I have been thinking, and wonder if your "first seen" detection issue could be solved with a class of "Generic-Unknown", where you could have a pop-up alert that says something along the lines of:

Generic-Unknown. File has not been seen before in cloud database. This file has no classification and could be potentially dangerous. Would you like to allow this program to run? (Y / N)
(Y) This file has been added to the temporary permissions list and will continue to be monitored until a cloud classification can be found.
(N) File has been blocked.

This would work well, as it works similar to a HIPS but will very "rarely" go off, only in the rare occasion that a file has not been seen before. This gives users a chance to know a file could be dangerous before it is. It would also perhaps, if integrated in the correct way, stop testing organisations from giving Webroot such a low score. I would also add that a push system should be put in place to make sure all "unknown" files get put at the head of the line for a Webroot/Prevx guy to look at and classify; this way you get your very quick turn-around for unknowns. Can you get where I'm coming from here, guys?
I agree, and we already have most of this in place. You can configure WSA to warn on any new, untrusted process under the Heuristics settings. We currently don't break it apart to show warnings specifically for brand new files (just untrusted in general) but I think this would be worthwhile.
You have got to. If you don't show a warning when a file is new and people get infected and then complain, you can't claim that it's not WRSA's fault. If you have a pop-up that makes it very clear what has happened, then if they let it through it's on the user, as Webroot/Prevx has done all it can. Leaving this hole in the protection is what's getting everyone a little bothered. It also will make a user question if BIKINIBABES1103.exe is really a smart move when it has not been looked at before and they are the first user that has found it.
I completely agree. We're going to do some modeling on our end to see what impact this will have. Thanks for the suggestion.
I honestly think the "still taking behavior into account" was part of the problem in WSA's implementation. I miss the Prevx days where I could crank up age/pop and have pure age/pop blocks.
You can still do that in WSA; you also have the addition of using the option 'warn when new programs execute that are not trusted'.
We just had a meeting about this, discussing what we can do to bring this back as I agree, it is extremely valuable. It is definitely going to be included in one of the next updates. We're going to phase it in to measure the support impact, but I think it will make a dramatic improvement in our overall efficacy. Open to thoughts, as always!
I consider that "white-list" option unusable because it interfered with Windows Updates. And yes, of course the slider bars are still there, but they don't do the exact same thing as they did in Prevx 3.0. So in summary, WSA:

1. Changed the way age/pop sliders worked so they created less FPs but also imo weakened protection.
2. To compensate, gave people the option of the "warn when untrusted..." to essentially place WSA into a "block all untrusted with no level of evaluation first" mode, but it's too extreme imo. I tried it once and couldn't use it.

So I think the ideal is to get rid of that new option and instead replace it with restoring the age/pop to the way they worked in Prevx 3.0. Instead of removing the option, at least make an indication of "for advanced only".
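To make the two ideas in this thread concrete, here is an added example in Python (not Webroot's or Prevx's code; the class names, thresholds and the cloud lookup shape are assumptions). It models the "Generic-Unknown" prompt with a temporary permissions list from the first post, and the pure age/popularity block with no behaviour input for files the cloud has seen but not yet classified, as described just above. It also shows what happens when the cloud pushes a verdict for a queued unknown that the user had temporarily allowed.

```python
"""Hypothetical model of an endpoint 'first seen' decision flow (example only)."""
import hashlib
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Callable, Dict, Optional

ALLOW, BLOCK, MONITOR = "allow", "block", "monitor"


@dataclass
class CloudRecord:
    """What the (assumed) cloud database knows about one SHA-256 hash."""
    classification: Optional[str]  # "good", "bad", or None = seen but not classified
    first_seen: datetime
    prevalence: int                # endpoints that have reported this hash


@dataclass
class Policy:
    """Assumed thresholds standing in for the age/popularity sliders."""
    min_age: timedelta = timedelta(days=7)
    min_prevalence: int = 50
    warn_on_new_untrusted: bool = True


@dataclass
class Verdict:
    action: str
    reason: str


class Endpoint:
    def __init__(self, cloud: Dict[str, CloudRecord], policy: Policy, now: datetime):
        self.cloud = cloud
        self.policy = policy
        self.now = now
        self.temp_allowed: Dict[str, datetime] = {}  # temporary permissions list

    @staticmethod
    def file_hash(contents: bytes) -> str:
        return hashlib.sha256(contents).hexdigest()

    def evaluate(self, contents: bytes, ask_user: Callable[[str], bool]) -> Verdict:
        h = self.file_hash(contents)
        rec = self.cloud.get(h)
        if rec is None:
            # Generic-Unknown: the cloud has never seen this hash.
            if h in self.temp_allowed:
                return Verdict(ALLOW, "temporarily allowed by user, still monitored")
            if not self.policy.warn_on_new_untrusted:
                return Verdict(MONITOR, "unknown file, running under behaviour monitoring")
            msg = ("Generic-Unknown: file has not been seen before in cloud database. "
                   "Would you like to allow this program to run?")
            if ask_user(msg):
                self.temp_allowed[h] = self.now
                return Verdict(ALLOW, "user allowed; added to temporary permissions list")
            return Verdict(BLOCK, "user declined unknown file")
        if rec.classification == "bad":
            self.temp_allowed.pop(h, None)
            return Verdict(BLOCK, "cloud classification: bad")
        if rec.classification == "good":
            return Verdict(ALLOW, "cloud classification: good")
        # Seen but unclassified: pure age/popularity decision, no behaviour input.
        age = self.now - rec.first_seen
        if age < self.policy.min_age:
            return Verdict(BLOCK, f"age {age.days}d below threshold")
        if rec.prevalence < self.policy.min_prevalence:
            return Verdict(BLOCK, f"prevalence {rec.prevalence} below threshold")
        return Verdict(ALLOW, "aged and popular enough")

    def classification_arrived(self, h: str, rec: CloudRecord) -> Optional[str]:
        """Cloud pushed a verdict for a queued unknown; clear the temporary grant."""
        self.cloud[h] = rec
        if h in self.temp_allowed:
            del self.temp_allowed[h]
            return BLOCK if rec.classification == "bad" else ALLOW
        return None


def run_demo() -> Dict[str, str]:
    """Walk constructed sample files through the flow; returns action per case."""
    now = datetime(2012, 6, 1)
    fh = Endpoint.file_hash
    cloud = {  # constructed sample cloud records
        fh(b"known-good-installer"): CloudRecord("good", now - timedelta(days=400), 250_000),
        fh(b"known-bad-dropper"): CloudRecord("bad", now - timedelta(days=2), 12),
        fh(b"young-unclassified"): CloudRecord(None, now - timedelta(days=1), 500),
        fh(b"rare-unclassified"): CloudRecord(None, now - timedelta(days=30), 3),
        fh(b"old-common-unclassified"): CloudRecord(None, now - timedelta(days=90), 5_000),
    }
    ep = Endpoint(cloud, Policy(), now)
    no, yes = (lambda m: False), (lambda m: True)
    r = {name: ep.evaluate(name.encode(), no).action for name in
         ("known-good-installer", "known-bad-dropper", "young-unclassified",
          "rare-unclassified", "old-common-unclassified")}
    never = b"never-seen-binary"
    r["unknown_declined"] = ep.evaluate(never, no).action
    r["unknown_allowed"] = ep.evaluate(never, yes).action
    r["unknown_again"] = ep.evaluate(never, no).action        # no second prompt
    r["revoked"] = ep.classification_arrived(fh(never), CloudRecord("bad", now, 1))
    r["unknown_after_verdict"] = ep.evaluate(never, yes).action
    r["unknown_no_warn"] = Endpoint({}, Policy(warn_on_new_untrusted=False), now) \
        .evaluate(never, yes).action
    return r


if __name__ == "__main__":
    for case, action in run_demo().items():
        print(f"{case:25s} -> {action}")
```

The decision for an unclassified-but-seen file uses only age and prevalence, which is the "pure age/pop block" being asked for; the behaviour-monitoring path only appears when the warn option is off and the file is brand new to the cloud.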
Oh, how I long for the days of yore!... All jokes aside, I agree wholeheartedly with the comments made by STV0726. Sometimes an improvement to a program can be made by looking to its past.