Viruses being automatically deleted

Hello @BBourassa 

WSA shouldn’t delete anything without user input. Can you Save a Scan Log and post the lines of what has been deleted and it will be near the bottom of the log.

Right click on the Webroot Tray Icon.

Please see here for the latest version of WSA as CE 24.4 is the edition of the Management Console.

Thanks,

 thnk what is happening is that the protection alerts me, but there is nothing in the quarantine where usually there is.

Can you post the lines from a scan Log then I can help you more!

Thu 2024-10-31 14:42:44.0160    Infection detected: R:\005 - Utilities\File Compare\FolderMatch 5.0.3.0\FolderMatch.exe [SHA256: A0F668F8B32BF3794E20D6307827166C35AE8D4669CC4F817ADB683B8EA3C523] [MD5: 664B0BE80EB0E17FBEB2827E17F90C3D] [3/08080001] [W32.Trojan.Gen]
Thu 2024-10-31 14:42:44.0160    File blocked in realtime: R:\005 - Utilities\File Compare\FolderMatch 5.0.3.0\FolderMatch.exe [UniqueID: F868F6A0, MD5: 664B0BE80EB0E17FBEB2827E17F90C3D, Size: 5147136 bytes] [134742017/00000003] [W32.Trojan.Gen]
Thu 2024-10-31 14:42:44.0175    Determination flags modified: R:\005 - Utilities\File Compare\FolderMatch 5.0.3.0\FolderMatch.exe - UniqueID: F868F6A0, MD5: 664B0BE80EB0E17FBEB2827E17F90C3D, Size: 5147136 bytes, Flags: 00000020

Hi @BBourassa 

Do you feel that this is a true infection or false positive?

The MD5 hash shows that Webroot says it’s bad: @DanP might like to chime in?

On VirusTotal many AV’s say it’s bad: https://www.virustotal.com/gui/file/a0f668f8b32bf3794e20d6307827166c35ae8d4669cc4f817adb683b8ea3c523/detection

If you feel it’s not bad then Please contact Webroot Support and they will let you know for sure!

Webroot Support:

Submit a ticket

Call 1-866-612-4227 during the week Mon - Fri 7 AM to 5:30 PM (MDT)

Note: When submitting a Support Ticket, Please wait for a response from Support. Putting in another Support Ticket on this problem before Support responses will put your first Support Ticket at the end of the queue.

Thanks,

VirusTotal has 44/72 matches for a bad verdict

https://www.virustotal.com/gui/file/a0f668f8b32bf3794e20d6307827166c35ae8d4669cc4f817adb683b8ea3c523

John

I re-scanned it and it’s now 47 out of 72 https://www.virustotal.com/gui/file/a0f668f8b32bf3794e20d6307827166c35ae8d4669cc4f817adb683b8ea3c523?nocache=1

Even the Jotti scanner shows Bad but they don’t have many scanners like VT: https://virusscan.jotti.org/en-US/search/hash/664B0BE80EB0E17FBEB2827E17F90C3D

Webroot still doesn’t detect on VirusTotal and @DanP did an awesome Blog about it back in 2016: https://www.webroot.com/blog/2016/02/09/some-notes-on-virustotal/ and we can see Webroot was added to VirusTotal sometime after his blog.

Another good one: https://www.webroot.com/blog/2015/12/02/whats-in-a-name/

Why is the “virus” not being sent to quarantine. This is my bigest question. They used to go there, now they do not.

@BBourassa

What this tells me:

Drive R it must be a USB Flash Drive or can you tell us what Drive R is?

Thu 2024-10-31 14:42:44.0160    Infection detected: R:\005 - Utilities\File Compare\FolderMatch 5.0.3.0\FolderMatch.exe [SHA256: A0F668F8B32BF3794E20D6307827166C35AE8D4669CC4F817ADB683B8EA3C523] [MD5: 664B0BE80EB0E17FBEB2827E17F90C3D] [3/08080001] [W32.Trojan.Gen]
Thu 2024-10-31 14:42:44.0160    File blocked in realtime: R:\005 - Utilities\File Compare\FolderMatch 5.0.3.0\FolderMatch.exe [UniqueID: F868F6A0, MD5: 664B0BE80EB0E17FBEB2827E17F90C3D, Size: 5147136 bytes] [134742017/00000003] [W32.Trojan.Gen]
Thu 2024-10-31 14:42:44.0175    Determination flags modified: R:\005 - Utilities\File Compare\FolderMatch 5.0.3.0\FolderMatch.exe - UniqueID: F868F6A0, MD5: 664B0BE80EB0E17FBEB2827E17F90C3D, Size: 5147136 bytes, Flags: 00000020

Look at the Block/Allow Files list to see if it’s allowed if it is remove it and do another scan and allow WSA to remove it.

Any news @BBourassa ?

Thanks,

In the past, when something was questioned by the WebRoot app the file in question was sent to the quaranteen and a “Block” entry was added to “Block/Allow” tab. This is not happening. The particular entry is not already located in the “Block/Allow” section. Wether Drive R: is a USB or not should be irrelevant, in my opinion.

Again:

All I can say is Contact Webroot Support and they will tell you what’s going on as we can’t see on the backend and only support does!

Webroot Support:

Submit a ticket The best way

Call 1-866-612-4227 during the week Mon - Fri 7 AM to 5:30 PM (MDT)

Note: When submitting a Support Ticket, Please wait for a response from Support. Putting in another Support Ticket on this problem before Support responses will put your first Support Ticket at the end of the queue.

Thanks,