TDR identifying Webroot as threat/score of 8

TDR is identifying a Webroot update (WRupdate146283765.exe) as an incident with a score of 8.

"C:\Program Files (x86)\Webroot\WRSA.exe" -ls -remupg=C:\Users\\AppData\Local\Temp\WRupdate146283765.exe -ju

I have the Webroot exclusions (2x) enabled on all hosts.

Is this because the executable is in the Users Temp folder?

Comments

  • I suspect it is because the executable changes its name each time. Can you verify the file name C:\Users\AppData\Local\Temp\WRupdate146283765.exe is the same as your previous exclusion?

    Gregg Hill

  • The current exclusions are limited to the Program Files (x86)\Webroot folder, not the users temp folder.

  • That is most likely why it is flagging it. I get the same block when Microsoft Teams tries to update and I had to exclude its "C:\Users\%username%\AppData\Local\SquirrelTemp\Update.exe" file.

    Gregg Hill

  • WG Support has created a bug for this and is investigating.

  • RyanTaitRyanTait WatchGuard Representative

    This is kind of a weird one.

    The AV exclusions are there to prevent TDR from interfering with the scanning function of the Antivirus engine. We don't want TDR scanning updates for AV or scanning the AV engines temp files as its doing its job, and we don't want the AV engine doing the same thing to TDR.

    Our APT provider had classified the Webroot AV executable as malicious. they quickly noticed this and re-classified it as benign but not after TDR had quarantined or killed off the process.

    The bug Brian is talking about is to answer the question "Why didn't the AV exclusions prevent TDR from killing WRSA.exe" We discovered a typo in our build in exclusions and will be correcting that shortly. No user intervention is needed other than unquarantining any indicator for WRSA.exe and making any indicator for WRupdate*.exe as externally remediated.

  • Thanks for that info Ryan!

Sign In to comment.