Webroot Rollback Discussion

Status
Not open for further replies.

hjlbx

Thread author
Requesting Webroot Secure Anywhere review with their "Back Track" ability that showcases the ability of their "security app" to return the system to the normal status after being infected with a variant not initially detected by their system.

webroot rollback - YouTube

If you carefully watch most of the videos - you will see a lot of problems - especially the 0, 5 and 12 day rollback videos.

Most are over 2 years old videos - but Webroot performance has not really changed.

The tester doesn't know how to configure Webroot - so the keylog test is wrong but all of the other tests are valid - because he didn't add his browser to Privacy Shield.

* * * * *

All that being said - in my tests WSA did not live up to Webroot's claim of "Perfectly and precisely restore your system to a pre-infection state - every time."

Even after allowing the infected system to run for 5 days continuously...there was no rollback against certain types of malware. I reported the malwares and what they did to Webroot repeatedly. Webroot just black-listed the submitted file and didn't investigate any further...
 
Last edited by a moderator:

Tempnexus

Level 3
Verified
Nov 25, 2015
136
webroot rollback - YouTube

If you carefully watch most of the videos - you will see a lot of problems - especially the 0, 5 and 12 day rollback videos.

Most are over 2 years old videos - but Webroot performance has not really changed.

The tester doesn't know how to configure Webroot - so the keylog test is wrong but all of the other tests are valid - because he didn't add his browser to Privacy Shield.

* * * * *

All that being said - in my tests WSA did not live up to Webroot's claim of "Perfectly and precisely restore your system to a pre-infection state - every time."

Even after allowing the infected system to run for 5 days continuously...there was no rollback against certain types of malware. I reported the malwares and what they did to Webroot repeatedly. Webroot just black-listed the submitted file and didn't investigate any further...
Ahh SO WB took the JPMorgan solution to a problem.
 

Shran

Level 5
Verified
Well-known
Jan 19, 2015
230
Thanks @FleishmannTV - I read that one long ago, but forgot about it. I think it has been fixed, but with Webroot one just never knows - since Webroot won't tell anyone explicitly what has, and has not, been fixed.

It hasn't. Webroot is still completely fooled by process hollowing, as it always has been. I test Webroot often, and it hasn't been fixed. I can also confirm that all they do is blacklist the file, rather than looking into fixing this issue. Yet Webroot themselves proudly boast that detection isn't as important... then why do you always say "contact support to have the file blacklisted" instead of looking into the issue itself? Process hollowing completely negates Webroot's touted "journaling and rollback", they know about this, yet they continue to tout it on their own forums, saying things like "you are well protected with Webroot and even if it does miss a file it will completely remove and restore your computer back to pre-infection state."

When someone does bring up an inherent issue with Webroot (not something like "it won't install on my computer, how do I change settings", I mean a real issue, like the one discussed here), they usually respond with a typical non-answer answer. This is something I do not like.

I use Webroot on some of my computers, and I like it, really I do. I'm not a Webroot hater or bashing it just because. It's because I care about Webroot & them improving it that I mention this issue, it's really something they need to fix, but sadly they haven't.

I'm also a bit tired of their answer regarding firewall controls (it really wouldn't be that hard or add much to resource usage to add back granular controls). Not to mention the false statement of "even without manual controls Webroot's firewall is intelligent and will block malware from communicating to its host automatically"; if this was true then many ransomwares wouldn't even be able to function under Webroot as they need an internet connection to work...but that's a discussion for another topic.
 

FleischmannTV

Level 7
Verified
Honorary Member
Well-known
Jun 12, 2014
314
Not to mention the false statement of "even without manual controls Webroot's firewall is intelligent and will block malware from communicating to its host automatically"

Not to mention, if a product is blindsided by process hollowing, malware can transmit traffic through whitelisted hollowed processes. So many people still think that managing internet access for virus.exe is proper outbound control :(

Aside from that, thank you for your insights, Shran.
 

hjlbx

Thread author
It hasn't. Webroot is still completely fooled by process hollowing, as it always has been. I test Webroot often, and it hasn't been fixed. I can also confirm that all they do is blacklist the file, rather than looking into fixing this issue. Yet Webroot themselves proudly boast that detection isn't as important... then why do you always say "contact support to have the file blacklisted" instead of looking into the issue itself? Process hollowing completely negates Webroot's touted "journaling and rollback", they know about this, yet they continue to tout it on their own forums, saying things like "you are well protected with Webroot and even if it does miss a file it will completely remove and restore your computer back to pre-infection state."

When someone does bring up an inherent issue with Webroot (not something like "it won't install on my computer, how do I change settings", I mean a real issue, like the one discussed here), they usually respond with a typical non-answer answer. This is something I do not like.

I use Webroot on some of my computers, and I like it, really I do. I'm not a Webroot hater or bashing it just because. It's because I care about Webroot & them improving it that I mention this issue, it's really something they need to fix, but sadly they haven't.

I'm also a bit tired of their answer regarding firewall controls (it really wouldn't be that hard or add much to resource usage to add back granular controls). Not to mention the false statement of "even without manual controls Webroot's firewall is intelligent and will block malware from communicating to its host automatically"; if this was true then many ransomwares wouldn't even be able to function under Webroot as they need an internet connection to work...but that's a discussion for another topic.

A lot of ransomware uses hollow process - but Webroot seems to be able to rollback most. So not sure about hollow process negating journaling & rollback.

What Webroot does not tell anyone is that you might have to wait 4 hours or more for rollback to initiate. I got that one from a Webroot employee on an Enterprise thread at Reddit.

I'm not going to say that they lied or do lie about their firewall, but I will state that it does not work as most people would expect it to based on prior experience with firewalls. Plus, some of their marketing materials are most definitely mis-leading - about both the firewall and the rollback features. The Webroot firewall will only throw an alert under specific circumstances - but I have yet to get Webroot to reveal what those specific circumstances are. As always with Webroot "We don't reveal those infos..."

It's a fine line of mis-leading users... and that's what I personally think they do - mislead users that don't know any better.

In my testing, Webroot firewall has NEVER blocked a single malware from connecting out - it has always been Windows Firewall when the malware tries to behave as a server.

I like Webroot - the product, but at the same time I bash the company for their lack of fixes and transparency - and the fanboys for their denial and defense of Webroot the company. Baldrick and TripleHelix live in complete denial. Plus, TripleHelix is always saying "No malware testing" - even on threads where he has no right to say such things - malware testing isn't "real world." For real, for real ? Downloading a malicious file from zippyshare is no different than a drive-by download or a malicious file.

They don't want anyone to openly report any kind of issues on the Webroot community - and if you do give intricate details - they will descend upon that person and bash what has been posted. I get that they love Webroot, but to bash people that are submitting issues so that the product can be improved is unforgivable. And that Webroot will never respond and just ignores such reports is unforgivable too.

It's a complete joke. Webroot won't give home users general technical infos ("It will give malc0ders ideas"), but if you search the internet regarding the Enterprise products, then you will find all manner of detailed discussions visible to anyone on the web.

My experience is the same as yours @Shran...

It makes no sense to allow malware to run on your system - in the first place - and then deal with any and all consequences afterwards. That protection model is the absolute face of stupidity...

I have seen malware cases that once run on a Webroot protected system cause WSA multiple GUI failures, no rollback and bad persistent infection with difficult clean-up.

@FleischmannTV - an outbound firewall is of only limited value - as you point out - because malware can easily "mis-lead" a firewall or just plain bypass it completely through various means.
 
Last edited by a moderator:

Shran

Level 5
Verified
Well-known
Jan 19, 2015
230
A lot of ransomware uses hollow process - but Webroot seems to be able to rollback most. So not sure about hollow process negating journaling & rollback.

The only time I've seen Webroot rollback a ransomware is when it didn't use hollowing. Of course I don't claim to know all situations. I speak of only my personal experience. In my personal experience I've never seen Webroot able to rollback something that used hollow process. It couldn't even detect that the process had been tampered with. I've left malwares to run on a Webroot protected machine for days; the original file ends up being blacklisted, but the rollback never occurs because everything happened under explorer.exe or svchost.exe.

I'm not going to say that they lied or do lie about their firewall...In my testing, Webroot firewall has NEVER blocked a single malware from connecting out
Well I won't accuse a company of lying either, lest they take legal action, plus as I said earlier I don't claim to know all circumstances. There could be situations where it does block it automatically, like, maybe when it's an already blacklisted file. But if it was an already blacklisted file it wouldn't be running in the first place?
I've also never seen Webroot automatically block outbound access for anything, or even throw up a prompt on Win8+. Sidenote: I've never heard from an official Webroot employee that Webroot will auto block internet access for malware. I've only heard this from non staff members.

I've heard statements from Webroot forum members (I won't use names but you probably know them if you've visited the Webroot forums) "Webroot's firewall is intelligent and will block malware from communicating to its host automatically" like I mentioned earlier. Again, this kind of begs the question though, if Webroot is intelligent enough to know it's attempting malware communication, then why is it letting it run at all...?

I like Webroot - the product, but at the same time I bash the company for their lack of fixes and transparency - and the fanboys for their denial and defense of Webroot the company.
+1 Upvote.

I have seen malware cases that once run on a Webroot protected system cause WSA multiple GUI failures, no rollback and bad persistent infection with difficult clean-up.
I also remember that malware was able to cause a blue screen during Webroot's rollback and stop the rollback function there. Not sure if this has been fixed or not yet.

@FleischmannTV - an outbound firewall is of only limited value - as you point out - because malware can easily "mis-lead" a firewall or just plain bypass it completely through various means.
Very, very true.

Even the company themselves stopped officially saying that Webroot could rollback all malwares (they used to say this, but have quietly ceased saying this). It's only members that don't know about the ways around rollback that continue to tout this. One of their favorite responses is providing a couple videos and info-graphics about the Webroot cloud and why Webroot is all you need, why the cloud and rollback is so good, etc.

They don't want anyone to openly report any kind of issues on the Webroot community - and if you do give intricate details - they will descend upon that person and bash what has been posted
I also really don't like the way they expect you to just take the info you are given and be happy with it; it's almost like they want you to just blindly believe the above mentioned infographics and videos about how Webroot is the greatest and will protect you all the time, or how they try to just shut you down when you mention a flaw, as you stated above.

but at the same time I bash the company for their lack of fixes and transparency
Regarding the lack of fix info, this is something that really irks me. "Improvements to scan engine. Bug fixes. Improvements to engine. Enhanced this, enhanced that." What kind of changelog/release notes are those? Look at the latest Norton updates. They made an entire, detailed page on the vulnerabilities and the patches that were released to fix them. I feel like Webroot's version of this would have been "Fixed a bug in scan engine" if they had to fix a vulnerability.
 
Last edited:
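The point Shran makes above (the original file gets blacklisted, but the damage "happened under explorer.exe or svchost.exe" so rollback never reverts it) and FleischmannTV's earlier remark about traffic leaving through a whitelisted hollowed process are the same attribution problem. The following toy model is an added illustration and is not Webroot's code or anything from the thread: it journals file changes by the process the OS credits them to, then compares a rollback keyed only on the blacklisted image against one that follows injection lineage. All process names, paths and file contents are constructed for the example; "hollowing" is modelled abstractly as a single inject event, not as any real technique.

```python
"""Toy per-process change journal with two rollback strategies (constructed example)."""
from __future__ import annotations
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple


@dataclass
class Event:
    kind: str                      # "create", "write" or "inject"
    actor: str                     # process the OS credits with the action
    target: str                    # file path, or victim process name for "inject"
    before: Optional[str] = None   # file content before a "write"


class Journal:
    """Records file changes per process and can revert them for a given image."""

    def __init__(self, files: Dict[str, str]) -> None:
        self.files: Dict[str, str] = dict(files)
        self.events: List[Event] = []

    def create(self, actor: str, path: str, data: str) -> None:
        self.events.append(Event("create", actor, path))
        self.files[path] = data

    def write(self, actor: str, path: str, data: str) -> None:
        self.events.append(Event("write", actor, path, before=self.files.get(path)))
        self.files[path] = data

    def inject(self, actor: str, victim: str) -> None:
        # Abstract stand-in for hollowing/injection: from here on, the
        # payload's actions are credited to `victim`, not to `actor`.
        self.events.append(Event("inject", actor, victim))

    def lineage(self, image: str) -> Set[str]:
        """Every process whose later actions should be blamed on `image`."""
        blamed = {image}
        for ev in self.events:               # events are chronological, one pass suffices
            if ev.kind == "inject" and ev.actor in blamed:
                blamed.add(ev.target)
        return blamed

    def rollback(self, image: str, follow_injection: bool) -> int:
        """Revert journaled changes attributed to `image`; returns number reverted."""
        actors = self.lineage(image) if follow_injection else {image}
        reverted = 0
        for ev in reversed(self.events):     # undo newest first
            if ev.kind == "inject" or ev.actor not in actors:
                continue
            if ev.kind == "create" or ev.before is None:
                self.files.pop(ev.target, None)
            else:
                self.files[ev.target] = ev.before
            reverted += 1
        return reverted


# Constructed baseline state of the machine before the sample runs.
BASELINE: Dict[str, str] = {"C:/Users/u/Documents/report.docx": "quarterly numbers"}


def run_scenario(follow_injection: bool) -> Tuple[int, Dict[str, str]]:
    """Dropper stages a file, hollows explorer.exe, and the hollowed host does the damage.
    Then the vendor blacklists dropper.exe and rollback is attempted for that image."""
    j = Journal(BASELINE)
    j.create("dropper.exe", "C:/Users/u/AppData/stage.bin", "payload")
    j.inject("dropper.exe", "explorer.exe")
    j.write("explorer.exe", "C:/Users/u/Documents/report.docx", "<encrypted>")
    j.create("explorer.exe", "C:/Users/u/Documents/README.txt", "pay up")
    reverted = j.rollback("dropper.exe", follow_injection)
    return reverted, j.files


if __name__ == "__main__":
    n, files = run_scenario(follow_injection=False)
    print(f"image-only rollback reverted {n} change(s); report.docx = {files['C:/Users/u/Documents/report.docx']!r}")
    n, files = run_scenario(follow_injection=True)
    print(f"lineage rollback reverted {n} change(s); restored to baseline: {files == BASELINE}")
```

With `follow_injection=False` only the dropper's own staged file is removed: the encrypted document and the note persist because the journal credits them to explorer.exe, which matches what the thread describes. With `follow_injection=True` the journal follows the inject event and blames explorer.exe's later changes on the dropper, so the baseline is fully restored. The same lineage idea applies to outbound network attribution.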

hjlbx

Thread author
It makes no sense to allow malware to run on your system - in the first place - and then deal with any and all consequences afterwards. That protection model is the absolute face of stupidity...

This is true of any anti-virus or internet security solution. Execute any malware on a "protected" system and below is just a partial list of potential consequences:

  • Malware can leverage vulnerability or bug in UAC and elevate without UAC prompt.
  • Malware can disable services - even ones that supposedly cannot be disabled.
  • Malware can disable Windows Defender, Windows Firewall, and Security Center.
  • Malware can bypass any firewall\network protections through various means.
  • Malware can bypass sandboxes of various types.
  • Malware can exploit vulnerability in the security solution itself.
  • Malware can exploit vulnerabilities in Windows OS itself.
  • Malware can completely disable the security solution.
  • Malware can bypass everything and infect the MBR\kernel.
  • etc
  • etc
  • etc
Windows' own Limited User Account\Standard User Account with some tweaks is more safe than most any anti-virus... LOL.

LUA\SUA makes the argument for anything more than Windows Defender or Windows Firewall pointless... :D

Everybody knows this correct ? - Windows was designed with LUA\SUA and intended for day-to-day computing to always be done using LUA\SUA...
 

Shran

Level 5
Verified
Well-known
Jan 19, 2015
230
It makes no sense to allow malware to run on your system - in the first place - and then deal with any and all consequences afterwards. That protection model is the absolute face of stupidity...

This is true of any anti-virus or internet security solution. Execute any malware on a "protected" system and below is just a partial list of potential consequences:

This is why prevention is so much more important than detection in the first place
 

Shran

Level 5
Verified
Well-known
Jan 19, 2015
230
It's a fine line of mis-leading users... and that's what I personally think they do - mislead users that don't know any better.

This is better worded than me saying it was a false statement. I can't claim it to be entirely false, as there may be some situations where it does auto block internet access for a process. Misleading is much better worded, as the way they say it is almost alluding that Webroot will block internet access for malwares, but they don't actually say it will block all malwares from internet access. The way they describe it kind of leads you to believe it will, but they don't actually say it will block all. Misleading is a better way of describing it, thank you for that.
 

Azure

Level 28
Verified
Top Poster
Content Creator
Oct 23, 2014
1,714
Regarding the lack of fix info, this is something that really irks me. "Improvements to scan engine. Bug fixes. Improvements to engine. Enhanced this, enhanced that." What kind of changelog/release notes are that? Look at the latest Norton updates. They made an entire, detailed page on the vulnerabilities and the patches that were released to fix them. I feel like Webroot's version of this would have been "Fixed a bug in scan engine" if they had to fix a vulnerability.
Well, according to Triple Helix they don't like to give out details (though in this case they apparently did)
Webroot SecureAnywhere Discussion & Update Thread

Now whether one feels that's bad or not might depend on each individual user.
 

Shran

Level 5
Verified
Well-known
Jan 19, 2015
230
Well, according to Triple Helix they don't like to give out details (though in this case they apparently did)
Webroot SecureAnywhere Discussion & Update Thread

Now whether one feels that's bad or not might depend on each individual user.

I'm aware of their policy regarding changelogs/release notes; I myself am a Community Leader on the Webroot forums & a beta tester.
Thank you for the link though :)
 

hjlbx

Thread author
Well, according to Triple Helix they don't like to give out details (though in this case they apparently did)
Webroot SecureAnywhere Discussion & Update Thread

Now whether one feels that's bad or not might depend on each individual user.

They don't give out details... only to home consumers.

"If we tell you home consumers then malc0ders might get some bright ideas" -- meanwhile, general low-level technical infos are openly discussed all the time on SpiceWorks, Reddit, etc - about Enterprise Webroot.

A user asks for some generic technical infos on the WSA community forum - and all you get is flack. User goes to Enterprise Webroot threads at Reddit, Spiceworks, etc - and user gets the infos that are helpful.

"Bug Fixes" - what is that ? How can users test to see if something has been fixed if they aren't told what has been fixed ?

The whole Webroot program for consumers - from the community Mods to interacting with Webroot support is sickening...

There are two individuals on the Webroot community - Baldrick and TripleHelix - that can't handle the truth and anyone that gives evidence that is contrary to what they believe is correct - openly report a problem that calls into question the "quality" of WSA and those two Mods will gang up and bash those posts.
 

Solarlynx

Level 15
Verified
Top Poster
Well-known
Apr 30, 2012
711
Thank you for information!

What always embarrassed me in WR is that they allow an unknown process to run and then "rollback" it if they find it malicious. In general, as I see it, AV companies apply the "default allow" approach to make their products more user friendly at the price of making them more malware friendly. Though the "default deny" approach is more secure, it's more challenging for a company to make their product comfortable for a user and requires more proficiency from the user.

I cannot resist the pleasure of quoting what was already said in this thread:

It makes no sense to allow malware to run on your system - in the first place - and then deal with any and all consequences afterwards. That protection model is the absolute face of stupidity...

This is true of any anti-virus or internet security solution. Execute any malware on a "protected" system and below is just a partial list of potential consequences:

  • Malware can leverage vulnerability or bug in UAC and elevate without UAC prompt.
  • Malware can disable services - even ones that supposedly cannot be disabled.
  • Malware can disable Windows Defender, Windows Firewall, and Security Center.
  • Malware can bypass any firewall\network protections through various means.
  • Malware can bypass sandboxes of various types.
  • Malware can exploit vulnerability in the security solution itself.
  • Malware can exploit vulnerabilities in Windows OS itself.
  • Malware can completely disable the security solution.
  • Malware can bypass everything and infect the MBR\kernel.
  • etc
  • etc
  • etc

This is why prevention is so much more important than detection in the first place
 
Last edited:
