Rootkit False Positives

Discussion in 'Prevx Releases' started by DoctorPC, Feb 2, 2014.

Thread Status:
Not open for further replies.
  1. DoctorPC

    DoctorPC Banned

    Joined:
    Jan 9, 2014
    Posts:
    813
    I keep getting Rootkit False Positives with WSA every few days on one of the systems I deal with. I believe they are false because I have run other second-opinion software, in safe mode and not in safe mode, to check.

    Gmer
    Dr. Web CureIT
    HitmanPro
    Kaspersky TDS
    BitDefender Anti-Rootkit
    MBAM Anti-rootkit
    herdProtect

    All show clear, and given that's essentially a scan with around 68 AV engines and 5-6 specialty rootkit detectors, I would assume the system is clean. But every few days WSA pops up with a Rootkit warning, and I tell it to ignore the supposed threat rather than compromise the system by deleting a clean system file, and WSA freaks out, keeps forcing another scan, then forcing me to remove/allow it - over and over - until I reboot the system; then WSA shuts up for another few days.

    For disclosure's sake, this system is layered with:

    1) Anti-Malware DNS server.
    2) SOHO packet inspection security appliance (running TrendNet database)
    3) SOHO router with IS/ID/SPI set to maximum.
    4) Locked down Windows 8.1 (as much as possible)
    5) MBAM Pro ResidentOn
    6) Webroot Secure Anywhere
    7) Adblocker w/only Malware Domains Activated
    8) Admuncher w/Custom Filters Activated

    Add to that weekly security audits, and I think I am pretty satisfied this is a false positive from WSA. If it isn't, then something got past that virtual fortress of protection, and then was capable of fooling 68+ AV engines and 6 dedicated rootkit scanners?
     
    Last edited by a moderator: Feb 2, 2014
  2. PrevxHelp

    PrevxHelp Former Prevx Moderator

    Joined:
    Sep 14, 2008
    Posts:
    8,242
    Location:
    USA/UK
    Could you post a screenshot of what WSA detected or an excerpt from the scan log with it listed?

    Thanks!
     
  3. DoctorPC

    DoctorPC Banned

    Joined:
    Jan 9, 2014
    Posts:
    813
    I would, unfortunately the logs show zero malware threats.. It actually doesn't write anything.. Which I find really annoying.. It says a rootkit, scans, wants to remove it, but the logs themselves show no malicious files..

    o_O
     
  4. PrevxHelp

    PrevxHelp Former Prevx Moderator

    Joined:
    Sep 14, 2008
    Posts:
    8,242
    Location:
    USA/UK
    That's very strange... do you think you could send me your log to my username @ gmail.com to take a look anyway just in case there is something I can dig out?

    Also, could you try running a "deep scan" from the Custom Scan dialog within PC Security and see if it occurs on-demand? A screenshot would probably help narrow it down as well.

    Thanks for the help!
     
  5. Triple Helix

    Triple Helix Webroot Product Advisor

    Joined:
    Nov 20, 2004
    Posts:
    12,011
    Location:
    Ontario, Canada
    Do you have your Heuristics set to Max? It could cause these types of issues. I have had them in the past, but that is to be expected.

    TH
     
  6. Techfox1976

    Techfox1976 Registered Member

    Joined:
    Jul 22, 2010
    Posts:
    749
    No details of what it's claiming to be finding and also claims that it's not writing anything, just "There's a problem." Not very useful for diagnosing. Yes, it could be a FP, or it could be user error, or it could be interference from the other items, or it could be an actual rootkit that the user is failing to take action on.

    But with no details, it's all user error to me.

    What file does it say is bad?
    What does it say the nature of it is?

    If all else fails, remember that WSA is not good at breaking systems in normal cases. Certain files are sacrosanct and it doesn't just delete any protected system files, it replaces them with validated clean copies. And yes, I -have- found systems that prepackaged rootkit scanners find nothing on, but specialty "get raw data and have a human being look at it" (remote kernel debugging FTW!) and WSA both show the rootkit clearly though everything else says it's clean.

    Details, details, details, or the claim is as useless as trolling. :(
     
  7. DoctorPC

    DoctorPC Banned

    Joined:
    Jan 9, 2014
    Posts:
    813
    Please don't make idiotic assumptions.. Specifically, I can guarantee it isn't user error, as what 'error' is a user, much less one with an engineering degree, 29 years of computer experience, and 18 IT certifications would commit? That's why your assumption is even more ludicrous - frankly. I clearly stated, the logs show nothing, yet Webroot claims there is a rootkit, and gets stuck in a perpetual scan cycle....

    Now, let's get back to business. Yes, Heuristics are set to maximum. Triple Helix is probably on to something, as based on the system, my knowledge of it (2 week old install no less, and controlled/monitored installations since), and the extensive layered security, it's probably a strange flag by the heuristics. Also note - a deep system scan shows nothing.

    I will tone down the heuristics, and see if the problem persists.
     
    Last edited: Feb 3, 2014
  8. PrevxHelp

    PrevxHelp Former Prevx Moderator

    Joined:
    Sep 14, 2008
    Posts:
    8,242
    Location:
    USA/UK
    Maximum heuristics definitely sounds like they could be the cause here. Do you happen to recall if it was a registry entry listed as a false positive? If it isn't too much of an inconvenience, I'd be curious to see what gets re-detected if you leave heuristics at Maximum and take a screenshot.

    Thanks!
     
  9. DoctorPC

    DoctorPC Banned

    Joined:
    Jan 9, 2014
    Posts:
    813
    I took a screenshot of the first detection, however it only captured a black screen. Absolutely no clue why. However I have been waiting for it to trigger again to see if I can grab another one. It has only happened about every 3-6 days so far.

    Correct - it was a registry entry.
     
  10. fax

    fax Registered Member

    Joined:
    May 30, 2005
    Posts:
    3,728
    Location:
    localhost
    Turn off WSA Identity Shield...
     
  11. Triple Helix

    Triple Helix Webroot Product Advisor

    Joined:
    Nov 20, 2004
    Posts:
    12,011
    Location:
    Ontario, Canada
    Did you send a scan log to PrevxHelp as he asked above?

    Thanks,

    TH
     
  12. DoctorPC

    DoctorPC Banned

    Joined:
    Jan 9, 2014
    Posts:
    813
    Sorry I haven't responded.

    I ended up uninstalling Webroot from my cluster of 6 PCs here at the home, and another dozen I had deployed it to outside of my home. I found 'strange' issues that kept coming up.

    1) False positives. (sometimes with no indicator, or log of the issue)
    2) Stalling of application/product installs. (especially on Windows 8.1)
    3) A general 'slowdown' of most activities. Launching Opera, for example, had a 2.5 second delay under Webroot, but no delay without it or with protection disabled.
    4) General slowdown of hard drive IO noted.
    5) Sandboxing of known applications. After 4 tickets sent in to get applications removed, I realized this was a futile effort. Every new version, every beta test, every strange application, every program my company works on in-house was being blacklisted by default. Absolutely too much hassle to maintain this.

    Overall, I like the product. But I feel its bloat may be increasing to dangerous levels, and that its system of whitelist/blacklist may be too intrusive for some situations. I was forced to ditch the product, and remove deployment under some SOHO clients. Thankfully, all of the keys weren't used, and I have begun posting those on Ebay - the used ones? /shrug Possibly toss them on relatives' computers, or give them away.

    I will check back next year to see if it's improved/changed.
     
  13. fax

    fax Registered Member

    Joined:
    May 30, 2005
    Posts:
    3,728
    Location:
    localhost
    Sounds like a combination of non-default settings and issues with third party software installed on those machines. What you describe as problems are actually the reasons why many standard users move to WSA (not intrusive, not slowing down, no impact on use, no weird pop-ups for clueless users, no blocking, etc).

    A pity you gave up, otherwise I would have been curious to understand the issue, as there have been a lot of complaints but no information posted, i.e. program X is blocked, screenshots, logs, etc.
     
  14. PrevxHelp

    PrevxHelp Former Prevx Moderator

    Joined:
    Sep 14, 2008
    Posts:
    8,242
    Location:
    USA/UK
    I'd definitely be interested in seeing a log if you wouldn't mind sending one - I don't know what "bloat" would exist here as the client hasn't increased... but I'm definitely keen to look into whatever is being seen here to fix it as we certainly aren't seeing this slowdown across our userbase.
     