Why did Webroot miss infected files?

Discussion in 'other anti-virus software' started by Drifter104, Aug 18, 2014.

Thread Status:
Not open for further replies.
  1. Drifter104

    Drifter104 Registered Member

    Joined:
    Mar 25, 2010
    Posts:
    12
    Quick bit of info

    Firstly I'm not trying to suggest the product is bad we have it installed everywhere, but I'm looking for viable reasons as to why the following happened.

    Laptop with webroot installed, linked to central administration.
    Recently had a pop up from ransomware, ran scans with webroot and it found nothing. I ran scans with another AV product using an online scanner and it found 864 infected files.

    I downloaded the same product and installed it alongside webroot and ran scans, the first scan was with the preloaded def files that came with the product download which are very old. It found 80 infected files and removed. I then updated the def files and it found the rest of the files and removed them.

    What I'm trying to work out is why webroot missed them, as I've eliminated the 0 day element. I'm wondering if there is something in the configuration that is not set high enough or not enabled. The real time shield is showing as enabled and was all along.

    Some advice on what to check would be appreciated. If it is of any help the other AV product identified the infections as

    Win32/Filecoder.CR trojan
    Win32/Filecoder.CR.Gen trojan
    A variant of Win32/kryptik.CDOU trojan
    A variant of Win32/kryptik.CCXN trojan

    The management are asking if it didn't show up on one machine what is to say all the other machines aren't infected. I need something solid to go back with other than I'm sure they aren't.
     
  2. NWOAbschaum

    NWOAbschaum Registered Member

    Joined:
    Feb 9, 2014
    Posts:
    185
    Location:
    Germany
    Maybe Webroot just missed them. Webroot doesn't have the best detection rate, and infections can always happen with any AV installed.
     
  3. ronjor

    ronjor Global Moderator

    Joined:
    Jul 21, 2003
    Posts:
    57,770
    Location:
    Texas
  4. fax

    fax Registered Member

    Joined:
    May 30, 2005
    Posts:
    3,729
    Location:
    localhost
    Well, a non active/broken/dead infection? or false positive (e.g. GEN + variant)? Your "other" AV is prone to false positives... 864 infected files sounds way too much...

    You need to check where these files were located. Files? Or registry entries, or a mix?
    From the quarantine (don't tell me you have removed them) you will need to check with VirusTotal the verdict from other antiviruses. Don't post it here as it is against forum rules.

    Finally you should contact Webroot support and send them the log of the other AV, as their team can investigate the issue further.

    As you are speaking about "management" then I guess you have business install. Even more important to get support directly via webroot channels.

    Cheers,
    Fax
     
  5. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,374
    I'd add that these detections come from ESET. Win32/Kryptik.CDOU is an older generic malware detection from June 6th, 2014. It's likely that this Cryptolocker would have been recognized and blocked by Advanced memory scanner even before, as it takes advantage of HIPS to analyze files upon execution.

    And no, ESET is not prone to false positives at all. Quite the contrary :)
     
  6. fax

    fax Registered Member

    Joined:
    May 30, 2005
    Posts:
    3,729
    Location:
    localhost
    oh, here it does produce false positives... ;) but I don't want to open an off-topic discussion on an old dispute with no solution other than lawyers. :thumb:
     
  7. Rompin Raider

    Rompin Raider Registered Member

    Joined:
    May 6, 2010
    Posts:
    1,228
    Location:
    North Texas
    If you're serious about help for Webroot, go to their help forums. That's what they are there for.
     
  8. phyniks

    phyniks Registered Member

    Joined:
    Jun 3, 2011
    Posts:
    258
    Webroot claims to have the best rollback system..... But the problem is

    the rollback process depends on what kind of malware you have been infected with (and its severity).

    There are lots of cases in which the system is not repairable.

    So, just like in health, prevention is far better than cure.
     
  9. zfactor

    zfactor Registered Member

    Joined:
    Mar 10, 2005
    Posts:
    6,012
    Location:
    on my zx10-r
    one thing it seems people forget many times is no av is perfect. i have seen systems get infected with every av out there. webroot and eset both are not perfect (sorry marcos, as much as i love eset i have seen it miss things, while it's very rare it has happened). sadly this is the way it is with AVs. as far as having near 900 files detected, many could be nothing more than sitting there as leftovers or internet history/cache etc. i get calls many times where someone says i ran a scan with x brand av and it shows 100+ infections, please come out right away. then when i check the system many times the majority of those are not doing anything at all to the system and are anything from leftovers to stuff already removed, registry keys doing nothing, cache etc etc. many times something that is considered malicious to one av is not by another.

    but you will not get any better support where webroot is concerned than by going to their forums. i personally know people who had webroot (for free!!) connect to their system to clean it for them while they watched. imo that's awesome customer service. otherwise triple helix is here and i would also be happy to help if needed.

    imo i would run a scan with the following: hitman pro (not what it used to be imo but still a good second opinion scanner), malwarebytes, and one of my favorite stand alone scanners is dr web cure it. i find it can and does find things others sometimes miss, especially keyloggers.
     
  10. zfactor

    zfactor Registered Member

    Joined:
    Mar 10, 2005
    Posts:
    6,012
    Location:
    on my zx10-r
    agreed. 100% prevention is ALWAYS the best medicine. i have seen the rollback work very well though, but yes depending on the severity it may not always work.
     
  11. Drifter104

    Drifter104 Registered Member

    Joined:
    Mar 25, 2010
    Posts:
    12
    Yes the "other" av was Eset but I didn't state that before because as I said I didn't want to turn it into a webroot v xxxx thread. I want to hope that there was something wrong with the setup here rather than the infection being missed, assuming it was a live infection not "left overs"

    I do have the quarantine still Fax so will pop over to virustotal, as for the file location they were all over the place. system folders and also in places like the oem drivers folder in the root of c:

    I'll stick a post up on webroot forums too.

    Cheers ppl
     
  12. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,374
    That's not a false positive but a correct PUA detection. Anyways, this thread is about a completely different subject so we won't continue discussing PUA detections here. Just wanted to put things right for those who read this and point out that ESET is NOT prone to false positives at all.
     
  13. fax

    fax Registered Member

    Joined:
    May 30, 2005
    Posts:
    3,729
    Location:
    localhost
    Agree, no off-topic. But I still stand correct, let's call it PUA false positive. ;)
    Sorry no more follow-up on this here. Thanks.
     
  14. cruelsister

    cruelsister Registered Member

    Joined:
    Nov 6, 2007
    Posts:
    976
    Location:
    Paris
    Drifter- If this is a true Ransomware encryptor (Filecoder.CR trojan), all you will have to do is see if any doc, txt, jpg, etc files are encrypted. Here's something that may help:

    1). Malware cryptor is run.
    2). It searches local drives and network shares for various file formats (like the 3 listed above). It will encrypt them.
    3). Normally the malware file itself will self-delete.
    4). It will create both text files and HTML files on the desktop and within every folder with the "Your files are encrypted" sort of message.

    Please note: although NONE of your personal documents that were trashed will show up as infected by any scanner that I know of, all of these messages will (and there will be a bunch). A more important point for you is that certain anti-malware applications will allow the creation of the malware warning messages but at the same time will actually prevent any file encryption from occurring.

    So- help us out by answering:

    1). Were ANY documents on the computer encrypted?
    2). What was the "other AV product" that you used to check for infection?
    3). Give one or two examples of what that product found.
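The four-step sequence above leaves two artefacts a defender can check for without any AV verdict: the same ransom note repeated in folder after folder, and document files whose contents no longer look like documents. The script below is an added example, not code from the thread or from any vendor; the file extensions, the 7.5 bits/byte entropy threshold, the three-folder minimum and the sample tree it builds are constructed assumptions.

```python
# Added triage example, not from the thread; thresholds and sample tree are constructed.
import math
import os
import tempfile
from collections import Counter

DOC_EXTS = {".doc", ".docx", ".txt", ".jpg", ".pdf", ".xls"}   # formats a cryptor targets
NOTE_EXTS = {".txt", ".html", ".url"}           # formats the notes were reported in
NOTE_MARKERS = (b"your files are encrypted", b"decrypt")
NOTE_MIN_FOLDERS = 3        # the same note name in this many folders is suspicious
ENTROPY_THRESHOLD = 7.5     # bits/byte: text is ~4-5, encrypted/compressed data near 8

def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte; 0.0 for empty input."""
    if not data:
        return 0.0
    return -sum(c / len(data) * math.log2(c / len(data)) for c in Counter(data).values())

def triage(root: str) -> dict:
    """Return repeated ransom-note names (with folder counts) and likely-encrypted documents."""
    note_folders, encrypted = Counter(), []
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            ext = os.path.splitext(name)[1].lower()
            with open(path, "rb") as fh:
                data = fh.read(65536)           # a 64 KiB prefix is enough to judge
            if ext in NOTE_EXTS and any(m in data.lower() for m in NOTE_MARKERS):
                note_folders[name] += 1         # a note is not an encrypted document
            elif ext in DOC_EXTS and shannon_entropy(data) > ENTROPY_THRESHOLD:
                encrypted.append(path)
    notes = {n: c for n, c in note_folders.items() if c >= NOTE_MIN_FOLDERS}
    return {"notes": notes, "encrypted": sorted(encrypted)}

def build_sample_tree() -> str:
    """Constructed victim tree: per folder a note, a 'ciphertext' .docx (random bytes), an untouched text file."""
    root = tempfile.mkdtemp(prefix="triage_")
    for folder in ("Documents", "Pictures", "Desktop"):
        d = os.path.join(root, folder)
        os.makedirs(d)
        files = {"DECRYPT_INSTRUCTIONS.txt": b"Your files are encrypted. Pay to decrypt.\n",
                 "report.docx": os.urandom(8192),
                 "readme.txt": b"Quarterly notes, plain text and unchanged.\n" * 40}
        for name, content in files.items():
            with open(os.path.join(d, name), "wb") as fh:
                fh.write(content)
    return root

if __name__ == "__main__":
    print(triage(build_sample_tree()))
```

Run against a real profile the "notes" count answers question 1 directly, and any path in "encrypted" is a file to compare against backup rather than a sample to submit to a scanner.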
     
  15. TonyW

    TonyW Registered Member

    Joined:
    Oct 12, 2005
    Posts:
    2,634
    Location:
    UK
    One thing to bear in mind is that when another AV is installed alongside Webroot, the latter will let the other product take over if it finds the detection first.
     
  16. Triple Helix

    Triple Helix Webroot Product Advisor

    Joined:
    Nov 20, 2004
    Posts:
    12,012
    Location:
    Ontario, Canada
    Sounds like AV malware testing to me, and it has been said no AV is perfect; you need to have brains. No typical consumer will have 864 infected files? Also read this on this new ransomware Zero Locker: http://www.webroot.com/blog/2014/08/14/zero-locker/ and notice the Question/Answer section at the bottom by Webroot's Tyler Moffitt:

    TH
     
    Last edited: Aug 18, 2014
  17. waters

    waters Registered Member

    Joined:
    Nov 8, 2004
    Posts:
    934
    Rubbish, my mother in law did
     
  18. Minimalist

    Minimalist Registered Member

    Joined:
    Jan 6, 2014
    Posts:
    5,069
    Yes that is when both of them are running at the same time. Which is not the case here.
     
  19. Drifter104

    Drifter104 Registered Member

    Joined:
    Mar 25, 2010
    Posts:
    12
    I'm sorry but that is at best a disillusioned statement; in my previous job I would regularly clean up machines that had infections in the high hundreds, where customers would join us having previously had no/free/poor AV software.
    I'm well aware that no AV is 100% effective and in each of my posts I have been keen to say I'm not looking to bash webroot. I used Eset for 6 years so I'm more comfortable with it and I know it inside and out, but I'm not that familiar with webroot. Which was the whole point to the thread to ask those that are familiar with it to point me in the right direction on the assumption the cause was configuration/setup based, not a poor product. If I was blaming the product it would simply be gone already and replaced.

    Hi

    1) Yes in each of the locations where I found a set of files relating to the decryption I found encrypted files
    2) Eset
    3) .url .txt .html in each location but I think the source of the infection was the following two files. \appdata\local\temp\kb42906329.exe and \appdata\local\temp\cwqo.dll these were identified as the win32/kryptik infections (see first post)
     
  20. fax

    fax Registered Member

    Joined:
    May 30, 2005
    Posts:
    3,729
    Location:
    localhost
    Assuming those files were malware, then I can guess a non-active/non-functional malware and therefore no action needed by WSA. Just broken files.
    This would also explain why the system was working fine even with more than 800 mixed components here and there; if active they would have killed any system.
    Finally I would check if WSA was shut down for any reason by the user. Or even better, if WSA can be paused or exited at all by the users. This should not be allowed in an Enterprise environment. IMO, a good temp cleaner software could have been used for removing the clutter..

    Have you posted at webroot forum? Can't see a post there... hopefully this is not yet another thread with high claims but not solid evidence provided.
     
    Last edited: Aug 19, 2014
  21. Drifter104

    Drifter104 Registered Member

    Joined:
    Mar 25, 2010
    Posts:
    12
    Thanks again Fax.

    I created a support ticket but I've yet to get a response. Is straight to the forum a better approach with webroot?
     
  22. GreekGuy

    GreekGuy Registered Member

    Joined:
    Oct 6, 2011
    Posts:
    41
    Location:
    Toronto, CANADA
    My experience with Webroot's tech support is they usually get back to me within 24-48hrs.

    On the other hand, response times to "help me" type questions on Webroot's forum are typically less than a couple of hours.
     
  23. Triple Helix

    Triple Helix Webroot Product Advisor

    Joined:
    Nov 20, 2004
    Posts:
    12,012
    Location:
    Ontario, Canada
    Sorry but I see 800+ files and why WSA didn't detect them and I post as I see it. And yes come and post at the Webroot Community and please let us know what support has to say after they look at your Scan Logs as I'm interested in what they have to say!

    Thanks,

    Daniel :)
     
  24. cruelsister

    cruelsister Registered Member

    Joined:
    Nov 6, 2007
    Posts:
    976
    Location:
    Paris
    I guess we are making this topic more complicated than it should be. Webroot depends on definition based detection and does not have any intrinsic file protection for true zero day samples (and these are being produced and sold in small batches on the DarkWeb on a daily basis).

    As can be seen on a Webroot Blog: http://community.spiceworks.com/top...n-to-encrypting-ransomware-webroot-threatblog

    "but just in case of new zero day variants remember that with encrypting ransomware the best protection is going to be a good backup solution"

    In other words, if you run across a new sample you are out of luck.
     
  25. fax

    fax Registered Member

    Joined:
    May 30, 2005
    Posts:
    3,729
    Location:
    localhost
    Not based on definitions but on behaviour only; files are then marked as good or bad with a signature. So no action/behaviour, no reaction.
     