69 replies to this topic 3 votes

[+Yorak]

Webroot_Will, on 29 August 2012 - 18:52, said:

Hi Yorak,

I would certainly be happy to work with you to personally address your false positive issues.

The problem with video reviews is that they can only over show the results of a sample-set which is statistically insignificant. Will we generate false positives? Absolutely, but I'd also like to think that our cloud-powered heuristics should generate less false positives versus the traditional approach.

Let's take a look at the latest AV-Test results: http://www.av-test.o...rt_no%5D=121849 (I hate these tests in general, but that's a whole other topic!)

Out of a sample of 661,176 we generated 4 false positives. Eset NOD32 generated 1 false positive out of the same sample, but they also missed a lot more threats, so it's always a bit of a trade-off.

As our community has grown, the quality of our security intelligence has improved, so we've seen a massive decline in the number of false positives compared to the early days.

Give it another whirl and if you still have problems send your keycode to wfletcher[at]webroot.com and I'll take a look for you.

Thanks for the reply, Will. I'm going to do a trial of it and see how it is. And thank you for the AV-Test link. Very interesting.

[Marshall]

I haven't tried Webroot nor do I know anyone personally that runs it. I've been using Nod 32 for many of years. I get great results with Nod 32 overall but am not adverse to switching to Webroot.

What advantages does Webroot have over Nod 32, specifically in the real-time protection?

PalletTown, on 29 August 2012 - 17:18, said:

Just noticed that each copy supports 3 PCs so I could either do that or support 39 PCs... sadly I only have 3 at home

Gimme a key and I'll give you a cookie.

[+remixedcat]

Marshall, on 29 August 2012 - 22:34, said:

I haven't tried Webroot nor do I know anyone personally that runs it. I've been using Nod 32 for many of years. I get great results with Nod 32 overall but am not adverse to switching to Webroot.

What advantages does Webroot have over Nod 32, specifically in the real-time protection?




Gimme a key and I'll give you a cookie.

Me too!

[+goretsky]

Hello,

Manually? Sometimes up to four or five times a day. Otherwise, automated systems do it automatically as part of the behavioral analysis phase of whatever enters the incoming malware queue.

Regards,

Aryeh Goretsky

er0n, on 28 August 2012 - 11:18, said:

I guess it kinda is an ad. The video and content came from Webroot themselves. Doesn't mean it can't stir up some interesting debate on a new approach to AV. When was the last time an AV vendor purposely infected a PC running their software....?

There is, of course, offline protection. Some of which is highlighted in the video.

[+goretsky]

Hello,

Why wouldn't a zero[day|hour|minute] exploitation of a vulnerability be detected by antimalware software, traditional or otherwise? Exploitation of a zero day vulnerability means that the attack is occurring in the wild—which could be either narrowly targeted or widespread—for which no patch exists.

It could very well be that the vulnerability is known to the vendor of the affected code (application, operating system, framework, etc.) and they are in the process of developing a fix for it. They may even notify the developers of security software about the vulnerability so that the latter may add detection of the "0day" before it becomes public knowledge. The two groups working together (the affected software vendor and the developers of security software) can then work together to do things like triangulate the spread of the "0day." Useful stuff for targeted attacks, assuming you've got enough deployments of the security software to provide high-quality telemetry.

There are lots of ways in which such a threat would be detected. Here are a few off the top of my head:

• Detection as an existing piece of malware or a variant using existing signatures.
  
• Detection as "probably a variant" of existing malware using algorithmic signatures.
  
• Detection by active heuristics, behavior blocker, passive heuristics, HIPS for its actions on the systems, e.g., warning that "a program attempting to do X was detected," where "X" is some sort of activity (or activity set) that triggered a certain threshold.
  
• Detection through computed checksum, hash, sum or other (meta)data not matching previously recorded value either locally or networked stored (e.g., whitelisting/blacklisting),.

Anyways, just wanted to provide a basic idea that zero[day|hour|minute] threats are not always the big, scary things they are made out to be. It's true that sometimes they are, but there are also times when they are more of an advertising, branding and marketing issue.

Regards,

Aryeh Goretsky

sc302, on 29 August 2012 - 11:32, said:

with 0day and 0hr infections, no antimalware software can protect you, cloud or traditional. Good luck fighting the battle you already lost.

[mattmatik]

webroot is my favorite AV by far. I just love the cloud functionality. No more worrying about database updates and I love the fact that it can wake my PC from sleep to scan - do that with MSE using just the app itself. And its always nice getting a quick scan done in under 2 minutes

[+goretsky]

Hello,

Not to complain about AV-Test, since this is more of a general issue facing all testers, but as I am sure you are aware, in any kind of sample set containing files not specifically verified by a human being there can be files which are incorrectly identified as malicious code when, in fact, they do not contain any executable code at all, or contain code that does not perform a threatening action, even though the behavior may initially be diagnosed as malicious (for example, a license key mechanism that injects the key into a runtime executable or library). While rare, reports of "false 'false positives'" can occur in tests involving samples, and investigating and balancing out those cases can be labor-intensive for both the tester and the testee.

Regards,

Aryeh Goretsky

Webroot_Will, on 29 August 2012 - 18:52, said:

Hi Yorak,

I would certainly be happy to work with you to personally address your false positive issues.

The problem with video reviews is that they can only over show the results of a sample-set which is statistically insignificant. Will we generate false positives? Absolutely, but I'd also like to think that our cloud-powered heuristics should generate less false positives versus the traditional approach.

Let's take a look at the latest AV-Test results: http://www.av-test.o...rt_no%5D=121849 (I hate these tests in general, but that's a whole other topic!)

Out of a sample of 661,176 we generated 4 false positives. Eset NOD32 generated 1 false positive out of the same sample, but they also missed a lot more threats, so it's always a bit of a trade-off.

As our community has grown, the quality of our security intelligence has improved, so we've seen a massive decline in the number of false positives compared to the early days.

Give it another whirl and if you still have problems send your keycode to wfletcher[at]webroot.com and I'll take a look for you.

[Webroot_Will]

Marshall, on 29 August 2012 - 22:34, said:

I haven't tried Webroot nor do I know anyone personally that runs it. I've been using Nod 32 for many of years. I get great results with Nod 32 overall but am not adverse to switching to Webroot.

What advantages does Webroot have over Nod 32, specifically in the real-time protection?




Gimme a key and I'll give you a cookie.

Hi Marshall,

Webroot SecureAnywhere and NOD32 work very differently to eachother. NOD32 is an excellent product and it wouldn't be fair for me to provide competitive analysis on this thread. Make sure you do a review of the market when your renewal is due and pick the best product! :-)

[Webroot_Will]

goretsky, on 30 August 2012 - 07:28, said:

Hello,

Not to complain about AV-Test, since this is more of a general issue facing all testers, but as I am sure you are aware, in any kind of sample set containing files not specifically verified by a human being there can be files which are incorrectly identified as malicious code when, in fact, they do not contain any executable code at all, or contain code that does not perform a threatening action, even though the behavior may initially be diagnosed as malicious (for example, a license key mechanism that injects the key into a runtime executable or library). While rare, reports of "false 'false positives'" can occur in tests involving samples, and investigating and balancing out those cases can be labor-intensive for both the tester and the testee.

Regards,

Aryeh Goretsky

Hi Goretsky,

I completely agree.

In my opinion, these tests are not representative of reality, but they can be useful as long as the reader understands the data. I remember a few months ago we absolutely bombed one of these tests because we generated hundreds of false positives. The tester installed us on a machine with thousands of infections and we (rightfully, in my opinion) automatically ramped up the heuristics to maximum, so we started to treat every file on the PC with maximum suspicion. Of course we generated lots of false positives and they trashed the product! In the real world, if one of our customers installed us on a machine with thousands of infections, the last thing they'll be concerned about is a false positive! Not to mention it would be pretty much impossible to get a PC into that state with Webroot SecureAnywhere installed!

One of the biggest problems I have with these tests is that the testers have to manually update the signature definitions before testing their sample malware. In the real-world, we don't get the luxury of updating our definitions the second before an infection strikes. With ~50,000 new threats every day, there's a huge window of exposure between updates which is not accounted for in the tests.

The 0-day tests they perform are also very weak. They tend to scan the virus and if the security vendor fails to detect it, the virus will be executed. If the virus is then running in memory, the security vendor is assumed to have failed. They don't take into consideration the monitoring capability of Webroot SecureAnywhere and the fact that the endpoint is protected from the threat, even though it's running (as you can see in the video in the OP).

The performance tests they perform can be very useful, though. :-)

[+sc302]

Webroot_Will, on 30 August 2012 - 11:42, said:

Hi Marshall,

Webroot SecureAnywhere and NOD32 work very differently to eachother. NOD32 is an excellent product and it wouldn't be fair for me to provide competitive analysis on this thread. Make sure you do a review of the market when your renewal is due and pick the best product! :-)

I don't know about that Will, I think it may be very entertaining.....


but I do agree, do your own homework on the product and pick the best one for you.

[+sc302]

Webroot_Will, on 30 August 2012 - 11:57, said:

Hi Goretsky,

The 0-day tests they perform are also very weak. They tend to scan the virus and if the security vendor fails to detect it, the virus will be executed. If the virus is then running in memory, the security vendor is assumed to have failed. They don't take into consideration the monitoring capability of Webroot SecureAnywhere and the fact that the endpoint is protected from the threat, even though it's running (as you can see in the video in the OP).

Complete success would be that it doesn't execute. If it doesn't execute it isn't taking up processor cycles. If it doesn't take processor cycles, it isn't going to take any part of it away from applications or other system processes. While the endpoint isn't going to allow the application/service to communication to the internet in essence it has failed to keep the machine clean and free from infection. It has given the end user the illusion that they are malware free because it stopped malware-x from communicating. So in my point of view it has failed from doing its job properly.

[Marshall]

Webroot_Will, on 30 August 2012 - 11:42, said:

Hi Marshall,

Webroot SecureAnywhere and NOD32 work very differently to eachother. NOD32 is an excellent product and it wouldn't be fair for me to provide competitive analysis on this thread. Make sure you do a review of the market when your renewal is due and pick the best product! :-)

Do you or could you offer a 30-day trial period? I see no option for this on your website.

[Webroot_Will]

Marshall, on 30 August 2012 - 14:35, said:

Do you or could you offer a 30-day trial period? I see no option for this on your website.

Here you go: http://www.webroot.c...mer-trials.html

The home products are Webroot SecureAnywhere Complete, Essentials and Antivirus. The business product comes with a much more advanced management console.

[Marshall]

I've downloaded and am currently using your product, however I have one problem. Why is it I get no notification pop-up when an executable containing malicious code is blocked? I have to manually open the Webroot program and go to the quarantine to see this.

Every malicious test file that I've downloaded has been successfully blocked by Webroot, but I'd like be notified instantly of the block. I see no option in the settings to allow this to happen, am I overlooking it?

Thanks for your time.

[Webroot_Will]

Marshall, on 01 September 2012 - 04:53, said:

I've downloaded and am currently using your product, however I have one problem. Why is it I get no notification pop-up when an executable containing malicious code is blocked? I have to manually open the Webroot program and go to the quarantine to see this.

Every malicious test file that I've downloaded has been successfully blocked by Webroot, but I'd like be notified instantly of the block. I see no option in the settings to allow this to happen, am I overlooking it?

Thanks for your time.

Hi Marshall,

I'm just wondering if you may have downloaded our business product instead of the home user product(s)?

If the latter, I'll have a member of our consumer support team reach out to you, because you should be at least alerted by default.