Question regarding Protected Applications

Today I installed a small service pack for Softmaker Office which is similar to MS Office. As it's new & released yesterday WSA it seems does not yet know if it safe or not as I noticed I was unable to use the mail client properly or cut & paste into the Textmaker application. Looking into Protected Applications I noticed the all four program modules were on deny.

I them moved these to allow so I could use the modules, the size of WRData then climbed 50 Meg to just under 200 meg which shows (to me) WSA is keeping further track of changes. There is also another program I noticed was on deny & which is a cleaner which also hasn't been running properly, I moved this also to allow, WRData then increased to well over 200Meg.

My question(s) is/are will the size of WRData continue to climb as I continue to use the programs until classified & what happens if a much used program is never classified by WSA as neither good or bad which 'seems' to be happening with the program 'Wise Disc Cleaner'? I use this program frequently & it makes a fair number of changes to the system as it's function is to remove unneeded data in large quantities - Perhaps to make matters worse this program is updated frequently. I notice 'Stardock Window Blinds' is always on deny despite moving it to allow it reverts back on next reboot, why is this?

Thanks !

 

The best thing to do is save a scan log and post the lines to the program into a WSA Support Ticket to get them whitelisted! https://www.webrootanywhere.com/servicewelcome.asp?

TH

 

Hi TH!
Is this the backside of the "revert" feature you showed me in the video?
How a "legal" program (False positive) is under constant monitoring or is the issue posted here only a bug?
I mean just as well as a malware will get detected sooner or later by WSA, so should false positives right?

Cheers

/E

 

The recent video is the reason I've been looking at Protected Applications with interest, & as WSA operates on a different system than other AV solutions (although I used Prevx for some years) I've not really been aware of actually how the WSA monitoring works until recently & as others who I introduce to WSA may ask me similar questions it's good to have a basic working knowledge (or I'm going to look a right fool) - How does Webroot identity FP's or unknowns? Is some (most?) of this info gleaned from users who submit unknown files or is this unnecessary or even unhelpful to WSA support? (is this being a pain in the posterior?) - Someone has to ask the stupid questions so it might as well be me - Thanks for the replies TC

 

Every program starts as untrusted and is therefore journaled. Users submitting false positives is a negligible number - we primarily prevent false positives generically by being aware of what a centrally created rule will catch and being able to white list files automatically.

 

OK, thanks for replying - Sorted

 

I just like add to this thread as some users use not commonly known programs to the Webroot Cloud database and if someone does have issues with a certain program and want to get them Whitelisted sooner the best thing is to do a scan and save a scan log and start a WSA support ticket and put all the lines with in the front in the support ticket then if another user installs that same program the files will already be whitelisted in the cloud database. And personally I can't remember the last time I had a false positive

TH

 

yep TH, that old complaint of mine seems, to be a thing of the past. Never thought I would say it but, WSA is pretty much perfect when it comes to FPs.

 

Done that & I wish support the very best of luck

 

You will see for yourself!

TH

 

Glad to hear it

 

Well support was excellent, there were quite a few unknowns actually including a few uncommon photo & music editing programs I use. I send a report to Webroot last night & received a reply this morning & all issues sorted.

Great service & then some.

 

Great to hear! I knew that the support inbox would help you and you would be happy!

Cheers,

TH

 

Joe and TH, I saw this test of the rollback feature by Biozfear, and like to hear your point of view regarding this simple test, were the feature "missed" a bit.

http://www.youtube.com/watch?v=MJ7KAINQqfQ&feature=plcp

Hope this works, having problem posting the link??

Cheers

/E

 

I don't have a youtube account but I'll post a reply here (in case you want to pass it on to the video creator).

We should have definitely cleaned up the shortcut - that looks like a bug which we're going to be investigating in the next build. Shortcuts are created slightly differently in the OS than other files so it's possible that this would change how it's handled. As for Ransomware which blocks the OS from working, you can boot into Safemode with Networking and still use WSA. From what I've seen, that's usually sufficient to get around these infections. As for our detection rates, right clicking on a folder of files uses only a fraction of the detection abilities of WSA so we'll always score worse there than how we'd score on-execution. That aside, the test was overall very well thought out and I really appreciate the help in improving our product If he has any additional suggestions or feedback, send me an email to my username at gmail.com and we'll definitely work to fix anything we can!

Thanks for letting me know

 

Done, he got your answer.

/E

 

Hi there, I was the one who did the test in the video.

There are some ransomware variations that even in safe mode you can't get into windows (safemode, safemode with network). In these cases, such roll back feature becomes defenseless.

As for the detection rate, I will do a re-test with a few days old samples and then execute them and then lets see how will WSA hold its grounds.

I still believe there should be more work done on prevention aspect of WSA but let's see what the test could do.

 

Thank you for reaching out! I'd be interested in obtaining samples of ransomware which affects the system in this manner so that we can look into preventing it from occurring by blocking the change generically. If you could send them to my username at gmail.com, I'd appreciate it.

Thank you!

 

email sent. hope it helps.

Happy hunting

 

webroot should buy out hitman pro

 

Why does WSA include CCleaner as a protected application even though it is set to "deny"?
Windows 7 Ultimate, SP1
IE 9

 

Applications are added to Deny when they try to access the system - I suspect it was just because CCleaner has read cookies from disk, but it shouldn't have any negative effects when listed as Deny.

 

Thank you.