WSA Identity Shield fails antilogging tests

As you can read in the report it fails MRG´s latest 2 simulators:
http://malwareresearchgroup.com/2011/10/05/quick-assessment-of-webroot-secureanywhere/
Plus, Prevx SOL has already been tested in August against the Crimeware simulator and it failed back then and AFAIK it failed the Financial malware simulator on x64 as well. I would have thought WSA and Prevx SOL 3.0(if possible) would be updated for protection against this techniques.

 

We're subscribed to several testing services already but we can't possibly use all of them. We're monitoring all financial/identity related malware as its released and have made several improvements within WSA to prevent future threats and as of today, we've seen no actual malware bypass its protection.

 

The simulators uses techniques used by real malware and the Financial simulator has also been tested by a 3rd party:
"This simulator has been examined by an independent IT security company and verified as using a valid MitB attack which is representative of an attack method used by real Financial Malware."
I'm not advising to subscribe to more testing services but if new methods are developed/discovered that are not covered by Identity Shield/SOL, then it would be good to work together with the testing company to expand protection to these new techniques, and MRG provides remote access to their simulators on their testing VM's.

 

I doubt Prevx/WSA would be updated to protect against the simulator in much the same way they don't detect leaktests. As far as I'm aware, the guys at MRG should be in contact with vendors if certain tests fail. I don't know whether they've been in touch with Webroot, but you are right that MRG provides remote access to the simulator to vendors.

 

It isn't about detecting them, but blocking the methods used to capture the data, which is the purpose of Identity Shield/SOL(blocking all methods to capture/log important data in order to protect against all undetected malware.)

 

There is no way for us to find out what the technique is that they're using but we're keeping on top of all actual malware and have not seen any techniques actually used in the wild or in public PoCs which bypass WSA.

 

Have you actually contacted them since they bypassed SOL back in August?

Like I quoted, they can give you access to their simulator and provide support to protect against it.

 

Disturbing news

 

Two tests Zemana was able to pass.

 

No reply from Webroot? That's disappointing.. I asked at the MRG forum and they did reply:

Joe, you posted in another thread that it's best to have MRG clarify themselves and you say you're not the person dealing with testing services.
Webroot should be the ones to contact them, it's their product, they're responsible for their users security. If someone develops a piece of software, and another person discovers a vulnerability in that software, it's logical for the developer to contact this person in order to fix it to protect his users, especially when it concerns security software. Even if you're not the person in the company dealing with this, you're aware of this issue and then you should contact the person that is and tell him to contact MRG to fix this. You may be monitoring all ID/Banking malware and haven't seen this technique used, but that doesn't mean the hole isn't there anymore. Plus it has been confirmed by a 3rd party that this attack method is representative for real financial malware. If a person has discovered a vulnerability, it means others can as well, and that there is no piece of malware ITW using this method doesn't mean it can't be used for a targeted attack.(Which have become a lot more regular recently with all the hacked companies in the headlines, and those are only the known cases.
This is nothing personal, Prevx/WSA is a nice product, and you've always delivered quality support and listened to the opinions of the users here, but Prevx/Webroot should take responsibility and fix this ASAP.

 

I've sent them an email asking for access to their systems so we'll see what they say!

Thanks for the heads up

 

Personally I think it should be MRG contacting the vendors. They already do this with missed samples. Ideally they should be saying to 'X' vendor who fails the test: "We've done a test with your product which appears to fail. Can we discuss the issue and check that your product is working for the best of everyone?" It might be that it turns out the product actually passes the test if certain conditions are met, like a specific setting is enabled/disabled.

Yes, Webroot could approach them, but it is MRG who believe they have found a weakness. If it was me, I'd be contacting the vendor and be happily proved wrong or otherwise.

 

Good to know you contacted them.