W32.Rogue.Gen virus detected in RoonInstaller64.exe file

Roon Server Machine

Windows 11

Description of Issue

This morning, the Roon software was updating on one of my Windows PCs when Webroot SecureAnywhere identified the W32.Rogue.Gen virus. Here is the relevant line from the scan log:

Infection detected: C:\Users\vivac\AppData\Local\Temp\fd2c8d36-19f9-411a-a130-4fc56322c82d__RoonInstaller64_200001359.exe [SHA256: FBE628A1C302D19E5144B42783DB595B4E04AACC571ECB83A617B8A18FC52C1B] [MD5: 84656D6B9D58514DC81B3531DE0DA3C0] [3/00001000] [W32.Rogue.Gen]

I uninstalled the Roon software, scanned the PC again to ensure it was clean, rebooted the PC, then downloaded the RoonInstaller64.exe file from the Roon website to try a clean install.

Same issue: W32.Rogue.Gen detected.

Is this a false positive? Until I know for sure, I'm only using the Roon app on my Android devices.

You can upload your RoonInstaller file to VirusTotal and they will let about 80 different virus scanners go over the file. This way you will get a better idea if only your SecureAnywhere gets it wrong.

I already did this with the installer downloaded from the Roon website and the result is exactly that only SecureAnywhere flags it, so chances are that it's a false positive. Here is the result:

3 Likes

Thanks for the feedback. I had checked the file on VirusTotal as well and got the same result that you did.

"Chances are" makes me a wee bit nervous, so I'll wait for confirmation from Roon or Webroot that it's a false positive.

Note that the digital signatures on the file are intact (second tab on VT or the file properties of your own file), so it would be quite a feat to change the file without breaking the signatures. (Or someone has access to Roon's signing mechanism - possible but probably unlikely).

But sure, waiting is an option as well

1 Like

Response from Webroot:

Thank you for submitting the link to us.
This is indeed a false positive.
We have now updated our system and the file:

MD5: 84656d6b9d58514dc81b3531de0da3c0
VT Link: VirusTotal

3 Likes
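
The two checks discussed in this thread (is the local file the same one the scanner flagged and the vendor cleared, and is its digital signature intact) can be run locally in PowerShell; this is an added example, not part of any poster's message or of Roon's or Webroot's tooling. The function name `Test-FlaggedInstaller` and the Downloads path are assumptions; the log line is the one quoted in the first post.

```powershell
# Added example: compare a local installer against the hashes in a scan-log line
# and report its Authenticode signature state.
function Test-FlaggedInstaller {
    param(
        [Parameter(Mandatory)] [string] $Path,     # installer on disk
        [Parameter(Mandatory)] [string] $LogLine   # "Infection detected" line from the scan log
    )

    # Extract the "[SHA256: ...]" and "[MD5: ...]" fields from the log line.
    if ($LogLine -notmatch '\[SHA256:\s*([0-9A-Fa-f]{64})\]') {
        throw 'No SHA256 field found in the log line.'
    }
    $loggedSha256 = $Matches[1]
    $loggedMd5 = $null
    if ($LogLine -match '\[MD5:\s*([0-9A-Fa-f]{32})\]') { $loggedMd5 = $Matches[1] }

    # Hash the file on disk. -eq on strings ignores case, so hex case does not matter.
    $sha256 = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash
    $md5    = (Get-FileHash -LiteralPath $Path -Algorithm MD5).Hash

    # Status 'Valid' means the signature verifies and the certificate chain is trusted.
    # It does not say who signed the file, so the signer is returned for comparison
    # with the publisher shown in the file properties.
    $sig = Get-AuthenticodeSignature -LiteralPath $Path

    [pscustomobject]@{
        Path             = $Path
        Sha256           = $sha256
        Sha256MatchesLog = ($sha256 -eq $loggedSha256)
        Md5MatchesLog    = if ($loggedMd5) { $md5 -eq $loggedMd5 } else { $null }
        SignatureStatus  = $sig.Status
        Signer           = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
    }
}

# Log line as quoted in the first post of this thread.
$line = 'Infection detected: C:\Users\vivac\AppData\Local\Temp\fd2c8d36-19f9-411a-a130-4fc56322c82d__RoonInstaller64_200001359.exe [SHA256: FBE628A1C302D19E5144B42783DB595B4E04AACC571ECB83A617B8A18FC52C1B] [MD5: 84656D6B9D58514DC81B3531DE0DA3C0] [3/00001000] [W32.Rogue.Gen]'

# Assumed download location; adjust to wherever the installer was saved.
$installer = Join-Path $env:USERPROFILE 'Downloads\RoonInstaller64.exe'
if (Test-Path -LiteralPath $installer) {
    Test-FlaggedInstaller -Path $installer -LogLine $line | Format-List
}
```

A hash mismatch means the local file is not the one covered by the VirusTotal result or the vendor's false-positive confirmation, so those results say nothing about it.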
