Webroot SecureAnywhere Discussion & Update Thread

Discussion in 'other anti-virus software' started by Triple Helix, Jun 6, 2014.

  1. Gein

    Gein Registered Member

    Joined:
    Dec 8, 2013
    Posts:
    190
I'm not sure that there is, other than webroot not showing the deus ex game executable in the active processes tab while it's running, which is fairly minor. But I was wondering what the typical behavior of the process monitor was. Is it only supposed to show currently running processes? One of my other game executables is set to monitor, and it indicates that it's been active for 14 hours, and I'm not sure if that means the monitoring has been active for 14 hours or the process has been active for 14 hours. Some of the other games are listed in the active processes tab that aren't currently running, but it's not giving me a time frame. It only really seems to be doing this for steam games. It's not telling me other executables like chrome are running, or my password manager or voip applications, so I'm not really sure if this is typical or anomalous.
     
  2. Triple Helix

    Triple Helix Specialist

    Joined:
    Nov 20, 2004
    Posts:
    12,764
    Location:
    Ontario, Canada
    If it's running it will be listed but it could be under another process name? Again it has to be running to show in active processes. And if something is being Monitored it's best to contact support as it could be a simple thing of getting it whitelisted in the Webroot Cloud database. https://www.webroot.com/En_US/Secur..._SystemControl/CH10b_ControllingProcesses.htm
     
    Last edited: Aug 27, 2016
  3. Gein

    Gein Registered Member

    Joined:
    Dec 8, 2013
    Posts:
    190
It's being listed in task manager as DXMD.exe, and not showing up at all under the active processes section in webroot. The monitored game still shows up despite not being active, and there's another game too which is whitelisted, dota2.exe which it indicates is running in 3 separate instances, despite not being turned on. I think it's only doing this for steam games. I'm probably going to fill out a support ticket later.
     
  4. Triple Helix

    Triple Helix Specialist

    Joined:
    Nov 20, 2004
    Posts:
    12,764
    Location:
    Ontario, Canada
Well if it's running it will be listed under active processes and it could be under Steam's processes so it would be best to Contact support and they will let you know.
     
  5. Gein

    Gein Registered Member

    Joined:
    Dec 8, 2013
    Posts:
    190
    Well I managed to fix the no-longer-running processes thing. I terminated the processes in webroot which did nothing until I rebooted. After that, they no longer show up as running. But the Deus Ex game executable still does not show up in the active processes. I guess I'll mention this to them when they get back to me on the support ticket.
     
  6. Triple Helix

    Triple Helix Specialist

    Joined:
    Nov 20, 2004
    Posts:
    12,764
    Location:
    Ontario, Canada
    Why are you trying to find fault within WSA's Active Process section when there is none? I'm sure they will tell you what's going on and clear this matter up. If I could see a simple Scan Log I could tell you what's going on but that's up to Webroot and as I said they will let you know what's going on.
     
  7. Gein

    Gein Registered Member

    Joined:
    Dec 8, 2013
    Posts:
    190
I'm not trying to find fault, I was having some issues with deus ex and I figured I would try to turn the monitoring functions off to see if that would fix the issue. And that's when I noticed the oddities with the Active Process feature on my system.
     
  8. Triple Helix

    Triple Helix Specialist

    Joined:
    Nov 20, 2004
    Posts:
    12,764
    Location:
    Ontario, Canada
    Please let us know what support has to say as I'm not a gamer I don't use Steam and I would like to know what they say and learn from it as well.
     
  9. m0unds

    m0unds Registered Member

    Joined:
    Nov 12, 2015
    Posts:
    200
I can confirm the same thing on my PC + DXMD. I've run into it before with another game, but support was unable to figure out why it was happening (technically, they just never replied to me after I reinstalled WSA as instructed, but my assumption is they couldn't figure it out. This has become a common problem.)
     
  10. Triple Helix

    Triple Helix Specialist

    Joined:
    Nov 20, 2004
    Posts:
    12,764
    Location:
    Ontario, Canada
Honestly I don't know what you're saying, as I said I'm not a Gamer and don't use Gaming tools such as Steam so no I have not heard anything but I will check into it!

    Thanks,

    Daniel
     
  11. Triple Helix

    Triple Helix Specialist

    Joined:
    Nov 20, 2004
    Posts:
    12,764
    Location:
    Ontario, Canada
  12. m0unds

    m0unds Registered Member

    Joined:
    Nov 12, 2015
    Posts:
    200
    Usually, when you run an app on a PC w/WSA on it, it shows up in "Control Active Processes" within WSA. Unknown stuff will enter "monitored" status, other stuff is allowed or denied or whatever, as you know. For whatever reason, this particular game doesn't show up at all in "Control Active Processes" even when it's running.

    Nah, there's just some quirk keeping DXMD from even showing up in the "Control Active Processes" dialog within WSA. I haven't observed any crashes or anything. I was just confirming I couldn't see the executable in "running processes" in WSA. I checked after the patch came out for the game.

    I generally follow the same workflow with new games/windows updates as @Gein where I verify nothing is being "Monitored", as stuff will occasionally get stuck, even after Webroot has flagged it as "good"; DXMD (launcher or game) isn't showing up as a running process, even when the game is currently running. I previously ran into this with Elite Dangerous, IIRC. It never got resolved, but didn't seem to hurt anything so I didn't press Webroot about it beyond my initial ticket submission.
     
  13. Gein

    Gein Registered Member

    Joined:
    Dec 8, 2013
    Posts:
    190
    I'm not sure what caused some of the game executables to be stuck as running tbh, but it hasn't been doing it since I reinstalled. I sent in my log files, so we'll see what support says soon. I'm thinking with the DXMD.exe (deus ex executable) is a denuvo drm game. So for whatever reason the DRM software is making it so webroot can't see the game which is a weird interaction I think. I don't have any other denuvo games installed but I might re-download the new Doom game and see if it does the same thing.
     
    Last edited: Aug 30, 2016
  14. Triple Helix

    Triple Helix Specialist

    Joined:
    Nov 20, 2004
    Posts:
    12,764
    Location:
    Ontario, Canada
I have shown these last few posts to my Webroot contacts and they will be looking into this as they told me there have been no reports at the time.

    I will post any comments one way or another.

    Thanks,

    Daniel
     
  15. Gein

    Gein Registered Member

    Joined:
    Dec 8, 2013
    Posts:
    190
    They want me to schedule an appointment with the Webroot Advanced Malware Removal Team. I wonder what they found in my logs. Is the Advanced malware removal team as serious a deal as it sounds?
     
  16. Tarnak

    Tarnak Registered Member

    Joined:
    Feb 5, 2007
    Posts:
    4,737
    Sounds like Webroot canal therapy... Hopefully, not painful! :argh:
     
  17. Triple Helix

    Triple Helix Specialist

    Joined:
    Nov 20, 2004
    Posts:
    12,764
    Location:
    Ontario, Canada
    Well if it was something serious they would deal with it ASAP and not make an appointment so I wouldn't worry and please let us know what they say in the end.

    Thanks,

    Daniel
     
  18. boredog

    boredog Registered Member

    Joined:
    Feb 1, 2015
    Posts:
    2,499
    " I'm thinking with the DXMD.exe (deus ex executable) is a denuvo drm game."

    if this is true it is a rootkit as part of their DRM software.

    did you try running the exe's at virustotal?

    DXMD.exe & steam.exe
     
    Last edited: Sep 2, 2016
  19. Triple Helix

    Triple Helix Specialist

    Joined:
    Nov 20, 2004
    Posts:
    12,764
    Location:
    Ontario, Canada
    @Gein This is very interesting:


    Thanks for the Bug report!

    Daniel ;)

     
  20. Muddy3

    Muddy3 Registered Member

    Joined:
    May 31, 2010
    Posts:
    399
    Location:
    Belgium
    This is not good, but at the same time it sadly doesn't surprise me. Webroot Support are not of the same calibre as Prevx were (I found Prevx Support to be absolutely outstanding 99% of the time). Unfortunately, it really does depend who replies to your post. The best Support people are excellent, but too many are in my opinion just dumb.

This is one area where I think Webroot, which offers in my opinion a top-class AV product and this in no small way thanks to Prevx, lets itself down. This really should have been picked up when m0unds first contacted Support.
     
  21. Gein

    Gein Registered Member

    Joined:
    Dec 8, 2013
    Posts:
    190
    No problem, I'm glad they tracked it down.

    I haven't been home all that much the past few weeks, so I've been pretty slow to respond. They did indicate that the suspicious log entry was:
    Possible detection of CVE: 2016-08-25T17:54:45.500000000Z^^Additional Information: 2016-08-25T08:27:14.325778700Z^^^^This Event is generated when an attempt to exploit a known vulnerability (2016-08-25T17:54:45.500000000Z) is detected.^^This Event is raised by a User mode process.^^

    I'm sort of wondering where the logfile is grabbed from -- I couldn't find it in the windows event-viewer. It references a user mode process but it doesn't say which.
     
    Last edited: Sep 3, 2016
  22. Triple Helix

    Triple Helix Specialist

    Joined:
    Nov 20, 2004
    Posts:
    12,764
    Location:
    Ontario, Canada
It's a simple scan log when you open a support ticket. You may want to look at a scan log and post any MD5s that are under [U ] or under Monitoring.

    This is from my testing system for example:

    Thu 2016-09-01 12:31:15.0181 Begin passive write scan (6 file(s))
    Thu 2016-09-01 12:31:15.0412 End passive write scan (6 file(s))
    Thu 2016-09-01 12:32:26.0929 Monitoring process E:\Security Programs Folder\SlickVPN Folder\SlickVPN_installer_v0.1.384(gc837c5b).exe [AED7F3A59B1BF18EAD6EDAF755050795]. Type: 3 (4913)
    Thu 2016-09-01 12:32:26.0929 Monitoring process E:\Security Programs Folder\SlickVPN Folder\SlickVPN_installer_v0.1.384(gc837c5b).exe [AED7F3A59B1BF18EAD6EDAF755050795]. Type: 4 (4913)
    Thu 2016-09-01 12:32:26.0929 Monitoring process E:\Security Programs Folder\SlickVPN Folder\SlickVPN_installer_v0.1.384(gc837c5b).exe [AED7F3A59B1BF18EAD6EDAF755050795]. Type: 5 (4913)
    Thu 2016-09-01 12:32:26.0929 Monitoring process E:\Security Programs Folder\SlickVPN Folder\SlickVPN_installer_v0.1.384(gc837c5b).exe [AED7F3A59B1BF18EAD6EDAF755050795]. Type: 7 (4913)
    Thu 2016-09-01 12:32:26.0929 Monitoring process E:\Security Programs Folder\SlickVPN Folder\SlickVPN_installer_v0.1.384(gc837c5b).exe [AED7F3A59B1BF18EAD6EDAF755050795]. Type: 8 (4913)
    Thu 2016-09-01 12:32:26.0929 Monitoring process E:\Security Programs Folder\SlickVPN Folder\SlickVPN_installer_v0.1.384(gc837c5b).exe [AED7F3A59B1BF18EAD6EDAF755050795]. Type: 6 (4913)
    Thu 2016-09-01 12:32:27.0192 Monitoring process C:\Users\Daniel\AppData\Local\Temp\is-PE1RL.tmp\SlickVPN_installer_v0.1.384(gc837c5b).tmp [9303156631EE2436DB23827E27337BE4]. Type: 2 (4914)
    Thu 2016-09-01 12:32:27.0492 Monitoring process E:\Security Programs Folder\SlickVPN Folder\SlickVPN_installer_v0.1.384(gc837c5b).exe [AED7F3A59B1BF18EAD6EDAF755050795]. Type: 3 (4913)
    Thu 2016-09-01 12:32:27.0492 Monitoring process E:\Security Programs Folder\SlickVPN Folder\SlickVPN_installer_v0.1.384(gc837c5b).exe [AED7F3A59B1BF18EAD6EDAF755050795]. Type: 4 (4913)
    Thu 2016-09-01 12:32:27.0492 Monitoring process E:\Security Programs Folder\SlickVPN Folder\SlickVPN_installer_v0.1.384(gc837c5b).exe [AED7F3A59B1BF18EAD6EDAF755050795]. Type: 5 (4913)
    Thu 2016-09-01 12:32:27.0492 Monitoring process E:\Security Programs Folder\SlickVPN Folder\SlickVPN_installer_v0.1.384(gc837c5b).exe [AED7F3A59B1BF18EAD6EDAF755050795]. Type: 7 (4913)
    Thu 2016-09-01 12:32:27.0492 Monitoring process E:\Security Programs Folder\SlickVPN Folder\SlickVPN_installer_v0.1.384(gc837c5b).exe [AED7F3A59B1BF18EAD6EDAF755050795]. Type: 8 (4913)
    Thu 2016-09-01 12:32:27.0492 Monitoring process E:\Security Programs Folder\SlickVPN Folder\SlickVPN_installer_v0.1.384(gc837c5b).exe [AED7F3A59B1BF18EAD6EDAF755050795]. Type: 6 (4913)
    Thu 2016-09-01 12:32:27.0730 Monitoring process C:\Users\Daniel\AppData\Local\Temp\is-VMV5A.tmp\SlickVPN_installer_v0.1.384(gc837c5b).tmp [9303156631EE2436DB23827E27337BE4]. Type: 2 (4914)
    Thu 2016-09-01 12:32:45.0393 Monitoring process D:\Program Files (x86)\SlickVPN\resources\bin\win32\tapinstall_NDIS6_64.exe [C00F0581FDE41603BA3E07B1B3CF7DCF]. Type: 2 (4920)
    Thu 2016-09-01 12:32:45.0462 Monitoring process D:\Program Files (x86)\SlickVPN\resources\bin\win32\tapinstall_NDIS6_64.exe [C00F0581FDE41603BA3E07B1B3CF7DCF]. Type: 2 (4920)
    Thu 2016-09-01 12:32:45.0909 Monitoring process D:\Program Files (x86)\SlickVPN\resources\bin\win32\slickvpnsrvc\slickvpnsrvc.exe [2B888D02D2C603B0CEE7F9CF7820EC34]. Type: 2 (4964)
    Thu 2016-09-01 12:32:46.0031 Monitoring process D:\Program Files (x86)\SlickVPN\resources\bin\win32\slickvpnsrvc\slickvpnsrvc.exe [2B888D02D2C603B0CEE7F9CF7820EC34]. Type: 2 (4964)
    Thu 2016-09-01 12:32:47.0195 Begin passive write scan (32 file(s))
    Thu 2016-09-01 12:32:47.0548 End passive write scan (32 file(s))
    Thu 2016-09-01 12:32:47.0579 Monitoring process D:\Program Files (x86)\SlickVPN\slickvpn.exe [5B559BAD9F3FBC1EC3AF3067108E6513]. Type: 2 (4944)

    Daniel
     
    Last edited: Sep 3, 2016
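As an added example (not code from the post, from Webroot, or from any Webroot tool), here is a small parser that pulls the path, MD5, type code and PID out of the "Monitoring process" lines of a scan log like the one quoted above and collapses the repeats into one entry per hash, which is the list of MD5s the post suggests sending to support. The field layout is my reading of those log lines, not a documented format; the sample input is a handful of lines copied from the log excerpt above.

```python
import re
from collections import defaultdict

# Layout of the "Monitoring process" lines in the scan log excerpt above. The
# field names are my reading of those lines, not a documented Webroot format:
#   <Day> <YYYY-MM-DD> <HH:MM:SS.ffff> Monitoring process <path> [<MD5>]. Type: <n> (<pid>)
MONITOR_RE = re.compile(
    r"^(?P<day>[A-Za-z]{3}) (?P<date>\d{4}-\d{2}-\d{2}) (?P<time>[\d:.]+) "
    r"Monitoring process (?P<path>.+) \[(?P<md5>[0-9A-Fa-f]{32})\]\. "
    r"Type: (?P<type>\d+) \((?P<pid>\d+)\)$"
)

# Sample input: lines copied from the scan log in the post above, including the
# two passive-scan lines, which the parser is expected to skip.
SAMPLE_LOG = r"""Thu 2016-09-01 12:31:15.0181 Begin passive write scan (6 file(s))
Thu 2016-09-01 12:31:15.0412 End passive write scan (6 file(s))
Thu 2016-09-01 12:32:26.0929 Monitoring process E:\Security Programs Folder\SlickVPN Folder\SlickVPN_installer_v0.1.384(gc837c5b).exe [AED7F3A59B1BF18EAD6EDAF755050795]. Type: 3 (4913)
Thu 2016-09-01 12:32:26.0929 Monitoring process E:\Security Programs Folder\SlickVPN Folder\SlickVPN_installer_v0.1.384(gc837c5b).exe [AED7F3A59B1BF18EAD6EDAF755050795]. Type: 4 (4913)
Thu 2016-09-01 12:32:27.0192 Monitoring process C:\Users\Daniel\AppData\Local\Temp\is-PE1RL.tmp\SlickVPN_installer_v0.1.384(gc837c5b).tmp [9303156631EE2436DB23827E27337BE4]. Type: 2 (4914)
Thu 2016-09-01 12:32:45.0393 Monitoring process D:\Program Files (x86)\SlickVPN\resources\bin\win32\tapinstall_NDIS6_64.exe [C00F0581FDE41603BA3E07B1B3CF7DCF]. Type: 2 (4920)
Thu 2016-09-01 12:32:47.0579 Monitoring process D:\Program Files (x86)\SlickVPN\slickvpn.exe [5B559BAD9F3FBC1EC3AF3067108E6513]. Type: 2 (4944)
"""


def parse_monitor_lines(text):
    """Return one dict per 'Monitoring process' line; every other line is ignored."""
    records = []
    for line in text.splitlines():
        m = MONITOR_RE.match(line.strip())
        if m:
            rec = m.groupdict()
            rec["type"] = int(rec["type"])
            rec["pid"] = int(rec["pid"])
            rec["md5"] = rec["md5"].upper()
            records.append(rec)
    return records


def summarize_by_hash(records):
    """Collapse repeated lines into one entry per MD5, keeping every path, PID
    and type code seen for that hash, plus how many log events it produced."""
    summary = defaultdict(
        lambda: {"paths": set(), "pids": set(), "types": set(), "events": 0}
    )
    for rec in records:
        entry = summary[rec["md5"]]
        entry["paths"].add(rec["path"])
        entry["pids"].add(rec["pid"])
        entry["types"].add(rec["type"])
        entry["events"] += 1
    return dict(summary)


def monitored_hashes(text):
    """Distinct MD5s of monitored processes, in first-seen order."""
    seen = []
    for rec in parse_monitor_lines(text):
        if rec["md5"] not in seen:
            seen.append(rec["md5"])
    return seen


if __name__ == "__main__":
    # Print one line per hash: MD5, event count, PIDs, and the paths it ran from.
    for md5, info in summarize_by_hash(parse_monitor_lines(SAMPLE_LOG)).items():
        print(md5, info["events"], "event(s)", sorted(info["pids"]), sorted(info["paths"]))
```

Run it against a saved scan log instead of SAMPLE_LOG to get the de-duplicated hash list; the same hash appearing under several paths (here the installer and its temp copy have different hashes, but a single binary can be launched from several locations) is worth calling out when reporting, since support whitelists by hash, not by path.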
  23. Triple Helix

    Triple Helix Specialist

    Joined:
    Nov 20, 2004
    Posts:
    12,764
    Location:
    Ontario, Canada
    How come you don't say anything at the Webroot Community if you feel this way? This is the first I heard that from you.

Joe did a lot of the support here on Wilders and Webroot does have a great user experience for its users via the Ticket Support system and I find them top notch but some issues such as this need to go above the standard support channels and I try my best to get them elevated such as in this case.
     
  24. Gein

    Gein Registered Member

    Joined:
    Dec 8, 2013
    Posts:
    190
    They're all listed as [G]. I'm not seeing anything listed as monitored.
     
  25. Triple Helix

    Triple Helix Specialist

    Joined:
    Nov 20, 2004
    Posts:
    12,764
    Location:
    Ontario, Canada
How about any [U ] files? If there are none they must have whitelisted all of your unknowns. Shai is a great guy and very high up in the Webroot Support Department and as I said if it was something urgent or an infection they would have dealt with it ASAP, not make an appointment.

    HTH,

    Daniel ;)
     