Webroot and a talkative virus

[woodrowbone]

Hi guys, this is not a review of any kind but I just had to share this with you, maybe someone else saw this behavior from one of the files in the malware hub today? (See pic further down)
The virus started to chat with me, it took a couple of seconds between the "chats" and it looked real, hehe!
I was a bit baffled when the Webroot line came up , did anyone else see this? I think the file is named chekv.exe, and by the way it is named this was probably what it did, checked out what antivirus you did use. Like the virus in the good old days, more fun less serious, I do not know.

I am test driving WSA in Virtualbox, and infected it like 10 hours ago and got a bunch of files in a "monitored" state by WSA.
It is interesting to see WSA "work" its way with the files during the day, one by one, hours later they got detected and removed with a rollback of all changes made by the files.
It is strange to see an infected computer that is not compromised at the same time.
The Identity Shield locks down all the monitored files, and does not let them communicate with the outside world until deemed safe. As they were not safe (unknown) all outgoing connections from the files were blocked.
They have a very interesting way of detecting threats by their behavior, their cloud functions must be among the best out there.

Have great weekend!

/W

 

[Malware1]

Could you upload the file somewhere?

 

[woodrowbone]

Sorry, deleted.
But you will find it in the malware hub thread, I think it was a 4 files zip from today or yesterday?

EDIT! Here you are:https://malwaretips.com/threads/4-malwares.56685/#post-485302

/W

 

[Deleted Member 333v73x]

Well that malware wasn't automated, it new you had Webroot and clearly someone is waiting until someone downloads their malware and they can literally chat with you , very boring but malware developers deserve it!

 

[hjlbx]

LOL... malwares wants to taunt you and mess with your mind.

That's funny...

Anyhow, @woodrowbone, did you monitor the network to verify that Webroot (Identity Shield module) did, indeed, block network access to all the monitored processes ?

You can do this using Windows' built-in Resource Monitor (resmon.exe).

A lot of MT members would be very interested in your findings...

 

[Deleted member 2913]

I am test driving WSA in Virtualbox, and infected it like 10 hours ago and got a bunch of files in a "monitored" state by WSA.

"Monitored" state by WSA

Do you mean after execution they were set to "Monitored" automatically by WSA or you manually set those to Monitor?

 

[woodrowbone]

@ hjlbx I did not monitor this, just did believe Webroot, but I will try again, if I find malware that is monitored that is.

@ yesnoo After execution the files gets monitored by WSA itself.

/W

 

[hjlbx]

@ hjlbx I did not monitor this, just did believe Webroot, but I will try again, if I find malware that is monitored that is.

@ yesnoo After execution the files gets monitored by WSA itself.

/W

@woodrowbone

I suggest try sample that talks back to you...

 

[hjlbx]

@woodrowbone

WSA does not block network activity for Monitored programs until verified safe. It will allow them until the Webroot Intelligence Network deems the file unsafe - and then blocks network access and\or rollback the system.

WSA on W8\10 relies upon Windows Firewall to block suspcious\malicious network activity.

Built-in Windows Firewall has limited detection and blocking capabilities.

On W8\10 the WSA Firewall Controls are non-functional - but Webroot does not openly let users know this before installation of WSA !

WSA Firewall Controls only work on W7.

The reason the WSA Firewall Controls are non-functiona on W8/10 l is because of the way that Microsoft implemented Windows Firewall on W8\10.

So it really isn't a Webroot issue, but - despite Microsoft making the changes since W8 - it is a long-standing user gripe that Webroot refuses to implement simple outbound firewall notifications on W8\10.

Webroot can do it, they just refuse to do it - for whatever reason(s) - since 2012.

I personally have a real problem with the fact that Webroot:

Does not inform potential users or during installation of the fact that WSA Firewall Controls are non-functional on W8/10 - anywhere.

Webroot does not officially state anything about the non-functional WSA Firewall Controls on W8/10 in their product data sheets, website, EULA, etc.

Only mention of it can be found on the Webroot Community forum:

My Webroot firewall and Windows 10 - Webroot Community

The Webroot Community members that state that Windows Firewall provides sufficient security shows that they have a lack of understanding of how Windows Firewall works; Windows Firewall with Advance Security blocks outbound notifications - and generates alerts - only in very specific cases.

Here is an explanation of built-in Windows Firewall and outbound notifications - and a whole lot of other rubbish...:

Network Security: Windows Firewall: Your System’s Best DefenseNetwork Security: Windows Firewall: Your System’s Best Defense

NOTE this sentence in the above article: "This means that you will see prompts from the Windows Firewall on occasion, generally when you install programs that do not add their own exceptions to the Windows Firewall’s list."

It is rare for an installer not to add firewall exceptions ! So that means in the vast majority of cases, Windows Firewall will not generate any firewall alerts.

The other case is when an installer\program attempts to modify Windows Firewall rules so that it can act as a server:

Why You Don’t Need an Outbound Firewall On Your Laptop or Desktop PC

It appears that Webroot adheres to the perspective in the above HowToGeek article - that a firewall is not necessary for most users to increase security - I guess in the case of W8/10 it is convenient for Webroot to adopt this perspective.

However, if Windows Firewall is so good at securing the system, then why did Webroot implement Firewall Controls to begin with - starting with W7 ?

 

[Venustus]

@woodrowbone

WSA does not block network activity for Monitored programs until verified safe. It will allow them until the Webroot Intelligence Network deems the file unsafe - and then rollback the system.

WSA on W8\10 relies upon Windows Firewall to block suspcious\malicious network activity.

Built-in Windows Firewall has limited detection and blocking capabilities.

On W8\10 the WSA Firewall Controls are non-functional - but Webroot does not openly let users know this before installation of WSA !

WSA Firewall Controls only work on W7.

The reason the WSA Firewall Controls are non-functiona on W8/10 l is because of the way that Microsoft implemented Windows Firewall on W8\10.

So it really isn't a Webroot issue, but - despite Microsoft making the changes since W8 - it is a long-standing user gripe that Webroot refuses to implement simple outbound firewall notifications on W8\10.

Webroot can do it, they just refuse to do it - for whatever reason(s) - since 2012.

I personally have a real problem with the fact that Webroot:

Does not inform potential users or during installation of the fact that WSA Firewall Controls are non-functional on W8/10 - anywhere.

I found this out too,ONLY after installing it, that there was no independent firewall component in WSA!
Nevertheless, Win10 firewall is pretty good for the average user!!

 

[Triple Helix]

More trash talk that's why I still don't like this place @illumination

Daniel

 

[Triple Helix]

 

[hjlbx]

More trash talk that's why I still don't like this place @illumination

Daniel

How are cold, hard facts trash ?

The truth about Webroot hurts - dunnit ?

Webroot needs to be open and forthright about its limitations on W8/10 - you know, the whole "transparency" thing.

I personally think Webroot doesn't tell potential users about it because of one thing - $$$.

If Webroot were to communicate the facts about the WSA Firewall Controls, then fewer users will subscribe - and that's a cold, hard fact too.

 

[Janl1992l]

What have this videos todo with the thread? I dont understand. Its a fact that the wsa firewall is not working on 8/10 and webroot does simply does not inform costumers about it the way it should. If u do not like this place, u dont need to write here.

 

[hjlbx]

That's the point people don't understand, so they don't understand and they trash talk about what things they know nothing of! Learn to use it before trash talking. I have been in this field for over 20 years I used them all, now I don't I stick with what works.

I do understand - completely.

WSA Windows Firewall controls do not function on W8/10 - and Windows Firewall is entirely insufficient for outbound attacks.

For the average home user, the attack is not external, but internal for 99.9999 % of infections.

Anyone that knows even the most basic thing about Windows Firewall - understands that it is very limited in its outbound capabilities.

 

[hjlbx]

Your a noobie here and at Wilders so is Trolling your only gift to mankind? Cya.

Now who doesn't know what they're talking about... LOL.

Webroot Fanboy can't accept the truth - so lashes out at others ?

 

[Azure]

That's the point people don't understand, so they don't understand and they trash talk about what things they know nothing of! Learn to use it before trash talking. I have been in this field for over 20 years I used them all, now I don't I stick with what works.

Simple question: Why doesn't Webroot inform users on their webpage that their firewall component doesn't work properly for Win8/10?
And please no "Windows firewall is sufficient" because that would be irrelevant.

 

[Triple Helix]

It does work! If malware tries to call out it's blocked! The granular control is gone because Windows 8 to 10 had changed the way vendors are able to use the Firewall Controls: Outbound connections fw control in Win 8/ Win 8.1 - Webroot Community

PrevxHelp( JoeJ, VP of Development )

wrote:

The firewall in Windows 8 is much easier to work with than previous platforms because of the built in OS controls. Every vendor needs to use the same APIs now (the older methods are deprecated), but that's exactly why we aren't doing it currently - no matter what vendor wraps the APIs, it will be exactly the same underlying calls which are built into the OS, and you can use the OS UI to do the same job if you want to customize it.

The reason why we have the functionality on Windows 7 and not Windows 8 is because Microsoft doesn't expose the same normalized interfaces on Windows 7 (or require vendors to use the new APIs).

So Webroot doesn't use the new API's so why duplicate them. And yes all vendors have to use Windows API's in there Firewall for Windows 8 to 10.

 

[hjlbx]

It does work! If malware tries to call out it's blocked! The granular control is gone because Windows 8 to 10 had changed the way vendors are able to use the Firewall Controls: Outbound connections fw control in Win 8/ Win 8.1 - Webroot Community



So Webroot doesn't use the new API's so why duplicate them. And yes all vendors have to use Windows API's in there Firewall for Windows 8 to 10.

Really ?

Take malicious script, *.js, that is a downloader.

Windows Firewall won't block outbound connections for it - nor any of a whole host of other malwares.

Windows Firewall will only alert to outbound connections for very specific cases - and those cases are uncommon - and that is how Microsoft designed Windows Firewall.

Those limitations are the very reason why Webroot included the Firewall Controls years ago...

I recall a Webroot staff or comunnity member that posted on the Webroot Community forum to use BiniSoft's Windows Firewall Control - since WSA Firewall Controls do not function on W8/10 !

The point is not that WSA Firewall Controls do not work. If you read through the entire thread, you will see the real issue is that Webroot doesn't inform potential users that the controls are legitimately non-functional.

Anyhow, anyone interested to test out Windows Firewall outbound notifications themselves has free access to a virtually unlimited supply of samples in the Malware Hub.

It is trivial to verify what I have posted in this thread...

 

[Triple Helix]

Re: Malvertising, weaponized documents continue to... - Webroot Community