Send Unknown Files From GUI

Hi Joe,

It would be great if we can send unknown from Webroot GUI itself and get information about the file (Date first seen, PC Count) like on web upload feature.

So then we only need to contact support for a virus incident or any other critical system issue. By automation of this process to send unknown files will make life much easier and faster whitelisting for Webroot.

Actually I personally is not a fan to contact support just for whitelisting files.

Also till this feature get introduced, it would be a great great help for us "Joe" to upload multiple files at once (keeping the old rule less than 10MB) on the current web file upload feature

Plus having long textboxes for each file path rather than browsing for each file manually
During previous old GUI, the long file path textbox helped us to paste the unknown file path straight from scan log and click send button (no need to manually browse it).


Regards,
Dark Lord

 

We have a new web form which is used instead of the local UI and it lets you upload the file directly to our threat team.

 

Hi Joe,

I think you didn't get my point

Yeah their is a new web form but it NOT user friendly for end user when going to submit many unknown files to Webroot threat research team

I request to make it able upload more than file, so we can select many files at once an upload.
Second I request to make it easy having the browse button PLUS having a blank textbox or something just to copy paste the unknown file path.
So we don't need to manually search and submit 20 times if we have around 20 unknown files in our system.

Hope you understood

Regards,
Dark Lord

 

uuuhm... you save the log, cut and paste on support page and done.
Am I missing something? You don't need to upload files just the MD5/FLAG.

 

I agree with fax. Copying the lines from a scan log and pasting them in a support ticket is far quicker than uploading files of varying sizes, some of which may take a while to be sent through.

I did this recently with 24 files marked as unknown; Support replied after determining they were all good, and they're all now marked with the [G] flag.

 

Agreed - this is the process we encourage users to take as it is by far the fastest and easiest way for us to handle them. We don't need samples, just the hashes from the log, as it will point us to the rest of the data in our database.

 

What is the difference here?
If I scan the files they automatically gets in to your systems as unknown right?
Is it just a matter of time until they are dealt with if I send in the log compare to if I scan them?
I understand that there are a lot of unknown files coming in via WSA itself, but they must have a high priority to get looked at by your team?
Or is all this automated with the chance that something, good or bad get missed in the process?

/E

 

Faster whitelisting... otherwise, depending on prevalence and diffusion you may wait months or forever

 

Faster White/Blacklisting, true but how many user send in their logs?

Collecting unknowns must be done during scanning, execution etc.
To me this is were the cloud solution should shine.
All "unknowns" passing numerous checkpoints in the cloud, were in the end there should be only a few left to examine by hand.

I have seen something like this in Kingsoft PC Doctor, when they had the security feature incorporated.
Information regarding unknown files came back from their cloud, sometimes a couple of days later, with a popup telling me that the file/app was safe or dangerous.

I think that monitored files in WSA should work this way, if you choose to. You should get a popup telling you what the solution to the file is going to be, after it has passed all instances at WSA threat center.
I would even like to have a popup telling me when a file is considered monitored. Optional of course, helping me having a more granular control.

I guess that monitored files that the user allows/blocks are examined by WSA as well?

/E

 

They are and will be in due course (and I have seen some sorted in a few hours or so...but not all) but as fax posted earlier (as did PrevxHelp) if you want them checked and potentially whitelisted quicker then the recommended method is to cut & paste the relevant log entries.

Personally, I tend to only cut & paste to a Support Ticket occasionally, after a periodic review of the log file, as a classification (which leads to added monitoring I believe) does tend to really impede things on my system.

Regards


Balders

 

Thx Baldrick, I understand the recommended method.
But that does not mean that it is the best method (as a user), I guess 99% of the user base will never do this.

As an example, I have Pandas url filter installed (Panda_Url_Filtering.exe).
When I did install WSA a few weeks back on this PC, I did move it from Monitor to Allow.

(Today I did empty quarantined files and removed all history in the Block/Allow files section. I did this because I throw a lot of malware at this PC, and I like to keep it clean inside WSA.)

Pandas url filter went back to Monitored, leading me to believe that no action has been taken by WSA whitelist team during the weeks I have had it running as allowed.

/E

 

How many folks use it?
Does it do something wonky, like messing around with browser data, that could get it watched for longer?
Did you know that while you put it from Monitored to Allowed, your agent stops collecting data from monitoring it, so isn't feeding the cloud that data to make a decision?
Did it do an update in that time that would have made it a new item? (unlikely, but "Why is Chrome monitored! It's been around for years!" ... "Because it is monitored for the first 15 minutes or so after the global update and you updated fast.")

 

As this is integrated in Panda Cloud AV and as a standalone install, millions of users.
I have had files monitored for weeks, and from what I read here in the forum I am not alone in waiting for good apps to get approved.
Joe also told us that it will take longer time to approve legit apps.
My point was if there is a certain "flag" raised when a monitored file is allowed/blocked by the user.

/E

 

Most general users would use the submit file and support(Community & ticket system) on the WSA interface. When they visit the Community for help they'll be directed towards using the fastest method - support ticket. And people wo visit Wilders will have no prob understanding the quickest way.

 

One problem I have seen with unknowns is not everyone who uses WSA has any idea what unknowns are or does not understand about monitoring or even wants to (all my relatives) - A friend who I visited recently who I introduced to WSA some time ago had gigantic monitoring files (gigs) in program data (some files going back months) due to him running PC cleanup & media producing/changing programs that even the most bloated AV would not use the room WSA was using in program data & he had no idea about sending unknowns to support & really had no intention of wanting to as in his words: 'I've never had to do that with Eset SS'.

Although I've read that WSA cleans up program data this had not happened in this case - When the files in program data reach a certain size or a huge amount of unknowns are running isn't there some was WSA can either warn the user or trigger something in the program itself to advise the user to submit files & maybe a more simplistic (semi automated) way of doing this as some of my relatives would not have a clue how to with the present system so I end up advising.

Some programs which are IMO reasonably common don't get whitelisted & if these programs are making changes to the system as in cleaning up or changing files such as (photographic/media) can run up very large monitoring files & the user in this case was wondering where his space on C:\ was going he has actually gone back to Eset because of this.

The same guy was annoyed some time ago when he couldn't paste into a word processor which had just had an update (softmaker) yet had no idea (or any warning) it was because of WSA doing it's job but had no idea this was happening either - I think the lack of whitelisting is perhaps the only weak point of WSA for users who use good but not overly common but not rare software (Serif software for example) & why WSA is not on this PC but is on my other PC's - A PC I cleaned up recently had a huge WRData file that also was many, many gigs in size - Webroot are justifiably proud of how small the setup file & the initial on disc size the program uses yet many users end up with very large files in program data do to lack of whitelisting that may be (far) in excess of traditional AV solutions if they use often updated/uncommon or IMO not common programs.

This post is not meant to be critical just an observation & reflects some of the negative feedback I've had from users I've introduced to WSA, it's OK telling people to submit unknowns to support but some people want a fit & forget solution or some automated process for dealing with unknowns on a particular PC & perhaps more pertinent users don't know or have any reason to contact support when they don't realise there is a problem ? This does seem to have happened to some users on here recently - I do think this can be a major issue at least for some users.

 

Exactly People do want "Setup & Forget" or "Install & Forget" software from cloud applications. Its good "Joe" if you can automate this unknown files issue and making it classified automatically from the agent itself without end user needing to contact support

Regards,
Dark Lord

 

Our backend is already aware of every unknown file - submitting it in any means will just make our threat team aware of it at a higher priority, but we look at everything.

 

@ PC_Fiddler & Dark_Lord: Exactly my point of view here.
Average users will almost never submit anything.

It is us "Enthusiasts" if I may call us that?
We are the ones that will submit files, and help shaping a product that we are trying to make perfect for our purpose.

My suggestion to WSA is that when a file/app is moved by the user from one state to another in Monitored files a flag will be raised.
This flag will move it up the herarki "as a submitted file would" just because the action taken, is probably from a more experienced user.
I know this could open for non savvy users to fiddle around with this, but it is unlikely as they hardly never are interested in this.

(See PC_Fiddlers post, head on the nail)

Does this idea make any sense to you guys?
And foremost:If so, is it possible to achieve in WSA Joe?

/E

 

I think we may be at cross purposes here. I thought we were talking about files marked in scan logs, not about moving files from one state to another. In any case, I believe, and Joe can correct me if I'm wrong, that if you move a file to either allow, block or monitor, the WSA backend automatically knows of the action taken.

In my example that I posted earlier, the 24 unknown files I submitted weren't in a monitored state. In fact, I have no files set to be monitored. I could run any of these files without problem before submitting them as they weren't blocked or quarantined. An average user would be in the same position. All us more technically-inclined users are doing is expediting the process of getting those unknown files classified/determined quicker as Webroot is already aware of them. Ordinary users who don't know about any of this need not worry as the files will get determined in time.

 

My point is that some unknowns don't get verified ever automatically & if unknowns start to make changes to files which can happen perhaps only occasionally then they may be monitored albeit for a short period & some users have no idea about monitoring or that it even takes place so they then build up large monitoring files in WRData? as in the two examples I mentioned.

Also as in for example word processor that's unknown (recently updated) WSA may prevent copy pasting etc. the user has no idea its WSA that is preventing the program working correctly so I feel there needs to be some warning that programs may have restrictions placed on them by WSA - In a cleaner which may remove 100s of meg daily all these are changes are monitored.

Am I wrong here?

 

Considering the new hundred thousand files per day recorded by WSA its unlike that WSA development can find a better method to whitelist than looking to the user base and prioritising based on that and on the type of file (system file). This means that files used by few are unlikely to get whitelisted any time soon.

On the other hand, average users with standard tools (emailing, wordprocessing, etc) will not have to dig into WSA nor to be aware about the 's or the [G]'s... these files get whitelisted rather fast.

In fact, as you can see from here, only experienced users playing around with all WSA features tends to see it as an issue...

 

A growing user-base also has to be a good thing & the posts I've made (on this thread) are merely observations & I hope they haven't come across as nit picking as that certainly wasn't my intention! - I still feel for most people WSA is a first class AV & any downsides to it are certainly outnumbered by the positives & I will continue to recommend it without hesitation - Most people who I know that use WSA are very happy with it & I yet to have anyone who has been infested by malware which I would think it the main point - So I wont post again on this thread or on this subject ~