Why did Webroot missed infected files?

And don't forget [ U] Unknown then Journaling starts and in 99% of the cases it will rollback to a pre-infection state once detection is added.

Daniel

 

So the response I had from webroot was that as it wasn't active webroot just ignored it.

However something about this bugged me....

It turns out the kb..... .exe file was previously marked as infected back in June (something I didn't know till today) but the actual file was left behind. On the basis it was no longer active I could understand this, but I came up with a little test and before I tried it based on what webroot told me I thought I knew what would happen.

I disabled the other AV and then restored the kb.... .exe file from the other AV quarantine, I thought webroot would simply ignore it (well take no action anyway as it wasn't executed) like it had been doing. I was wrong as soon as the file was created (restored) in the temp folder webroot found it and quarantined it. So either webroot does detect files that aren't active or the restoring of the file prompted it to execute, if it was executed by the restore then surely when it was first created it should cleaned/quarantined for the same reason.

 

Many explanations... for example, at the time of the dropping there was no signature in WSA for that specific file and WSA acted only by behaviour (removing active elements? or doing nothing because there was no infection?) or possibly the user disabled temporarely WSA while doing something (i.e. infecting himself) then activated WSA again, so WSA could not see the live dropping of the file but only the active components? and many other explanations possible...

The main point is, the users was not actively infected (i.e. otherwise it would not operate the system at all due the type of malware ). So WSA did its job.

I would suggest you add a policy not to allow WSA to be shutdown...

 

Right and see this Thread and notice what the Webroot Threat Researcher Rakanisheu has to say! https://community.webroot.com/t5/We...-does-Webroot-detect-Malware/m-p/141053#M8271

TH

 

Thanks again Fax.

I wasn't here back in June so I can't say either way on those possible reasons, but they are possible reasons which is what I was looking for. I need to get use to the webroot way of classifying and reactive action a little more I think, as it just does differ enough to raise that question with me at the moment. That said I enough now to be more confident about the product.

 

Actually the ransomware (Filecoder) was run on that computer, otherwise ESET wouldn't have detected files with instructions how to obtain a decoder for encrypted files. These files are created by Filecoders after they've successfully encrypted files in a particular folder.