Guide | How To How to setup Webroot SA alongside another Antivirus

[Deleted member 178]

Hi,

Ok, if you bought a copy of Webroot SA, you already knows that you can run it alongside another antivirus/suite without conflicts; it is called a "companion AV"

But for that , we need to tweak a bit both of them, so there is my quick guide:

The other Antivirus

depending the product, the settings are different but all of them have the same kind of options:

Exclusions/Whitelist

important step, you must exclude WRSA.exe from the protection of your other AV, so WSA will not trigger a monitoring from it, so less resources used. You do it generally in these fields:

1- Antivirus scans (exclude WRSA.exe)
2- Real-time scans/modules (exclude WRSA.exe)
3- HIPS/Behavior Blocker/Sandbox : add/trust/allow WRSA.exe
4- Firewall (add/trust/allow WRSA.exe, Webroot is cloud, means it need to connect to internet)


Webroot SA

Webroot SA is very simple to use, so you don't have to be a super-geek to set it up, so we will do it to perform as a companion AV.

Now we open Webroot's GUI and go to settings:

A- Settings:

1- Basic configuration

[attachment=2030]

we will check if these boxes are ticked:

- operate background functions using fewer CPU resources (your main AV may be greedy on resources so we will operate WSA with minimum consumption)

- Favor Low disk usage over verbose logging (i like to save the life duration of my HDD )

- Lower resource usage when intensive applications or games are detected (no need to explain why )

- Force non-critical notifications into the background (to avoid useless popups)


2- Scan Settings

[attachment=2031]

we can tick all boxes. some of them depend of your personal taste.

3- Self protection

[attachment=2032]

the important part : Enable self protection response cloacking -> minimum (it is explained why there)

4- Heuristics

[attachment=2033]

I selected High for all "Advanced Heuristics" , personal choice, it may generates more False positives but you can let it as Medium. this field is really depending of your taste, feel free to do as you wish

5- Real-time Shield

[attachment=2034]

you can untick scan files when written or modified, WSA will react only on executed files.

6- Behavior Shield

[attachment=2035]

tick all except automatically perform the recommended action... ( i like to know what is authorized on my system)

7- Core System Shield

[attachment=2036]

tick all, if your other product have a feature that modify the HOSTs file, you can untick, "prevent any program from modifying the Host file" but i suggest you to tick it after the modification is done.

8- Webshield

[attachment=2037]

Tick all

9- Identity Shields

[attachment=2038]

Tick all

Click "Save All" , WE ARE DONE for the settings tab but not finished the setup ^^


B- PC Security

1- Firewall

[attachment=2039]

enable, it ! some says hey i have a firewall already ! it will conflict !
In fact not, Webroot is not a "traditionnal firewall" , it works differently, it is more a "malware firewall" or outbound connection monitor, it functions as an "additional firewall layer" (if i can say that)
note: Win8 users will not have the possibility to choose a setting.

- network Application -> view network application

[attachment=2040]

check that your other product is allowed.

2- Quarantine

- Detection configuration -> configure

[attachment=2041]

yes it is weird but it is one of the exclusions place...

add every executable of your other security product (example for Comodo IS : cfp.exe, cmdagent.exe, cavscan.exe,etc...)

Quarantine section is not necessary. Webroot maintains a global listing of good files in addition to bad ones and unknown ones. Third-party antivirus software is included in this list. It takes less time for WSA to ask the cloud if the software in question is good, bad, or unknown than it does for you to manually tell it to flag all of those files as good. Additionally, the third-party software is probably going to update a lot, being that it's antivirus software (most-likely old-school definitions based stuff too). When it updates, those files change, and for all real purposes they are new files. The original whitelisting action you would have taken would have whitelisted a certain set of files locally, but it wouldn't account for updates. However, our cloud-based whitelisting does that automatically, which is why you notice no ill effects.

C- System Tool

1- Control Active Processes -> Start

[attachment=2042]

check that all exe of your other product are "allowed" (if monitored their efficiency may be reduced)

On Step C, I'd caution that you want to know for sure what you're telling it to Allow. If you see programs you use all the time in that list and you are positive they are not threats, you can toss them into the Allow column. However, there are two things to consider about this:
1. Don't just go by the name. Some threats will name themselves something convincing in an effort to evade manual detection (think "windows.exe" or even real file names like "smss.exe").
2. Uncertainty should raise suspicion. Obscure names can be bad stuff too. If you see something like aphwef876.exe (I just hit random keys there like a polymorphic infection would rename itself), and it's sitting in a Monitor or Block status, there's a good chance that's an infection.
While some users are tech-savvy enough to be able to investigate entries that are unjustifiably set to Monitor and decide to Allow them, other users who are less tech-savvy would be wise to either A) leave those in Monitor status in case they are later flagged as Bad and need to be automatically rolled back to before WSA first saw them or B) contact Support to determine if such movement to Allow is justified. B is preferred, because any time you ask Support about a file that we are currently marking as Unknown, it prompts us to look at that file right away and determine it. That doesn't just help you - that helps everyone with WSA installed, which is pretty cool when you think about it.

WE ARE FINISHED.

normally Webroot SA should run now with a low CPU & RAM (less than 10mb Working Set on idle.

[attachment=2043]

Edit: i may add other changes if the case is needed.
Edit 2 : procedure to add Webroot to exclusions of various security products will be added by others members and me on the following posts , thanks

note: Thanks to Jim (Webroot Community Leader) to gave me some feedbacks and corrections to the guide.

 

[Plexx]

Thanks for the guide. Much appreciated

 

[Deleted member 178]

no problem

For excluding Webroot from Comodo AV/FW/CIS/


Antivirus -> scanner setting -> exclusions -> add -> browse running processes -> WRSA.exe

[attachment=2044]

Firewall -> define a new trusted application -> predefined policy : trusted -> select -> running processes -> WRSA.exe

[attachment=2045]

Defense+ -> trusted files -> add -> browse running processes -> WRSA.exe

[attachment=2046]

 

[Deleted member 178]

For excluding Webroot from Emsisoft AM (full version)

Guard -> Application rules -> Add new rule -> application path (browse to your webroot folder) -> click WRSA.exe -> always allow this application -> ok

Guard -> File Guard -> Manage whitelist -> Type : folder / Item : browse to Webroot folder -> select it -> ok

or

Guard -> File Guard -> Manage whitelist -> Type : file / Item : browse to WRSA.exe -> select it -> ok

or

Guard -> File Guard -> Manage whitelist -> Type : Process / Item : browse to WRSA.exe -> select it -> ok

 

[Plexx]

Appreciate the CAV exclusions guide. I knew I forgot to do something there.

Its now all set in VM to give a test run (image of my own system).

 

[Deleted member 178]

give us the feedback ^^

 

[Overkill]

Would it be a pain to add screenshots? I think it would help certain people

 

[Deleted member 178]

i will do but it is a lot of screens

 

[Overkill]

No prob bud lol, ty

 

[Deleted member 178]

Done, includes screenshots in the original post and for CIS

 

[Overkill]

Thanks Umbra, man alot of icons in your tray lol
Hey, how convinced are you that your system is almost bulletproof?
Have you ever tried malicious links on your host machine? not that it is a smart thing to do but...lol

 

[Deleted member 178]

im almost sure im bullet proof, why?

My whole system under Shadow defender's Shadow Mode, my browser and download folders are under Sandboxie , in the background my Combo (CIS + EAM + WSA + Spyshelter Premium) is watching . not saying i know what exe i click on

ok imagine i download then click a file with malwares packed-in :

0- the file is in my Sandboxie-watched folders.
1- Sandboxie is activated since i set it to force-sandbox everything is running from those folders.
2- My combo is activated, if the malware is 0-hour, CIS & Spyshelter'HIPS and EAM' BB will surely react, if "old" malwares one of my AVs will surely detect it. not mentionning UAC set as max.
3-if none of the step above contains the malware, highly improbable...i reboot since my system is still under Shadow Mode then no traces of malwares.
4- if in the very very inexpected case, the malware bypass all of them (means i found the super-malware), my Backup image is ready, and in 15mn my system is brand new.

i know Earth will say "so just use SB and SD"



edit: HMP, MBAM, CCE and my malwares removal tools are also in the party ^^

 

[malbky]

The Webroot firewall also needs Windows Firewall to be on. Its same as Trend Micros Firewall. Great guide umbra but I wont be using webroot.

 

[Deleted member 178]

Thanks Malbky, all taste are in the wild

 

[Overkill]

im almost sure im bullet proof, why?

My whole system under Shadow defender's Shadow Mode, my browser and download folders are under Sandboxie , in the background my Combo (CIS + EAM + WSA + Spyshelter Premium) is watching . not saying i know what exe i click on

ok imagine i download then click a file with malwares packed-in :

0- the file is in my Sandboxie-watched folders.
1- Sandboxie is activated since i set it to force-sandbox everything is running from those folders.
2- My combo is activated, if the malware is 0-hour, CIS & Spyshelter'HIPS and EAM' BB will surely react, if "old" malwares one of my AVs will surely detect it. not mentionning UAC set as max.
3-if none of the step above contains the malware, highly improbable...i reboot since my system is still under Shadow Mode then no traces of malwares.
4- if in the very very inexpected case, the malware bypass all of them (means i found the super-malware), my Backup image is ready, and in 15mn my system is brand new.

i know Earth will say "so just use SB and SD"



edit: HMP, MBAM, CCE and my malwares removal tools are also in the party ^^

It's a very rare case indeed, but as we all know nothing is 100%
I'm sure your thread maybe one of the most if not the most popular one on this site!
BTW...How do you have your sandbox configured?

 

[Deleted member 178]

Thanks, if my config thread can help, i will be satisfied ^^

1-My "Download" folder is forced into Sandboxie, ( so everything running from it is isolated) with rights dropped.
2- Comodo Dragon is forced at start into a dedicated sandbox made for banking, right dropped, CD set as leader, CD restricted as the only apps allowed to reach internet and to run into this sandbox, (i emulate OAP banking mode ^^)
3- my DVD/CD drive is forced into its own sandbox, rights dropped.

i am planning to create a "malware testing" dedicated sandbox.

i am a beginner with Sandboxie, so i need some time to master it as i did for CIS ^^

btw, i trying to create another sandbox dedicated to µtorrent where the torrent file is downloaded with Icedragon then my torrent client start automatically to download the file to that folder (forced into a sandbox, if something inside is running). My issue is that it doesn't seems to work.

 

[Plexx]

It's a very rare case indeed, but as we all know nothing is 100%
I'm sure your thread maybe one of the most if not the most popular one on this site!
BTW...How do you have your sandbox configured?

According to statistics, there are 2 configurations that are on the top. umbra's viruses which are spreading out and the antidote (mine).

Ok now seriously, umbra's and my main config are the ones that are most viewed. Umbra still leads in terms of posts

I am also curious to see how did umbra configures his sanboxie. Remember he has SD as a backbone, so I doubt he went heavy on some of the settings.

Nevertheless, I actually got a question: Umbra, do you have SD in shadow mode constantly? And how would you consider Spyshelter's HIPS?

 

[Deleted member 178]

According to statistics, there are 2 configurations that are on the top. umbra's viruses which are spreading out and the antidote (mine).
Ok now seriously, umbra's and my main config are the ones that are most viewed. Umbra still leads in terms of posts

yes coz im older in the forum and changes my config more than you

I am also curious to see how did umbra configures his sanboxie. Remember he has SD as a backbone, so I doubt he went heavy on some of the settings.

posted above

Nevertheless, I actually got a question: Umbra, do you have SD in shadow mode constantly? And how would you consider Spyshelter's HIPS?

depend sometimes i disable shadow mode when i doing safe things or make big change on my system, if not im mostly on Shadow Mode.

About Spyshelter, the HIPS is quite reactive, it is based on rules, means if a process try to affect a component watched by those rules, it trigger the HIPS, then depending the setting you choose , it will ask/auto-deny/auto-allow. one interesting thing, is that those "rules" can be disabled.

[attachment=2062]

SS also has a kind of policy-based Sandbox¨(means it can restricts the selected apps' rights)

[attachment=2063]

also if a process is detected , you can upload it to Virus Total directly from SS Gui.

i will do a review, when i will know more about it.

 

[Plexx]

I shall wait for the review.

I tried played around with Sandboxie in vm, but still unable to come to some sort of a stable way. I know the games I play cant run inside Sandboxie. The patcher which happens to be the launcher gets crippled somehow. I can still launch 2 clients via a batch file that was used to stop gold spammer's on the game's chat channels (yeah its bad I know).

So I perhaps will try to simply have a setting for browsing and perhaps one for downloads but still I am rather beginner on it. On the other laptop I set to run the browser in Sandboxie, but downloads are out of it. Since there has been hardly any downloads that is.

Umbra: as for view popularity, yes you joined the forums before me so you got more views, but not by far (32,449 views vs 17,358 views) <-- Still not bad considering both our configs being totally different A virus is always more popular than the antidote

 

[Deleted member 178]

and when you type on google: "spyshelter comodo compatibility" my config is among the first results