How Long Does Webroot Take to Classify an Unkown Process as Good or Bad?

I had an unknown process called "msdn.exe" running on my system that was been flagged as by Webroot (and was being monitored.) This unknown process ran in the state for three days at which time a scheduled MalwareBytes scan ran and detected the file as a trojan and removed it along with 4 other associated registry entries.

On average, how long does it take for Webroot to classify processes? Is it faster to e-mail the files to tech support as soon as we notice them?

It's not a comfortable feeling knowing that I had a trojan running for three days on my system doing who knows what.

 

I agree that the classification of files (good or bad) takes to long.
The good thing is that your system is safe while the file is monitored.
I guess Joe will jump in here and explain how they achieve this.

For users who like more info on these files, would it be possible to see were in the processes a monitored file is?
Is it checked by the automated process, reviewed by the staff etc.

/E

 

The more users that have the monitored file on their computer, the shorter the time before it gets "good" or "bad". I think it also depends on how much suspicious activity the monitored process do.

I've seen a few cases with some small, not so famous, indie games I bought of Steam where they were being monitored for months before I finally uninstalled the game. I didn't bother to contact support.

EDIT: I certainly don't pretend I know the complete process. I base my thoughts on my own experience. The complexity of WSA is insane so of course I don't know exactly.

 

Indeed, the type of activity of the application on the local system (or other systems with WSA) will trigger the action/reaction. More aggressive they are faster they will be blocked/classified. No specific actions (dormant elements) slower will be classification as classification for "unknowns", amongst other factors, is based on behavior. i.e. what they do.

Meanwhile the other parts of WSA (e.g. identity shield) will protect the data anyway from leaking/erasing/etc. At the same time WSA will monitor all changes and revert back them in case of malware classification.

NOTE: having another tool cleaning the system can be potentially damaging if the tool does not revert back the changes of the malware but simply remove its traces.

 

It really depends on the file - we intentionally take longer to move a file from unknown to good as we need to be certain it really is good (which requires wider observation). Bad files are usually easier to jump on, but even then, some malware doesn't do anything for a number of days or is more of a "potentially unwanted application" which is grey rather than obviously bad.

 

A couple of days in monitored mode seems ok, but as shadek says "months"?
That is a very long time.
What about if the file is good, will the monitored mode cripple it in any way function wise?
I work almost only with small company's, and they use cheaper "unknown" software a lot, as their budget does not allow for big more expensive well known brands with digital signature etc.
I am talking admin programs here for salary, time reporting etc.
I did not dare to keep some of these files in monitored mode, as I did not know if WSA would let them "work" 100% while monitored.
Do I need to worry about this?

/E

 

A file being marked as unknown will not negatively impact it or cause it to function poorly. Worst case, you can whitelist it locally or write into our support team to have it escalated.

 

A PROPERLY-CODED file marked as unknown will not negative impact it...

I have found plenty of badly-coded files that react poorly to the monitoring, however these cases when explored with the file's originating coders has ALWAYS ended up being a case of poor coding practice on their part. For example, "Send request, wait for data, process data" without any limit or bound on "wait for data" is bad, but the idea is that the request will always return "Data" or "<Empty Data>". The assumption is that it will always return though. Add the ID shield in and suddenly it may get no return at all, not "Yes there is data or yes there is nothing in the data". Then it harfs because the coders didn't follow proper coding procedure.

 

Whitelist is what I do in these cases, it is the time in between my visits I worry about. The users does not touch these things, for good reasons

/E

 

A related question: Of those files that are classified as malware, what is the distribution of (time that the file was first classified as malware minus time that the file was first seen by Webroot).

 

Few seconds, minutes to hours or days depending on behaviour of the malware.
Normally a matter of few minutes.

 

A couple of tests that measure "time to detect":
http://www.mrg-effitas.com/current-tests/

 

Here is how Webroot does everything in the Cloud.

http://www.webroot.com/us/en/partners/technology-partners/webroot-intelligence-network

http://www.webroot.com/us/en/partners/technology-partners/web-content-classification

TH

 

Average time to detect for Webroot for sample of malware is eight hours.
https://www.wilderssecurity.com/showthread.php?t=360632

 

That's the average for the few samples that Webroot missed the first time. 98.6% of them were detected right away. MGR defines the samples used as 'early life'.