Summary
In some cases, Webroot will detect a file that is located on your backup, such as Time Machine. If the files detected include:
  These file are not threats, but are part of the OS X operating system and contain certain strings of code that we detect.

Additional Information
Our detections for the AppleKextExcludeList.kext include many applications that Apple will run that we do not (including certain keylogger families). This does not mean you have a keylogger just that Apple allows some of these programs to run.  

Similarly, MRT.app is Apple's built in Malware Removal Tool. This tool, while a great help to the OS X platform, was not encrypted and will cause our system to detect it.  We have built in safeguards to allow these programs to remain undetected on your system.  However, with the many various ways that Backups can be named and stored there may be instances that we detect these files.
 
Important Note:
Even after following the Recommended Action, this may happen again. It may re-occur if the files that were previously allowed are changed in any way, which can happen when an operating system update is applied. The Webroot allow action works with the files that you specify and if those files are modified, the new versions of those files need to be allowed.
 
Here is an example of a detection:
/Library/Apple/System/Library/CoreServices/XProtect.app/Contents/MacOS/MRTv3

with trace/malware group “Keylogger.Refog.1.r”

Recommended Action
If Webroot continues to detect these files, you can modify the agent to tell Webroot to ignore them.

Please follow the instructions below for your product to resolve this issue.

+Home users - Webroot SecureAnywhere
Instructions to prevent the files from being detected:
  1. Open the Webroot agent.
     
  2. Click the gear icon next to PC Security.
     
  3. Select the Block/Allow Files tab.
     
  4. Find the files and click Allow.

+Business users - Webroot Business Endpoint Protection
Important information:
  • In order to make changes to the Webroot Business agent and allow the files that were detected, the device must have the Unmanaged Endpoint policy applied.
  • If the Webroot agent is hidden, applying the Unmanaged policy will unhide it.
  • There is no way to allow files for Macs using the Webroot Management console, this has to be done at the agent.
  • To disable the scanning of archived files, you will modify the endpoint policy assigned to the device using the Webroot Management console.

Instructions to locally allow the files using the Webroot agent:
  1. Apply the Unmanaged policy.
  2. Open the Webroot agent.
     
  3. Click the gear icon next to PC Security.
     
  4. Select the Block/Allow Files tab.
     
  5. Find the files and click Allow.
     
  6. Re-apply the original policy.
  
 
If you have additional questions or concerns, please open a ticket and Support will provide assistance.
 
Is this article helpful?
   
Thanks for your feedback!

Powered by noHold, Inc. U.S. Patent No. 10,659,398
All Contents Copyright© 2022