Response to Reports of Webroot Compromised File

2 min. readlast update: 10.19.2022

We have received a number of concerns from clients about potential malicious software being distributed inside the wrsa.exe (Webroot) service.

The concern appears to have originated from an email from another security vendor. Who claimed that Webroot was pushing out malicious software similar to SolarWinds as a result of JoeSandbox.com reporting the wrsa.exe file being malicious. The recommendation from the vendor was to only allow the service by Hash and not the certificate.

ThreatLocker has confirmed that JoeSandbox.com marks the current version of WRSA.exe as potentially malicious, noting PoisonIvy.

ThreatLocker has seen no update of this file since April, and if the file were malicious, permitting the file by Hash instead of certificate would not have a bearing on the file's ability to execute malicious code. We have extensively monitored the behavior of the file in question and found no malicious activity at this point. We have also confirmed with Webroot that the file is, in fact, their file and not a compromised version.

It is Webroot's position that this is a false positive from JoeSandbox. Webroot has been extremely responsive, and ThreatLocker has no reason to believe the information that Webroot has provided is inaccurate. While it is best practice to run as little software on your computer as possible, ThreatLocker sees no reason that Webroot has any higher risk than any other like-kind application.

ThreatLocker recommends ringfencing all applications, so they can access no more than is required to perform their function. We have created a Ringfencing Policy for Webroot, which will limit its ability to access files, go out to the internet, and make registry changes. We have tested this in our lab environment, but you may want to put the Policy in Monitor Only state to review possible issues before securing.

Please contact cyberhero support if you need assistance adding the suggested policy. 

Please remember, while ThreatLocker does have built-in applications, ThreatLocker is not the judge of good or bad. We give you the tools to allow only the software required to run your business to execute. While we might analyze software for bad behavior and disclose our findings, this should not be an endorsement of the product.

Was this article helpful?