What happens if Webroot SecureAnywhere misses a virus?


Question



In this video Webroot purposely infect a machine running Webroot SecureAnywhere. They even disable the behaviour shield to replicate what would happen if a threat was missed and it executed on your PC.

We estimate there to be somewhere in the region of 50,000 new strains of malware every single day, so it's frankly impossible for the legacy signature-based approaches to keep up with the vast volume of threats.

Webroot SecureAnywhere adopts a new cloud-driven approach, ensuring that users always have access to the latest security "definitions" without needing to download any updates. This, coupled with a 700Kb agent, ensures optimal performance and enhanced security.

Webroot also recognise that the ever-rising volume of malware means that they'll miss threats, too. While they do have industry leading detection rates (See: http://www.av-test.o...er/mayjun-2012/) they have introduced unique protection against information-stealing malware, so even if they do miss something, the data that you really care about cannot be tampered with.

  • 0

I know how you can easily test.... go to a buncha "hair styles" sites.... back a few years ago I got nasty viruses visiting those.... I'm afraid to go to those again.... Please give those a try and get infected and report back to us.

Also go to those warez sites, get infected, and report back. Please Webroot_Will, post videos of that unedited and with full desktop UI and no selective cropping.

  • 0

Hi remixedcat,

It almost sounds like you don't trust me? :-P

I could do exactly what you said, but it wouldn't demonstrate the identity and privacy protection showcased in the video. It's a pointless task because we detect 99% of the threats immediately (who wants to see a video of an AV program detecting a virus?), the rest are 'unknown' to us so are executed in monitor state so the PC and its data are safe.

I have the unedited version of the original video if you'd like to see that! (I suspect not :-))

  • 0

lol. they have lots of ways to test it starting with infected files with all different types of infections, to their own catalog of non released 0days. sure warez sites have plenty and I am sure that there are a bunch of unpatched ad servers out there in existence (where you were getting your viruses from not the hair style sites, per se)...a good webfilter and you would see exactly what/where your infections came from but as an end user you would assume it was coming from the site you visited not the ads that were displayed on the site or the script running on the site.

  • 0

well that example has been reported on in the news and some substitute teacher got fired and revoked when there was a porn ad shown and the PC got infected as well. many of those sites are malicious. They know tons of people are looking for hairstyles and it's an easy grab. same with mp3 download sites and warez ones.

go ahead and post the unedited video ;-)

BTW I'm not trying to diss you or anything I'm just curious...

I had adblocking on when I visited those sites as well as a HOSTS file and that included 1000s of ad networks. I have been running that for years.

  • 0

I have 13 copies of this at home because every time I buy a computer from eBuyer for a client they ship a copy of this as well and the client always tells me to keep it. Might give it a go, running MSE the now but may as well try a premium AV when it's free.

  • 0

Here you go: http://youtu.be/4AV0zG6_ZlM

I uploaded it to YouTube just for you.

(You'll have to imagine the audio)

  • 0

13 copies! :-O

Let me know how you get on!

Is this okay to use on Win 8 RTM?

Yes, Windows 8 is officially supported.

  • 0

wow thanks a bunch! ;-)

  • 0

Well after half an hour or so of use I've got quite a few praises to sing for it, the install was instantaneous, seriously I actually sneezed when I pressed continue after entering my license key and when I looked back at the screen the Webroot UI was sitting staring at me!

The UI looks really nice, it isn't overly complicated and at a glance you get all of the info that you need. The first thing I did was run a scan and checked the footprint as it was going, barely took up any resources at all, basically the same amount as MSE was taking. The scan took 7 minutes which was pretty good, I have a 500Gb hard drive that is almost full and my system isn't the best, 3.4Ghz dual core cpu and 8Gb ram but that is the same time as MSE took. It picked up a couple of infected files which MSE had missed altogether and then promptly removed them. All in all I'm pretty impressed, the sandbox feature will come in handy for testing programs in the future (that is if it works properly, but from my experiences so far I'm sure it will).

I'll give it a few more days and see how I get on but I'm sure I'll be keeping this on my system. I'm running Windows 8 Pro btw.

  • 0

Thanks for the feedback, PalletTown!

P.S. each subscription starts from the moment the key is activated. With your 13 copies, you potentially have 13 years worth of protection... :-|

  • 0

How is your protection superior to something like Sophos (I use Sophos) ???

Hi remixedcat,

Sophos is an excellent product and I have a lot of respect for the people there. I don't think it would be fair for me to provide a competitive comparison on this thread, so you'll have to make your own mind up. Sorry about that!

  • 0

The reason I will not use this software is simply because it has far too many false-positives and misses much more malware compared to an AV such as NOD32 or Kaspersky. Has it since been updated to work more efficiently? I really do like the idea of a cloud AV and the minimal memory usage. If Webroot fixes the problems with it by the time my NOD32 subscription runs out in November, I will definitely consider switching. As per my last few tests, it just was not cutting it. I can do some video reviews of it to show you what I am referring to. I will use the exact same links to test on Webroot SecureAnywhere and NOD32 or Kaspersky.

  • 0

Hi Yorak,

I would certainly be happy to work with you to personally address your false positive issues.

The problem with video reviews is that they can only ever show the results of a sample-set which is statistically insignificant. Will we generate false positives? Absolutely, but I'd also like to think that our cloud-powered heuristics should generate less false positives versus the traditional approach.

Let's take a look at the latest AV-Test results: http://www.av-test.org/no_cache/en/tests/test-reports/?tx_avtestreports_pi1%5Breport_no%5D=121849 (I hate these tests in general, but that's a whole other topic!)

Out of a sample of 661,176 we generated 4 false positives. Eset NOD32 generated 1 false positive out of the same sample, but they also missed a lot more threats, so it's always a bit of a trade-off.

As our community has grown, the quality of our security intelligence has improved, so we've seen a massive decline in the number of false positives compared to the early days.

Give it another whirl and if you still have problems send your keycode to wfletcher[at]webroot.com and I'll take a look for you.
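
To put numbers on the sample-size point in the reply above, here is an added example (not part of the original thread) that computes 95% Wilson score intervals for the false-positive counts quoted from AV-Test. The 50-file "video review" size is an assumption chosen for illustration.

```python
import math


def wilson_interval(events, n, z=1.96):
    """Wilson score interval (default 95%) for the proportion events/n."""
    if n <= 0 or not 0 <= events <= n:
        raise ValueError("need 0 <= events <= n and n > 0")
    p = events / n
    denom = 1 + z * z / n
    centre = (p + z * z / (2 * n)) / denom
    half = z * math.sqrt(p * (1 - p) / n + z * z / (4 * n * n)) / denom
    return max(0.0, centre - half), min(1.0, centre + half)


def intervals_overlap(a, b):
    """True when two (low, high) intervals share at least one point."""
    return a[0] <= b[1] and b[0] <= a[1]


def samples_to_observe_one(rate, confidence=0.95):
    """Smallest sample size with P(at least one event) >= confidence."""
    if not 0 < rate < 1:
        raise ValueError("rate must be between 0 and 1")
    return math.ceil(math.log(1 - confidence) / math.log(1 - rate))


def compare():
    n = 661_176                        # clean-file sample size quoted in the thread
    four_fp = wilson_interval(4, n)    # 4 false positives quoted
    one_fp = wilson_interval(1, n)     # 1 false positive quoted
    # Assumption: a video review that scans 50 clean files and sees no alerts.
    small_test = wilson_interval(0, 50)
    return {
        "four_fp_interval": four_fp,
        "one_fp_interval": one_fp,
        "large_sample_intervals_overlap": intervals_overlap(four_fp, one_fp),
        "small_test_upper_bound": small_test[1],
        "files_needed_to_see_one_fp": samples_to_observe_one(4 / n),
    }


if __name__ == "__main__":
    for name, value in compare().items():
        print(f"{name}: {value}")
```

A 50-file test with zero alerts is consistent with any false-positive rate up to about 7%, while the quoted rates are a few per million, so a test of that size cannot separate products on this metric.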

  • 0

Thanks for the reply, Will. :) I'm going to do a trial of it and see how it is. And thank you for the AV-Test link. Very interesting.

  • 0

I haven't tried Webroot nor do I know anyone personally that runs it. I've been using Nod 32 for many years. I get great results with Nod 32 overall but am not averse to switching to Webroot.

What advantages does Webroot have over Nod 32, specifically in the real-time protection?

Just noticed that each copy supports 3 PCs so I could either do that or support 39 PCs... sadly I only have 3 at home :p

Gimme a key and I'll give you a cookie. :D

  • 0

Me too!

  • 0

Hello,

Manually? Sometimes up to four or five times a day. Otherwise, automated systems do it automatically as part of the behavioral analysis phase of whatever enters the incoming malware queue.

Regards,

Aryeh Goretsky

I guess it kinda is an ad. The video and content came from Webroot themselves. Doesn't mean it can't stir up some interesting debate on a new approach to AV. When was the last time an AV vendor purposely infected a PC running their software....?

There is, of course, offline protection. Some of which is highlighted in the video.

  • 0

Hello,

Why wouldn't a zero[day|hour|minute] exploitation of a vulnerability be detected by antimalware software, traditional or otherwise? Exploitation of a zero day vulnerability means that the attack is occurring in the wild (which could be either narrowly targeted or widespread) for which no patch exists.

It could very well be that the vulnerability is known to the vendor of the affected code (application, operating system, framework, etc.) and they are in the process of developing a fix for it. They may even notify the developers of security software about the vulnerability so that the latter may add detection of the "0day" before it becomes public knowledge. The two groups working together (the affected software vendor and the developers of security software) can then work together to do things like triangulate the spread of the "0day." Useful stuff for targeted attacks, assuming you've got enough deployments of the security software to provide high-quality telemetry.

There are lots of ways in which such a threat would be detected. Here are a few off the top of my head:

  • Detection as an existing piece of malware or a variant using existing signatures.
  • Detection as "probably a variant" of existing malware using algorithmic signatures.
  • Detection by active heuristics, behavior blocker, passive heuristics, HIPS for its actions on the systems, e.g., warning that "a program attempting to do X was detected," where "X" is some sort of activity (or activity set) that triggered a certain threshold.
  • Detection through computed checksum, hash, sum or other (meta)data not matching previously recorded value either locally or networked stored (e.g., whitelisting/blacklisting).

Anyways, just wanted to provide a basic idea that zero[day|hour|minute] threats are not always the big, scary things they are made out to be. It's true that sometimes they are, but there are also times when they are more of an advertising, branding and marketing issue.

Regards,

Aryeh Goretsky

with 0day and 0hr infections, no antimalware software can protect you, cloud or traditional. Good luck fighting the battle you already lost.
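
The layered detection listed in the post above, sketched as an added example (not part of the original thread and not any vendor's implementation). It covers the hash blacklist, the recorded-value mismatch and the behaviour threshold, leaves out signature matching, and every path, hash input, action name and weight is constructed for illustration.

```python
import hashlib

# Constructed sample data: nothing below is a real indicator.
KNOWN_BAD = {hashlib.sha256(b"constructed-known-malware").hexdigest()}

# path -> hash recorded while the file was known to be good
BASELINE = {
    "C:/app/updater.exe": hashlib.sha256(b"updater v1").hexdigest(),
}

# Hypothetical behaviour names and weights; a real product tunes these.
BEHAVIOUR_WEIGHTS = {
    "writes_autorun_key": 3,
    "injects_into_browser": 4,
    "reads_saved_credentials": 4,
    "opens_network_socket": 1,
}
BEHAVIOUR_THRESHOLD = 6


def evaluate(path, content, observed_actions):
    """Return (verdict, reason) for one file and the actions it was seen doing."""
    digest = hashlib.sha256(content).hexdigest()

    # Layer 1: blacklisting by exact hash.
    if digest in KNOWN_BAD:
        return ("block", "hash matches known-bad list")

    # Layer 2: hash no longer matches the previously recorded value.
    recorded = BASELINE.get(path)
    if recorded is not None and recorded != digest:
        return ("block", "hash differs from recorded value")

    # Layer 3: behaviour blocker, independent of whether the file is known.
    score = sum(BEHAVIOUR_WEIGHTS.get(action, 0) for action in observed_actions)
    if score >= BEHAVIOUR_THRESHOLD:
        return ("block", f"behaviour score {score} >= {BEHAVIOUR_THRESHOLD}")

    if recorded == digest:
        return ("allow", "hash matches recorded value")
    # Never seen before and not yet suspicious: keep watching it.
    return ("monitor", "unknown file below behaviour threshold")


if __name__ == "__main__":
    samples = [
        ("C:/tmp/a.exe", b"constructed-known-malware", []),
        ("C:/app/updater.exe", b"updater v1 tampered", []),
        ("C:/tmp/new.exe", b"never seen before",
         ["writes_autorun_key", "reads_saved_credentials"]),
        ("C:/tmp/new.exe", b"never seen before", ["opens_network_socket"]),
        ("C:/app/updater.exe", b"updater v1", ["opens_network_socket"]),
    ]
    for path, content, actions in samples:
        print(path, evaluate(path, content, actions))
```

The third sample is the case under debate: a file with no matching hash anywhere is still blocked once its observed actions cross the threshold.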

  • 0

Webroot is my favorite AV by far. I just love the cloud functionality. No more worrying about database updates and I love the fact that it can wake my PC from sleep to scan - do that with MSE using just the app itself. And it's always nice getting a quick scan done in under 2 minutes :)

This topic is now closed to further replies.