Wilders Security Forums  

Go Back   Wilders Security Forums > Official Prevx Support Forum > Prevx Releases
#1 - October 10th, 2012, 08:29 PM
TonyW (Very Frequent Poster; Join Date: Oct 2005; Location: UK; Posts: 2,309)
WSA protection against unknown files & journaling process

I've decided to open this thread here to allow discussion on how WSA protects users against unknown files, or when they lose internet connectivity for whatever reason. There are a lot of people who don't understand how this works or are worried about being properly protected during the timeframe until a file is marked as malicious. Questions get asked in other threads in other parts of this forum, which may derail the topic of that thread, so I thought it would be pertinent to start one here to try to get some understanding for everyone.

For example, Beethoven said in another thread:
Quote:
You say the system is rolled back before the infection occurred. Correct me if I'm wrong here, but isn't this like using a system restore after I've been infected?
I stated that it's not a system restore per se; I said any rollback only reverses the changes that the suspicious file made to the system. Beethoven, and I'm sure others have thought the same, made the point:
Quote:
But doesnt this present a danger because how long before webroot detects the suspicious file? By the time it is detected the file could have done serious harm to the computer
Others make the leap to wonder what happens if an unknown piece of malware has already stolen banking info in that timeframe.

I can understand these concerns, and admittedly WSA's approach is different to its competitors. I think it would be pertinent to discuss how WSA does indeed deal with these situations.

Whilst there is much to understand about the journaling process, WSA does have other techniques in play, such as behaviour analysis and heuristics. The Identity Shield is also helpful, and I believe is useful in blocking attempts to steal banking info as in the scenario above. There is a video over at Webroot Community showing how some actions fail when infected by an unknown file because of the Identity Shield, for example. (Here's that video for those that may have missed it: -http://www.youtube.com/watch?feature=player_embedded&v=uKMZ1Ukw_7I-)

Last edited by TonyW : October 10th, 2012 at 08:41 PM.
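The post above describes rollback as undoing only the changes the suspicious file made, not restoring the whole system. As an added illustration (not Webroot's code and not from anyone in this thread), here is a simplified Python model of per-process change journaling: every write by a still-unknown process is recorded, and a later "malicious" verdict reverts only that process's writes, leaving a trusted editor's work alone and flagging any key another process has modified since. File paths, registry-style keys and process ids are constructed.

```python
# Added illustration of per-process change journaling with selective rollback.
# Simplified model, not Webroot's code; keys, values and pids are constructed.
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class JournalEntry:
    pid: int
    key: str                  # file path or registry-style key
    before: Optional[bytes]   # None: key did not exist before the write
    after: Optional[bytes]    # None: the write was a deletion


@dataclass
class MonitoredSystem:
    state: Dict[str, bytes] = field(default_factory=dict)
    journal: List[JournalEntry] = field(default_factory=list)
    verdicts: Dict[int, str] = field(default_factory=dict)  # pid -> good/bad/unknown

    def write(self, pid: int, key: str, value: Optional[bytes]) -> None:
        """Apply a write; journal it only while the writer's verdict is unknown."""
        if self.verdicts.get(pid, "unknown") == "unknown":
            self.journal.append(JournalEntry(pid, key, self.state.get(key), value))
        if value is None:
            self.state.pop(key, None)
        else:
            self.state[key] = value

    def classify(self, pid: int, verdict: str) -> Tuple[List[str], List[str]]:
        """Record a verdict: 'bad' rolls back that pid's writes, 'good' drops its journal."""
        self.verdicts[pid] = verdict
        if verdict == "bad":
            return self.rollback(pid)
        if verdict == "good":
            self.journal = [e for e in self.journal if e.pid != pid]
        return [], []

    def rollback(self, pid: int) -> Tuple[List[str], List[str]]:
        """Undo only this pid's journaled writes, newest first.
        A key some other process changed since the journaled write is not blindly
        overwritten; it is reported as a conflict for review instead."""
        restored, conflicts = [], []
        for e in reversed([e for e in self.journal if e.pid == pid]):
            if self.state.get(e.key) != e.after:
                conflicts.append(e.key)
                continue
            if e.before is None:
                self.state.pop(e.key, None)
            else:
                self.state[e.key] = e.before
            restored.append(e.key)
        self.journal = [e for e in self.journal if e.pid != pid]
        return restored, conflicts


def demo() -> Tuple[MonitoredSystem, List[str], List[str]]:
    """Unknown sample (pid 42) runs and is later judged malicious; a trusted
    editor (pid 7) works in the meantime and its writes must survive."""
    s = MonitoredSystem()
    s.state["C:/Users/alice/report.docx"] = b"v1"
    s.state["HKCU/Run/updater"] = b"legit.exe"
    s.write(42, "HKCU/Run/updater", b"C:/Temp/drop.exe")   # persistence change
    s.write(42, "C:/Temp/drop.exe", b"MZ...")              # dropped file
    s.write(42, "C:/Users/alice/report.docx", b"ENCRYPTED")
    s.classify(7, "good")                                  # editor is trusted
    s.write(7, "C:/Users/alice/notes.txt", b"meeting")
    restored, conflicts = s.classify(42, "bad")            # cloud verdict arrives
    return s, restored, conflicts
```

Calling `demo()` returns the system with the three changes made by pid 42 reverted, the editor's file intact, and an empty conflict list.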
#2 - October 10th, 2012, 08:32 PM
AMIGA500 (Very Frequent Poster; Join Date: May 2012; Location: Lincolnshire, England; Posts: 2,861)
Re: WSA protection against unknown files & journaling process

This thread will indeed be an education for me. I'm looking forward to the feedback on this one.
__________________
Comodo Internet Security 6.2.282872.2847|MBAM free.|SUA.|Firefox.|

RIP. Jay "padre" Miner (May 31, 1932 – June 20, 1994).
Thank You For the Amiga Computer.
#3 - October 10th, 2012, 08:41 PM
Tarnak (Very Frequent Poster; Join Date: Feb 2007; Posts: 1,947)
Re: WSA protection against unknown files & journaling process

Quote:
Originally Posted by Beethoven1770
This thread will indeed be an education for me. I'm looking forward to the feedback on this one.

Me too, but I was already thrown by this word, "journaling", then I found this - Journaling file system > http://en.wikipedia.org/wiki/Journaling_file_system , and became somewhat enlightened.
#4 - October 10th, 2012, 08:47 PM
Triple Helix (Prevx Forum Helper; Join Date: Nov 2004; Location: Oshawa, Ontario; Posts: 9,634)
Re: WSA protection against unknown files & journaling process

Also I would like to keep this thread completely On Topic and nothing else! Off Topic posts are subject to deletion or moved to another thread without warning.

Thanks,

TH
__________________
Triple Helix - Microsoft® MVP Consumer Security 2012/14

VIP Member Of ASAP - (Alliance of Security Analysis Professionals™)

Webroot® SecureAnywhere™ Complete 2013 Closed Beta Tester v8.0.2.155 - VoodooShield 1.08 - Windows 7 Ultimate 64bit and all Windows OS's from XP to Win 8 on VM's.
#5 - October 10th, 2012, 08:50 PM
TonyW (Very Frequent Poster; Join Date: Oct 2005; Location: UK; Posts: 2,309)
Re: WSA protection against unknown files & journaling process

Quote:
Originally Posted by Triple Helix
Here is a Webroot video already posted here somewhere but it's a good start! -http://www.youtube.com/watch?v=uKMZ1Ukw_7I
I did include that video in my first post.
#6 - October 10th, 2012, 09:01 PM
Triple Helix (Prevx Forum Helper; Join Date: Nov 2004; Location: Oshawa, Ontario; Posts: 9,634)
Re: WSA protection against unknown files & journaling process

Quote:
Originally Posted by TonyW
I did include that video in my first post.

See, I deleted my own post. Thanks Tony!

Daniel
#7 - October 11th, 2012, 10:50 AM
TonyW (Very Frequent Poster; Join Date: Oct 2005; Location: UK; Posts: 2,309)
Re: WSA protection against unknown files & journaling process

Webroot certainly have their work cut out in trying to convince users at forums like this that their approach is workable. Only today has silverfox made these comments:
Quote:
Weighing everything up, I think I'd rather have an AV with a reliable high level of detection of all malicious files resident, than WSA which has lower detection of resident files *if not executing* at time of scan. I appreciate the journaling facility WSA has; my preference is just to know what is sitting on my machine - even if it's doing nothing at any particular time.
How does Webroot envisage persuading these types of users that, although their methodology is different to other AVs, it is also worth considering? I know there is that video mentioned above, but perhaps more should be done in this arena.
#8 - October 11th, 2012, 11:10 AM
PrevxHelp (Prevx Moderator; Join Date: Sep 2008; Location: USA/UK; Posts: 7,600)
Re: WSA protection against unknown files & journaling process

Quote:
Originally Posted by TonyW
Webroot certainly have their work cut out in trying to convince users at forums like this that their approach is workable. Only today has silverfox made these comments: How does Webroot envisage persuading these types of users that, although their methodology is different to other AVs, it is also worth considering? I know there is that video mentioned above, but perhaps more should be done in this arena.

Honestly, I don't know what our response would be in this case. Our focus is on live infections (whether they're about to execute or have already executed and the system is pre-infected). Personally, I simply can't understand why an on-demand scan of static files that haven't infected the system would be considered more important. I suppose those users will fall into the bucket of "you can't please everyone". The other many millions of users of WSA have been very satisfied with how it works so we aren't going to change our fundamentals.
#9 - October 11th, 2012, 11:41 AM
Esse (Regular Poster; Join Date: May 2011; Posts: 147)
Re: WSA protection against unknown files & journaling process

Great initiative TonyW!
My questions when it comes to unknown files are:
1/ What happens to an unknown file scanned by WSA: is it uploaded to the cloud for examination, or does this only happen during execution?
2/ In that case, why?
Would it not be in Webroot's interest to collect as many files as possible to boost on-demand scan detections?
I hope this is inside the perimeter of Tony's intentions for this thread.

Cheers

/E
#10 - October 14th, 2012, 01:42 PM
claudiu (Posts: n/a)
Re: WSA protection against unknown files & journaling process

Removal of further malicious components and remediation of critical system modifications ---->78%

Removal of all active components of widespread malware (including Rootkits and stealth malware)------> 93%

http://www.av-test.org/no_cache/en/t...t_no%5D=122643


Better than industry average, but why not 100%?
Shouldn't journaling restore 100%?

Thanks,
Claudiu
#11 - October 14th, 2012, 02:22 PM
PrevxHelp (Prevx Moderator; Join Date: Sep 2008; Location: USA/UK; Posts: 7,600)
Re: WSA protection against unknown files & journaling process

Quote:
Originally Posted by claudiu
Removal of further malicious components and remediation of critical system modifications ---->78%

Removal of all active components of widespread malware (including Rootkits and stealth malware)------> 93%

http://www.av-test.org/no_cache/en/t...t_no%5D=122643


Better than industry average, but why not 100%?
Shouldn't journaling restore 100%?

Thanks,
Claudiu

AV-Test first infects the system, then installs WSA, so the test doesn't cover journaling, just the static generic removal engine.
#12 - October 14th, 2012, 03:14 PM
Baldrick (Very Frequent Poster; Join Date: May 2002; Location: South Wales, UK; Posts: 1,281)
Re: WSA protection against unknown files & journaling process

Really do not understand why AV-Test are not prepared to accept that WSA is different and therefore test in a different way...after all, I certainly do not wait for an infection to hit my PC and THEN install an AV/IS suite. Surely it would be better, in their tests, if they installed the AV/IS suite and then infected the system?

Or is that just my view
__________________
KIS 2013 & Webroot SecureAnywhere Essentials 2013 ...once again the perfect combination!
#13 - October 14th, 2012, 03:17 PM
claudiu (Posts: n/a)
Re: WSA protection against unknown files & journaling process

Quote:
Originally Posted by PrevxHelp
AV-Test first infects the system, then installs WSA, so the test doesn't cover journaling, just the static generic removal engine.

So, basically, it is the same procedure as AV-Comparatives. Why are the results so different, though?

Thanks,
Claudiu
#14 - October 14th, 2012, 03:58 PM
kdcdq (Frequent Poster; Join Date: Apr 2002; Location: Southwestern Massachusetts; Posts: 546)
Re: WSA protection against unknown files & journaling process

Quote:
Originally Posted by Baldrick
... Surely it would be better, in their tests, if they installed the AV/IS suite and then infected the system?

I understand both ways of infection testing but the order that you suggest, seems to me, would be more likely to represent what actually happens in the real world...
__________________
'Peace on Earth - Purity of Essence.'
- Dr. Strangelove
#15 - October 14th, 2012, 04:23 PM
Baldrick (Very Frequent Poster; Join Date: May 2002; Location: South Wales, UK; Posts: 1,281)
Re: WSA protection against unknown files & journaling process

Quote:
Originally Posted by kdcdq
I understand both ways of infection testing but the order that you suggest, seems to me, would be more likely to represent what actually happens in the real world...
My point indeed...hence my surprise at the fact that they use an approach that does not seem to represent what happens in real life...but then again I am not the one preparing & undertaking the tests...so perhaps I should not speak.

I am just glad that WSA operates the way it does as that makes sense to me (and I suspect a growing number of others?).
#16 - October 14th, 2012, 04:29 PM
PC_Fiddler (Regular Poster; Join Date: Aug 2012; Location: Yorkshire - UK; Posts: 145)
Re: WSA protection against unknown files & journaling process

Quote:
Originally Posted by Baldrick
Really do not understand why AV-Test are not prepared to accept that WSA is different and therefore test in a different way...after all, I certainly do not wait for an infection to hit my PC and THEN install an AV/IS suite. Surely it would be better, in their tests, if they installed the AV/IS suite and then infected the system?

Or is that just my view

I agree Baldrers, but WSA is for people living on planet Earth & who are partially normal - I'm unlikely to infect my system with every virus I can find, gleaned from the darkest part of the net, with no AV whatsoever, then install an AV, then see if it's 100% efficient & then rate it according to that system for everyday use - It's not living in the real world, it's plain stupid - I have a friend who has more security than the Bank of England & still gets infected regularly (doesn't use WSA), whereas I, for unknown reasons, have used the net for 17 years with 1700 bookmarks, had a couple of viruses at large (actually one) & have 4 children who have used my PCs & 3 who have WSA on their own PCs & never hear any complaints?

It's like testing a vacuum cleaner by emptying your full wheely bin on your lounge floor, seeing how it cleans up, then rating how it managed with the 40 kg of crap; it's an unrealistic situation & so are some of the AV testing systems, & some of the same mad questions from people who don't use WSA anymore anyway. Why the same questions? Why not select a new AV, buy it, use it, then post on the appropriate forum with your questions?

Actually the next post I read from someone who is infested with viruses when using WSA on here will be the first for some time; some are sensible questions from people who are wondering how WSA works, some are from those with grudges (and life issues) with the same questions that were answered three times last week (trolls) - Few if any are from those ridden with infections. Or am I missing something? Is my mouse not scrolling correctly?

Edited for dreadful grammar -
__________________
WSA 2013, Look 'n' Stop, Mbam Pro, Trojan Remover, WinPatrol Plus, Ad Muncher, TDS, Ghostery -
'Security isn't a dirty word, Blackadder, Crevice is a dirty word, but security isn't' - (Blackadder Goes Forth)

Last edited by PC_Fiddler : October 14th, 2012 at 04:46 PM.
#17 - October 14th, 2012, 04:38 PM
silverfox99 (Regular Poster; Join Date: Jul 2006; Posts: 159)
Re: WSA protection against unknown files & journaling process

What we need is a test that goes something like this.....
1. WSA installed on a clean machine
2. Folder with 1000 malware files introduced on the machine's desktop, none executed as yet.
3. On-demand scan with WSA
4. .............say WSA correctly identifies 90% of the 1000 as malicious files (let's ignore the 'Crazy FP' potential for the moment..)
OK, so now WSA has correctly identified 900 malicious files and we have 100 'dormant' malicious files still remaining on the desktop, not yet identified by WSA.
This is where most test outfits stop.
What we need is for the test outfit to continue and...

execute each and every last one of the 100 remaining files, one by one

......And watch what WSA does.......
Out of the remaining 100 files, how many does WSA correctly identify as malicious when the file is executed? All..., some..., none...?
That would be great to know (and of course for other AVs too - how exactly do they compare to WSA in this regard?)
.....and we could see what 'journalising' does in these test conditions.
For bells and whistles, they could re-test files not classified as malicious at 6 and 12 hours as well.... is WSA a quick learner?

Would any of the AV test outfits consider this approach.......? I for one would welcome it. If anything it would show the benefits of the WSA approach over other AVs.

For example, in a situation where WSA and another AV have the same or similar detection of say 90% out of the 1000 malicious files, but then WSA stops another 90% when the remaining 100 are activated vs another AV that does no more than when it first scanned them..... WOW, that would be powerful, wouldn't it?
#18 - October 14th, 2012, 04:41 PM
Baldrick (Very Frequent Poster; Join Date: May 2002; Location: South Wales, UK; Posts: 1,281)
Re: WSA protection against unknown files & journaling process

Quote:
Originally Posted by PC_Fiddler
I agree Baldrers, but WSA is for people living on planet Earth & who are partially normal - I'm unlikely to infect my system with every virus I can find, gleaned from the darkest part of the net, with no AV whatsoever, then install an AV, then see if it's 100% efficient & then rate it according to that system for everyday use - It's not living in the real world, it's plain stupid - I have a friend who has more security than the Bank of England & still gets infected regularly, whereas I, for unknown reasons, have used the net for 17 years with 1700 bookmarks, had a couple of viruses at large (actually one) & have 4 children use my PCs -
Very much the situation for me PC...have been online for...well, longer than I would like to admit, and have yet to be infected...and I would not say that I avoid danger on the web.

Quote:
Originally Posted by PC_Fiddler
It's like testing a vacuum cleaner by emptying your full wheely bin on your lounge floor & testing a new vacuum cleaner by seeing how it cleans up then rating it how it managed with the 30 kg of crap, it's an unrealistic situation & so are some of the AV testing systems & some of the same mad questions from people who don't use WSA anymore anyway.

Oh, that is downright rank...but the analogy made me chuckle ...and in fact I remember when a new vacuum cleaner (the first one with no bags) came out, the in-store party piece was indeed to empty the contents of a bin (not wheely) on the floor and vacuum it up

Quote:
Originally Posted by PC_Fiddler
Actually the next post I read from someone who is infested with viruses when using WSA on here will be the first for some time, most are sensible questions from people who are wondering how WSA works, some are from those with grudges with the same questions that were answered three times last week (trolls) - Few if any are from those ridden with infections? Or am I missing something? Is my mouse not scrolling correctly?

No, you are quite sane PC and as far as I can see your mouse is scrolling fine...you are just one of the enlightened ones.
#19 - October 14th, 2012, 05:17 PM
Cudni (Global Moderator; Join Date: May 2009; Location: Somethingshire; Posts: 6,944)
Re: WSA protection against unknown files & journaling process

OT posts removed
__________________
once we only had ideals, today they are the only things we are missing
Microsoft MVP, 2006 - 2013/14
#20 - October 14th, 2012, 05:29 PM
PC_Fiddler (Regular Poster; Join Date: Aug 2012; Location: Yorkshire - UK; Posts: 145)
Re: WSA protection against unknown files & journaling process

Quote:
Originally Posted by silverfox99
Folder with 1000 malware files introduced on machine to desktop, none executed as yet

What are the realistic chances of ending up with 1000 malware files on your PC though? I agree it's a better system, but maybe that system is beyond the realms of probability? If you have 1000 files of that type, you really ought to be looking at something other than an AV solution?
#21 - October 15th, 2012, 08:29 PM
silverfox99 (Regular Poster; Join Date: Jul 2006; Posts: 159)
Re: WSA protection against unknown files & journaling process

Quote:
Originally Posted by PC_Fiddler
What are the realistic chances of ending up with 1000 malware files on your PC though? I agree it's a better system but maybe that system is beyond the realms of probability? If you have 1000 files of that type ought you really ought to be looking at something other than an AV solution?

I guess so; it doesn't really matter how many files, just that someone somewhere tests WSA in the way I describe, to answer the question: if WSA misses some resident malicious files, will it correctly determine the files as malicious when they execute, or not?

WSA seems to be a question of faith. Do you believe? It's true what some believers say, that if WSA did miss a lot of malware on execution, surely this board would have a few people posting their problems, but there is no one posting problems, which is a good sign for WSA, if only they could construct a test to illustrate the power. As I'm sure some have said before, if you go take a look at Norton, McAfee and many others, their forums are full of users asking for help to get rid of ZeroAccess or Alureon (the solution suggested is often to run Malwarebytes). And yet here on an open forum....nothing about WSA issues. So I have high hopes for WSA that it can prove how good it really is.
#22 - October 16th, 2012, 07:51 AM
PC_Fiddler (Regular Poster; Join Date: Aug 2012; Location: Yorkshire - UK; Posts: 145)
Re: WSA protection against unknown files & journaling process

Quote:
Originally Posted by silverfox99
WSA seems to be a question of faith. Do you believe?
Part quote -

I agree with that.

Actually for me WSA has been experimental, but having used it for well over a year & been impressed, only recently have I been suggesting to others who ask for advice to try WSA, & so far I've had no problems, actually fewer than them using other AVs?

Personally I image (very) regularly, back up religiously & keep everything in multiple locations, so there is no worst case scenario for me - I also have other scanners on that are passive, other than Mbam Pro which is on background protection - So far so good - I have full licenses for other traditional AVs & install & run them from time to time & look if WSA is missing anything, & so far it hasn't (I then image back). So my faith is increasing with time, but I am always open to other options; but yes, at the moment it could be said I believe

Last edited by PC_Fiddler : October 16th, 2012 at 07:56 AM.
#23 - October 16th, 2012, 12:56 PM
fax (Very Frequent Poster; Join Date: May 2005; Posts: 2,583)
Re: WSA protection against unknown files & journaling process

Quote:
Originally Posted by silverfox99
WSA seems to be a question of faith. Do you believe?
Yes, either you have faith or you try it yourself.
 

All times are GMT -4.
Copyright ©2002 - 2013, Wilders Security Forums