Webroot and a talkative virus

Discussion in 'Webroot' started by woodrowbone, Feb 26, 2016.

  1. woodrowbone

    woodrowbone Level 8

    Dec 24, 2011
    Hi guys, this is not a review of any kind but I just had to share this with you, maybe someone else saw this behavior from one of the files in the malware hub today? (See pic further down)
    The virus started to chat with me, it took a couple of seconds between the "chats" and it looked real, hehe!
    I was a bit baffled when the Webroot line came up :eek:, did anyone else see this? I think the file is named chekv.exe, and by the way it is named, that was probably what it did: checked out which antivirus you used. Like the viruses in the good old days, more fun, less serious, I do not know.

    I am test driving WSA in Virtualbox, and infected it like 10 hours ago and got a bunch of files in a "monitored" state by WSA.
    It is interesting to see WSA "work" its way with the files during the day, one by one, hours later they got detected and removed with a rollback of all changes made by the files.
    It is strange to see an infected computer that is not compromised at the same time.
    The Identity Shield locks down all the monitored files, and does not let them communicate with the outside world until deemed safe. As they were not safe (unknown) all outgoing connections from the files were blocked.
    They have a very interesting way of detecting threats by their behavior, their cloud functions must be among the best out there.

    Have great weekend!

    KGBagent47, Jrs30, cLcL and 10 others like this.
  2. Malware1

    Malware1 New Member

    Sep 28, 2011
    Could you upload the file somewhere?
  3. woodrowbone

    woodrowbone Level 8

    Dec 24, 2011
    Tornado likes this.
  4. Tornado

    Tornado New Member

    Nov 22, 2015
    Well that malware wasn't automated, it knew you had Webroot and clearly someone is waiting until someone downloads their malware and they can literally chat with you :p, very boring but malware developers deserve it!
    jamescv7, safe1st, venustus and 2 others like this.
  5. hjlbx

    hjlbx Guest

    LOL... malware wants to taunt you and mess with your mind.

    That's funny...

    Anyhow, @woodrowbone, did you monitor the network to verify that Webroot (Identity Shield module) did, indeed, block network access to all the monitored processes ?

    You can do this using Windows' built-in Resource Monitor (resmon.exe).

    A lot of MT members would be very interested in your findings...
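    As an added example (not code posted by anyone in this thread), here is a scriptable stand-in for watching resmon.exe by hand: it polls the TCP connection table, keeps only sockets owned by the process names you give it, and appends every new remote endpoint it sees to a CSV. The process name `chekv` is only a placeholder taken from the first post; the log path and interval are assumptions. It assumes Windows 8 or later (NetTCPIP module) and an elevated PowerShell session so that `OwningProcess` resolves for every process.

```powershell
# Added example: log outbound TCP endpoints of selected processes over time.
# Assumptions: Windows 8+/Server 2012+, elevated session, process names given without ".exe".
param(
    [string[]]$ProcessNames = @('chekv'),            # placeholder names to watch
    [int]$Seconds = 600,                             # how long to observe
    [int]$IntervalSeconds = 2,                       # polling interval
    [string]$LogPath = "$env:TEMP\outbound-observed.csv"
)

# Local/unspecified addresses are not evidence of outbound activity.
$ignoreRemote = @('0.0.0.0', '::', '127.0.0.1', '::1')
$seen = @{}
$deadline = (Get-Date).AddSeconds($Seconds)

while ((Get-Date) -lt $deadline) {
    # Resolve the watched names to PIDs on every pass, since samples respawn.
    $targets = Get-Process -Name $ProcessNames -ErrorAction SilentlyContinue
    if ($targets) {
        $targetPids = @($targets.Id)
        Get-NetTCPConnection -OwningProcess $targetPids -ErrorAction SilentlyContinue |
            Where-Object { $ignoreRemote -notcontains $_.RemoteAddress } |
            ForEach-Object {
                # De-duplicate on PID + remote endpoint + state so the CSV stays readable.
                $key = "$($_.OwningProcess)|$($_.RemoteAddress)|$($_.RemotePort)|$($_.State)"
                if (-not $seen.ContainsKey($key)) {
                    $seen[$key] = $true
                    $proc = $targets | Where-Object Id -eq $_.OwningProcess | Select-Object -First 1
                    [pscustomobject]@{
                        Time    = (Get-Date).ToString('s')
                        Process = $proc.ProcessName
                        PID     = $_.OwningProcess
                        Remote  = "$($_.RemoteAddress):$($_.RemotePort)"
                        State   = $_.State
                    } | Export-Csv -Path $LogPath -Append -NoTypeInformation
                }
            }
    }
    Start-Sleep -Seconds $IntervalSeconds
}

Write-Host "Observed $($seen.Count) distinct endpoint/state combinations; log at $LogPath"
```

    Read the result with care: a SYN_SENT entry that never reaches ESTABLISHED is a connection attempt that went unanswered or was dropped, while an empty log means either that the sample never tried to connect or that something stopped the socket before the connection table saw it. To tell those apart, also turn on dropped-packet logging for the firewall profiles (`Set-NetFirewallProfile -All -LogBlocked True`) and compare the firewall log with this CSV.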
  6. Yash Khan

    Yash Khan Level 51

    Oct 22, 2012
    "Monitored" state by WSA

    Do you mean after execution they were set to "Monitored" automatically by WSA or you manually set those to Monitor?
    safe1st, venustus and CySecy825 like this.
  7. woodrowbone

    woodrowbone Level 8

    Dec 24, 2011
    @hjlbx I did not monitor this, I just believed Webroot, but I will try again, if I find malware that is monitored, that is.

    @yesnoo After execution the files get monitored by WSA itself.

  8. hjlbx

    hjlbx Guest


    I suggest try sample that talks back to you... :D
    venustus likes this.
  9. hjlbx

    hjlbx Guest

    #9 hjlbx, Feb 26, 2016
    Last edited by a moderator: Mar 1, 2016

    WSA does not block network activity for Monitored programs until verified safe. It will allow them until the Webroot Intelligence Network deems the file unsafe - and then blocks network access and\or rolls back the system.

    WSA on W8\10 relies upon Windows Firewall to block suspicious\malicious network activity.

    Built-in Windows Firewall has limited detection and blocking capabilities.

    On W8\10 the WSA Firewall Controls are non-functional - but Webroot does not openly let users know this before installation of WSA !

    WSA Firewall Controls only work on W7.

    The reason the WSA Firewall Controls are non-functional on W8/10 is because of the way that Microsoft implemented Windows Firewall on W8\10.

    So it really isn't a Webroot issue, but - despite Microsoft making the changes since W8 - it is a long-standing user gripe that Webroot refuses to implement simple outbound firewall notifications on W8\10.

    Webroot can do it, they just refuse to do it - for whatever reason(s) - since 2012.

    I personally have a real problem with the fact that Webroot:

    Does not inform potential users or during installation of the fact that WSA Firewall Controls are non-functional on W8/10 - anywhere.

    Webroot does not officially state anything about the non-functional WSA Firewall Controls on W8/10 in their product data sheets, website, EULA, etc.

    Only mention of it can be found on the Webroot Community forum:

    My Webroot firewall and Windows 10 - Webroot Community

    The Webroot Community members that state that Windows Firewall provides sufficient security show that they have a lack of understanding of how Windows Firewall works; Windows Firewall with Advanced Security blocks outbound connections - and generates alerts - only in very specific cases.

    Here is an explanation of built-in Windows Firewall and outbound notifications - and a whole lot of other rubbish...:

    Network Security: Windows Firewall: Your System’s Best Defense

    NOTE this sentence in the above article: "This means that you will see prompts from the Windows Firewall on occasion, generally when you install programs that do not add their own exceptions to the Windows Firewall’s list."

    It is rare for an installer not to add firewall exceptions ! So that means in the vast majority of cases, Windows Firewall will not generate any firewall alerts.

    The other case is when an installer\program attempts to modify Windows Firewall rules so that it can act as a server:

    Why You Don’t Need an Outbound Firewall On Your Laptop or Desktop PC

    It appears that Webroot adheres to the perspective in the above HowToGeek article - that a firewall is not necessary for most users to increase security - I guess in the case of W8/10 it is convenient for Webroot to adopt this perspective.

    However, if Windows Firewall is so good at securing the system, then why did Webroot implement Firewall Controls to begin with - starting with W7 ?
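    To let readers check the outbound behaviour being argued about on their own machine rather than take either side's word for it, here is an added audit script (not from this thread, not Webroot's or Microsoft's code). It reads each firewall profile's default outbound action, counts the enabled outbound allow rules and shows which of them apply to "Any" program, which is the case that lets an unknown executable out without a prompt. It assumes Windows 8 or later with the NetSecurity module and an elevated session; the function name is my own.

```powershell
# Added example: audit whether Windows Firewall would stop an unknown program's outbound traffic.
# Assumptions: Windows 8+, NetSecurity module present, elevated PowerShell session.
function Get-OutboundPosture {
    # Per-profile defaults: an unknown program with no matching rule gets DefaultOutboundAction.
    $profiles = Get-NetFirewallProfile |
        Select-Object Name, Enabled, DefaultOutboundAction, LogBlocked, LogFileName

    # Enabled outbound allow rules, resolved to the program each one is scoped to.
    $allowRules = @(Get-NetFirewallRule -Direction Outbound -Enabled True -Action Allow)
    $apps = foreach ($rule in $allowRules) {
        $filter = $rule | Get-NetFirewallApplicationFilter
        [pscustomobject]@{
            Rule    = $rule.DisplayName
            Program = $filter.Program      # "Any" means the rule is not tied to one executable
            Profile = $rule.Profile
        }
    }

    [pscustomobject]@{
        Profiles               = $profiles
        OutboundAllowRuleCount = $allowRules.Count
        AnyProgramAllowRules   = @($apps | Where-Object Program -eq 'Any')
        ProgramAllowRules      = @($apps | Where-Object Program -ne 'Any')
    }
}

$posture = Get-OutboundPosture
$posture.Profiles | Format-Table -AutoSize

foreach ($p in $posture.Profiles) {
    if ($p.DefaultOutboundAction -ne 'Block') {
        Write-Warning ("{0}: default outbound action is {1}; a program with no block rule " +
                       "can connect out without any prompt.") -f $p.Name, $p.DefaultOutboundAction
    }
    if (-not $p.LogBlocked) {
        Write-Warning "$($p.Name): dropped connections are not being logged (LogBlocked is off)."
    }
}

"Enabled outbound allow rules: $($posture.OutboundAllowRuleCount)"
"  of which scoped to 'Any' program: $($posture.AnyProgramAllowRules.Count)"
$posture.AnyProgramAllowRules | Format-Table Rule, Profile -AutoSize

# Turning the default to Block is the setting that produces a deny-by-default posture;
# it is shown here as a comment only, because every program you rely on then needs its own allow rule:
#   Set-NetFirewallProfile -All -DefaultOutboundAction Block
```

    On a stock installation the default outbound action is Allow on every profile, so the warning above fires and the "Any program" rule list is non-empty; that combination is the concrete form of the point made in the post above, that no alert is raised for a new executable unless a rule or the default says otherwise.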


  10. venustus

    venustus Level 43
    Content Creator Trusted

    Dec 30, 2012
    Windows 10
    I found this out too, ONLY after installing it, that there was no independent firewall component in WSA!:rolleyes:
    Nevertheless, Win10 firewall is pretty good for the average user!!;)
  11. Triple Helix

    Triple Helix New Member

    Jan 18, 2015
    More trash talk that's why I still don't like this place @illumination

    Daniel :rolleyes:
  12. Triple Helix

    Triple Helix New Member

    Jan 18, 2015
  13. hjlbx

    hjlbx Guest

    #13 hjlbx, Feb 26, 2016
    Last edited by a moderator: Feb 26, 2016
    How are cold, hard facts trash ?

    The truth about Webroot hurts - dunnit ?

    Webroot needs to be open and forthright about its limitations on W8/10 - you know, the whole "transparency" thing.

    I personally think Webroot doesn't tell potential users about it because of one thing - $$$.

    If Webroot were to communicate the facts about the WSA Firewall Controls, then fewer users will subscribe - and that's a cold, hard fact too.
    Online_Sword, Rishi, SHvFl and 3 others like this.
  14. Janl1992l

    Janl1992l Level 10

    Feb 14, 2016
    Windows 10
    What do these videos have to do with the thread? I don't understand. It's a fact that the WSA firewall is not working on 8/10 and Webroot simply does not inform customers about it the way it should. If you do not like this place, you don't need to write here.
    Online_Sword and Nightwalker like this.
  15. hjlbx

    hjlbx Guest

    I do understand - completely.

    WSA Windows Firewall controls do not function on W8/10 - and Windows Firewall is entirely insufficient for outbound attacks.

    For the average home user, the attack is not external, but internal for 99.9999 % of infections.

    Anyone that knows even the most basic thing about Windows Firewall - understands that it is very limited in its outbound capabilities.
  16. hjlbx

    hjlbx Guest

    Now who doesn't know what they're talking about... LOL.

    Webroot Fanboy can't accept the truth - so lashes out at others ?
  17. Azure Phoenix

    Azure Phoenix Level 20

    Oct 23, 2014
    Puerto Rico
    Simple question: Why doesn't Webroot inform users on their webpage that their firewall component doesn't work properly for Win8/10?
    And please no "Windows firewall is sufficient" because that would be irrelevant.
    Online_Sword likes this.
  18. Triple Helix

    Triple Helix New Member

    Jan 18, 2015
    It does work! If malware tries to call out it's blocked! The granular control is gone because Windows 8 to 10 had changed the way vendors are able to use the Firewall Controls: Outbound connections fw control in Win 8/ Win 8.1 - Webroot Community

    So Webroot doesn't use the new APIs, so why duplicate them. And yes, all vendors have to use Windows APIs in their Firewall for Windows 8 to 10.
    cLcL likes this.
  19. hjlbx

    hjlbx Guest

    #19 hjlbx, Feb 26, 2016
    Last edited by a moderator: Feb 26, 2016
    Really ?

    Take a malicious script, *.js, that is a downloader.

    Windows Firewall won't block outbound connections for it - nor any of a whole host of other malwares.

    Windows Firewall will only alert to outbound connections for very specific cases - and those cases are uncommon - and that is how Microsoft designed Windows Firewall.

    Those limitations are the very reason why Webroot included the Firewall Controls years ago...

    I recall a Webroot staff or community member that posted on the Webroot Community forum to use BiniSoft's Windows Firewall Control - since WSA Firewall Controls do not function on W8/10 !

    The point is not that WSA Firewall Controls do not work. If you read through the entire thread, you will see the real issue is that Webroot doesn't inform potential users that the controls are legitimately non-functional.

    Anyhow, anyone interested to test out Windows Firewall outbound notifications themselves has free access to a virtually unlimited supply of samples in the Malware Hub.

    It is trivial to verify what I have posted in this thread...