Hi there.

 

I have been wondering - why do WRSA.exe, WRusr.dll, and the associated browser-extension files, etc. constantly come up as malware/downloader trojan when scanning with anything OTHER than Webroot?

 

For instance, SuperAntiSpyware, Sysinternals, HijackThis, etc. scans ALWAYS show Webroot files are not digitally signed, have invalid certificates, or are submitted to VirusTotal.com (both via the program and manually by me) and the results show malware?

 

The malware-positive totals via VirusTotal.com tend to be 1/56 or 2/56. I've wondered this for over a year and figured that perhaps I should ask :)

 

Thanks!

Sara
Hi ladyicculus

 

I would say because many of the other AV/IS/AM applications are more prone to false positives when compared to WSA as they do not have the benefit of ENZO (the Webroot database of whitelisted files, etc., to which are added approx. 200,000+ entries a day).

 

The other thing that I have noticed (and you may have too) in relation to the "...malware-positive totals via VirusTotal.com tend to be 1/56 or 2/56" is that the AV/IS/AM applications that generally return the 1 or 2/56 result are in fact minor players and most probably have less than reliable detection methods/database of threats to refer to.

 

I should add that this is just my view, and I generally discount these minor players if they do pop up a warning...you can almost call it a VirusTotal 'false positive'...;)

 

Regards, Baldrick
I've written a bit about VirusTotal results before, and it is important to understand what VirusTotal is and is not, as well as how it works. I highly suggest reading VirusTotal's About Page: https://www.virustotal.com/en/about/ and the "Important notes and remarks" section in particular, which should give you a better understanding of why WSA files may sometimes be flagged by the VirusTotal scanners for some products.

 

-Dan
Thanks for the insight, Dan...top information as per usual...:D

 

Regards, Baldrick
WSRA.exe still is a hit for VirusTotal on only one of my three (WebRoot protected) PCs. Odd.

 

My notes:


  1. On VirusTotal, only one anti-virus company "Rising" or "Rising Global" or "Rising Antivirus" (Chinese company) says wsra.com is malware. The hit was 1 of 64.
  2. Rising [whatever] may or may not be in business.
  3. Rising antivirus is on a short list of third party software the Central Intelligence Agency (CIA) has hacked (placed backdoor malware into without permission) for their infamous Embedded Development Branch program. "Other antivirus programs hacked by the CIA included Russia-based Kaspersky Lab, Romania-based BitDefender, Dutch-based AVG Technologies, Rising Global, and F-Secure of Finland."
  4. The scan for malware used by VirusTotal through ProcessExplorer looks only at running processes. You could have a malware-infected exe file out there that this scan would miss.
  5. I do believe in layered security. Since it costs nothing to scan all your running programs by downloading Microsoft's free ProcessExplorer program, then "Options->VirusTotal.com->Check VirusTotal.com"
    1. ProcessExplorer will compile a list of all active programs, then look up their unique signature (hash) against a database at VirusTotal.com. ProcessExplorer doesn't install anything - close the window - no crumbs.
    2. InfoWorld article

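The thread raises two checks: whether a file carries a valid digital signature, and the hash lookup that only covers running programs. The PowerShell below is an added example, not code from any poster or from Webroot or Microsoft. It builds a local hash and Authenticode inventory for running process images and for executables at rest. Nothing is uploaded, and `Get-ImageReport` and `$ScanDir` are names and a path chosen for this example.

```powershell
# Added example: SHA-256 and Authenticode status for a list of executable paths.
function Get-ImageReport {
    param([string[]]$Path)
    foreach ($p in ($Path | Sort-Object -Unique)) {
        try {
            $hash = (Get-FileHash -LiteralPath $p -Algorithm SHA256 -ErrorAction Stop).Hash
            $sig  = Get-AuthenticodeSignature -LiteralPath $p -ErrorAction Stop
        } catch {
            # Locked or self-protected files cannot always be read; record that and move on.
            [pscustomobject]@{ Path = $p; SHA256 = $null; SigStatus = 'Unreadable'; Signer = $null }
            continue
        }
        [pscustomobject]@{
            Path      = $p
            SHA256    = $hash                 # value to search for manually on VirusTotal
            SigStatus = [string]$sig.Status   # e.g. Valid, NotSigned, HashMismatch
            Signer    = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
        }
    }
}

# Main images of running processes. Processes whose path cannot be read
# without elevation return no Path and are skipped.
$running = @(Get-Process | Where-Object { $_.Path } | ForEach-Object { $_.Path })

# Executables at rest, which a running-process check never sees.
$ScanDir = $env:ProgramFiles   # assumption: folder to inventory, change as needed
$onDisk = @(Get-ChildItem -LiteralPath $ScanDir -Recurse -File -ErrorAction SilentlyContinue |
    Where-Object { $_.Extension -in '.exe', '.dll' } |
    ForEach-Object { $_.FullName })

# "Running" means the file is the main image of a process; loaded DLLs are not counted.
$report = Get-ImageReport -Path ($running + $onDisk) |
    Select-Object *, @{ Name = 'Running'; Expression = { $_.Path -in $running } }

# Review anything that is not validly signed, running images first.
$report | Where-Object { $_.SigStatus -ne 'Valid' } |
    Sort-Object Running -Descending |
    Format-Table -AutoSize Running, SigStatus, Signer, SHA256, Path
```

Comparing the `SigStatus` and `Signer` columns across machines is a quick way to see whether the copy that gets flagged on one PC is actually a different file from the copies on the others.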