WSA Problem.

Discussion in 'Prevx Releases' started by Taliscicero, Aug 19, 2013.

Thread Status:
Not open for further replies.
  1. Taliscicero

    Taliscicero Registered Member

    Joined:
    Feb 7, 2008
    Posts:
    1,439
    Just a warning to anyone who cares. I put WSA Complete on my girlfriend's computer, which was a second-hand computer reformatted to almost basics. I ran HMP to make sure there was nothing on the machine and it was clean. I then installed WSA Complete. WSA in its install scan detected Scvhost.exe & Exploror.exe as malware and my girlfriend deleted them thinking it found real malware. She rebooted the machine and then there was no taskbar and exploror.exe would not open, nor would WSA from the cmd screen and/or run menu. I also could not open it in safe mode and could not restore the system files or copy new ones. I was away for a week and could not help her reinstall the system as the disc drive did not work and the only other computer she had was a Mac, which is somewhat hard to explain how to burn an ISO onto a USB from a Mac for Windows software.

    Anyway, my point is WSA Complete detected two system files on a clean machine with its first-time scan when it's installing onto the machine. Just fair warning, WSA can detect system files.
     
  2. PrevxHelp

    PrevxHelp Former Prevx Moderator

    Joined:
    Sep 14, 2008
    Posts:
    8,242
    Location:
    USA/UK
    I'm very sorry to hear of the issues you've had here. WSA can and does detect system files if they've been replaced with malicious copies. We have a process in place which automatically repairs them to clean versions but it would appear that something didn't work correctly.

    Could you please write into our support inbox so that they can look into your scan logs directly? WSA stores a complete copy of what changes it makes so we'll definitely be able to see what went wrong.

    Sorry again for the inconvenience but please let me know if I can help with anything in the meantime!
     
  3. Taliscicero

    Taliscicero Registered Member

    Joined:
    Feb 7, 2008
    Posts:
    1,439
    There are no scan logs; the system had to be reformatted and we could not open WSA in any capacity before the format. If we could, I would have removed the detections and replaced the files back to where they belong myself. WSA detected them as something beginning with "b", we forget exactly what it was. I believe it was on a new Windows installation because it was a second-hand laptop which had nothing but defaults installed from her father. I doubt the infection was real, although WSA decided to think so. What troubles me is not being able to open up WSA again after this. WSA should open without explorer.exe just fine but it did not, even though TeamViewer worked. WSA was in the biggest sense of the word broken after it deleted those files.
     
  4. PrevxHelp

    PrevxHelp Former Prevx Moderator

    Joined:
    Sep 14, 2008
    Posts:
    8,242
    Location:
    USA/UK
    WSA should still be accessible through the command line or from Safe Mode without Networking when in this state. Could you please send me a PM with the license key used on this system? We should be able to find any false positives or correct detections from there. We have significant measures in place to prevent FPs on critical system files so I'm somewhat doubtful of it being a false positive (as we would most certainly have heard about it from more users) but it is definitely worth investigating closer.

    Thank you!
     
  5. Taliscicero

    Taliscicero Registered Member

    Joined:
    Feb 7, 2008
    Posts:
    1,439
    I sent along the key to your PM.

    I will be interested to see the explanation behind what happened. Thanks. :thumb:
     
  6. Techfox1976

    Techfox1976 Registered Member

    Joined:
    Jul 22, 2010
    Posts:
    749
    Given that the keycode allows them to look up exactly what was seen on the computer, what was detected, and why, as well as the configuration of the software and various other things, this should be interesting. *Grabs popcorn*
     
  7. Alexhousek

    Alexhousek Registered Member

    Joined:
    Jul 25, 2009
    Posts:
    410
    Location:
    USA--Colorado
    Given the recent events surrounding privacy, no one else finds this troubling? I'm sorry, but I'm not sure that I'm ok with a company having all the information about my computer usage....
     
  8. PrevxHelp

    PrevxHelp Former Prevx Moderator

    Joined:
    Sep 14, 2008
    Posts:
    8,242
    Location:
    USA/UK
    We don't - we have some access to the web console if registered which is what I was hoping for, but unfortunately, the keycode isn't set up so the logs aren't sent. Storing logs for everyone who isn't using the web console would require an excessively large amount of data storage which would be extremely expensive.

    So, as of now, we haven't been able to find anything. Our researchers have been looking through our database for any recently determined svchost.exe/explorer.exes but haven't found any obvious false positives.

    Taliscicero: is there any chance you can re-install WSA on your girlfriend's computer to see if it happens again? It may be worth installing it alongside HMP - we had a FP a while back with a similar scanner due to finding their injected modules, but have since added workarounds. And, do you happen to remember if the detection shown on the UI was "Win32.MalComponent" or was it something like "Win32.Malware.Gen"?

    Thanks for the help!
     
  9. Techfox1976

    Techfox1976 Registered Member

    Joined:
    Jul 22, 2010
    Posts:
    749
    No, only your malware usage. Sorry about the lack of clarity. Should have been more precise with something like "What was seen as threats, what it was detected as, and why", while the "why" includes actions taken by the specific code across all computers that allowed it to be determined to be a threat.
     
  10. Taliscicero

    Taliscicero Registered Member

    Joined:
    Feb 7, 2008
    Posts:
    1,439
    The detection started with bo or bu, I forget which. It was not a generic detection if that's what you're asking. It had a malware class name. It was also nothing to do with HMP; I had removed it before WSA was installed. It's also unfair to blame their product for WSA's mistake. My girlfriend is a web designer and already lost a week of work for her client, so yeah, no, I'm not gonna put it back and it's not my job to fix false positives in WSA. I don't use the web console because it forgot my password and you issued me a replacement key because it was locked, and then a few days later it did the same thing and I did not bother asking you again, as the console is not worth the effort. I can assure you one thing though, that WSA can't be opened or re-installed under the circumstances I found, which is troubling as there is no way to put the false positive files back.

    Windows 7 x64 operating system. If that helps any.
     
  11. PrevxHelp

    PrevxHelp Former Prevx Moderator

    Joined:
    Sep 14, 2008
    Posts:
    8,242
    Location:
    USA/UK
    I'm certainly not blaming HMP - I'm just trying to diagnose what happened here as it isn't happening for other users. Uninstalling software often leaves traces which could most definitely be part of the cause here.

    I certainly understand the trepidation with reinstalling but at this point, there isn't anything for us to go on - just a report of something being detected with no logs or associated data, so unfortunately I don't think we're going to be able to make any changes or investigate closer.

    If she frees up and isn't in the middle of a project, it would be helpful to try installing again. If it finds the threats again, simply don't clean them, but send me a log and we'll be able to take a closer look. You can call our tech support toll-free number while on the screen as well and they can assist you in realtime if that's easier.
     
  12. Taliscicero

    Taliscicero Registered Member

    Joined:
    Feb 7, 2008
    Posts:
    1,439
    Well, if people start running into the same problem you know why. I have a great suspicion the installer may not have been connected to the cloud correctly and detected those files, whereas the cloud may have white-listed them as false positives.
     
  13. PrevxHelp

    PrevxHelp Former Prevx Moderator

    Joined:
    Sep 14, 2008
    Posts:
    8,242
    Location:
    USA/UK
    I use Windows 7 x64 myself and have never received those detections (and just rescanned on each of my systems with nothing found). There aren't any local detections for those components either so I don't think it would be a cloud connectivity issue (and it would have failed to activate the license key, preventing the installation, if it was unable to connect initially).
     
  14. Taliscicero

    Taliscicero Registered Member

    Joined:
    Feb 7, 2008
    Posts:
    1,439
    Well, is it possible you guys had a detection at that time and quickly removed it, realizing the mistake?
     
  15. PrevxHelp

    PrevxHelp Former Prevx Moderator

    Joined:
    Sep 14, 2008
    Posts:
    8,242
    Location:
    USA/UK
    A FP on a system file that popular is prevented by our systems - users and rules are unable to change determinations of files seen on vast numbers of computers so I would think a FP like that would be unlikely.
     
  16. Triple Helix

    Triple Helix Webroot Product Advisor

    Joined:
    Nov 20, 2004
    Posts:
    12,012
    Location:
    Ontario, Canada
    I haven't seen anything on my Win 7 x64 and I have HMP but as Joe has said it's kind of hard to diagnose the problem without the detection names or even better scan logs. :(

    Daniel
     
  17. Taliscicero

    Taliscicero Registered Member

    Joined:
    Feb 7, 2008
    Posts:
    1,439
    Sadly yes, but WSA locked itself. I could not have got the scan log even if I wanted to.
     
  18. PrevxHelp

    PrevxHelp Former Prevx Moderator

    Joined:
    Sep 14, 2008
    Posts:
    8,242
    Location:
    USA/UK
    They are stored in C:\Programdata\wrdata. You don't need to access the UI to copy them.
     
  19. Taliscicero

    Taliscicero Registered Member

    Joined:
    Feb 7, 2008
    Posts:
    1,439
    I looked; the Webroot folders are all locked, even this one.
     
  20. Techfox1976

    Techfox1976 Registered Member

    Joined:
    Jul 22, 2010
    Posts:
    749
    WSA does not lock those files or folders. Ergo something on your system is interfering with normal computer operations and normal WSA operations.

    Also:
    Scvhost.exe & Exploror.exe

    If those were the real filenames and not typos, then yes, chances are they were really infections. The correct system files are svchost.exe and explorer.exe. The misspelled scvhost.exe file is, in fact, a threat that injects itself into the shell registry entry and thus you would encounter the symptoms you describe (no shell when booting).

    If those were the filenames of the things that were removed and not typos, you definitely had a real infection on the system, and it sounds like you may still have one if access to wrdata is locked. I'd point to something like TDL4 Bootkit or some other similar MBR modifier that persists through a reinstall of Windows.
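The symptom Techfox1976 describes (a lookalike name such as scvhost.exe hooked into the Winlogon Shell registry value, so no shell appears after boot) is something a defender can check for directly. The script below is an added example, not code from this thread or from Webroot/Prevx: it parses a constructed .reg-style export of the Winlogon key, flags any Shell entry other than the stock explorer.exe, and uses edit distance against a small list of canonical Windows process names to point out typosquatted lookalikes. The registry snippet, the canonical-name list and the distance threshold are all assumptions chosen for illustration; on a real machine the value would be read from HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon. Python is used here so the check runs offline on any platform; the same logic is easy to port to PowerShell.

```python
"""Audit the Winlogon Shell value for hijacks and lookalike process names.

Added example; not the thread's or Webroot's code. Works on a .reg export
snippet constructed inline so it runs offline without touching a registry.
"""
import ntpath
import re

# Assumed canonical names; extend to taste. Only names NOT in this set are
# ever reported as lookalikes.
CANONICAL = {
    "svchost.exe", "explorer.exe", "lsass.exe", "csrss.exe",
    "winlogon.exe", "services.exe", "smss.exe", "userinit.exe",
}
LOOKALIKE_MAX_DISTANCE = 2  # assumed threshold: 1-2 edits away = suspicious

# Constructed sample: a .reg export where a second Shell entry was added.
# (.reg files escape backslashes as "\\".)
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="explorer.exe,C:\\Users\\Public\\scvhost.exe"
"Userinit"="C:\\Windows\\system32\\userinit.exe,"
'''

# Constructed clean sample for comparison.
CLEAN_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="explorer.exe"
'''


def edit_distance(a: str, b: str) -> int:
    """Plain Levenshtein distance (insert/delete/substitute, cost 1 each)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # delete from a
                           cur[j - 1] + 1,         # insert into a
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def lookalike_of(name: str):
    """Return the canonical name that `name` nearly matches, or None.

    A name that IS canonical is never a lookalike; a name far from every
    canonical name (e.g. notepad.exe) is simply unknown, also None.
    """
    name = name.lower()
    if name in CANONICAL:
        return None
    best = None
    for canon in CANONICAL:
        d = edit_distance(name, canon)
        if d <= LOOKALIKE_MAX_DISTANCE and (best is None or d < best[1]):
            best = (canon, d)
    return best[0] if best else None


def parse_shell_value(reg_text: str):
    """Pull the Shell value out of a .reg export; None if absent."""
    m = re.search(r'^"Shell"="(.*)"\s*$', reg_text, re.MULTILINE)
    if not m:
        return None
    # Undo .reg escaping of backslashes and quotes.
    return m.group(1).replace('\\\\', '\\').replace('\\"', '"')


def shell_entries(shell_value: str):
    """The Shell value may list several programs separated by commas."""
    return [p.strip().strip('"') for p in shell_value.split(",") if p.strip()]


def audit_shell(reg_text: str):
    """Return human-readable findings; an empty list means stock explorer.exe only."""
    shell = parse_shell_value(reg_text)
    if shell is None:
        return ["Shell value missing from export (Winlogon falls back to explorer.exe)"]
    findings = []
    for entry in shell_entries(shell):
        base = ntpath.basename(entry).lower()  # ntpath handles C:\ paths on any OS
        if base == "explorer.exe":
            continue
        look = lookalike_of(base)
        if look:
            findings.append(f"Shell entry {entry!r} resembles {look} but is not it")
        else:
            findings.append(f"non-standard Shell entry {entry!r}")
    return findings


if __name__ == "__main__":
    for label, reg in (("sample", SAMPLE_REG), ("clean", CLEAN_REG)):
        print(label, audit_shell(reg) or "OK: stock shell")
```

The lookalike check is a heuristic: a custom shell or a renamed launcher will be reported as "non-standard" rather than as malware, and the decision about what to do with a finding belongs to the analyst. The useful property is that it turns the thread's question ("was that a typo or the real filename?") into something checked by a program instead of by eye.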
     
  21. PrevxHelp

    PrevxHelp Former Prevx Moderator

    Joined:
    Sep 14, 2008
    Posts:
    8,242
    Location:
    USA/UK
    Exactly - WSA allows full access to all of its folders (specifically for cases like this).

    I didn't notice this when first reading the post. These would definitely be infections if those names are accurate. TDL4 sounds likely and could indeed be the case for why your system ended up behaving as described.

    Thanks Techfox1976!
     
  22. Taliscicero

    Taliscicero Registered Member

    Joined:
    Feb 7, 2008
    Posts:
    1,439
    Typos, I'm notoriously dyslexic. Files were locked for whatever reason, and I could not re-install WSA.
     
  23. Techfox1976

    Techfox1976 Registered Member

    Joined:
    Jul 22, 2010
    Posts:
    749
    Right then...
    Base information gathering:
    Step 1:
    You say the files are "locked". Explain this directly please. What precisely occurs when you attempt to access them and how are you trying to access them? For example, "I try to open that location in Windows Explorer and it's not there" or "When I click on the folder, I get a message that says 'Folder locked Read Only' and has buttons to 'Try Again' or 'Cancel'".
     
  24. Taliscicero

    Taliscicero Registered Member

    Joined:
    Feb 7, 2008
    Posts:
    1,439
    The computer was formatted, but if you're interested, you click the folder icon and nothing happens; you click open and it does not open.
     
  25. Triple Helix

    Triple Helix Webroot Product Advisor

    Joined:
    Nov 20, 2004
    Posts:
    12,012
    Location:
    Ontario, Canada
    I would have loved it if that install was still intact and Joe or one of the Threat Researchers could do a remote session, as this has got my curiosity. With locked folders I use the "Unlocker" program to get in or delete a stubborn file. :doubt:

    TH
     