What happens if Webroot SecureAnywhere misses a virus?


69 replies to this topic

#16 Webroot_Will

Webroot_Will

    Neowinian

  • Joined: 28-August 12

Posted 29 August 2012 - 07:58

Hi Mr. Black,

Email Scanning isn't a focus for us right now. We tend to find that most home users use Webmail with AV and Anti-Spam built-in, and most businesses use a dedicated email security solution. Besides, if a user were to receive a virus by email and execute it, we'd catch it at that point, so from a security stand-point the user/PC is still secured. We have a 'Web Threat Shield' designed to prevent the execution of malicious content from web-sites and to prevent software vulnerabilities from being exploited. Even if we 'miss' one of these attacks, something has to execute on the PC in some way for malicious modifications to take place, and we're sitting there at the kernel layer watching every single operating system activity.

From a security stand-point, scanning benign files like Zip files in real-time is unnecessary; a Zip file in itself cannot execute and harm the PC in any way. As soon as the user extracts the contents or if the Zip file changes in some way so that it could potentially pose a threat, Webroot will step in and protect the PC/user. There are pros and cons to this approach, but our customers really appreciate the performance boost they receive without compromising on security.


#17 Yusuf M.

Yusuf M.

  • Joined: 25-May 04
  • Location: Toronto, ON
  • OS: Windows 8.1
  • Phone: Nexus 5 (Android 4.4.2)

Posted 29 August 2012 - 09:32

Moved

#18 Shane Nokes

Shane Nokes

    Neowinian Senior

  • Joined: 29-July 12

Posted 29 August 2012 - 09:46

When was the last time an AV vendor purposely infected a PC running their software....?


Hopefully every single time they test their definitions and heuristics...otherwise without testing it's pointless.

That would be like asking...when was the last time a chef intentionally tasted their own food to make sure that it was good...

You want to be a good chef? You taste your own food.
You want to make sure your AV product works? You infect a system and see what happens.

#19 Webroot_Will

Webroot_Will

    Neowinian

  • Joined: 28-August 12

Posted 29 August 2012 - 10:12

Hopefully every single time they test their definitions and heuristics...otherwise without testing it's pointless.

That would be like asking...when was the last time a chef intentionally tasted their own food to make sure that it was good...

You want to be a good chef? You taste your own food.
You want to make sure your AV product works? You infect a system and see what happens.


Hi Shane,

The point is that the other vendors would never publish a video showing what happens if they miss a threat. Why not? Because the PC would be trashed and the customer's data would be stolen.

#20 Shane Nokes

Shane Nokes

    Neowinian Senior

  • Joined: 29-July 12

Posted 29 August 2012 - 11:22

Hi Shane,

The point is that the other vendors would never publish a video showing what happens if they miss a threat. Why not? Because the PC would be trashed and the customer's data would be stolen.


Indeed, and the logic behind that is usually these types of attack go after the antivirus/antimalware program first, and disable all of the settings like this and often kill the process itself and prevent it from doing its job.

Then it deploys the keyloggers & various other nasty bits, and then it still steals the data.

So the video only shows what happens IF the virus/malware doesn't target the AV product itself and it can keep itself up and running with its policies in place.

Any 'good' virus/malware these days takes out the security first before doing the dirty work. So what keeps them from attacking the processes that you use and just proceeding?

I ask because with claims of this kind there needs to be some pretty heavy duty assurances in place to prevent that scenario. ;)

#21 sc302

sc302

    Neowinian Senior

  • Tech Issues Solved: 21
  • Joined: 12-July 05
  • Location: NJ, USA

Posted 29 August 2012 - 11:32

with 0day and 0hr infections, no antimalware software can protect you, cloud or traditional. Good luck fighting the battle you already lost.

#22 Webroot_Will

Webroot_Will

    Neowinian

  • Joined: 28-August 12

Posted 29 August 2012 - 12:02

Indeed, and the logic behind that is usually these types of attack go after the antivirus/antimalware program first, and disable all of the settings like this and often kill the process itself and prevent it from doing its job.

Then it deploys the keyloggers & various other nasty bits, and then it still steals the data.

So the video only shows what happens IF the virus/malware doesn't target the AV product itself and it can keep itself up and running with its policies in place.

Any 'good' virus/malware these days takes out the security first before doing the dirty work. So what keeps them from attacking the processes that you use and just proceeding?

I ask because with claims of this kind there needs to be some pretty heavy duty assurances in place to prevent that scenario. ;)


Hi Shane,

You make a great point, and it's one we've thought long and hard about.

One of the key benefits of being so lightweight (the entire program is <700kb) is that Webroot SecureAnywhere is able to sit at the kernel-layer watching every single operating system event. After a few minutes of being installed on a typical machine, we've normally observed millions of events. If the traditional, heavy-weight solutions tried to do this, the machine would be so slow it would be unusable. This allows us to have exceptional self-protection.

As you will have seen in the video, the first thing we do prior to allowing a file to execute is obtain a classification for the file (Good, bad or unknown). We can assume that a brand new 0-hour virus is unknown, so it will be executed in the monitor state shown in the video. This already limits the malicious modifications the file can make to the system, and it certainly means that we won't let the file get anywhere near terminating the Webroot agent.

We've yet to see a virus which can circumvent this approach. Will it happen in the future? No doubt about it, but I'd like to think we're already a step ahead of the game.

We can prove that we have an industry leading detection rate (most vendors do!). The difference is we come with a plan B.

with 0day and 0hr infections, no antimalware software can protect you, cloud or traditional. Good luck fighting the battle you already lost.


Hi sc302,

Did you watch the video? Keen to hear your thoughts on why you think this protection model can't protect you.

#23 sc302

sc302

    Neowinian Senior

  • Tech Issues Solved: 21
  • Joined: 12-July 05
  • Location: NJ, USA

Posted 29 August 2012 - 12:33

Didn't watch the video. I really don't need to.


How is it that you think you can predict the future or the unknown?

#24 Webroot_Will

Webroot_Will

    Neowinian

  • Joined: 28-August 12

Posted 29 August 2012 - 13:12

Didn't watch the video. I really don't need to.


How is it that you think you can predict the future or the unknown?


All I can suggest is that if you watch the video, all will become clear.

The key fundamental here is that the Webroot Intelligence Network doesn't just include classifications for known-bad files, it also includes classifications for known-good files. The files in between are considered to be unknown, and you get all of the protection benefits highlighted in the video.

#25 sc302

sc302

    Neowinian Senior

  • Tech Issues Solved: 21
  • Joined: 12-July 05
  • Location: NJ, USA

Posted 29 August 2012 - 13:59

while your newest software has gotten significantly better reviews than your previous rendition of your cloud based software, I will eventually test your software when I have time or have an infection that I need to dissect to see if it lives up to the reviews. I am sorry I don't believe in videos made by the manufacturer they are a bit one sided and always tout their services and make it seem that theirs is better than everyone else's. I am even a bit skeptical on reviews until it has been proven by myself to work.

#26 Webroot_Will

Webroot_Will

    Neowinian

  • Joined: 28-August 12

Posted 29 August 2012 - 14:18

while your newest software has gotten significantly better reviews than your previous rendition of your cloud based software, I will eventually test your software when I have time or have an infection that I need to dissect to see if it lives up to the reviews. I am sorry I don't believe in videos made by the manufacturer they are a bit one sided and always tout their services and make it seem that theirs is better than everyone else's. I am even a bit skeptical on reviews until it has been proven by myself to work.


Hi sc302,

I can't argue with that - I think you're right to be sceptical, and I'm exactly the same.

#27 remixedcat

remixedcat

    meow!

  • Tech Issues Solved: 1
  • Joined: 28-December 10
  • Location: Vmware ESXi and Hyper-V happy clouds
  • OS: Windows Server 2012 R2
  • Phone: I use telepathy and cat meows to communicate

Posted 29 August 2012 - 14:44

I know how you can easily test.... go to a buncha "hair styles" sites.... back a few years ago I got nasty viruses visiting those.... I'm afraid to go to those again.... Please give those a try and get infected and report back to us.

Also go to those warez sites, get infected, and report back. Please Webroot_Will, post videos of that unedited and with full desktop UI and no selective cropping.

#28 Webroot_Will

Webroot_Will

    Neowinian

  • Joined: 28-August 12

Posted 29 August 2012 - 15:11

I know how you can easily test.... go to a buncha "hair styles" sites.... back a few years ago I got nasty viruses visiting those.... I'm afraid to go to those again.... Please give those a try and get infected and report back to us.

Also go to those warez sites, get infected, and report back. Please Webroot_Will, post videos of that unedited and with full desktop UI and no selective cropping.


Hi remixedcat,

It almost sounds like you don't trust me? :-P

I could do exactly what you said, but it wouldn't demonstrate the identity and privacy protection showcased in the video. It's a pointless task because we detect 99% of the threats immediately (who wants to see a video of an AV program detecting a virus?), the rest are 'unknown' to us so are executed in monitor state so the PC and its data are safe.

I have the unedited version of the original video if you'd like to see that! (I suspect not :-))

#29 sc302

sc302

    Neowinian Senior

  • Tech Issues Solved: 21
  • Joined: 12-July 05
  • Location: NJ, USA

Posted 29 August 2012 - 15:42

I know how you can easily test.... go to a buncha "hair styles" sites.... back a few years ago I got nasty viruses visiting those.... I'm afraid to go to those again.... Please give those a try and get infected and report back to us.

Also go to those warez sites, get infected, and report back. Please Webroot_Will, post videos of that unedited and with full desktop UI and no selective cropping.


lol. they have lots of ways to test it starting with infected files with all different types of infections, to their own catalog of non released 0days. sure warez sites have plenty and I am sure that there are a bunch of unpatched ad servers out there in existence (where you were getting your viruses from not the hair style sites, per se)...a good webfilter and you would see exactly what/where your infections came from but as an end user you would assume it was coming from the site you visited not the ads that were displayed on the site or the script running on the site.

#30 remixedcat

remixedcat

    meow!

  • Tech Issues Solved: 1
  • Joined: 28-December 10
  • Location: Vmware ESXi and Hyper-V happy clouds
  • OS: Windows Server 2012 R2
  • Phone: I use telepathy and cat meows to communicate

Posted 29 August 2012 - 16:03

Hi remixedcat,

It almost sounds like you don't trust me? :-P

I could do exactly what you said, but it wouldn't demonstrate the identity and privacy protection showcased in the video. It's a pointless task because we detect 99% of the threats immediately (who wants to see a video of an AV program detecting a virus?), the rest are 'unknown' to us so are executed in monitor state so the PC and its data are safe.

I have the unedited version of the original video if you'd like to see that! (I suspect not :-))


well that example has been reported on in the news and some substitute teacher got fired and revoked when there was a porn ad shown and the PC got infected as well. many of those sites are malicious. They know tons of people are looking for hairstyles and it's an easy grab. same with mp3 download sites and warez ones.

go ahead and post the unedited video ;-)

BTW I'm not trying to diss you or anything I'm just curious...

lol. they have lots of ways to test it starting with infected files with all different types of infections, to their own catalog of non released 0days. sure warez sites have plenty and I am sure that there are a bunch of unpatched ad servers out there in existence (where you were getting your viruses from not the hair style sites, per se)...a good webfilter and you would see exactly what/where your infections came from but as an end user you would assume it was coming from the site you visited not the ads that were displayed on the site or the script running on the site.


I had adblocking on when I visited those sites as well as a HOSTS file and that included 1000s of ad networks. I have been running that for years.


