Webroot Protections as Explained by Webroot Employee

Discussion in 'Webroot' started by hjlbx, Mar 28, 2016.

  1. hjlbx

    hjlbx Guest

    Source: Reddit AMA - We are Webroot, and we are here to answer all your questions • /r/sysadmin

    Specifically addresses a question regarding ransomware, but the outlined protection mechanisms and algorithms are generally applied to all malware types. Take note that the explanation below references the Enterprise version of Webroot. However, once again, the protection mechanisms are essentially the same for Webroot's consumer products.

    TylerWebroot 37 points 1 year ago

    Great Question!

    So there are multiple ways we go about detecting Encrypting Ransomware.

    First - is going to be by hash detection from the cloud on the dropper. You don't just get cryptolocker immediately from a phishing email. Typically it's a Zeus dropper that communicates to a command and control server, which will then take already gathered info about your PC and then, based on that info, drop the appropriate encrypting ransomware pre-built for your PC environment, because different operating systems may have different policies and require different commands to take control. Our detection on zero-day Zeus drops is some of the best around, so we'll likely get the "invoice.scr" or whatever email attachment was there before it even downloads Cryptolocker.

    Second - would be the scenario where the Zeus drop wasn't detected and was able to download the payload from the command and control server. We would then have cloud-based detection based on the MD5 hash of Cryptolocker which was just downloaded, and it would be detected in real time before execution.

    Third - would be the scenario where we don't get the Zeus dropper and we don't get the encrypting ransomware payload through cloud detection. We would then have a preview analysis stage where behavioral analysis and heuristics are applied before execution. A LOT of encrypting ransomware is going to make sure you don't get your files back, and the most common way is deleting the VSS (Volume Shadow Service) so you can't use tools like Shadow Explorer. We would detect on any unknown process trying to take action on vssadmin.exe to delete the restore points. We also have many other classifications of heuristics based off of many other attributes common with encrypting ransomware - like unique registry entries, etc.

    Fourth - would be a scenario in which cloud detection on the dropper and encrypting ransomware AND heuristics also didn't detect it. This is the part where journaling kicks in, so every action by the unknown file or process is recorded. If a file that was previously unknown gets classified as bad, it is quarantined and all actions reversed as recorded by the journaling. This includes restoring registry entries and backup snapshots of the files from before modification. We'll revert all changes made to all files on the operating system once a determination is received (15 min - 4 hours).

    In addition to all that Jazz...Webroot has backup features built into our product that allow you to have directories constantly synced to the cloud. If you were to get infected by a zero day variant of encrypting ransomware you can just restore your files back as we save a snapshot history for each of your files up to ten previous copies.

    TL;DR We protect you from cryptolocker through cloud detection, heuristics, journaling, and cloud storage. WE GOT DIS
    arsh, jamescv7, Jrs30 and 5 others like this.
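As an added illustration of the four layers described in the quoted answer (hash lookup before execution, a behavioural heuristic on shadow-copy deletion by an unknown process, and a journal that reverses an unknown process's changes once a verdict arrives), here is a toy model written for this thread. It is not Webroot's code and does not reproduce their implementation; the reputation table, hashes, file paths, registry key and process events are all constructed.

```python
"""Toy model of layered ransomware defence: cloud hash lookup, a behavioural
heuristic on shadow-copy deletion, and a journal that undoes an unknown
process's changes when a 'bad' verdict arrives. Every name, hash, path and
event here is constructed for illustration; this is not Webroot's code."""
from dataclasses import dataclass, field
import hashlib

# Constructed "cloud" reputation table keyed by SHA-256 (placeholder hashes).
KNOWN_BAD = {hashlib.sha256(b"constructed-bad-dropper").hexdigest()}
KNOWN_GOOD = {hashlib.sha256(b"constructed-office-app").hexdigest()}


def hash_verdict(sha256: str) -> str:
    """Layers 1 and 2: look the file hash up before it is allowed to run."""
    if sha256 in KNOWN_BAD:
        return "bad"
    if sha256 in KNOWN_GOOD:
        return "good"
    return "unknown"


def shadow_delete_heuristic(reputation: str, child_image: str, cmdline: str) -> bool:
    """Layer 3: an unknown-reputation process driving vssadmin.exe to delete shadows."""
    c = cmdline.lower()
    return (reputation == "unknown" and child_image.lower() == "vssadmin.exe"
            and "delete" in c and "shadows" in c)


@dataclass
class Journal:
    """Layer 4: record each change an unknown process makes so it can be undone."""
    files: dict = field(default_factory=dict)      # constructed live filesystem
    registry: dict = field(default_factory=dict)   # constructed live registry
    entries: list = field(default_factory=list)    # (kind, key, previous value)

    def write_file(self, path: str, data: bytes) -> None:
        self.entries.append(("file", path, self.files.get(path)))
        self.files[path] = data

    def set_reg(self, key: str, value: str) -> None:
        self.entries.append(("reg", key, self.registry.get(key)))
        self.registry[key] = value

    def rollback(self) -> None:
        # Undo newest-first so the oldest snapshot (pre-modification state) wins.
        for kind, key, prev in reversed(self.entries):
            store = self.files if kind == "file" else self.registry
            if prev is None:
                store.pop(key, None)   # key did not exist before: remove it
            else:
                store[key] = prev      # restore the snapshot taken before the write
        self.entries.clear()


def simulate():
    """Run one constructed unknown process through the four layers."""
    j = Journal(files={"C:/Users/a/doc.txt": b"plain"}, registry={})
    unknown_hash = hashlib.sha256(b"constructed-zero-day").hexdigest()
    rep = hash_verdict(unknown_hash)           # "unknown": nothing stops it yet
    alerts = []
    # The unknown process overwrites a document, adds a constructed run key,
    # then spawns vssadmin.exe to delete shadow copies. Everything is journaled.
    j.write_file("C:/Users/a/doc.txt", b"\x9f\x12ciphertext")
    j.set_reg("HKCU/Software/Constructed/Run/updater", "C:/Users/a/AppData/x.exe")
    if shadow_delete_heuristic(rep, "vssadmin.exe", "vssadmin.exe delete shadows"):
        alerts.append("shadow-delete-by-unknown")
    # Later the cloud returns its determination; 'bad' triggers the rollback.
    verdict = "bad"
    if verdict == "bad":
        j.rollback()
    return rep, alerts, j.files, j.registry


if __name__ == "__main__":
    print(simulate())
```

The rollback only covers what the journal recorded; anything the process did that is not modelled as a journaled write (the data-theft window discussed later in this thread, for example) is not reversed, which is exactly why the verdict delay matters.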
  2. FleischmannTV

    FleischmannTV Level 7

    Jun 12, 2014
    Windows 10
    And just shortly later in the sequel to that discussion no one less than an actual Webroot employee explains how mighty journaling is circumvented by trivial process hollowing. Maybe they've finally fixed it now and this is supposed to be the new "ENHANCED! Anti-Ransomware".

    Just think of it, a product, which supposedly places such an emphasis on process behavior monitoring, has been utterly defeated by process hollowing for all these years. Or maybe it still is, I don't know if it has actually been fixed. It's a joke regardless.
    Nightwalker likes this.
  3. hjlbx

    hjlbx Guest

    #3 hjlbx, Mar 28, 2016
    Last edited by a moderator: Mar 28, 2016
    I think with Webroot's implementation, protecting against Hollow Process might be quite difficult. Anyhow, from the context of the discussion I think they found a way to detect it.

    Well, anyway @FleischmannTV - you of all people know how difficult it is to get direct, accurate answers on such matters.

    My reply is not meant as a bash - it just is what it is.
  4. Morvotron

    Morvotron New Member

    Mar 24, 2015
    Wow, this is a really nice move. Thanks for the info mate.

    I can't guess why well known and high quality products such as Symantec's or Kaspersky's haven't applied sophisticated tools against ransomware. Especially Norton, since KAV did at least some job on my tests.
    davisd likes this.
  5. hjlbx

    hjlbx Guest

    Not sure what you mean here. Symantec and Kaspersky are leaders in implementation of sophisticated protections. They are just limited by money and the current state of IT technology & software engineering...
    davisd likes this.
  6. Morvotron

    Morvotron New Member

    Mar 24, 2015
    I mean on ransomware protection. The tests I did were nice fails, and I've seen on the web, mostly here, Norton needs to improve its protection against this malware.

    I totally do not mean protection at all. Just vs ransomware.
    davisd likes this.
  7. hjlbx

    hjlbx Guest

    It's kind of late for security suites to not have most ransomware covered - innit ?

    Of course, there will be exceptions. However, I would think Norton would have their problems sorted out by now. Just never know in this security soft protection game...
    davisd and Morvotron like this.
  8. Soulweave

    Soulweave Moderator
    Staff Member Content Creator

    Jan 14, 2015
    Windows 10
    Webroot's rollback feature has worked for years however improvements have been made. My only concern is when the rollback doesn't fully restore changes made.
    Same way Kaspersky has a rollback feature but again it isn't perfect.

    Claiming it protects against ransomware is still a bit of a bold statement when new variants of existing ones are developed at the current rate.

    Whether it's fully successful or not is yet to be seen and I'm sure I won't be dipping my foot in such waters.
    Rather analyze how the new variants work instead to be honest. @SilentWarrior your thoughts?
  9. shmu26

    shmu26 Level 53

    Jul 3, 2015
    Anyone know whether Kaspersky protects against process hollowing?
  10. DJ Panda

    DJ Panda Level 29

    Aug 30, 2015
    Madison, Wisconsin
    Windows 10
    Is Webroot good? My friends have used it but when I scan with Zemana most of it is undetected by Webroot.
    davisd likes this.
  11. shmu26

    shmu26 Level 53

    Jul 3, 2015
    Webroot goes into action mainly when the malware executes. It doesn't focus so much on detection of non-active files, so if you judge it against an on-demand scanner, it will look bad. That is why Webroot doesn't participate in most AV comparisons.

    How good is it? It might not be as strong as the top names like Bitdefender and Kaspersky, but it is very light. If that is important to you, go with Webroot.
  12. bjm_

    bjm_ Level 3

    May 17, 2015
    Zestafoni, Georgia
    Windows 10
    Q: Since directories constantly sync to the cloud, wouldn't all file copies also get encrypted?
    Are snapshots/directories/files somehow isolation protected?
  13. hjlbx

    hjlbx Guest

    #13 hjlbx, May 9, 2016
    Last edited by a moderator: May 9, 2016
    Webroot Cloud keeps the last 5 versions of a file. But I think yes... if you happen to get encrypted during a backup session, then that file that is being backed up will be encrypted and uploaded to the Webroot cloud.

    If you keep all the file versions on your local system, then ransomware would encrypt each version.

    The way WSA backup works is that it will back up a file on a schedule. Each time you modify the file, then it will be backed up to Webroot cloud. Webroot will keep the prior 4 versions.
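To make the retention question from the preceding posts concrete (whether synced copies of an encrypted file push the clean copies out), here is a toy versioned store written for this thread. It is not Webroot's code; it only assumes the model described in the post, a current copy plus a fixed number of prior versions, and a constructed plaintext check standing in for however a user would decide which version is good.

```python
"""Toy versioned backup store modelling 'keep the current copy plus N prior
versions'. Constructed for this thread; not Webroot's code. The plaintext
check is a stand-in for the user's own judgement of which version is clean."""
from collections import deque

KEEP = 5  # current copy + 4 prior versions (assumption taken from the post)


class VersionedStore:
    def __init__(self, keep: int = KEEP):
        self.keep = keep
        self.versions = {}   # path -> deque of (version_no, bytes), oldest first

    def sync(self, path: str, data: bytes) -> int:
        """Called on every modification: append a version, evict the oldest."""
        q = self.versions.setdefault(path, deque())
        n = q[-1][0] + 1 if q else 1
        q.append((n, data))
        while len(q) > self.keep:
            q.popleft()          # oldest version is gone for good
        return n

    def history(self, path: str) -> list:
        return [n for n, _ in self.versions.get(path, [])]

    def restore(self, path: str, is_good):
        """Return the newest retained version that passes is_good, else None."""
        for n, data in reversed(self.versions.get(path, [])):
            if is_good(data):
                return n, data
        return None


def looks_plaintext(data: bytes) -> bool:
    """Constructed check: our 'documents' are printable ASCII; ciphertext is not."""
    return all(32 <= b < 127 or b in b"\r\n\t" for b in data)


def scenario(encrypt_syncs: int):
    """One document edited three times, then overwritten by constructed
    'ciphertext' and re-synced encrypt_syncs times. Returns (history, restore)."""
    store = VersionedStore()
    path = "Documents/report.txt"
    for i in range(1, 4):
        store.sync(path, f"draft {i}".encode())
    for i in range(encrypt_syncs):
        store.sync(path, bytes([0x80 + i, 0xFF, 0x00]))  # constructed ciphertext
    return store.history(path), store.restore(path, looks_plaintext)


if __name__ == "__main__":
    for n in (1, 2, 5):
        print(n, scenario(n))
```

With a single encrypted sync the last clean draft is still one version back; once the encrypted file has been re-synced as many times as the store keeps versions, every clean copy has been evicted and there is nothing left to restore. That is the edge to watch: stop the sync (or stop the machine) before the retained history fills with ciphertext.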
  14. LabZero

    LabZero Guest

    I'm testing WSA in the Malware Hub for a very long time, and if I have to make a consideration I can say that it has a good static/dynamic detection.
    WSA sometimes intercepts the malware during its runtime, corrupting the processes and blocking its execution without warning, quietly.
    In my tests, if I turn off WSA and I run the same malware, it runs in memory without problems.
    So it is necessary to consider this factor.
    XhenEd likes this.
  15. hjlbx

    hjlbx Guest

    The truth of the matter is that Webroot is good protection, but not as good as Webroot and fanboys would make you believe.

    In testing I have noticed repeatedly that Webroot does not always rollback a system to a completely clean state; sometimes undetected malicious files will remain in ProgramData and AppData.

    Generally, file monitoring & rollback does work fairly well at detecting malicious files. However, I find it curious as to why Webroot didn't make their Block = Block and Terminate. Instead, WSA Block under Control Active Processes will rollback the system at next scan and prevent future execution of a file; it does not terminate a malicious process that is already running on the system. The user must manually terminate the process and then run a manual scan to rollback the system.

    With this curious way that WSA works, I do not understand why Webroot refuses to program an alert when a file is blocked, but many requests for it have been made over the years.

    Monitoring & Rollback is nothing more than a fancy uninstaller. The problem with this model is that malware could run on a user's system for hours before WSA detects it and then rolls back the system. During the whole monitoring period, data could be stolen from the system. It depends upon a number of factors, but it is possible.

    And, by the way, I have used WSA extensively.
    XhenEd, shmu26 and LabZero like this.
  16. Umbra

    Umbra From Emsisoft

    May 16, 2011
    Community manager
    Vietnam & France
    Windows 10
    And I stopped :D
  17. bjm_

    bjm_ Level 3

    May 17, 2015
    Zestafoni, Georgia
    Windows 10
    So, Webroot synced cloud is as vulnerable as always connected local storage.
    And "just restore your files back" is best case scenario wishful thinking, not an absolute.
  18. hjlbx

    hjlbx Guest

    You have 4 prior versions. So, at least you haven't lost everything.
  19. Lord Ami

    Lord Ami Level 15
    Trusted AV Tester

    Sep 14, 2014
    #19 Lord Ami, May 10, 2016
    Last edited: May 10, 2016
    I've also tested it and while yes, it misses some files after initial execution, it still detects them later on (even in the AppData folder).
    I've executed samples and then let them run for a minute or two. After that, I shut down the system and start it back up hours later - all files are usually flagged by scan.

    When an unknown file executes, it gets tied to some sort of number that Webroot uses for analyzing the file. E.g. number 3 means that it can do more modification to the system and 8 means that it cannot access some parts of the system. At least something like that :)
    Check: Webroot SecureAnywhere Discussion & Update Thread

    That could also explain
    Moreover - WSA Identity Shield is really cool and offers solid protection. According to financial malware tests, it's superb in terms of protection against stealing login credentials etc.
    LabZero, DJ Panda and XhenEd like this.
  20. shmu26

    shmu26 Level 53

    Jul 3, 2015
    #20 shmu26, May 10, 2016
    Last edited: May 10, 2016
    If you want to boost the initial detection rate, try coupling Webroot with Bitdefender Free Edition. It gives you BD's excellent virus definitions, without the bloat and headache of the full program. I am running WSA + BD free, on Windows 10 x64, with no conflicts.
    BD free does not officially support win10, but it installs smoothly and it seems fully functional. Anyways, it doesn't really matter so much, when you are using it just as a supplement to WSA.
    I don't notice a drag on my system from using 2 AVs.

    EDIT: I ran a questionable file, and BD free immediately blocked it and quarantined it. I was given the option to restore, and that worked too.
    DJ Panda likes this.