WSA Issue with KB2742595

Discussion in 'Prevx Releases' started by Alexhousek, Nov 2, 2013.

Thread Status:
Not open for further replies.
  1. Alexhousek

    Alexhousek Registered Member

    Joined:
    Jul 25, 2009
    Posts:
    410
    Location:
    USA--Colorado
    I posted this 3 hours ago on the WSA forums, but have received no responses, so I thought I would post here as well.

    I decided this afternoon to do several .NET 4 Framework Windows Updates. I walked away to eat some lunch. When I came back, I saw that one of the updates failed. And, I noticed that WSA had popped up with a PUA.Conduit error.

    So, I attempted to install the Windows Update again. WSA popped up again. I saw that for some reason, it was pointing to a file on my external HD (J:), so I unplugged it (USB). And, I tried the installation of the Windows Update again. Same message or pop-up with WSA, only this time it's pointing to a setup.exe file on C drive.

    As you can tell below, WSA has blocked that file. I'm wondering if I should click "monitor" on that file and try installing the Windows Update again?

    WSA issue.jpg

    Is there a way to have WSA flag this as ok?
     
    Last edited: Nov 2, 2013
  2. Triple Helix

    Triple Helix Webroot Product Advisor

    Joined:
    Nov 20, 2004
    Posts:
    12,012
    Location:
    Ontario, Canada
    I have it installed I wonder why it's being detected now? Are you getting it via Windows Update? If you are I would set to Monitor and Submit a Support Ticket and find out why it's being detected and if it does need to be whitelisted then it will Auto Allow!

    Also some info here: http://support.microsoft.com/kb/2742595

    Daniel

    03-11-2013 12-10-20 AM.png
     
    Last edited: Nov 3, 2013
  3. PrevxHelp

    PrevxHelp Former Prevx Moderator

    Joined:
    Sep 14, 2008
    Posts:
    8,242
    Location:
    USA/UK
    I saw another file blocked recently with that same PUA.Conduit detection. Could you write into our support inbox or email me a log file to my username at gmail.com so that I can take a look?

    Thanks!
     
  4. Alexhousek

    Alexhousek Registered Member

    Joined:
    Jul 25, 2009
    Posts:
    410
    Location:
    USA--Colorado
    I sent an email with the logs to 'report@prevxresearch.com'. I found that address in an older WRData thread. I'll go ahead now and also send them to your email address.

    Thank you.
     
  5. PrevxHelp

    PrevxHelp Former Prevx Moderator

    Joined:
    Sep 14, 2008
    Posts:
    8,242
    Location:
    USA/UK
    Thanks - I received them and have passed it on to our threat research team. The @prevxresearch.com address is not monitored: information like this should ideally just go to the support inbox where our threat researchers are standing by, or I can send it over myself if sent to me directly.
     
  6. fax

    fax Registered Member

    Joined:
    May 30, 2005
    Posts:
    3,731
    Location:
    localhost
    Yes, PUA.Conduit. I have the same on a checkpoint digitally signed file. But checkpoint left Conduit several years ago. I have the impression the detection is going too far (.e.g. just read publisher "conduit" and that flag it... ehm, no... does not work like this unless you want to generate a lot of false positives!)

    Struggling also to get some kaspersky/checkpoint files whitelisted from support... That they suggested to keep monitoring.. you never know... what? :blink:

    I have the impression writing to support to get file whitelisted faster does not work anymore or may be I just found a stubborn first line of support.
     
    Last edited: Nov 3, 2013
  7. PrevxHelp

    PrevxHelp Former Prevx Moderator

    Joined:
    Sep 14, 2008
    Posts:
    8,242
    Location:
    USA/UK
    Can you PM me your email address? I'll see where it's assigned and get it moved over if needed.

    Thanks!
     
  8. Alexhousek

    Alexhousek Registered Member

    Joined:
    Jul 25, 2009
    Posts:
    410
    Location:
    USA--Colorado
    I assume that you were referring to Fax and not my original post?

    Support did ask me to download and run wsalogs.exe; which I did. It automatically sent my logs to support, as I understand. I am waiting on a response.
     
  9. Triple Helix

    Triple Helix Webroot Product Advisor

    Joined:
    Nov 20, 2004
    Posts:
    12,012
    Location:
    Ontario, Canada
    Did you let them know after that you uploaded wsalogs? If you did then yes just wait till they reply if not let them know it was uploaded and wait for a reply.

    Daniel
     
  10. Alexhousek

    Alexhousek Registered Member

    Joined:
    Jul 25, 2009
    Posts:
    410
    Location:
    USA--Colorado
    Just a quick update on this issue:

    Support sent me a note today to uninstall WSA, reboot, re-name the WRData folder to WRData1 (but, it no longer existed after the reboot; which they indicated might happen), and then re-install WSA.

    I did all that and it went off without a hitch. I haven't, however, re-attempted to download and/or install the Windows Update yet. (I'm kind of paranoid now to even try it.....)
     
  11. Triple Helix

    Triple Helix Webroot Product Advisor

    Joined:
    Nov 20, 2004
    Posts:
    12,012
    Location:
    Ontario, Canada
    I would try again and please let us know and if it continues keep in contact with support until it is corrected.

    Daniel
     
  12. PrevxHelp

    PrevxHelp Former Prevx Moderator

    Joined:
    Sep 14, 2008
    Posts:
    8,242
    Location:
    USA/UK
    I agree with TH - we've corrected the underlying rule so you should be good to go!
     
  13. Alexhousek

    Alexhousek Registered Member

    Joined:
    Jul 25, 2009
    Posts:
    410
    Location:
    USA--Colorado
    UPDATE: I finally had some time to 1) do a backup with AX64, and 2) complete my windows updates.

    All is well in the Alexhousek household! The windows update did it's thing; downloaded and installed, and it seemed to go just fine.

    It was one of those few updates (. NET 4) that didn't require a re-boot. So, I haven't done that yet, but all appears good.

    Thanks to the support team at WSA! Great job!
     
  14. PrevxHelp

    PrevxHelp Former Prevx Moderator

    Joined:
    Sep 14, 2008
    Posts:
    8,242
    Location:
    USA/UK
    Glad to hear it!
     
Thread Status:
Not open for further replies.