www5.picturepush.com/photo/a/11999548/640/11999548.jpg

http://www2.picturepush.com/photo/a/11999550/640/11999550.jpg

 

I don't have either so I would wait for Joe to reply.

TH

 

Just giving a random guess but I have a feeling its most likely for the rootkit scanner. A lot of rootkit scanners use randomly names .sys files. However why you have more then one on your machine and they are not deleting themselves I do not know

 

Most likely the normal WRKrn.sys driver randomly renamed because an attempt to install it to the normal name was interfered with or the option to install with a random name was selected.

 

No, the normal WRKrn.sys driver was present there as well. Actually after reboot those 2 drivers disappeared.

 

This is normal - during malware cleanup, WSA creates a randomized copy of its driver to provide additional cleanup functionality.

 

Good to know thanks!

TH

 

Also could be a pending rename op if there were two updates since the last reboot of the system.