Table of Contents

    The Windows 10 "WSReset" Tool That Can Enable Attackers To Bypass Antivirus

    "WSReset" Tool

    WSReset.exe is widely known as a troubleshooting tool that helps users diagnose issues with Windows OS and also aids in resetting the cache without removing installed apps or making any changes to their account settings. It has the ability to bypass any antivirus protection that is implemented on the host and can be found in the System 32 directory of your computer’s C-drive.

    However, hackers are using similar file names to propagate viruses into systems. Here’s how it works and how you can defend your device against this threat.

    What Is This 'WSReset.exe'?

    WSReset.exe is primarily a troubleshooting tool. It can also be used for resetting and clearing the Windows Store. The account settings and installed apps aren’t affected by the process. The executable file is located in the C drive, Windows\System32 folder, on your Windows computer. 

    Contrary to what most people think, WSReset.exe isn't a virus, but there are possibilities that some viruses can take the form of WSReset.exe file by manipulating the file name. If you find any other executable file of the same name in locations other than the System32 folder, then it could be a virus. In that case, it’s best that you perform a complete virus scan immediately.

    How It Can Be Abused To Bypass Antivirus

    Given we’ve established that one can use WSReset.exe to bypass antivirus protections, let us proceed to see how it’s done. 

    Antivirus definitions and configuration files are stored in the C drive\Program data folder. For instance, Avira antivirus will have its configuration files in the path C:\ProgramData\avira\avira antivirus. The Antivirus program has to have various interactions with these folders to get the malware signatures and other crucial definitions. It’s not quite possible for a regular user to delete this folder. 

    The attacker who targets the Antivirus program will first create "\INetCookies" that acts as a link to connect to the "\avira antivirus" folder. Then, it’ll proceed to run WSReset. Once this is complete, all the files that were contained in the pointer folder will get deleted without a trace. Even when the deletion process might not be complete, it can still cause a lot of issues within the antivirus program, eventually causing the program to malfunction.

    When you relaunch the antivirus program after this process, the program will be deactivated permanently.  This happens as malware definitions, signatures, and other pertinent files are deleted from the folder. 

    What You Can Do

    Ideally, you must always make sure that the executable file isn’t a virus. If the path seems suspicious, run a thorough scan immediately and verify the file before proceeding further. This can usually be detected by the path or location of the file. 

    You can also make use of Microsoft's Process Explorer to detect malicious files. To proceed this way, you need to follow the steps below.

    • Launch Microsoft's Process Explorer program 
    • Activate the "Check Legends" Options
    • Navigate to View > Select Columns 
    • Add "Verified Signer" as a column in this module 
    • If the status of "Verified Signer" is "Unable to Verify", the file could be malicious

    Bottom Line

    Although the WPReset.exe file is a legitimate troubleshooting tool, hackers can use files with similar names to bypass antiviruses on the computer without any detection. Because this executable file has elevated privileges to deal with Windows settings, this vulnerability allows attackers to remove files even if they don’t have the privileges. 

    Be very cautious and make sure that you are executing the right file. You can also download the executable file, WSReset.exe, or even reinstall the core application that is associated with the operating system.