On 15 April 15 2020, the Webroot antivirus executable (WRSA.exe) and the Webroot update process were detected as malicious by TDR and the Firebox APT Blocker service. The executable was quickly reclassified as benign.

Any quarantined instance of WRSA.exe or wrupdate*.exe that occurred on 15 or 16 April 2020 can be safely unquarantined. Any instance of wrupdate*.exe on the same dates can safely be marked as externally remediated.

The predefined AV exclusions for Webroot failed to prevent TDR from detecting WRSA.exe as malicious. The predefined AV exclusion has been updated.

If you are using Webroot AV and have not enabled this exclusion, follow these steps:

1. In the TDR Web UI, navigate to Configuration > Exclusion and select the AV tab.
2. Find the Webroot exclusion and select the Enabled check box.