Hi there.
I have been wondering - why does WRSA.exe, WRusr.dll, and the associated browser-extension files, etc. constantly come up as malware/downloader trojan when scanning with anything OTHER than Webroot?
For instance, SuperAntiSpyware, Sysinternals, HijackThis, etc. scans ALWAYS show Webroot files are not digitally signed, have invalid certificates, or are submitted to VirusTotal.com (both via the program and manually by me) and the results show malware?
The malware-positive totals via VirusTotal.com tend to be 1/56 or 2/56. I've wondered this for over a year and figured that perhaps I should ask :)
Thanks!
Sara
Why are WRSA files always turning up as positive for malware in other scanners?
Hi ladyicculus
I would say because many of the other AV/IS/AM applications are more prone to false positives when compared to WSA as they do not have the benefit of ENZO (the Webroot database of whitelisted files, etc., to which are added approx. 200,000+ entries a day).
The other thing that I have noticed (and you may have to) in relation to the "...malware-positive totals via VirusTotal.com tend to be 1/56 or 2/56" that the AV/IS/AM applications that generally return the 1 or 2/56 result are in fact minor players and most probably have less than reliable detection methods/database of threats to refer to.
I should add that this is just my view, and I generally discount these minor players if they do pop up a warning...you can almost call it a VirusTotal 'false positive'...;)
Regards, Baldrick
I would say because many of the other AV/IS/AM applications are more prone to false positives when compared to WSA as they do not have the benefit of ENZO (the Webroot database of whitelisted files, etc., to which are added approx. 200,000+ entries a day).
The other thing that I have noticed (and you may have to) in relation to the "...malware-positive totals via VirusTotal.com tend to be 1/56 or 2/56" that the AV/IS/AM applications that generally return the 1 or 2/56 result are in fact minor players and most probably have less than reliable detection methods/database of threats to refer to.
I should add that this is just my view, and I generally discount these minor players if they do pop up a warning...you can almost call it a VirusTotal 'false positive'...;)
Regards, Baldrick
Webroot SecureAnywhere Complete Beta Tester v9.0.24.49, imaged by Macrium Reflect v7.2
+35- OpenText Employee
I've written a bit about VirusTotal results before, and it is important to understand what VirusTotal is and is not, as well as how it works. I highly suggest reading VirusTotal's About Page: https://www.virustotal.com/en/about/ and the "Important notes and remarks" section in particular, which should give you a better understanding on why WSA files may sometimes be flagged by the VirusTotal scanners for some products.
-Dan
-Dan
Webroot Threat Research
Thanks for the insight, Dan...top information as per usual...:D
Regards, Baldrick
Regards, Baldrick
Webroot SecureAnywhere Complete Beta Tester v9.0.24.49, imaged by Macrium Reflect v7.2
WSRA.exe still is a hit for VirusTotal on only one of my three (WebRoot protected) PC's. Odd.
My notes:
My notes:
- On VirusTotal, only one anti-virus company "Rising" or "Rising Global" or "Rising Antivirus" (Chinese company) says wsra.com is malware. The hit was 1 of 64.
- Rising [whatever] may or may not be in business.
- Rising antivirus is on a short list of third party software the Central Intelligence Agency (CIA) has hacked (placed backdoor malware into without permission) for their infamous Embedded Development Branch program. "Other antivirus programs hacked by the CIA included Russia-based Kaspersky Lab, Romania-based BitDefender, Dutch-based AVG Technologies, Rising Global, andF-Secure of Finland.
- The scan for malware used by VirusTotal though ProcessExplorer looks only at running processes. You could have a malware infected exe file out there this scan would miss.
- I do believe in layered security. Since it costs nothing to scan all your running programs by downloading Microsoft's free ProcessExplorer program, then "Options->VirusTotal.com->Check VirusTotal.com" [list=1]
- ProcessExplorer will compile a list of all active programs, then look their unique signature (hash) against a database at VirusTotal.com. ProcessExplorer doesn't install anything - close the window - no crumbs.
- Inforworld Article
Login to the community
No account yet? Create an account
Enter your E-mail address. We'll send you an e-mail with instructions to reset your password.