Webroot SecureAnywhere False Positives?

mirmos192
Joined: 2009-11-06 14:35
Webroot SecureAnywhere False Positives?

Webroot SecureAnywhere doesn't at all like
\portableapps\libreofficeportable\app\libreoffice\ure\bin\regcomp.exe
\portableapps\libreofficeportable\app\libreoffice\program\gengal.exe
\portableapps\libreofficeportable\app\libreoffice\program\soffice.exe
It appears to strip them out.
I'm not sure how crippling this is - and I don't know what to make of it.
I've trusted PortableApps for a long time... It's not clear whether it considers these files as PUPs or actual virus or trojan.
I've seen the previous posts regarding Symantec and yet another file in earlier versions of LibreOffice. I've also noted LibreOffice Portable 'Known Issues' regarding Avast and AntiVir.
I've contacted Webroot reporting what I believe to be the false positives. But I wonder whether anyone has any more information other than 'it's all rubbish' and 'they need to get their act together' kind of stuff I've read so far on this site?
Best
David

John T. Haller
Admin, Developer, Moderator, Translator
Joined: 2005-11-28 22:21
UPX, It's Clean

Webroot likely doesn't like the fact that they are compressed EXEs to save space. This can throw off some of the heuristic abilities of antivirus scanners. Heuristic scanners have much higher false positive rates than regular scanners because they 'guess' about a file possibly being bad based on certain criteria as opposed to it matching a definition of a known virus (what a standard scanner does). Most antivirus apps include both and will distinguish between the two based on the results (specific codes for one or the other).

As an example of the files you are worried about, here's soffice.exe on VirusTotal. Note that there are 2 heuristic results from lesser scanners. They'll likely fix their issue via whitelisting within a few days.

It helps to keep in mind that PortableApps.com has never packaged and distributed an infected app. Not once since I started working on Portable Firefox on my own personal site in 2004. The closest we came was when utorrent.com was hacked and sending out fake utorrent.exe files to people downloading. We moved to self-hosting utorrent.exe and hash matching it to mitigate that as a possibility as well for both platform and direct download users.

Sometimes, the impossible can become possible, if you're awesome!

Ed
Joined: 2014-02-17 17:25
Avast notice of infected file for LibreOffice

Avast has stopped the installation of LibreOffice update because it believes the file is infected. The infection it identifies is Win32:Evo-gen [Susp]
from http://mirror.nexcess.net/tdf/libreoffice/portable/4...
today 140222 02/22/2014

Why didn't I think of that?

John T. Haller
Admin, Developer, Moderator, Translator
Joined: 2005-11-28 22:21
File? Inform them?

Did you note the file it alerted on? Did you let them know of their latest false positive?

Sometimes, the impossible can become possible, if you're awesome!

Alcasar
Joined: 2009-11-30 16:19
sent the file to virus lab

Same thing for me today. Can't update because of virus, even when I download the PAF manually.

Alcasar
Joined: 2009-11-30 16:19
Fixed

I was finally able to update.

I'm wondering: can you and do you submit your files to VirusTotal to see if they pop on any virus scanners?

John T. Haller
Admin, Developer, Moderator, Translator
Joined: 2005-11-28 22:21
Practically Difficult

This is practically difficult. The major antivirus vendors make it difficult to check files without having their apps (and a license). We do check occasionally with VirusTotal.com which checks many antivirus though the definitions are often 24-48 hours out of date. Unfortunately, it doesn't support apps as large as LibreOffice. Plus the ratings by the heuristics engines change and are exceedingly flaky, as you saw here (the 'Susp' part means it was a "guess" by your antivirus, not a real detection).

We're investigating using the whitelisting services of the major antivirus engines at some point. They let you submit your software to them to analyze. But it adds some time to each release. And only the major antivirus engines have this service (Norton, Kaspersky, etc) and they aren't the ones that are throwing heuristic false positives on us.

Sometimes, the impossible can become possible, if you're awesome!
