What happens if Webroot SecureAnywhere misses a virus?

[er0n]

In this video Webroot purposely infect a machine running Webroot SecureAnywhere. They even disable the behaviour shield to replicate what would happen if a threat was missed and it executed on your PC.

We estimate there to be somewhere in the region of 50,000 new strains of malware every single day, so it's frankly impossible for the legacy signature-based approaches to keep up with the vast volume of threats.

Webroot SecureAnywhere adopts a new cloud-driven approach, ensuring that users always have access the the latest security "definitions" without needing to download any updates. This, coupled with a 700Kb agent, ensures optimal performance and enhanced security.

Webroot also recognise that the ever-rising volume of malware means that they'll miss threats, too. While they do have industry leading detection rates (See: http://www.av-test.o...er/mayjun-2012/) they have introduced unique protection against information-stealing malware, so even if they do miss something, the data that you really care about cannot be tampered with.

[goretsky Supervisor]

Hello,

Not to complain about AV-Test, since this is more of a general issue facing all testers, but as I am sure you are aware, in any kind of sample set containing files not specifically verified by a human being there can be files which are incorrectly identified as malicious code when, in fact, they do not contain any executable code at all, or contain code that does not perform a threatening action, even though the behavior may initially be diagnosed as malicious (for example, a license key mechanism that injects the key into a runtime executable or library). While rare, reports of "false 'false positives'" can occur in tests involving samples, and investigating and balancing out those cases can be labor-intensive for both the tester and the testee.

Regards,

Aryeh Goretsky

Hi Yorak,

I would certainly be happy to work with you to personally address your false positive issues.

The problem with video reviews is that they can only over show the results of a sample-set which is statistically insignificant. Will we generate false positives? Absolutely, but I'd also like to think that our cloud-powered heuristics should generate less false positives versus the traditional approach.

Let's take a look at the latest AV-Test results: http://www.av-test.o...rt_no%5D=121849 (I hate these tests in general, but that's a whole other topic!)

Out of a sample of 661,176 we generated 4 false positives. Eset NOD32 generated 1 false positive out of the same sample, but they also missed a lot more threats, so it's always a bit of a trade-off.

As our community has grown, the quality of our security intelligence has improved, so we've seen a massive decline in the number of false positives compared to the early days.

Give it another whirl and if you still have problems send your keycode to wfletcher[at]webroot.com and I'll take a look for you.

[Webroot_Will]

I haven't tried Webroot nor do I know anyone personally that runs it. I've been using Nod 32 for many of years. I get great results with Nod 32 overall but am not adverse to switching to Webroot.

What advantages does Webroot have over Nod 32, specifically in the real-time protection?

Gimme a key and I'll give you a cookie. :D

Hi Marshall,

Webroot SecureAnywhere and NOD32 work very differently to eachother. NOD32 is an excellent product and it wouldn't be fair for me to provide competitive analysis on this thread. Make sure you do a review of the market when your renewal is due and pick the best product! :-)

[Webroot_Will]

Hello,

Not to complain about AV-Test, since this is more of a general issue facing all testers, but as I am sure you are aware, in any kind of sample set containing files not specifically verified by a human being there can be files which are incorrectly identified as malicious code when, in fact, they do not contain any executable code at all, or contain code that does not perform a threatening action, even though the behavior may initially be diagnosed as malicious (for example, a license key mechanism that injects the key into a runtime executable or library). While rare, reports of "false 'false positives'" can occur in tests involving samples, and investigating and balancing out those cases can be labor-intensive for both the tester and the testee.

Regards,

Aryeh Goretsky

Hi Goretsky,

I completely agree.

In my opinion, these tests are not representative of reality, but they can be useful as long as the reader understands the data. I remember a few months ago we absolutely bombed one of these tests because we generated hundreds of false positives. The tester installed us on a machine with thousands of infections and we (rightfully, in my opinion) automatically ramped up the heuristics to maximum, so we started to treat every file on the PC with maximum suspicion. Of course we generated lots of false positives and they trashed the product! In the real world, if one of our customers installed us on a machine with thousands of infections, the last thing they'll be concerned about is a false positive! Not to mention it would be pretty much impossible to get a PC into that state with Webroot SecureAnywhere installed!

One of the biggest problems I have with these tests is that the testers have to manually update the signature definitions before testing their sample malware. In the real-world, we don't get the luxury of updating our definitions the second before an infection strikes. With ~50,000 new threats every day, there's a huge window of exposure between updates which is not accounted for in the tests.

The 0-day tests they perform are also very weak. They tend to scan the virus and if the security vendor fails to detect it, the virus will be executed. If the virus is then running in memory, the security vendor is assumed to have failed. They don't take into consideration the monitoring capability of Webroot SecureAnywhere and the fact that the endpoint is protected from the threat, even though it's running (as you can see in the video in the OP).

The performance tests they perform can be very useful, though. :-)

[sc302 Veteran]

Hi Marshall,

Webroot SecureAnywhere and NOD32 work very differently to eachother. NOD32 is an excellent product and it wouldn't be fair for me to provide competitive analysis on this thread. Make sure you do a review of the market when your renewal is due and pick the best product! :-)

I don't know about that Will, I think it may be very entertaining.....

but I do agree, do your own homework on the product and pick the best one for you.

[sc302 Veteran]

Hi Goretsky,

The 0-day tests they perform are also very weak. They tend to scan the virus and if the security vendor fails to detect it, the virus will be executed. If the virus is then running in memory, the security vendor is assumed to have failed. They don't take into consideration the monitoring capability of Webroot SecureAnywhere and the fact that the endpoint is protected from the threat, even though it's running (as you can see in the video in the OP).

Complete success would be that it doesn't execute. If it doesn't execute it isn't taking up processor cycles. If it doesn't take processor cycles, it isn't going to take any part of it away from applications or other system processes. While the endpoint isn't going to allow the application/service to communication to the internet in essence it has failed to keep the machine clean and free from infection. It has given the end user the illusion that they are malware free because it stopped malware-x from communicating. So in my point of view it has failed from doing its job properly.

[Marshall Veteran]

Hi Marshall,

Webroot SecureAnywhere and NOD32 work very differently to eachother. NOD32 is an excellent product and it wouldn't be fair for me to provide competitive analysis on this thread. Make sure you do a review of the market when your renewal is due and pick the best product! :-)

Do you or could you offer a 30-day trial period? I see no option for this on your website.

[Webroot_Will]

Do you or could you offer a 30-day trial period? I see no option for this on your website.

Here you go: http://www.webroot.com/En_US/consumer-trials.html

The home products are Webroot SecureAnywhere Complete, Essentials and Antivirus. The business product comes with a much more advanced management console.

[Marshall Veteran]

I've downloaded and am currently using your product, however I have one problem. Why is it I get no notification pop-up when an executable containing malicious code is blocked? I have to manually open the Webroot program and go to the quarantine to see this.

Every malicious test file that I've downloaded has been successfully blocked by Webroot, but I'd like be notified instantly of the block. I see no option in the settings to allow this to happen, am I overlooking it?

Thanks for your time.

[Webroot_Will]

I've downloaded and am currently using your product, however I have one problem. Why is it I get no notification pop-up when an executable containing malicious code is blocked? I have to manually open the Webroot program and go to the quarantine to see this.

Every malicious test file that I've downloaded has been successfully blocked by Webroot, but I'd like be notified instantly of the block. I see no option in the settings to allow this to happen, am I overlooking it?

Thanks for your time.

Hi Marshall,

I'm just wondering if you may have downloaded our business product instead of the home user product(s)?

If the latter, I'll have a member of our consumer support team reach out to you, because you should be at least alerted by default.

[+Warwagon MVC]

I have a comment on the video then I have a question.

Comment : Thank you for turning off Animations and fades during recording. Most people don't do that and it makes the machine feel sluggish so props for that.

Question

1) I really liked the rollback feature I saw in the video and have a question about it. What if it monitors an unknown file that the user installs. This unknown file is some sort of safe free word processor that the user uses. Then at some point in time the file is accidentally flagged as malware and the user goes to clean up the infection by following webroots instructions. Would all of the data the user created with that program be removed during the removal process?

If so, can you undo an undo?

Thanks

Adam.

[Webroot_Will]

I have a comment on the video then I have a question.

Comment : Thank you for turning off Animations and fades during recording. Most people don't do that and it makes the machine feel sluggish so props for that.

Question

1) I really liked the rollback feature I saw in the video and have a question about it. What if it monitors an unknown file that the user installs. This unknown file is some sort of safe free word processor that the user uses. Then at some point in time the file is accidentally flagged as malware and the user goes to clean up the infection by following webroots instructions. Would all of the data the user created with that program be removed during the removal process?

If so, can you undo an undo?

Thanks

Adam.

Hi warwagon,

I'll start by saying the scenario you describe should be super rare (and will probably never happen to you), but the answer is yes. All of the content that is removed by the journaling and rollback feature can be restored if needed.

In fact, you'll be able to see exactly what has been rolled-back in the quarantine section, so if you needed to restore a specific document you can do so.

Let me know if you have any more questions!

[Marshall Veteran]

I've experienced multiple issues, mainly the detection rates. I visit a lot of dodgy sites (those of you who are subscribers or mods know why) so I willingly subject myself to malicious content. I've been infected with multiple trojans and malware during my experience with webroot. Never did I have an infiltration when using Nod32 for the few years I've been using it.

I've since uninstalled Webroot and reinstalled Nod32 for peace of mind. Your cloud based AV is headed in the right direction, it just doesn't get the job done.

[remixedcat]

did you first try that on a vm? I hope you did! I use VMs to test antivirus.

[Marshall Veteran]

No, I used a spare laptop that I use solely for experimental purposes.

[remixedcat]

so webroot didn't do so good... hmmm..... how was the CPU/RAM usage???

[Marshall Veteran]

It's very light on resources, more so than Nod32. You never know it's there, including when the real-time protection doesn't notify you of a threat or infestation.. :D

Like I said, Webroot is headed in the right direction, but in terms of detection of viruses, it is sub-par.

[Scorbing]

When it fails to detect a Virus, you do this and get something better:

[remixedcat]

Hope he can get in here and respond to the feedback:

Last Active:Sep 27 2012 06:35

[spaceelf]

"Webroot SecureAnywhere adopts a new cloud-driven approach"

That's great and all...until malware kills your internet connection.

Also, is it just me or does the "article" read like an ad?

Panda Cloud Antivirus is actually fantastic. I'd pay for it, but I don't really care enough to change from MSE.