How WSA works

Umbra

Level 61
Content Creator
Trusted
Joined
May 16, 2011
Messages
17,786
OS
Windows 10
Antivirus
Default-Deny
#1
Many people don't know how Webroot SA protects a computer; many users think that the detection rate is the most important factor when choosing a security solution.

WSA's detection rate is one of the lowest, if we believe some so-called "trustful and independent" test labs (personally I don't trust any of them, only my own experience).

After many requests from our beloved members asking me how it protects and why I keep using it despite its low test-lab results, I asked Webroot for some explanation of WSA's functionality.

Here are my questions on the Webroot beta tester channel:

Umbra Corp. said:
Hi,

I have a question. I heard that WSA can roll back an infection after a new database signature is released; how does it work exactly?

Also, how are my sensitive files protected during the "infection"?

On the security forum where I am a member, many people interested in trying WSA asked me about that.
Then here is the answer from Webroot:

Webroot said:
A unique capability that sets Webroot SecureAnywhere apart from every other antivirus solution is the way unknown or ‘undetermined’ malware is handled, and the automatic remediation that is provided. If a new program is introduced to the machine protected by Webroot SecureAnywhere, and it has no existing relationship to anything else on that machine, then local heuristics and other defenses are automatically applied to make a good or bad determination.

For example, if a suspicious or undetermined program has passed the several layers of local and Webroot Intelligence Network checks, it is monitored extremely closely, and watched to see which files, registry keys and memory locations it alters.

If a monitored program is later found to be behaving maliciously, Webroot SecureAnywhere can step in to block and quarantine it, alert the user and administrator, and proceed to automatically clean up the threat. The journaling function has recorded and remembered the before and after state of each change made (including changes made to local files). So in the rare case that a threat does get through the heuristics, sandbox, and other defenses, the journaling and monitoring of behavior ensures it cannot do any permanent damage to a user's machine.
I hope it can help people who want to try WSA.
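To make the journaling and rollback mechanism Webroot describes above concrete, here is an added, simplified model (written for this thread, not WSA's own code): writes by programs that are not on a known-good list get their pre-image journaled, and a later "malicious" verdict restores every file that program touched while a "good" verdict just discards the journal. The process names, file paths and contents are constructed sample data.

```python
import hashlib
from dataclasses import dataclass, field


@dataclass
class JournaledFS:
    """Toy file system with per-process copy-on-write journaling (illustration only)."""
    files: dict                                   # path -> bytes, the simulated "disk"
    trusted: set = field(default_factory=set)     # process names treated as known-good
    journal: dict = field(default_factory=dict)   # (proc, path) -> pre-image bytes, or None if new

    def write(self, proc, path, data):
        """Apply a write; for an undetermined process, record the state before its first change."""
        if proc not in self.trusted:
            key = (proc, path)
            if key not in self.journal:           # only the pre-image of the first change matters
                self.journal[key] = self.files.get(path)
        self.files[path] = data

    def verdict(self, proc, malicious):
        """Close monitoring of proc: undo its changes if malicious, otherwise keep them.

        Returns the number of journal entries processed."""
        keys = [k for k in self.journal if k[0] == proc]
        for key in keys:
            if malicious:
                pre = self.journal[key]
                if pre is None:
                    self.files.pop(key[1], None)  # file was created by proc: remove it
                else:
                    self.files[key[1]] = pre      # restore the recorded pre-image
            del self.journal[key]
        return len(keys)


def sha256(data):
    """Content hash, as a cloud reputation lookup would key on (constructed helper)."""
    return hashlib.sha256(data).hexdigest()


def demo():
    """Constructed scenario: a trusted editor edits a file, an unknown program then overwrites it."""
    fs = JournaledFS(files={"docs/report.txt": b"quarterly numbers"}, trusted={"editor.exe"})
    fs.write("editor.exe", "docs/report.txt", b"quarterly numbers v2")     # known-good: not journaled
    fs.write("unknown.exe", "docs/report.txt", b"\x9f\x3a encrypted blob")  # undetermined: journaled
    fs.write("unknown.exe", "docs/README_DECRYPT.txt", b"pay up")           # new file: pre-image None
    undone = fs.verdict("unknown.exe", malicious=True)
    return undone, fs.files
```

The editor's legitimate edit survives the rollback because only the undetermined program's changes were journaled; the restored state is the one just before that program's first write.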
 

Umbra

#2
In the latest version, WSA Identity Shield is now compatible with Sandboxie, so your browsing is now isolated and secured.

Sandboxie by default can't block keyloggers, so now WSA will add increased security to Sandboxie.
 

Umbra

#3
New post about why there is no need to set up exclusions for other security software in Webroot SA:

Jim (Webroot Community Leader) said:
Webroot maintains a global listing of good files in addition to bad ones and unknown ones. Third-party antivirus software is included in this list. It takes less time for WSA to ask the cloud if the software in question is good, bad, or unknown than it does for you to manually tell it to flag all of those files as good. Additionally, the third-party software is probably going to update a lot, being that it's antivirus software (most-likely old-school definitions based stuff too). When it updates, those files change, and for all real purposes they are new files. The original whitelisting action you would have taken would have whitelisted a certain set of files locally, but it wouldn't account for updates. However, our cloud-based whitelisting does that automatically, which is why you notice no ill effects.
Good to know, it will save me a lot of time ^^

I suppose that is the reason why we can't exclude folders in WSA.
 

bitbizket

New Member
Joined
Jul 26, 2011
Messages
256
#4
Quoting a source regarding WSA's HIPS-like protection:

Kit wrote:
HIPS, or a Host Intrusion Prevention System is a fancy name for a more complex form of heuristics based on pre-examination of the code for certain attributes that may indicate a malicious payload, and/or runtime analysis of the PE. Calling it "Perfect" or "The best" is more faulty than people realize, simply due to the fact that it's almost if not fully impossible for a computer to make a decision about a program based entirely on its behavior. Attempting to do so either will miss subtle things at a dramatic rate, or end up with so many FPs that it's unusable, or require user input. The third item is the number one way to annoy users.

What is the programmatically-observable behavior difference between a threat and an IRC chat program? Anybody with a decent bit of coding knowledge could write a threat that does only a subset of the things that the mIRC client does, for example. Yet what makes the threat a threat and the IRC client not? The end use of the internal operations, which are impossible for a program to make a decision on. Traditional HIPS is trivial to bypass.

Anyway, it's a moot point, since WSA already does HIPS, and in fact does much more extensive HIPS than a local process alone can perform. Unknown machine code is primed in a sandbox and the code inspected with zero access to system resources. Also, code entry points are investigated, activity is determined, and behavior is compared not just based on local information, but on constant live updates on the cloud, supplemented by live threat researchers. Should something be present and undetected by traditional HIPS alone on, say, 100 machines, the moment it does something bad on one of them, it's wiped off all of them.

More importantly, unlike conventional HIPS that relies on a one-time inspection, anything that hasn't already been defined as known-good is constantly monitored and inspected. Even in cases where initial code inspection and activity monitoring will find nothing suspicious due to a delayed action in the malicious code, the ongoing monitoring can catch it the moment it does something odd.

So we've got you covered on HIPS too, with the intelligence of the cloud data and analysis behind it.
Thanks :)
 
Joined
Feb 5, 2013
Messages
169
OS
Windows 10
Antivirus
Emsisoft
#6
I'm trying Webroot SA and I find it very special.
I had some doubts about its capacity to protect a computer.

One day after, it found a malware that wasn't detected by Avast IS and Emsisoft AM.
Now I understand why it fails on AV-Test and comparative tests. This software takes time to analyze; it has a different behaviour...
The tests of these laboratories are not adapted to it... And now I understand Umbra Corp's comments.

My protection:

Avast IS 8 + Emsisoft AM + Webroot SA

MBAM + SUPERAntiSpyware + IObit AM on demand...
 

kelton

New Member
Joined
Dec 28, 2012
Messages
47
#8
bob974 said:
My protection:

Avast IS 8 + Emsisoft AM + Webroot SA

MBAM + SUPERAntiSpyware + IObit AM on demand...
Are you using three realtime engines (or four if you count EAM as two)?
 
Joined
Feb 5, 2013
Messages
169
OS
Windows 10
Antivirus
Emsisoft
#9
No, Avast is in real time, Emsisoft is on scheduled scan (guardian is deactivated) and Webroot is in real time.

Webroot is a good companion and its scan is permanent.

Now I've put a 134-malware pack in a Sandboxie sandbox.
I don't run an on-demand scan, I'm just waiting...
Webroot found 42 on permanent scan; I'm waiting for the reaction of Emsisoft and Avast (scheduled scan)... So far no detection...
I want to test my protection in real conditions, when malware is always on my computer.
 

iPanik

New Member
Joined
Feb 28, 2011
Messages
495
#10
For example, if a suspicious or undetermined program has passed the several layers of local and Webroot Intelligence Network checks, it is monitored extremely closely, and watched to see which files, registry keys and memory locations it alters.

If a monitored program is later found to be behaving maliciously, Webroot SecureAnywhere can step in to block and quarantine it, alert the user and administrator, and proceed to automatically clean up the threat.
Does that mean that WSA will only interfere after malware has done its dirty deed?

My main issue with WSA is the lack of exclusions. I have a folder where all of my own code lives. I do not want any AV near that place; whatever goes on in that folder, leave it alone.
I also like to put games and other stuff on exclusion lists. The risk of shady stuff going on in the Spotify cache for example is remote at best, so scanning or monitoring that stuff is a waste of resources.
 

Petrovic

Level 61
Trusted
Joined
Apr 25, 2013
Messages
5,276
#11
Why Traditional Antivirus is failing -- Webroot Webinar

Here are 3 great videos with Webroot CEO Dick Williams and Michael Malloy, Executive VP of Product and Strategy of Webroot Inc.

Purshu_Pro

Level 29
Trusted
Joined
Aug 3, 2013
Messages
1,845
OS
Windows 10
Antivirus
Emsisoft
#13
Who can you believe, WSA guys or other AV guys? Everyone says his product is best.
Yeah, everyone says the same thing, but it's up to you to choose the right one! Yeah, you and your PC requirements are primary; next comes what kind you are comfortable with, like price, size, what you use and other stuff.
 

RuJN

New Member
Joined
Feb 8, 2014
Messages
48
#17
Twister also has good proactive detection like Webroot, but the malicious behavior of an unknown program is detected much faster by Twister than by Webroot, and its actions are also rolled back. Twister's proactive security is also good offline, but Webroot's is not, I suppose.
 

Wax

New Member
Joined
May 28, 2014
Messages
24
#18
I was just wondering what happens if some malware that Webroot doesn't recognize is deleted by a secondary scanner. Let's say for example you run some variant of cryptolocker. Webroot doesn't recognize it but monitors and logs all changes it's making to other files. You later run Hitman Pro which deletes the offending process and file. Now what happens to the rollback function of Webroot? Can it still rollback the changes to the files or are they now permanently encrypted?
 

Umbra

#19
Now I have a question. Can WSA roll back a CryptoLocker ransomware's changes? :D
I was just wondering what happens if some malware that Webroot doesn't recognize is deleted by a secondary scanner. Let's say for example you run some variant of cryptolocker. Webroot doesn't recognize it but monitors and logs all changes it's making to other files. You later run Hitman Pro which deletes the offending process and file. Now what happens to the rollback function of Webroot? Can it still rollback the changes to the files or are they now permanently encrypted?
Never tried, but I heard that WSA has a space limit for monitored files, but I'm not sure about it.
 

Wax

#20
Never tried, but I heard that WSA has a space limit for monitored files, but I'm not sure about it.
Thanks for replying. I read about the space limit of monitored files, but I was wondering what happens if the malware is detected and deleted by another scanner. Does that mean that Webroot no longer has a file to monitor and all logging is discarded? If so, maybe it's a bad idea to have a secondary scanner when you're using Webroot.