Monday, August 04, 2014

"Free" video player gets flagged by Webroot as serving adware; not sure if this is an imitation of a legitimate player

Today, I received and posted a comment on my TV Reviews blog for an entry August 1 about an NBC report on Hannah Anderson’s kidnapping last year.  The report had been hard to find online.  I got an anonymous comment (which this time got past Blogger’s spam comment filter) giving a link to a Vodlocker video of the report.  I checked Vodlocker’s “reputation” on Webroot through Firefox on my older Windows 7 Dell computer, and it turned up green – OK.  So I posted the comment, which gave the name of the link to the video with the spelling of the video element name, but the link did not load a hyperlink in the comment stream.  I don’t know whether the video might have infringed on NBC’s copyright, but that would sound possible. 

So I tried it manually, in both Chrome and Firefox on two computers.  I always got invited to replace the video player.  I’ve gotten this invitation from reputable sites before – most of all Major League Baseball.  On MLB, you can ignore the invitation and just view the video with your present player (Windows Media in Windows 8 in my case).  But with Vodlocker, at least on this element, the invitation persisted.
I tried clicking on it on my older Dell Windows computer (which is no longer used for critical applications like banking).  Webroot Secure Anywhere immediately intercepted it (before Windows 7 could ask me for permission to execute it), warning on “c:\users\owner\downloads\flvplayersetup.exe”, in group “Pua.Adware.Installer”.   The Webroot “W” notification icon had a red bar in it, and I noticed that the automated scan was 8 minutes into execution.  This may have been coincidental.  The scan completed without finding threats.  I rebooted, and ran the scan again (it takes 30 minutes).  No threats.   I also checked the directory with Windows Explorer (both machines) and did not find this “exe” element.  It’s possible that Webroot Secure Anywhere quarantined the element immediately.  But normally it asks for permission (when a “red line” shows up on the notification icon) before removing or quarantining a threat.
The product seems to be “Free Player Local”, which is supposed to be able to play Blu-ray.  There is a product called VLC Media Player.  I don’t know if it’s related to this issue.
It’s possible that the download is legitimate, but a false positive for adware, or that it might be an illegal copy of a legitimate media player.  Does someone know?  Maybe the invitations are for a legitimate product. 

Note: The Blogger label "Spysweeper" refers now to "Webroot Secure Anywhere".  A number of years ago the product was called Spysweeper.  Generally, Geek Squad, in my experience, has preferred Webroot, Kaspersky, and Trend Micro on Windows machines, and uses A-Square for researching difficult infections.

1 comment:

Photo Snob said...

Richard from Webroot here (@RCMelick):

There are quite a few clones out there of the FLV player, and it is a favorite delivery system for malicious code. While I can't see why that one was flagged, it could be because of everything from loading secondary software on (aka. Potentially Unwanted Applications), which has minimal risk, or it's one of the many clones that is actually malicious. I would be cautious and not load it. If you are looking for a free media player, I would recommend VLC, and as always, only download it from