What happens if Webroot SecureAnywhere misses a virus?

In this video Webroot purposely infect a machine running Webroot SecureAnywhere. They even disable the behaviour shield to replicate what would happen if a threat was missed and it executed on your PC.

We estimate there to be somewhere in the region of 50,000 new strains of malware every single day, so it's frankly impossible for the legacy signature-based approaches to keep up with the vast volume of threats.

Webroot SecureAnywhere adopts a new cloud-driven approach, ensuring that users always have access to the latest security "definitions" without needing to download any updates. This, coupled with a 700Kb agent, ensures optimal performance and enhanced security.

Webroot also recognise that the ever-rising volume of malware means that they'll miss threats, too. While they do have industry leading detection rates (See: http://www.av-test.o...er/mayjun-2012/) they have introduced unique protection against information-stealing malware, so even if they do miss something, the data that you really care about cannot be tampered with.


"Webroot SecureAnywhere adopts a new cloud-driven approach"

That's great and all...until malware kills your internet connection.

Also, is it just me or does the "article" read like an ad?


Neowin now sponsors Info-mercials...

Funny how they completely avoid discussing how this would work with an infection which blocks/alters your internet connection so you can't access the cloud.


I guess it kinda is an ad. The video and content came from Webroot themselves. Doesn't mean it can't stir up some interesting debate on a new approach to AV. When was the last time an AV vendor purposely infected a PC running their software....?

There is, of course, offline protection. Some of which is highlighted in the video.


There is, of course, offline protection. Some of which is highlighted in the video.

Then it provides no benefit over its competition. My AV checks for updates every hour. If within that hour I get hit with something new which totally blocks my AV from grabbing an update (which may or may not resolve the issue) then I am hosed.

If I run the service you suggest and I get hit within the hour, I can't reach the cloud to grab the update so off-line mode can't fix it. Hosed either way.


I like the idea of a constantly-updated "cloud" definition-base, but it would have to work as a hybrid system that also periodically downloads it locally. That way you generally get the very latest definitions, but in the event of malware that kills your internet connection, you still have a relatively-recent offline copy it can use to scan the system. I'm sure that's what er0n mentioned, but I am at work atm and can't view the video, so I can't be sure of how it works.

So then, Rohdekill, the advantage would be that in most cases you have a very up-to-date solution. Not sure which AV you use, but most people's don't update that frequently, so it may provide some benefit for an "average" user.


Then it provides no benefit over its competition. My AV checks for updates every hour. If within that hour I get hit with something new which totally blocks my AV from grabbing an update (which may or may not resolve the issue) then I am hosed.

If I run the service you suggest and I get hit within the hour, I can't reach the cloud to grab the update so off-line mode can't fix it. Hosed either way.

Hi Rohdekill,

Let me explain how our offline protection works.

When a new file is introduced to a PC we try to obtain a classification from the Webroot Intelligence Network (cloud). If the connection cannot be established because the user is offline, the file is assumed to be 'unknown'.

Files that have an 'unknown' classification will be executed in a 'Monitor' state. Even though it's running on the endpoint, we're carefully watching the file to make sure it can't make any malicious modifications to your PC. Also, every single change that the file does make to your PC while in the Monitor state will be recorded in a local change-journal database.

Once the connection to the internet has been established, and we send down a 'bad' classification to the PC, all of those changes are perfectly reversed. There is a lot of protection built into the product to protect and verify the integrity of the internet connection, including LSP chain protection and kernel-mode connectivity.

So in summary your endpoint is benefiting from a degree of generic protection to stop your PC being 'trashed' and you're also getting a perfect clean-up routine.

It could be argued that we're no better/worse than the competition at protecting your PC when it's offline, but the benefits when connected to the internet are clear.

Let me know if you have any other concerns on this topic.

Thanks,

Will

If I run the service you suggest and I get hit within the hour, I can't reach the cloud to grab the update so off-line mode can't fix it. Hosed either way.

Edit: Take a look at the last part of the video and you'll see the journaling and rollback in action. In the unlikely scenario that the situation you describe occurs, the user will be able to manually 'block' the infected file, and every single change it made to the system will be perfectly reversed. This requires no active connection to the internet.
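To make the flow Will describes concrete (classify first, run unknown files in a monitored state, journal every change, roll back on a late 'bad' verdict or a manual block), here is an added toy model. It is not Webroot's code or anything from the thread; the dict-backed "system", the hash values and the ExampleAgent protected keys are constructed placeholders.

```python
# Toy model of the classify -> monitor -> journal -> rollback flow described
# above. Constructed illustration, not Webroot's code: a dict stands in for
# files and registry keys; hashes and key names are made-up placeholders.
from dataclasses import dataclass, field
from enum import Enum
from typing import Dict, List, Optional, Tuple


class Verdict(Enum):
    GOOD = "good"
    BAD = "bad"
    UNKNOWN = "unknown"


# Keys a monitored (unknown) process may never touch: the agent protecting
# itself. Placeholder names, not real paths.
PROTECTED_KEYS = {"HKLM/Services/ExampleAgent", "C:/ExampleAgent/agent.exe"}


def cloud_classify(sha256: str, reputation: Optional[Dict[str, Verdict]]) -> Verdict:
    # reputation=None models being offline: the lookup fails, so the file is
    # treated as unknown rather than trusted (the safe default).
    if reputation is None:
        return Verdict.UNKNOWN
    return reputation.get(sha256, Verdict.UNKNOWN)


@dataclass
class JournalEntry:
    key: str
    before: Optional[str]  # None: the key did not exist before the change


@dataclass
class MonitoredProcess:
    sha256: str
    system: Dict[str, str]
    journal: List[JournalEntry] = field(default_factory=list)
    denied: List[str] = field(default_factory=list)

    def change(self, key: str, value: Optional[str]) -> bool:
        """Apply a write (value) or delete (None), journaling the prior state."""
        if key in PROTECTED_KEYS:
            self.denied.append(key)  # refused outright, never reaches the system
            return False
        self.journal.append(JournalEntry(key, self.system.get(key)))
        if value is None:
            self.system.pop(key, None)
        else:
            self.system[key] = value
        return True

    def rollback(self) -> int:
        """Undo journaled changes newest-first so a key changed twice regains
        its original value. Returns the number of entries undone."""
        undone = len(self.journal)
        for entry in reversed(self.journal):
            if entry.before is None:
                self.system.pop(entry.key, None)
            else:
                self.system[entry.key] = entry.before
        self.journal.clear()
        return undone

    def commit(self) -> None:
        """Verdict 'good': keep the changes, discard the journal."""
        self.journal.clear()


def execute(sha256: str, system: Dict[str, str], reputation: Optional[Dict[str, Verdict]],
            actions: List[Tuple[str, Optional[str]]]) -> Tuple[Verdict, Optional[MonitoredProcess]]:
    """Classify before execution: 'bad' is blocked; 'unknown' runs monitored
    with its journal kept; 'good' runs and its journal is discarded."""
    verdict = cloud_classify(sha256, reputation)
    if verdict is Verdict.BAD:
        return verdict, None
    proc = MonitoredProcess(sha256, system)
    for key, value in actions:
        proc.change(key, value)
    if verdict is Verdict.GOOD:
        proc.commit()
    return verdict, proc


def settle(proc: MonitoredProcess, later_verdict: Verdict) -> int:
    """Connection restored, or the user manually blocks the file: a late 'bad'
    verdict reverses everything journaled; 'good' keeps it."""
    if later_verdict is Verdict.BAD:
        return proc.rollback()
    proc.commit()
    return 0
```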

I like the idea of a constantly-updated "cloud" definition-base, but it would have to work as a hybrid system that also periodically downloads it locally. That way you generally get the very latest definitions, but in the event of malware that kills your internet connection, you still have a relatively-recent offline copy it can use to scan the system. I'm sure that's what er0n mentioned, but I am at work atm and can't view the video, so I can't be sure of how it works. So then, Rohdekill, the advantage would be that in most cases you have a very up-to-date solution. Not sure which AV you use, but most people's don't update that frequently, so it may provide some benefit for an "average" user.

Honestly, do we need AV that is updated every second? Unless you're a high value target (e.g.: government, banking, super rich...) are you really at risk of being hit with 0-day attacks?

Even if the 0-day threat is real for average users, which I don't think it is, the frequency of the definition downloads are less important than the total time it takes the AV vendor to discover, classify, and add a definition for it... The AV venders don't publish those numbers though...


Honestly, do we need AV that is updated every second? Unless you're a high value target (e.g.: government, banking, super rich...) are you really at risk of being hit with 0-day attacks?

Even if the 0-day threat is real for average users, which I don't think it is, the frequency of the definition downloads are less important than the total time it takes the AV vendor to discover, classify, and add a definition for it... The AV venders don't publish those numbers though...

I think most users will be absolutely fine, and it really depends how you use the internet, how highly you value your sensitive data, and how highly you value your time. If you don't do online banking or store your resume/CV on your PC, then you'll probably be fine with one of the legacy signature-based solutions.

Your last comment is exactly why we have decided to take the approach that we have. There are approximately 7 million users currently using Webroot SecureAnywhere today - whenever a new file is observed for the first time on one of our customers' PCs, it's executed on the PC in an isolated sandbox environment where we'll capture the initial behaviour of the file. We'll then make a determination as to whether the behaviour is good or bad - if it's bad, all of our 7 million customers are instantly protected without having to wait for us to publish a signature or get them to download anything.

If the behaviour doesn't appear to be bad, the file is executed on the endpoint but the user/PC is still protected using the methods shown in the video.

The window of exposure to a new threat (1 in ~50,000 per day) is dramatically reduced using this model.

FWIW, 0-day threats are not necessarily targeted attacks. They can spread through software vulnerabilities and infected legitimate web-sites.

P.S. I have no idea whether I'm actually allowed to be posting on this thread. I hope I'm not breaking any rules.


I think most users will be absolutely fine, and it really depends how you use the internet, how highly you value your sensitive data, and how highly you value your time. If you don't do online banking or store your resume/CV on your PC, then you'll probably be fine with one of the legacy signature-based solutions.

Your last comment is exactly why we have decided to take the approach that we have. There are approximately 7 million users currently using Webroot SecureAnywhere today - whenever a new file is observed for the first time on one of our customers' PCs, it's executed on the PC in an isolated sandbox environment where we'll capture the initial behaviour of the file. We'll then make a determination as to whether the behaviour is good or bad - if it's bad, all of our 7 million customers are instantly protected without having to wait for us to publish a signature or get them to download anything.

If the behaviour doesn't appear to be bad, the file is executed on the endpoint but the user/PC is still protected using the methods shown in the video.

The window of exposure to a new threat (1 in ~50,000 per day) is dramatically reduced using this model.

FWIW, 0-day threats are not necessarily targeted attacks. They can spread through software vulnerabilities and infected legitimate web-sites.

P.S. I have no idea whether I'm actually allowed to be posting on this thread. I hope I'm not breaking any rules.

How is this dynamic scanning any different than heuristic engines that have been built into AV scanners for the last decade? Unless you're saying that every file a user opens is transmitted to Webroot for additional analysis?


How is this dynamic scanning any different than heuristic engines that have been built into AV scanners for the last decade? Unless you're saying that every file a user opens is transmitted to Webroot for additional analysis?

Hi Frazell,

Traditional AV products typically utilize basic local heuristics which are renowned for generating false positives and being largely ineffective.

Webroot SecureAnywhere sends the behaviour of the file, along with its meta data to the Webroot Intelligence Network (cloud) where the behaviour is compared to tens of thousands of advanced behavioural rules. In addition to the behaviour, Webroot is able to make a more accurate 'estimation' by considering the age (how long it's been known to the Webroot community) and popularity (how many users in the Webroot community are using it). Some other solutions have also started to adopt cloud reputation lookups.

The key thing here is that while our 'heuristics' should be more effective, we recognise that the bad guys are getting smarter, so we don't rely on them. We've implemented generic protection against information-stealing malware and implemented a unique feature for perfect remediation - you can see these features in action in the video in the OP.


Webroot_Will,

Why doesn't the product have any kind of email scanning, and what about webpage scanning (ex. sites hacked to run malicious code in an iframe or script)...I also noticed it does not actively scan downloads like NOD32 does, including inside ZIP files.


Hi Mr. Black,

Email Scanning isn't a focus for us right now. We tend to find that most home users use Webmail with AV and Anti-Spam built-in, and most businesses use a dedicated email security solution. Besides, if a user were to receive a virus by email and execute it, we'd catch it at that point, so from a security stand-point the user/PC is still secured. We have a 'Web Threat Shield' designed to prevent the execution of malicious content from web-sites and to prevent software vulnerabilities from being exploited. Even if we 'miss' one of these attacks, something has to execute on the PC in some way for malicious modifications to take place, and we're sitting there at the kernel layer watching every single operating system activity.

From a security stand-point, scanning benign files like Zip files in real-time is unnecessary; a Zip file in itself cannot execute and harm the PC in any way. As soon as the user extracts the contents or if the Zip file changes in some way so that it could potentially pose a threat, Webroot will step in and protect the PC/user. There are pros and cons to this approach, but our customers really appreciate the performance boost they receive without compromising on security.


When was the last time an AV vendor purposely infected a PC running their software....?

Hopefully every single time they test their definitions and heuristics...otherwise without testing it's pointless.

That would be like asking...when was the last time a chef intentionally tasted their own food to make sure that it was good...

You want to be a good chef? You taste your own food.

You want to make sure your AV product works? You infect a system and see what happens.


Hopefully every single time they test their definitions and heuristics...otherwise without testing it's pointless.

That would be like asking...when was the last time a chef intentionally tasted their own food to make sure that it was good...

You want to be a good chef? You taste your own food.

You want to make sure your AV product works? You infect a system and see what happens.

Hi Shane,

The point is that the other vendors would never publish a video showing what happens if they miss a threat. Why not? Because the PC would be trashed and the customer's data would be stolen.


Hi Shane,

The point is that the other vendors would never publish a video showing what happens if they miss a threat. Why not? Because the PC would be trashed and the customer's data would be stolen.

Indeed, and the logic behind that is usually these types of attack go after the antivirus/antimalware program first, and disable all of the settings like this and often kill the process itself and prevent it from doing its job.

Then it deploys the keyloggers & various other nasty bits, and then it still steals the data.

So the video only shows what happens IF the virus/malware doesn't target the AV product itself and it can keep itself up and running with its policies in place.

Any 'good' virus/malware these days takes out the security first before doing the dirty work. So what keeps them from attacking the processes that you use and just proceeding?

I ask because with claims of this kind there needs to be some pretty heavy duty assurances in place to prevent that scenario. ;)


Indeed, and the logic behind that is usually these types of attack go after the antivirus/antimalware program first, and disable all of the settings like this and often kill the process itself and prevent it from doing its job.

Then it deploys the keyloggers & various other nasty bits, and then it still steals the data.

So the video only shows what happens IF the virus/malware doesn't target the AV product itself and it can keep itself up and running with its policies in place.

Any 'good' virus/malware these days takes out the security first before doing the dirty work. So what keeps them from attacking the processes that you use and just proceeding?

I ask because with claims of this kind there needs to be some pretty heavy duty assurances in place to prevent that scenario. ;)

Hi Shane,

You make a great point, and it's one we've thought long and hard about.

One of the key benefits of being so lightweight (the entire program is <700kb) is that Webroot SecureAnywhere is able to sit at the kernel-layer watching every single operating system event. After a few minutes of being installed on a typical machine, we've normally observed millions of events. If the traditional, heavy-weight solutions tried to do this, the machine would be so slow it would be unusable. This allows us to have exceptional self-protection.

As you will have seen in the video, the first thing we do prior to allowing a file to execute is obtain a classification for the file (Good, bad or unknown). We can assume that a brand new 0-hour virus is unknown, so it will be executed in the monitor state shown in the video. This already limits the malicious modifications the file can make to the system, and it certainly means that we won't let the file get anywhere near terminating the Webroot agent.

We've yet to see a virus which can circumvent this approach. Will it happen in the future? No doubt about it, but I'd like to think we're already a step-ahead of the game.

We can prove that we have an industry leading detection rate (most vendors do!). The difference is we come with a plan B.

With 0-day and 0-hour infections, no antimalware software can protect you, cloud or traditional. Good luck fighting the battle you already lost.

Hi sc302,

Did you watch the video? Keen to hear your thoughts on why you think this protection model can't protect you.


Didn't watch the video. I really don't need to.

How is it that you think you can predict the future or the unknown?

All I can suggest is that if you watch the video, all will become clear.

The key fundamental here is that the Webroot Intelligence Network doesn't just include classifications for known-bad files, it also includes classifications for known-good files. The files in between are considered to be unknown, and you get all of the protection benefits highlighted in the video.


While your newest software has gotten significantly better reviews than your previous rendition of your cloud-based software, I will eventually test your software when I have time or have an infection that I need to dissect to see if it lives up to the reviews. I am sorry, I don't believe in videos made by the manufacturer; they are a bit one-sided and always tout their services and make it seem that theirs is better than everyone else's. I am even a bit sceptical of reviews until it has been proven by myself to work.


While your newest software has gotten significantly better reviews than your previous rendition of your cloud-based software, I will eventually test your software when I have time or have an infection that I need to dissect to see if it lives up to the reviews. I am sorry, I don't believe in videos made by the manufacturer; they are a bit one-sided and always tout their services and make it seem that theirs is better than everyone else's. I am even a bit sceptical of reviews until it has been proven by myself to work.

Hi sc302,

I can't argue with that - I think you're right to be sceptical, and I'm exactly the same.
