Webroot and a talkative virus

Status
Not open for further replies.
H

hjlbx

It does work! If malware tries to call out it's blocked! The granular control is gone because Windows 8 to 10 had changed the way vendors are able to use the Firewall Controls: Outbound connections fw control in Win 8/ Win 8.1 - Webroot Community



So Webroot doesn't use the new API's so why duplicate them. And yes all vendors have to use Windows API's in there Firewall for Windows 8 to 10.

Other vendors have firewall controls that work with the current Windows API's. Webroot WSA does not.

The way Webroot promotes WSA for W8/10, the average person who reads their website, literature, etc, expects to have functional firewall controls on W8/10.

The bottom line of it, is that there is very little outbound network control with Webroot - because it relies upon Windows Firewall.
 

Triple Helix

Level 1
Jan 18, 2015
11
Other vendors have firewall controls that work with the current Windows API's. Webroot WSA does not.

The way Webroot promotes WSA for W8/10, the average person who reads their website, literature, etc, expects to have functional firewall controls on W8/10.

The bottom line of it, is that there is very little outbound network control with Webroot - because it relies upon Windows Firewall.
Can you read?


PrevxHelp( JoeJ, VP of Development )
wrote:

The firewall in Windows 8 is much easier to work with than previous platforms because of the built in OS controls. Every vendor needs to use the same APIs now (the older methods are deprecated), but that's exactly why we aren't doing it currently - no matter what vendor wraps the APIs, it will be exactly the same underlying calls which are built into the OS, and you can use the OS UI to do the same job if you want to customize it.

The reason why we have the functionality on Windows 7 and not Windows 8 is because Microsoft doesn't expose the same normalized interfaces on Windows 7 (or require vendors to use the new APIs).


So Webroot doesn't use the new API's so why duplicate them. And yes all vendors have to use Windows API's in there Firewall for Windows 8 to 10.

Webroot doesn't duplicate the API's but all vendors have to in there Firewalls. But WSA still has outbound protection if malware tries to call out and you will get a pop-up.

You know I really hate repeating myself so Webroot doesn't want to duplicate the API's that are already there in Win 8 to 10.

31260_377.gif
 
  • Like
Reactions: cLcL
H

hjlbx

But WSA still has outbound protection if malware tries to call out and you will get a pop-up.

It will not in most cases since WSA uses Windows Firewall. Windows Firewall will only throw an outbound alert if the installer\soft does not create WFwAS exceptions - or - it tries to create firewall rules that will permit it to act as a server. This is how Microsoft designed Windows Firewall.

I can send you a bunch of malware samples that trigger no outbound network notification from either WSA or Windows Firewall.

I've thoroughly tested WSA against malware, so I know what it does and does not do.
 
Last edited by a moderator:

Azure

Level 28
Verified
Top Poster
Content Creator
Oct 23, 2014
1,712
Webroot doesn't duplicate the API's but all vendors have to in there Firewalls. But WSA still has outbound protection if malware tries to call out and you will get a pop-up.

You know I really hate repeating myself so Webroot doesn't want to duplicate the API's that are already there in Win 8 to 10.

31260_377.gif
That's very good. But what about files that are deemed unknown by Webroot, would users also get a pop-up if they attempt to connect to the internet?
 
H

hjlbx

Webroot doesn't duplicate the API's but all vendors have to in there Firewalls. But WSA still has outbound protection if malware tries to call out and you will get a pop-up.

When a vendor promotes their product as having a firewall, then the vast majority of users expect - and reasonably so - to have granular firewall controls - and not some pseudo-IDS based upon file tracking.
 
  • Like
Reactions: Online_Sword

Triple Helix

Level 1
Jan 18, 2015
11
There are many levels of Monitoring Unknown Files if a unknown process hits that certain level it will be blocked and during that time ENZO The WIN Cloud is picking it apart see my video's people need to learn before they can judge a product. Also note you don't see me bitching about other Anti-Malwares but I have learned over the years so I know whats best for me and my customers.

Here is some history: Webroot Totally Revamps Product Line
 
H

hjlbx

There are many levels of Monitoring Unknown Files if a unknown process hits that certain level it will be blocked and during that time ENZO The WIN Cloud is picking it apart see my video's people need to learn before they can judge a product. Also note you don't see me bitching about other Anti-Malwares but I have learned over the years so I know whats best for me and my customers.

Here is some history: Webroot Totally Revamps Product Line

It is not user's fault.

It is the manner in which Webroot markets WSA.

In its various marketing materials, Webroot promotes WSA as having integrated firewall.

Most reasonable users interpret this as having firewall controls that function - identical to just about every other internet security suite on the market today.

If I had known WSA did not have granular firewall controls on W8/10, then I - as well as countless others - would not have purchased a license.

This last point is the real issue with Webroot - and not WSA itself. ;)

I suppose the real lesson is this - when it comes to security softs: Try-It-Before-You-Buy-It.

Like I said, most users do not want to rely solely upon file tracking (monitoring) to make network decisions. Their expectation is that WSA will offer granular control - just like it does on W7 - and just like it is marketed.

Afterall, like I've said repeatedly, if Webroot didn't think granular firewall control was worthwhile - then why did they integrate it years ago ?

As it stands, using WSA does not generate outbound firewall notifications. That function is relegated to Windows Firewall - and its capabilities in this area quite limited.
 
Last edited by a moderator:
  • Like
Reactions: Online_Sword
H

hjlbx

There are many levels of Monitoring Unknown Files if a unknown process hits that certain level it will be blocked and during that time ENZO The WIN Cloud is picking it apart see my video's people need to learn before they can judge a product. Also note you don't see me bitching about other Anti-Malwares but I have learned over the years so I know whats best for me and my customers.

Here is some history: Webroot Totally Revamps Product Line

If the monitoring is so good, that firewall is no longer needed, then why did Webroot integrate firewall controls ? Why don't they remove it even for W7 ?

If the monitoring is so good and no need of firewall controls, then why has malware demonstated that malware can accomplish these things with WSA installed:
  • hidden download
  • hidden installation
  • hidden execution
  • hidden install of *.job files for Scheduled Tasks
  • disable UAC
  • disable Windows Firewall
  • disable Task Manager
  • disable Regsitry Editor
  • disable Security Center
  • abuse NET assemblies
  • lock-out user from hidden Admin account
  • lock-out user from Desktop
  • lock-out user from Safe Mode
  • etc
???

Webroot Intelligence Network is not replacement for user granular control(s).
 
Last edited by a moderator:

cLcL

Level 1
Verified
Jan 6, 2015
31
If the monitoring is so good, that firewall is no longer needed, then why did Webroot integrate firewall controls ? Why don't they remove it even for W7 ?

If the monitoring is so good and no need of firewall controls, then why has malware demonstated that malware can accomplish these things with WSA installed:
  • hidden download
  • hidden installation
  • hidden execution
  • hidden install of *.job files for Scheduled Tasks
  • disable UAC
  • disable Windows Firewall
  • disable Task Manager
  • disable Regsitry Editor
  • disable Security Center
  • abuse NET assemblies
  • lock-out user from hidden Admin account
  • lock-out user from Desktop
  • lock-out user from Safe Mode
  • etc
???
Webroot Intelligence Network is not replacement for user granular control(s).
from what you've stated, that means Webroot is bad antivirus. :D for me, Webroot works well in all my PCs so that's that. maybe it's not for testing malware and stuffs. :)

i want to answer some questions though:
for monitored programs (processes): Webroot didn't block monitored programs (processed) to access network. once you allow the programs via windows firewall, they can access the internet (thought they still being monitored by Webroot, so rollback, etc is supposed to be working)

why in w7 there is still firewall control in Webroot:
i think you already knew about this. the firewall method is changed from w8 upward, so *maybe* Webroot thinks it'll take more resource for that capability in W8 upward, and since WF supposedly better in W8 upward (more user friendly and all), Webroot choose to not implement it.
Webroot still has Active Connections viewer and you can make the rule to block unwanted processes in the WF if you want (it's bit annoying, but works OK, i think :D )

and beside, Webroot supposedly has "smart firewall" so i think when some programs/processes want to access to "dangerous" network, it got blocked by Webroot.

and from what you've stated, it looks like that it doesnt work, so (according to you) Webroot is bad av... that's fine though :)
 
Last edited:

Azure

Level 28
Verified
Top Poster
Content Creator
Oct 23, 2014
1,712
There are already products with firewall control on Win8/10. Webroot should be able to easily implement the same. All of Webroot products are paid, so I don't see how they wouldn't have the resources to that.

I don't think @hjlbx is saying that Webroot is a bad antivirus. Simply that they should be honest with their customers, so that customers can be aware of the limitations of the product they intent to buy.
 
H

hjlbx

Webroot still has Active Connections viewer and you can make the rule to block unwanted processes in the WF if you want (it's bit annoying, but works OK, i think :D )

This is non-functional on W8/10.

Webroot relies upon file monitoring\tracking - similar to Bitdefender & Norton. Once a file reaches a certain "threshold" of behavior(s), it will trigger Webroot to block\deny further action(s) on the system.

They can call it whatever they wish - "Smart Firewall", Intrusion Detection System - or just firewall. I have seen their "Smart Firewall" in action - and it will allow the download of malware to the system.

So will Bitdefender, but at least Bitdefender gives the user the option to get firewall alerts and allow\block connections manually.

There is no substitute for manual control over the network.

Disable Webroot's antivirus module and throw a Virussign pack at it.

That pack will smash your system - even with Webroot installed.
 
  • Like
Reactions: Online_Sword

cLcL

Level 1
Verified
Jan 6, 2015
31
There are already products with firewall control on Win8/10. Webroot should be able to easily implement the same. All of Webroot products are paid, so I don't see how they wouldn't have the resources to that.

I don't think @hjlbx is saying that Webroot is a bad antivirus. Simply that they should be honest with their customers, so that customers can be aware of the limitations of the product they intent to buy.
what i meant was the resource for the program, so it wont become bloated or something like that. it still a maybe though.
well, if what @hjlbx post happened in Webroot, so it's a bad antivirus. i cant think otherwise.
well (again), it still has firewall (maybe, supposedly :) ), only the firewall control (granular firewall control) wont work in w8/w10.

This is non-functional on W8/10.

Webroot relies upon file monitoring\tracking - similar to Bitdefender & Norton. Once a file reaches a certain "threshold" of behavior(s), it will trigger Webroot to block\deny further action(s) on the system.

They can call it whatever they wish - "Smart Firewall", Intrusion Detection System - or just firewall. I have seen their "Smart Firewall" in action - and it will allow the download of malware to the system.

So will Bitdefender, but at least Bitdefender gives the user the option to get firewall alerts and allow\block connections manually.

There is no substitute for manual control over the network.

Disable Webroot's antivirus module and throw a Virussign pack at it.

That pack will smash your system - even with Webroot installed.
the viewer is still there. you can see it in PC Security - View Active Connection. the difference (in w7), there are block and allow (and stop iirc) selection. if you found something "weird" there, you can block it using WF (bit annoying though :) )

so that means the WF didnt pop up too? i think it's supposed to be WF's job. if a program want to access network, WF should pop up (psiphon can bypass this, but i dont think any firewall will pop up when running psiphon), if malwares able to bypass WF, then WF is not good, better use another firewall. if the malware able to smash the system when webroot installed, then it means Webroot isnt good, better use other AV/AM. simple isnt it? :D

i'm not Webroot fanboy though, i just think i understand the reason why Webroot doesnt put firewall control in W8/W10 (though it'll be better if it does have, without increasing the resource needed to run it though).

thanks. and do cmiiw :)
 
H

hjlbx

what i meant was the resource for the program, so it wont become bloated or something like that. it still a maybe though.
well, if what @hjlbx post happened in Webroot, so it's a bad antivirus. i cant think otherwise.
well (again), it still has firewall (maybe, supposedly :) ), only the firewall control (granular firewall control) wont work in w8/w10.


the viewer is still there. you can see it in PC Security - View Active Connection. the difference (in w7), there are block and allow (and stop iirc) selection. if you found something "weird" there, you can block it using WF (bit annoying though :) )

so that means the WF didnt pop up too? i think it's supposed to be WF's job. if a program want to access network, WF should pop up (psiphon can bypass this, but i dont think any firewall will pop up when running psiphon), if malwares able to bypass WF, then WF is not good, better use another firewall. if the malware able to smash the system when webroot installed, then it means Webroot isnt good, better use other AV/AM. simple isnt it? :D

i'm not Webroot fanboy though, i just think i understand the reason why Webroot doesnt put firewall control in W8/W10 (though it'll be better if it does have, without increasing the resource needed to run it though).

thanks. and do cmiiw :)

Windows Firewall only alerts for outbound connection for very specific circumstances - if program doesn't create exceptions or it tries to act as Network Server.
 

bjm_

Level 14
Verified
Top Poster
Well-known
May 17, 2015
667
FWIW ~ An example. Installed program update by stand-alone installer. Installed program and new installer are safe as per Norton. Upon update install program reaches out to re-register license. Norton Smart Firewall throws Norton Firewall dialog / alert. xyz program is asking to connect to IP123. Do you want to allow always, allow one time, block always, block one time, etc. Windows Firewall is being managed by vendor application Norton. I don't know what's under Webroot or Norton's hood. I'm aware of Norton settings that prompt with Norton dialog when xyz program asks for outbound connect. I'm home user aware of what Windows tells me. Windows Firewall by default allows outbound.
Am I evil in incarnate by simply asking what WSA will show me for known safe outbound and/or unknown/unknown safe outbound calls. Am I evil in incarnate by simply asking what WSA does with unknown outbound calls until Webroot back end makes a determinate. Am I evil in incarnate by simply asking will WSA journal/roll-back be able to retrieve data sent out prior to Webroot back end determinate.
On my honor. I am not trolling.
 
H

hjlbx

@hjlbx
You probably already read this in Wilders. But it seems TH is starting a push to add granular firewall control
Webroot SecureAnywhere Discussion & Update Thread
Outbound connections fw control in Win 8/ Win 8.1 - Page 2 - Webroot Community

Since I assume other users are interested in the subject, I thought it would be nice to keep them up to date.

The only way to get Webroot to add the firewall controls to W8/10 is for people to be active on the Webroot Community - and keep asking for it. Webroot will not do anything unless people are very vocal about what they want. And I mean you need to be tough-skinned and determined.

Webroot has not really made any significant changes to WSA for years now. I am not sure why this is the case. I remember @Petrovic making a request for some type of notification whenever WSA starts to monitor a file. That is a really good feature request. However, it has not been implemented.

Looking through the Feature Requests on the Webroot Community, it appears most of them have not even been reviewed by Webroot - going back as far as 2012.

Users have to be vocal to get what they want - because it is clearly evident Webroot isn't motivated to make any changes.

With regards to the firewall controls, they have been "considering" their options for years now.

Don't expect this issue to be resolved any time soon.
 
Last edited by a moderator:
H

hjlbx

I challenge anyone to produce a video that shows Webroot Secure Anywhere throwing up an outbound firewall notification; a Webroot alert - and not a Windows Firewall one.
 
H

hjlbx

The truth is Webroot just isn't very good protection without supplementing it with other security softs - like AppGuard, NVT ERP, VooDooShield, Windows Firewall Control, etc.
 

blueblackwow65

Level 23
Verified
Well-known
Dec 19, 2012
1,243
What settings in advanced settings can be unticked ..for example prevent interruption I have unticked and silently and automatically block untrusted to user data unticked .with these 2 unticked will i now just get alerts for me to know ahead if a certain file should be blocked?
I say this because WSA was blocking files from acronis and aomei which made them not work properly ..so what is the best way to go about this.Thks
 
Status
Not open for further replies.

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

User Menu

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top