Webroot Protections as Explained by Webroot Employee


hjlbx

Thread author
Source: Reddit AMA - We are Webroot, and we are here to answer all your questions • /r/sysadmin

Specifically addresses a question regarding ransomware, but the outlined protection mechanisms and algorithms are generally applied to all malware types. Take note that the explanation below references the Enterprise version of Webroot. However, once again, the protection mechanisms are essentially the same for Webroot's consumer products.

TylerWebroot 37 points 1 year ago

Great Question!

So there are multiple ways we go about detecting Encrypting Ransomware.

First - is going to be by hash detection from the cloud on the dropper. You don't just get cryptolocker immediately from a phishing email. Typically it's a zeus dropper that communicates to a command and control server which will then take already gathered info about your PC and then based on that info drop the appropriate encrypting ransomware pre-built for your PC environment, because different operating systems may have different policies and require different commands to take control. Our detection on zero-day Zeus drops is some of the best around so we'll likely get the "invoice.scr" or whatever email attachment was before it even downloads Cryptolocker.

Second - would be the scenario where the zeus drop wasn't detected and was able to download the payload from the command and control server. We would then have cloud-based detection based on that MD5 hash of Cryptolocker which was just downloaded and would be detected in real time before execution.

Third - would be the scenario where we don't get the Zeus dropper and we don't get the Encrypting ransomware payload through cloud detection. We would then have a preview analysis stage where there is behavioral and heuristics being applied before execution. A LOT of encrypting ransomware is going to make sure you don't get your files back and the most common way is deleting the VSS (Volume Shadow Service) so you can't use tools like Shadow Explorer. We would detect on any unknown process trying to take action on vssadmin.exe to delete the restore points. We also have many other classifications of heuristics based off of many other attributes common with encrypting ransomware - like unique registry entries, etc.

Fourth - would be a scenario in which cloud detection on dropper and encrypting ransomware AND heuristics also didn't detect it. This is the part where journaling kicks in so every action by the unknown file or process is recorded. If a file that was previously unknown gets classified as bad, it is quarantined and all actions reversed as recorded by the journaling. This includes restoring back registry entries and backup snapshots of the files from before modification. We'll revert all changes made to all files on the operating system once a determination is received (15min - 4hours).

In addition to all that Jazz...Webroot has backup features built into our product that allow you to have directories constantly synced to the cloud. If you were to get infected by a zero day variant of encrypting ransomware you can just restore your files back as we save a snapshot history for each of your files up to ten previous copies.

TL;DR We protect you from cryptolocker through cloud detection, heuristics, journaling, and cloud storage. WE GOT DIS
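The third and fourth layers in the quoted answer (a heuristic on an unknown process driving vssadmin.exe to delete restore points, then a journal of the process's actions that is reverted once a determination arrives) as a small Python simulation. This is an added example written for this page, not Webroot's code: the Monitor, Journal and run_demo names, the simulated disk and Run key, and the invoice.scr scenario are constructed here, and the wmic and WMI/PowerShell shadow-copy patterns are a generalization of the vssadmin case, not something the post mentions.

```python
"""Added example, not Webroot's code: a toy version of layers three and four from
the post. Unknown processes get a journal of file and registry pre-images, a
heuristic flags any of them that drives vssadmin.exe to delete shadow copies,
and a 'bad' verdict reverts everything the journal recorded."""
import re
from dataclasses import dataclass, field
from typing import Optional

# Layer 3 heuristic from the post: an unknown process deleting restore points via
# vssadmin.exe. The wmic and WMI/PowerShell forms are an addition here (assumption:
# commonly used equivalents, not mentioned on the page).
SHADOW_DELETE_PATTERNS = [
    re.compile(r"\bvssadmin(\.exe)?\b.*\bdelete\s+shadows\b", re.I),
    re.compile(r"\bwmic(\.exe)?\b.*\bshadowcopy\s+delete\b", re.I),
    re.compile(r"\bWin32_ShadowCopy\b.*\b(Delete\(|Remove-(Wmi|Cim)Instance)", re.I),
]


def is_shadow_delete(cmdline: str) -> bool:
    return any(p.search(cmdline) for p in SHADOW_DELETE_PATTERNS)


@dataclass
class Journal:
    """Everything one unknown process changed, with the pre-image of each item."""
    image: str
    files: dict = field(default_factory=dict)     # path -> bytes before first write (None: absent)
    registry: dict = field(default_factory=dict)  # value name -> value before first set (None: absent)
    flagged: bool = False


class Monitor:
    def __init__(self, fs: dict, reg: dict, known_good: set):
        self.fs, self.reg, self.known_good = fs, reg, known_good  # simulated disk and Run key
        self.journals = {}                        # pid -> Journal, for unknown images only

    def process_start(self, pid: int, ppid: Optional[int], image: str, cmdline: str) -> None:
        if image not in self.known_good:          # unknown image: start journaling it
            self.journals[pid] = Journal(image)
        if is_shadow_delete(cmdline):             # flag the journaled process behind the command
            for p in (pid, ppid):                 # (the parent, when vssadmin.exe is the child)
                if p in self.journals:
                    self.journals[p].flagged = True

    def file_write(self, pid: int, path: str, data: bytes) -> None:
        j = self.journals.get(pid)
        if j is not None and path not in j.files:
            j.files[path] = self.fs.get(path)     # snapshot once, before the first modification
        self.fs[path] = data

    def reg_set(self, pid: int, name: str, value: str) -> None:
        j = self.journals.get(pid)
        if j is not None and name not in j.registry:
            j.registry[name] = self.reg.get(name)
        self.reg[name] = value

    def verdict(self, pid: int, bad: bool) -> int:
        """A determination arrives for the process; on 'bad', undo every recorded
        change. Returns the number of items reverted."""
        j = self.journals.pop(pid)
        if not bad:
            return 0
        for path, before in j.files.items():
            if before is None:
                self.fs.pop(path, None)           # file the process created: delete it
            else:
                self.fs[path] = before            # file it modified: restore the pre-image
        for name, before in j.registry.items():
            if before is None:
                self.reg.pop(name, None)
            else:
                self.reg[name] = before
        return len(j.files) + len(j.registry)


def run_demo() -> dict:
    """Constructed scenario: invoice.scr encrypts two documents in place (one twice),
    drops a note, adds persistence, then deletes shadow copies through a child."""
    docs = "C:/Users/bob/Documents/"
    tmp = "C:/Users/bob/AppData/Local/Temp/invoice.scr"
    fs = {docs + "report.docx": b"quarterly numbers", docs + "photo.jpg": b"\xff\xd8jpeg"}
    reg = {"OneDrive": "C:/Program Files/OneDrive.exe"}
    m = Monitor(fs, reg, known_good={"C:/Windows/System32/vssadmin.exe"})
    m.process_start(4321, 1200, tmp, "invoice.scr")
    m.file_write(4321, docs + "report.docx", b"ENC-pass-1")
    m.file_write(4321, docs + "report.docx", b"ENC-pass-2")   # pre-image kept from the first pass
    m.file_write(4321, docs + "photo.jpg", b"ENC-pass-1")
    m.file_write(4321, docs + "HOW_TO_DECRYPT.txt", b"pay us")
    m.reg_set(4321, "OneDrive", tmp)                          # hijacks an existing Run value
    m.reg_set(4321, "Updater", tmp)                           # adds a new one
    m.process_start(4400, 4321, "C:/Windows/System32/vssadmin.exe",
                    "vssadmin.exe delete shadows /all /quiet")
    flagged = m.journals[4321].flagged
    reverted = m.verdict(4321, bad=flagged)                   # here the heuristic is the verdict
    return {"flagged": flagged, "reverted": reverted, "fs": fs, "reg": reg}


if __name__ == "__main__":
    print(run_demo())
```

Two limits of this model are worth noticing, and the thread raises one of them later on. The journal reverts only what it recorded: the documents come back from the journal's own pre-images, not from VSS, and the shadow copies that vssadmin.exe already deleted stay deleted. And nothing in it undoes reads, so anything read or sent out during the monitoring window is gone regardless of the rollback.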
 

FleischmannTV

And just shortly later in the sequel to that discussion none other than an actual Webroot employee explains how mighty journaling is circumvented by trivial process hollowing. Maybe they've finally fixed it now and this is supposed to be the new "ENHANCED! Anti-Ransomware".

Just think of it, a product, which supposedly places such an emphasis on process behavior monitoring, has been utterly defeated by process hollowing for all these years. Or maybe it still is, I don't know if it has actually been fixed. It's a joke regardless.
 

hjlbx

Thread author
And just shortly later in the sequel to that discussion none other than an actual Webroot employee explains how mighty journaling is circumvented by trivial process hollowing. Maybe they've finally fixed it now and this is supposed to be the new "ENHANCED! Anti-Ransomware".

Just think of it, a product, which supposedly places such an emphasis on process behavior monitoring, has been utterly defeated by process hollowing for all these years. Or maybe it still is, I don't know if it has actually been fixed. It's a joke regardless.

I think with Webroot's implementation, protecting against process hollowing might be quite difficult. Anyhow, from the context of the discussion I think they found a way to detect it.

Well, anyway @FleischmannTV - you of all people know how difficult it is to get direct, accurate answers on such matters.

My reply is not meant as a bash - it just is what it is.
 

Morvotron

Wow, this is a really nice move. Thanks for the info mate.

I can't guess why well known and high quality products such as Symantec's or Kaspersky's haven't applied sophisticated tools against ransomware. Especially Norton, since KAV did at least some job on my tests.
 

hjlbx

Thread author
Wow, this is a really nice move. Thanks for the info mate.

I can't guess why well known and high quality products such as Symantec's or Kaspersky's haven't applied sophisticated tools against ransomware. Especially Norton, since KAV did at least some job on my tests.

Not sure what you mean here. Symantec and Kaspersky are leaders in implementation of sophisticated protections. They are just limited by money and the current state of IT technology & software engineering...
 

Morvotron

Not sure what you mean here. Symantec and Kaspersky are leaders in implementation of sophisticated protections. They are just limited by money and the current state of IT technology & software engineering...
I mean on ransomware protection. The tests I did were nice fails, and I've seen on the web, mostly here, Norton needs to improve its protection against this malware.

I totally do not mean protection at all. Just vs ransomware.
 

hjlbx

Thread author
I mean on ransomware protection. The tests I did were nice fails, and I've seen on the web, mostly here, Norton needs to improve its protection against this malware.

I totally do not mean protection at all. Just vs ransomware.

It's kind of late for security suites to not have most ransomware covered - innit?

Of course, there will be exceptions. However, I would think Norton would have their problems sorted out by now. Just never know in this security soft protection game...
 

Soulbound

Webroot's rollback feature has worked for years however improvements have been made. My only concern is when the rollback doesn't fully restore changes made.
Same way Kaspersky has a rollback feature but again it isn't perfect.

Claiming it protects against ransomware is still a bit of a bold statement when new variants of existing ones are developed at the current rate.

Whether it's fully successful or not is yet to be seen and I'm sure I won't be dipping my foot in such waters.
I'd rather analyze how the new variants work instead, to be honest. @SilentWarrior your thoughts?
 

shmu26

And just shortly later in the sequel to that discussion none other than an actual Webroot employee explains how mighty journaling is circumvented by trivial process hollowing. Maybe they've finally fixed it now and this is supposed to be the new "ENHANCED! Anti-Ransomware".

Just think of it, a product, which supposedly places such an emphasis on process behavior monitoring, has been utterly defeated by process hollowing for all these years. Or maybe it still is, I don't know if it has actually been fixed. It's a joke regardless.
Anyone know whether Kaspersky protects against process hollowing?
 

shmu26

Is Webroot good? My friends have used it but when I scan with Zemana most of it is undetected by Webroot.
Webroot goes into action mainly when the malware executes. It doesn't focus so much on detection of non-active files, so if you judge it against an on-demand scanner, it will look bad. That is why Webroot doesn't participate in most AV comparisons.

How good is it? It might not be as strong as the top names like Bitdefender and Kaspersky, but it is very light. If that is important to you, go with Webroot.
 

bjm_

In addition to all that Jazz...Webroot has backup features built into our product that allow you to have directories constantly synced to the cloud. If you were to get infected by a zero day variant of encrypting ransomware you can just restore your files back as we save a snapshot history for each of your files up to ten previous copies.
Q: since directories constantly sync to the cloud, wouldn't all file copies also get encrypted?
Are snapshots\directories\files somehow isolation protected?
Thanks
 

hjlbx

Thread author
Q: since directories constantly sync to the cloud, wouldn't all file copies also get encrypted?
Are snapshots\directories\files somehow isolation protected?
Thanks

Webroot Cloud keeps the last 5 versions of a file. But I think yes... if you happen to get encrypted during a backup session, then that file that is being backed up will be encrypted and uploaded to the Webroot cloud.

If you keep all the file versions on your local system, then ransomware would encrypt each version.

The way WSA backup works is that it will back up a file on a schedule. Each time you modify the file, then it will be backed up to Webroot cloud. Webroot will keep the prior 4 versions.
 

LabZero

Thread author
Is Webroot good? My friends have used it but when I scan with Zemana most of it is undetected by Webroot.
I'm testing WSA in the Malware Hub for a very long time, and if I have to make a consideration I can say that it has a good static/dynamic detection.
WSA sometimes intercepts the malware during its runtime, corrupting the processes and blocking its execution without warning, quietly.
In my tests, if I turn off WSA and I run the same malware, it runs in memory without problems.
So it is necessary to consider this factor.
 

hjlbx

Thread author
Is Webroot good? My friends have used it but when I scan with Zemana most of it is undetected by Webroot.

The truth of the matter is that Webroot is good protection, but not as good as Webroot and fanboys would make you believe.

In testing I have noticed repeatedly that Webroot does not always rollback a system to a completely clean state; sometimes undetected malicious files will remain in ProgramData and AppData.

Generally, file monitoring & rollback does work fairly well at detecting malicious files. However, I find it curious as to why Webroot didn't make their Block = Block and Terminate. Instead, WSA Block under Control Active Processes will rollback the system at next scan and prevent future execution of a file; it does not terminate a malicious process that is already running on the system. The user must manually terminate the process and then run a manual scan to rollback the system.

With this curious way that WSA works, I do not understand why Webroot refuses to program an alert when a file is blocked, but many requests for it have been made over the years.

Monitoring & Rollback is nothing more than a fancy uninstaller. The problem with this model is that malware could run on a user's system for hours before WSA detects it and then rolls back the system. During the whole monitoring period, data could be stolen from the system. It depends upon a number of factors, but it is possible.

And, by the way, I have used WSA extensively.
 

bjm_

Webroot Cloud keeps the last 5 versions of a file. But I think yes... if you happen to get encrypted during a backup session, then that file that is being backed up will be encrypted and uploaded to the Webroot cloud.

If you keep all the file versions on your local system, then ransomware would encrypt each version.

The way WSA backup works is that it will back up a file on a schedule. Each time you modify the file, then it will be backed up to Webroot cloud. Webroot will keep the prior 4 versions.
So, Webroot synced cloud is as vulnerable as always-connected local storage.
And "just restore your files back" is best case scenario wishful thinking, not an absolute.
 

hjlbx

Thread author
So, Webroot synced cloud is as vulnerable as always-connected local storage.
And "just restore your files back" is best case scenario wishful thinking, not an absolute.

You have 4 prior versions. So, at least you haven't lost everything.
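The exchange above (directories continuously synced to the cloud, the current file plus a few prior versions kept, and ransomware able to push encrypted copies into that history) as a Python simulation. This is an added example written for this page, not Webroot's backup code: CountRetention models the "current plus 4 prior versions" window the thread describes, while DailyRetention (a version per day that later syncs cannot replace), the LOCKED marker, the timestamps and the report.docx timeline are constructed here. It assumes the sync client uploads every change, so partial or repeated encryption passes each consume a version slot.

```python
"""Added example, not Webroot's code: a cloud-sync store that keeps the current
file plus a fixed number of prior versions, showing how few synced overwrites it
takes for ransomware to push every clean copy out of the window, and how a slot
that continuous sync cannot overwrite (one pinned version per day) survives it."""
from collections import deque

LOCKED = b"LOCKED:"            # constructed marker standing in for ciphertext
DAY = 86400
DAY0 = 20_000 * DAY            # an arbitrary day boundary (seconds since epoch)


def is_clean(data: bytes) -> bool:
    return not data.startswith(LOCKED)


class CountRetention:
    """Current version plus `keep_prior` older ones; the thread says Webroot keeps 4 prior."""
    def __init__(self, keep_prior: int = 4):
        self.keep_prior = keep_prior
        self.versions = {}                       # path -> deque of (timestamp, bytes), newest last

    def sync(self, path: str, data: bytes, ts: int) -> None:
        q = self.versions.setdefault(path, deque())
        q.append((ts, data))
        while len(q) > self.keep_prior + 1:      # every synced change evicts the oldest copy
            q.popleft()

    def newest_clean(self, path: str):
        for _, data in reversed(self.versions.get(path, ())):
            if is_clean(data):
                return data
        return None


class DailyRetention:
    """Wraps a store and also pins the first version seen each day; later syncs that
    day cannot replace the pin, so an overwrite storm cannot exhaust it within a day."""
    def __init__(self, inner: CountRetention):
        self.inner = inner
        self.pinned = {}                         # (path, day number) -> bytes

    def sync(self, path: str, data: bytes, ts: int) -> None:
        self.inner.sync(path, data, ts)
        self.pinned.setdefault((path, ts // DAY), data)

    def newest_clean(self, path: str):
        found = self.inner.newest_clean(path)
        if found is not None:
            return found
        days = sorted((d for p, d in self.pinned if p == path), reverse=True)
        for d in days:                           # fall back to the newest clean daily pin
            data = self.pinned[(path, d)]
            if is_clean(data):
                return data
        return None


def simulate(store, rewrites: int):
    """Constructed timeline: two clean edits on day 0, then on day 1 ransomware
    encrypts the file in place and the sync client captures `rewrites` successive
    writes of ciphertext (assumption: the client syncs on every change)."""
    path = "Documents/report.docx"
    store.sync(path, b"draft 1", DAY0 + 60)
    store.sync(path, b"draft 2", DAY0 + 120)
    for i in range(rewrites):
        store.sync(path, LOCKED + b"pass %d" % i, DAY0 + DAY + i)
    return store.newest_clean(path)


def min_rewrites_to_lose_everything(keep_prior: int) -> int:
    """Smallest number of synced ciphertext writes after which no clean copy is left."""
    n = 0
    while simulate(CountRetention(keep_prior), n) is not None:
        n += 1
    return n


if __name__ == "__main__":
    print(simulate(CountRetention(4), 4))                    # b'draft 2'
    print(simulate(CountRetention(4), 5))                    # None
    print(simulate(DailyRetention(CountRetention(4)), 5))    # b'draft 1'
    print(min_rewrites_to_lose_everything(4))                # 5
```

With a count-only window, the number of writes needed to evict every clean copy is just the window size, however many clean edits preceded the attack; that is the "as vulnerable as always-connected local storage" point. The pinned daily slot only helps because the sync path cannot overwrite it, which is what the "isolation protected" question is really asking about.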
 

Lord Ami

The truth of the matter is that Webroot is good protection, but not as good as Webroot and fanboys would make you believe.

In testing I have noticed repeatedly that Webroot does not always rollback a system to a completely clean state; sometimes undetected malicious files will remain in ProgramData and AppData.

Generally, file monitoring & rollback does work fairly well at detecting malicious files. However, I find it curious as to why Webroot didn't make their Block = Block and Terminate. Instead, WSA Block under Control Active Processes will rollback the system at next scan and prevent future execution of a file; it does not terminate a malicious process that is already running on the system. The user must manually terminate the process and then run a manual scan to rollback the system.

With this curious way that WSA works, I do not understand why Webroot refuses to program an alert when a file is blocked, but many requests for it have been made over the years.

Monitoring & Rollback is nothing more than a fancy uninstaller. The problem with this model is that malware could run on a user's system for hours before WSA detects it and then rolls back the system. During the whole monitoring period, data could be stolen from the system. It depends upon a number of factors, but it is possible.

And, by the way, I have used WSA extensively.
I've also tested it and while yes, it misses some files after initial execution, it still detects them later on (even in the AppData folder).
I've executed samples and then let them run for a minute or two. After that, I shut down the system and start it back up hours later - all files are usually flagged by scan.

When an unknown file executes, it gets tied to some sort of number that Webroot uses for analyzing the file. E.g. number 3 means that it can do more modification to the system and 8 means that it can not access some parts of the system. At least something like that :)
Check: Webroot SecureAnywhere Discussion & Update Thread

That could also explain
WSA sometimes intercepts the malware during its runtime, corrupting the processes and blocking its execution without warning, quietly.

Moreover - WSA Identity Shield is really cool and offers solid protection. According to financial malware tests, it's superb in terms of protection against stealing login credentials etc.
 

shmu26

If you want to boost the initial detection rate, try coupling Webroot with Bitdefender Free Edition. It gives you BD's excellent virus definitions, without the bloat and headache of the full program. I am running WSA + BD Free, on Windows 10 x64, with no conflicts.
BD Free does not officially support Win10, but it installs smoothly and it seems fully functional. Anyway, it doesn't really matter so much, when you are using it just as a supplement to WSA.
I don't notice a drag on my system from using 2 AVs.

EDIT: I ran a questionable file, and BD free immediately blocked it and quarantined it. I was given the option to restore, and that worked too.
 

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.
