WRupdate347369.exe Fake or Legitimate update?

  • 3 November 2012
  • 5 replies

Userlevel 5
Badge +22
This morning, Webroot Secureanywhere did not start.  OnlineArmor asked if I wanted to allow a program with a name similar to "WRupdate347369.exe" to execute out of the temp folder.  It identified itself as a Webroot program but the numbers seemed strange and executing out of the temp folder concerned me.  I NEEDED to log in for a webinar so execution was blocked and Secureanywhere had to be manually started.  The executable did not appear again.
Was this a legitimate WR update?  If so, how can it be verified before allowing it to execute?
(Comment:  It has been advised by other applications (JAVA & Adobe are the most notorious) not to allow automatic updates to execute but rather go to the website and get the update directly.)

Best answer by ExpertNovice 3 November 2012, 15:54

View original

5 replies

Userlevel 7
Badge +13
Yes it is a legitimate update.It is the auto update for build can always manually update through the download link in your purchase email,but 99% of us have no problem with the auto update feature of the program.
Userlevel 7
Badge +13
Adobe and java are in a class by themselves and are frequently exploited and as such,with certain threats actually using a compromised version of them(zeroaccess comes to mind-flash),updates on those programs should only be done via the direct download links on their sites.I know some advocate install over the top with thse programs,but to minimize and potential issues,it is always best to remove the previous version completely before installing the new version.Security programs today frequently autoupdate.The result would be same were you were using Norton or Kaspersky.You would get a prompt from Online armor asking for permission depending on how you have Online Armor set.Once a firewall like OA learns your system and all it's processes,anything new it will typically prompt you for a decision.All in all,absolutely nothing to worry about.
Userlevel 5
Badge +22
Thanks all.  That is what I figured but it seems I'm overly concerned these days.  n the future any program named WRUpdate*.exe will be allowed to execute.
Userlevel 7
Badge +56
Yes it's normal via the https:///t5/Release-Notes/PC-Release-Notes-Version-8-0-2-37/m-p/14648#M61 and it could be any set of numbers behind WRUpdate*.exe and if allowed it will delete itself after update but if something does block it as in this case I asume OA it will remain in the temp folder.
Userlevel 7
Some useful notes:
As was already indicated, if you're not sure about the update, you can download the new version from the normal download link in the email you received.  This will always have the most up to date version and simply running the downloaded version will install the update if there is one to update.
Also, useful information for verifying a lot of things: As long as the digital signature is intact and you trust the digital signature (The company has not been hacked and the signature hasn't been revoked yet), you can check this in the file properties.  Windows displays a different warning based on the validity or lack thereof of the digital signature for example. 
Right-Click on the file and click Properties at the bottom. 
Click on Digital Signature tab (If it's not there, it's not signed).
Click on the signature and click Details to see the details below.  As long as it says the signature is OK, it's validly signed and not tampered with.
This applies to all executable files, like EXEs, DLLs, and SYS files.