How report False Positive for WSA?

Discussion in 'Prevx Releases' started by Romagnolo1973, Oct 11, 2011.

Thread Status:
Not open for further replies.
  1. Romagnolo1973

    Romagnolo1973 Registered Member

    Joined:
    Feb 17, 2009
    Posts:
    518
    Location:
    Italy - Ravenna
    Hi Joe, Triple & Co:D
    I think this post is out of date
    https://www.wilderssecurity.com/showthread.php?t=245129
    So .. what's your favorite way to know FP?
    At the moment I have 2 FP and I send my log.txt to you with WSA directly using
    System Tools - Submit a file
    I send the log file.txt istead of the real file
    Could be a good idea?
    At the moment wsa still continue adv. me the 2 files are infected, so I don't know if I get the right way to report the issue
    In case it's not correct the problem is about messenger with wsa heuristic set to max

    Webroot Scan Log (Version v8.0.0.4:cool:
    Log saved at Tue 11-10-2011 19:02:55

    v8.0.0.48
    Windows 7 Service Pack 1 (Build 7601) 64bit
    Scan Started: Tue 11-10-2011 18:59:47
    Files Scanned: 31546
    Malicious Files: 2
    Duration: 2m 50s

    Some legitimate files are not included in this log
    [J] c:\program files (x86)\windows live\messenger\msgsres.dll [MD5: 43A43541DFA5D0623EDACC4B0DF892B0] [Flags: 08000000.1006]
    [J] c:\program files (x86)\windows live\messenger\msnmsgr.exe [MD5: 45BF61E3709FC678C6686404A4A0C18F] [Flags: 00080000.1075]

    Thanks
     
  2. PrevxHelp

    PrevxHelp Former Prevx Moderator

    Joined:
    Sep 14, 2008
    Posts:
    8,242
    Location:
    USA/UK
    :thumb: I've been meaning to make this same post!

    The best way is to write into our support inbox by clicking "Send Feedback" within the UI of the product. This will ensure it gets to the correct support team quickly and now the research team works directly with the support team so you should get a very fast response.

    Sending files through the UI itself ends up putting them in a stream of a very large number of other files so it's possible they'll not be seen as quickly. Communicating to us through the support interface will get our engineers to work on it very quickly.

    Thanks!
     
  3. TonyW

    TonyW Registered Member

    Joined:
    Oct 12, 2005
    Posts:
    2,634
    Location:
    UK
    To add to what PrevxHelp has said, if you can find the MD5 hashes of the files, either from the scan log or through a program like HashTab, you can communicate that through to Support without actually sending the file(s) themselves.
     
  4. Triple Helix

    Triple Helix Webroot Product Advisor

    Joined:
    Nov 20, 2004
    Posts:
    12,012
    Location:
    Ontario, Canada
    You can also use the same when it comes to undetected malware files also! ;)

    TH
     
  5. PrevxHelp

    PrevxHelp Former Prevx Moderator

    Joined:
    Sep 14, 2008
    Posts:
    8,242
    Location:
    USA/UK
    :thumb:

    :thumb:

    (It occurs to me that I'm running out of :thumb:s)
     
  6. Triple Helix

    Triple Helix Webroot Product Advisor

    Joined:
    Nov 20, 2004
    Posts:
    12,012
    Location:
    Ontario, Canada
    Here are some more :thumb::thumb::thumb::thumb::thumb::thumb::thumb::thumb: :D

    TH
     
  7. Romagnolo1973

    Romagnolo1973 Registered Member

    Joined:
    Feb 17, 2009
    Posts:
    518
    Location:
    Italy - Ravenna
    Joe your helpdesk said this:
    "Hi,
    Having your heuristic detection settings set to maximum will cause frequent false positives. We recommend that you use the "reset to defaults" button on the heuristic settings page to avoid the possibility of frequent false positives.

    Thank you,
    Webroot Advanced Malware Removal Team"
    Ok I think is a Preload respond:D but Messenger is on every pc (even on every pc infectet administrators have) so I personally think is better Webroot solve the issue concerning Messenger instead of tell users setting heuristic to middle

    Even if I decrease my setting to High I have the same issue, Messenger as FP and I think I found a bug too
    When WSA scan and found Messenger dll as infection, I dont select the file (or it will be deleted) and press NEXT, next table is that:
    http://img23.imageshack.us/img23/7374/immaginezjs.th.jpg

    I manage the file to ALLOW it but WSA do nothing, it scan again and still continue seen messenger dll as virus and so on to infinite

    Well I'm here so ... I have another FP concening Radiosure (program for radio via web) is a legitimate file
    http://www.virustotal.com/file-scan...cd6236c81d815c2aaeecbe858031781c07-1316458954
    [E] c:\usb key portable\multimedia\radiosure\radiosure.exe [MD5: 3E5344CC610D2CB0B656946B401B8281] [Flags: 08080100.4417]

    thanks
     
  8. PrevxHelp

    PrevxHelp Former Prevx Moderator

    Joined:
    Sep 14, 2008
    Posts:
    8,242
    Location:
    USA/UK
    It would really be best to go in through our support team and report the false positives there as they have a direct line into our database. It will likely just require whitelisting the files but it would be best to revert your configuration back to the actual defaults rather than "High" as even "High" will produce more false positives. At this point, you may need to use Detection Overrides to change the behavior if the infections are marked as active.
     
  9. TonyW

    TonyW Registered Member

    Joined:
    Oct 12, 2005
    Posts:
    2,634
    Location:
    UK
    Since you've given the MD5 hash, I've reported this directly to Support. In future, I would suggest you report it to Support as it is the quickest way the Research Team will get to see this.
     
  10. TonyW

    TonyW Registered Member

    Joined:
    Oct 12, 2005
    Posts:
    2,634
    Location:
    UK
    Support have told me the MD5 hash for the radiosure executable is a known good program in their database. As suggested earlier, it might be wise to lower heuristic settings to the defaults.
     
  11. COMPYPY

    COMPYPY Registered Member

    Joined:
    Oct 11, 2011
    Posts:
    80
    Really the Father of FP i should say. had to uninstall the trial version on same day as too many fp and bad firewall ( even port scan fail)
     
  12. PrevxHelp

    PrevxHelp Former Prevx Moderator

    Joined:
    Sep 14, 2008
    Posts:
    8,242
    Location:
    USA/UK
    Did you report these to our support team? We haven't had any high volume of FPs or firewall issues so it would be worth getting in contact with them to see if something was configured incorrectly.
     
  13. fax

    fax Registered Member

    Joined:
    May 30, 2005
    Posts:
    3,731
    Location:
    localhost
    Please correct me if I am wrong but this is by design. Its not an inbound firewall but only outbound, you need to turn on your windows or third party firewall to pass port scans (i.e.inbound scans).
     
  14. COMPYPY

    COMPYPY Registered Member

    Joined:
    Oct 11, 2011
    Posts:
    80
    I havent reported it. It detect extension of chrome ( download assitant which we use to integrate internet download manager) as virus .

    You are correct but what the use of internet security suite which do not prevent inbound attack after all one user pay 40-70 $ for its security and he/she has to use windows firewall.
    Regarding outbound firewall control you can get it free from window firewall controal software for less than 5 mb software
     
    Last edited: Oct 12, 2011
  15. PrevxHelp

    PrevxHelp Former Prevx Moderator

    Joined:
    Sep 14, 2008
    Posts:
    8,242
    Location:
    USA/UK
    That's correct - the Windows firewall does a perfect job of inbound protection and there really isn't anything we can improve upon with it that wouldn't introduce incompatibilities. WSA has a cloudbased outbound firewall as its additional layer of protection.
     
Thread Status:
Not open for further replies.