What the hell just happened?

Discussion in 'Prevx Betas' started by x942, Oct 8, 2011.

Thread Status:
Not open for further replies.
  1. x942

    x942 Guest

    I booted my computer today and all of a sudden WSA started detecting EVERYTHING (well after it hit 40% done) as infected.certificate. My settings were on default. My system is locked down, I do scans every hour, I use SRP, and sandboxie. I know I am NOT infected. WTH is WSA detecting? It even says Eset Nod32 is infected. Eset Nod32 sees nothing at all. MBAM Sees nothing (both set to highest settings).


    Sadly WSA successfully killed this install by removing critical system files (including conhost.exe and explorer.exe).




    What is "infected.certificate"?
     
    Last edited by a moderator: Oct 8, 2011
  2. PrevxHelp

    PrevxHelp Former Prevx Moderator

    Joined:
    Sep 14, 2008
    Posts:
    8,242
    Location:
    USA/UK
    Infected.Certificate is shown when certain file infectors are found. Could you write into our support inbox and send them a scan log so that they can help you? I'm unfortunately traveling all weekend.

    Sorry for the inconvenience but we'll help get this resolved for you ASAP.
     
  3. x942

    x942 Guest

    Unfortunately I can't. My system uses PGP Full Disk Encryption and since Windows won't boot at all (PGP was removed as well) I can't do anything. The PGP bootloader just freaks out when I supply my password. It says invalid partition and just flashes over and over.

    I can say that this was a fresh install so the likelihood of infection is slim. I have only visited security sites and installed WebRoot, Eset Nod 32, PGP, MBAM and Sandboxie.


    Thanks for the reply :thumb: This is probably an issue of Beta or a conflict with something.

    I should add it didn't detect anything until I was in safe mode. In a normal boot all was well.
     
  4. PrevxHelp

    PrevxHelp Former Prevx Moderator

    Joined:
    Sep 14, 2008
    Posts:
    8,242
    Location:
    USA/UK
    I've dug deeper and believe I've found the cause. This will only come into play if you have raised heuristic settings, but it looks like the discrepancy is because of the disk encryption passing file detail back differently. It's effectively showing the files as not validly signed when reading past the encryption (as WSA reads below the OS layer).

    I'll be including a fix for this in the next update. Sorry again for the inconvenience but this behavior should be significantly improved in build 8.0.0.48+.

    Let me know if you have any questions.
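
To make the mechanism described in the post above concrete, here is a small added simulation. It is not Webroot/Prevx code and does not reproduce the actual WSA fix: it uses a constructed encrypted volume (a SHA-256 keystream standing in for a real FDE sector cipher), a constructed HMAC tag standing in for an Authenticode signature, and a scanner that reads a system file either through the OS (where the FDE driver decrypts transparently) or directly from sectors below the OS layer. The "fix" it shows, falling back to the OS read path when the volume is encrypted, is one assumed remedy, not the one the thread describes.

```python
import hashlib
import hmac

SECTOR = 512


def keystream(volume_key: bytes, lba: int) -> bytes:
    # Per-sector keystream derived from the volume key and sector number.
    # Constructed stand-in for an FDE sector cipher; not a real XTS implementation.
    out = b""
    ctr = 0
    while len(out) < SECTOR:
        out += hashlib.sha256(volume_key + lba.to_bytes(8, "big")
                              + ctr.to_bytes(4, "big")).digest()
        ctr += 1
    return out[:SECTOR]


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


class EncryptedVolume:
    """Sectors are stored encrypted. read_via_os() models the FDE filter driver
    decrypting transparently; read_below_os() models a scanner reading raw sectors."""

    def __init__(self, volume_key: bytes):
        self.key = volume_key
        self.sectors = {}   # lba -> encrypted 512-byte sector
        self.files = {}     # path -> (first_lba, length)

    def write_file(self, path: str, data: bytes, first_lba: int) -> None:
        padded = data + b"\x00" * (-len(data) % SECTOR)
        for off in range(0, len(padded), SECTOR):
            lba = first_lba + off // SECTOR
            self.sectors[lba] = xor_bytes(padded[off:off + SECTOR], keystream(self.key, lba))
        self.files[path] = (first_lba, len(data))

    def _extent(self, path: str):
        first, length = self.files[path]
        return first, length, (length + SECTOR - 1) // SECTOR

    def read_via_os(self, path: str) -> bytes:
        first, length, n = self._extent(path)
        plain = b"".join(xor_bytes(self.sectors[first + i], keystream(self.key, first + i))
                         for i in range(n))
        return plain[:length]

    def read_below_os(self, path: str) -> bytes:
        first, length, n = self._extent(path)
        return b"".join(self.sectors[first + i] for i in range(n))[:length]


# --- Signed system file: constructed stand-in for an Authenticode-signed PE ----
TAG_LEN = 32


def sign_image(body: bytes, signer_key: bytes) -> bytes:
    # image = body || HMAC-SHA256(body). Real Authenticode embeds a PKCS#7
    # signature over the PE hash instead; the trust decision is analogous.
    return body + hmac.new(signer_key, body, hashlib.sha256).digest()


def signature_valid(image: bytes, signer_key: bytes) -> bool:
    if len(image) <= TAG_LEN:
        return False
    body, tag = image[:-TAG_LEN], image[-TAG_LEN:]
    return hmac.compare_digest(hmac.new(signer_key, body, hashlib.sha256).digest(), tag)


# --- Scanner heuristic (constructed) --------------------------------------------
INFECTED_CERTIFICATE = "Infected.Certificate"
CLEAN = "clean"


def classify(image: bytes, signer_key: bytes, heuristics_raised: bool) -> str:
    # Raised-heuristics rule: a system file whose signature does not validate is
    # reported. Default heuristics do not apply the rule.
    if heuristics_raised and not signature_valid(image, signer_key):
        return INFECTED_CERTIFICATE
    return CLEAN


def scan(vol: EncryptedVolume, path: str, signer_key: bytes,
         heuristics_raised: bool, below_os: bool, encryption_aware: bool) -> str:
    # Assumed fix (encryption_aware=True): on an encrypted volume, fall back to
    # the OS path so the bytes being verified are the decrypted file.
    if below_os and not encryption_aware:
        data = vol.read_below_os(path)
    else:
        data = vol.read_via_os(path)
    return classify(data, signer_key, heuristics_raised)


def demo() -> dict:
    volume_key = b"constructed-volume-key"
    signer_key = b"constructed-vendor-signing-key"
    vol = EncryptedVolume(volume_key)
    path = r"C:\Windows\System32\conhost.exe"   # constructed sample file
    image = sign_image(b"MZ" + b"\x00" * 2000 + b"conhost body (constructed)", signer_key)
    vol.write_file(path, image, first_lba=4096)
    return {
        "os_read_raised":   scan(vol, path, signer_key, True,  below_os=False, encryption_aware=False),
        "raw_read_default": scan(vol, path, signer_key, False, below_os=True,  encryption_aware=False),
        "raw_read_raised":  scan(vol, path, signer_key, True,  below_os=True,  encryption_aware=False),
        "raw_read_fixed":   scan(vol, path, signer_key, True,  below_os=True,  encryption_aware=True),
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:17s} -> {verdict}")
```

Only the combination the post describes (raised heuristics plus a raw read below the encryption layer) produces the false Infected.Certificate verdict; the same file read through the OS, or scanned at default heuristics, is clean.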
     
  5. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    Unfortunately FPs are something that will always happen. Some apps have more than others, but they still happen. It's quite problematic when it happens with the OS's own files.

    This is one of the reasons why I always advise people to have their antimalware apps set only to alert/block, but not clean/delete.
     
  6. x942

    x942 Guest

    Awesome! I did lower it and it still detected the threats, I assume it was because I didn't clear it out after each scan.

    This is why I love prevx/webroot; Awesome support! :thumb:

    Thanks for your help!
     