Webroot Rollback Discussion

Discussion in 'Webroot' started by hjlbx, Jul 3, 2016.

  1. hjlbx

    hjlbx Guest

    #1 hjlbx, Jul 3, 2016
    Last edited by a moderator: Jul 3, 2016
    webroot rollback - YouTube

If you carefully watch most of the videos - you will see a lot of problems - especially the 0-, 5- and 12-day rollback videos.

Most of the videos are over 2 years old - but Webroot performance has not really changed.

The tester doesn't know how to configure Webroot - so the keylog test is wrong, because he didn't add his browser to Privacy Shield - but all of the other tests are valid.

    * * * * *

    All that being said - in my tests WSA did not live up to Webroot's claim of "Perfectly and precisely restore your system to a pre-infection state - every time."

Even after allowing the infected system to run for 5 days continuously...there was no rollback against certain types of malware. I reported the malware and what it did to Webroot repeatedly. Webroot just blacklisted the submitted file and didn't investigate any further...
  2. Tempnexus

    Tempnexus Level 3

    Nov 25, 2015
    Ahh SO WB took the JPMorgan solution to a problem.
    bjm_ and Cats-4_Owners-2 like this.
  3. FleischmannTV

    FleischmannTV Level 7

    Jun 12, 2014
    Windows 10
    Up until recently, and I don't even know if that has changed, all it took to bypass rollback was process hollowing.
  4. hjlbx

    hjlbx Guest

    #4 hjlbx, Jul 4, 2016
    Last edited by a moderator: Jul 4, 2016
More info?

What I am asking is - you mean to bypass the System Process Control = monitoring and/or rollback?
    bjm_, Cats-4_Owners-2 and Solarlynx like this.
  5. hjlbx

    hjlbx Guest

    bjm_, Cats-4_Owners-2, davisd and 4 others like this.
  6. Shran

    Shran Level 5

    Jan 19, 2015
It hasn't. Webroot is still completely fooled by process hollowing, as it always has been. I test Webroot often, and it hasn't been fixed. I can also confirm that all they do is blacklist the file, rather than looking into fixing this issue. Yet Webroot themselves proudly boast that detection isn't as important... then why do you always say "contact support to have the file blacklisted" instead of looking into the issue itself? Process hollowing completely negates Webroot's touted "journaling and rollback", they know about this, yet they continue to tout it on their own forums, saying things like "you are well protected with Webroot and even if it does miss a file it will completely remove and restore your computer back to pre-infection state."

When someone does bring up an inherent issue with Webroot (not something like "it won't install on my computer, how do I change settings", I mean a real issue, like the one discussed here), they usually respond with a typical non-answer answer. This is something I do not like.

    I use Webroot on some of my computers, and I like it, really I do. I'm not a Webroot hater or bashing it just because. It's because I care about Webroot & them improving it that I mention this issue, it's really something they need to fix, but sadly they haven't.

I'm also a bit tired of their answer regarding firewall controls (it really wouldn't be that hard or add much to resource usage to add back granular controls). Not to mention the false statement of "even without manual controls Webroot's firewall is intelligent and will block malware from communicating to its host automatically"; if this was true then many ransomware samples wouldn't even be able to function under Webroot as they need an internet connection to work...but that's a discussion for another topic.
  7. FleischmannTV

    FleischmannTV Level 7

    Jun 12, 2014
    Windows 10
    Not to mention, if a product is blindsided by process hollowing, malware can transmit traffic through whitelisted hollowed processes. So many people still think that managing internet access for virus.exe is proper outbound control :(

    Aside from that, thank you for your insights, Shran.
  8. hjlbx

    hjlbx Guest

    #9 hjlbx, Jul 6, 2016
    Last edited by a moderator: Jul 6, 2016
A lot of ransomware uses process hollowing - but Webroot seems to be able to roll back most. So not sure about process hollowing negating journaling & rollback.

What Webroot does not tell anyone is that you might have to wait 4 hours or more for rollback to initiate. I got that one from a Webroot employee on an Enterprise thread at Reddit.

I'm not going to say that they lied or do lie about their firewall, but I will state that it does not work as most people would expect it to based on prior experience with firewalls. Plus, some of their marketing materials are most definitely misleading - about both the firewall and the rollback features. The Webroot firewall will only throw an alert under specific circumstances - but I have yet to get Webroot to reveal what those specific circumstances are. As always with Webroot: "We don't reveal those infos..."

It's a fine line of misleading users... and that's what I personally think they do - mislead users that don't know any better.

    In my testing, Webroot firewall has NEVER blocked a single malware from connecting out - it has always been Windows Firewall when the malware tries to behave as a server.

    I like Webroot - the product, but at the same time I bash the company for their lack of fixes and transparency - and the fanboys for their denial and defense of Webroot the company. Baldrick and TripleHelix live in complete denial. Plus, TripleHelix is always saying "No malware testing" - even on threads where he has no right to say such things - malware testing isn't "real world." For real, for real ? Downloading a malicious file from zippyshare is no different than a drive-by download or a malicious file.

    They don't want anyone to openly report any kind of issues on the Webroot community - and if you do give intricate details - they will descend upon that person and bash what has been posted. I get that they love Webroot, but to bash people that are submitting issues so that the product can be improved is unforgivable. And that Webroot will never respond and just ignores such reports is unforgivable too.

    It's a complete joke. Webroot won't give home users general technical infos ("It will give malc0ders ideas"), but if you search the internet regarding the Enterprise products, then you will find all manner of detailed discussions visible to anyone on the web.

    My experience is the same as yours @Shran...

    It makes no sense to allow malware to run on your system - in the first place - and then deal with any and all consequences afterwards. That protection model is the absolute face of stupidity...

I have seen malware cases that once run on a Webroot protected system cause WSA multiple GUI failures, no rollback and bad persistent infection with difficult clean-up.

@FleischmannTV - an outbound firewall is of only limited value - as you point out - because malware can easily "mislead" a firewall or just plain bypass it completely through various means.
    bjm_, Cats-4_Owners-2 and Solarlynx like this.
  9. Shran

    Shran Level 5

    Jan 19, 2015
    #10 Shran, Jul 6, 2016
    Last edited: Jul 6, 2016
The only time I've seen Webroot roll back a ransomware is when it didn't use hollowing. Of course I don't claim to know all situations. I speak of only my personal experience. In my personal experience I've never seen Webroot able to roll back something that used process hollowing. It couldn't even detect that the process had been tampered with. I've left malware to run on a Webroot protected machine for days; the original file ends up being blacklisted, but the rollback never occurs because everything happened under explorer.exe or svchost.exe.

    Well I won't accuse a company of lying either, lest they take legal action, plus as I said earlier I don't claim to know all circumstances. There could be situations where it does block it automatically, like, maybe when it's an already blacklisted file. But if it was an already blacklisted file it wouldn't be running in the first place?
    I've also never seen Webroot automatically block outbound access for anything, or even throw up a prompt on Win8+. Sidenote: I've never heard from an official Webroot employee that Webroot will auto block internet access for malware. I've only heard this from non staff members.

    I've heard statements from Webroot forum members (I won't use names but you probably know them if you've visited the Webroot forums) "Webroot's firewall is intelligent and will block malware from communicating to its host automatically" like I mentioned earlier. Again, this kind of begs the question though, if Webroot is intelligent enough to know it's attempting malware communication, then why is it letting it run at all...?

    +1 Upvote.

    I also remember that malware was able to cause a blue screen during Webroot's rollback and stop the rollback function there. Not sure if this has been fixed or not yet.

    Very, very true.

Even the company themselves stopped officially saying that Webroot could roll back all malware (they used to say this, but have quietly ceased saying this). It's only members that don't know about the ways around rollback that continue to tout this. One of their favorite responses is providing a couple of videos and info-graphics about the Webroot cloud and why Webroot is all you need, why the cloud and rollback is so good, etc.

I also really don't like the way they expect you to just take the info you are given and be happy with it; it's almost like they want you to just blindly believe the above mentioned infographics and videos about how Webroot is the greatest and will protect you all the time, or how they try to just shut you down when you mention a flaw, as you stated above.

    Regarding the lack of fix info, this is something that really irks me. "Improvements to scan engine. Bug fixes. Improvements to engine. Enhanced this, enhanced that." What kind of changelog/release notes are that? Look at the latest Norton updates. They made an entire, detailed page on the vulnerabilities and the patches that were released to fix them. I feel like Webroot's version of this would have been "Fixed a bug in scan engine" if they had to fix a vulnerability.
    bjm_, Cats-4_Owners-2 and XhenEd like this.
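The posts above (Shran and FleischmannTV in #6 and #7, and Shran again in #9) make one concrete technical point: a rollback engine that attributes journaled actions to the executable image that performed them will miss everything a payload does from inside a hollowed explorer.exe or svchost.exe, and an outbound firewall keyed on the same image will wave that traffic through. The toy model below is an added example written for this discussion, not Webroot's code and not a description of how WSA is implemented; every path, pid and journal entry in it is constructed. It contrasts image-attributed rollback with a variant that treats a cross-process memory write from a tainted process as spreading the taint to the victim process, and applies the same taint to outbound decisions:

```python
"""Toy behaviour journal and rollback model (added example, not Webroot's code).

Every event record and path below is constructed for illustration. The model
shows why rollback that attributes journal entries to the on-disk image of the
acting process misses damage done from inside a hollowed trusted process, and
how tracking cross-process writes as a taint source closes that gap for both
rollback and outbound-firewall decisions.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Event:
    seq: int      # journal sequence number
    pid: int      # acting process
    image: str    # executable image the OS reports for that pid
    kind: str     # file_write | file_delete | reg_set | net_connect | cross_write
    target: str   # path, registry key, remote endpoint, or victim pid (cross_write)


DROPPER = r"C:\Users\user\Downloads\invoice.exe"   # constructed; blacklisted later
EXPLORER = r"C:\Windows\explorer.exe"

# Constructed journal: pid 100 runs the dropper, writes into pid 200 (an
# explorer.exe instance), and the payload then acts with explorer's identity.
# pid 300 is a second, untouched explorer.exe doing ordinary user work.
JOURNAL = (
    Event(1, 100, DROPPER, "file_write", r"C:\Users\user\AppData\Local\Temp\stage.bin"),
    Event(2, 100, DROPPER, "cross_write", "200"),
    Event(3, 200, EXPLORER, "file_write", r"C:\Users\user\Documents\report.docx.locked"),
    Event(4, 200, EXPLORER, "file_delete", r"C:\Users\user\Documents\report.docx"),
    Event(5, 200, EXPLORER, "reg_set", r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\updater"),
    Event(6, 200, EXPLORER, "net_connect", "203.0.113.10:443"),
    Event(7, 300, EXPLORER, "file_write", r"C:\Users\user\Desktop\notes.txt"),
)


def image_attributed_rollback(journal, malicious_image):
    """Revert only entries whose acting image is the blacklisted file."""
    return sorted(e.seq for e in journal if e.image == malicious_image)


def tainted_seqs(journal, malicious_image):
    """Sequence numbers of entries performed by tainted pids.

    A pid running the blacklisted image is tainted; a cross_write from a
    tainted pid taints its victim pid from that point on, so the victim's
    later actions are attributed to the infection rather than to its image.
    """
    tainted, hits = set(), set()
    for e in sorted(journal, key=lambda ev: ev.seq):
        if e.image == malicious_image:
            tainted.add(e.pid)
        if e.pid in tainted:
            hits.add(e.seq)
            if e.kind == "cross_write":
                tainted.add(int(e.target))
    return hits


def taint_attributed_rollback(journal, malicious_image):
    """Revert every entry made by a tainted pid, leaving untouched processes alone."""
    return sorted(tainted_seqs(journal, malicious_image))


def egress_decisions(journal, allowed_images, malicious_image=None):
    """Outbound decision per net_connect entry.

    With malicious_image=None this is a plain per-image allow rule, which a
    hollowed whitelisted process passes. Passing the blacklisted image makes
    tainted pids lose the allowance their image would otherwise grant.
    """
    tainted = tainted_seqs(journal, malicious_image) if malicious_image else set()
    return {
        e.seq: "allow" if e.image in allowed_images and e.seq not in tainted else "block"
        for e in journal if e.kind == "net_connect"
    }


if __name__ == "__main__":
    print("image-attributed rollback reverts:", image_attributed_rollback(JOURNAL, DROPPER))
    print("taint-attributed rollback reverts:", taint_attributed_rollback(JOURNAL, DROPPER))
    print("per-image egress rule:", egress_decisions(JOURNAL, {EXPLORER}))
    print("taint-aware egress rule:", egress_decisions(JOURNAL, {EXPLORER}, DROPPER))
    # Without a sensor that records the cross-process write, taint cannot
    # propagate and the taint-aware engine degrades to the image-attributed one.
    blind = tuple(e for e in JOURNAL if e.kind != "cross_write")
    print("blind to injection:", taint_attributed_rollback(blind, DROPPER))
```

The image-attributed engine reverts only entries 1 and 2 and leaves the encrypted documents, the Run key and the beacon untouched, which matches the behaviour Shran describes; the taint-attributed engine reverts 1 through 6 while leaving the unrelated explorer.exe instance (entry 7) alone, and the same taint turns the per-image "allow explorer.exe" egress rule into a block. The last call makes the caveat explicit: if the sensor never journals the cross-process write, there is nothing to propagate taint from, and the result collapses back to entry 1 alone, so the quality of rollback is bounded by what the monitoring layer can see.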
  10. hjlbx

    hjlbx Guest

    It makes no sense to allow malware to run on your system - in the first place - and then deal with any and all consequences afterwards. That protection model is the absolute face of stupidity...

    This is true of any anti-virus or internet security solution. Execute any malware on a "protected" system and below is just a partial list of potential consequences:

    • Malware can leverage a vulnerability or bug in UAC and elevate without a UAC prompt.
    • Malware can disable services - even ones that supposedly cannot be disabled.
    • Malware can disable Windows Defender, Windows Firewall, and Security Center.
    • Malware can bypass any firewall/network protections through various means.
    • Malware can bypass sandboxes of various types.
    • Malware can exploit a vulnerability in the security solution itself.
    • Malware can exploit vulnerabilities in the Windows OS itself.
    • Malware can completely disable the security solution.
    • Malware can bypass everything and infect the MBR/kernel.
    • etc
    • etc
    • etc
    Windows' own Limited User Account/Standard User Account with some tweaks is safer than most any anti-virus... LOL.

    LUA/SUA makes the argument for anything more than Windows Defender or Windows Firewall pointless... :D

    Everybody knows this, correct? - Windows was designed with LUA/SUA and intended for day-to-day computing to always be done using LUA/SUA...
    bjm_, davisd, Cats-4_Owners-2 and 3 others like this.
  11. Shran

    Shran Level 5

    Jan 19, 2015
This is why prevention is so much more important than detection in the first place.
    bjm_, davisd, Cats-4_Owners-2 and 2 others like this.
  12. Shran

    Shran Level 5

    Jan 19, 2015
This is better worded than me saying it was a false statement. I can't claim it to be entirely false, as there may be some situations where it does auto block internet access for a process. Misleading is much better worded, as the way they say it is almost alluding that Webroot will block internet access for malware, but they don't actually say it will block all malware from internet access. The way they describe it kind of leads you to believe it will, but they don't actually say it will block all. Misleading is a better way of describing it, thank you for that.
    bjm_ likes this.
  13. Azure Phoenix

    Azure Phoenix Level 19

    Oct 23, 2014
    Puerto Rico
Well, according to Triple Helix they don't like to give out details (though in this case they apparently did)
    Webroot SecureAnywhere Discussion & Update Thread

Now whether one feels that's bad or not might depend on each individual user.
    bjm_ and Cats-4_Owners-2 like this.
  14. Shran

    Shran Level 5

    Jan 19, 2015
I'm aware of their policy regarding changelogs/release notes; I myself am a Community Leader on the Webroot forums & a beta tester.
    Thank you for the link though :)
  15. hjlbx

    hjlbx Guest

    They don't give out details... only to home consumers.

    "If we tell you home consumers then malc0ders might get some bright ideas" -- meanwhile, general low-level technical infos are openly discussed all the time on SpiceWorks, Reddit, etc - about Enterprise Webroot.

A user asks for some generic technical infos on the WSA community forum - and all you get is flak. User goes to Enterprise Webroot threads at Reddit, Spiceworks, etc - and user gets the infos that are helpful.

    "Bug Fixes" - what is that ? How can users test to see if something has been fixed if they aren't told what has been fixed ?

    The whole Webroot program for consumers - from the community Mods to interacting with Webroot support is sickening...

    There are two individuals on the Webroot community - Baldrick and TripleHelix - that can't handle the truth and anyone that gives evidence that is contrary to what they believe is correct - openly report a problem that calls into question the "quality" of WSA and those two Mods will gang up and bash those posts.
  16. Solarlynx

    Solarlynx Level 14

    Apr 30, 2012
    #17 Solarlynx, Jul 6, 2016
    Last edited: Jul 7, 2016
Thank you for the information!

What always embarrassed me in WR is that they allow an unknown process to run and then "roll back" if they find it malicious. In general, as I see it, AV companies apply the "default allow" approach to make their products more user friendly at the price of making them more malware friendly. Though the "default deny" approach is more secure, it's more challenging for a company to make their product comfortable for a user and it requires more proficiency from the user.

I cannot resist the pleasure of quoting what was already said in this thread:

    bjm_ and XhenEd like this.