Prevx 3.0 Same cloud as Webroot (Definitions)

does prevx use same cloud and Definitions in the cloud with Webroot? if so,

how does it come that prevx cleaned 300 missed sample that webroot did not found?



http://www.prevx.com/avgraph/13/Webroot.html

or I'm out and bicycle?

 

Old version of Webroot. The 2011 and earlier stuff. 7.0 and before. Not-cloud. Prevx3.0 and WSA cannot be installed concurrently, but Prevx3 can work with old Webroot.

 

He still has a point, the signatures should be the same, even if the product is not. So something is weird fyi.

 

What gave you the mistaken idea that the SecureAnywhere stuff uses "Signatures" in the cloud and so just detects the same stuff as the 7.0 and below? If that were the case, that would be utterly silly since it would just be "The same old thing, but slower because it has to go online to find out".

The cloud uses a 100% different system, is fed real-time, makes decisions real-time, etc. The old stuff shown in that chart uses a local signature with a conventional AV engine. The methodology is completely different between the two and the cloud data can't feed back into the old signature system (tens of terabytes of cloud data won't fit on your computer for signatures) so yes, I'd expect that the cloud will detect more stuff than the old Webroot.

 

Um... because people still use old versions of webroot, you think webroot refuses new signatures to customers using other versions that are now secureanywhere?

You do know you are way off right? it takes nowhere near this much space to store a signature database.

 

Webroot 7.0 uses Sophos for its antivirus detection and the Webroot research team has never had full control over it, which is why there is a difference in detection (and why Prevx 3.0 is finding files Webroot 7.0 missed).

SecureAnywhere's database is indeed tens of terabytes in size and hosted in the cloud. It is different from P3 and different from 7.0. It isn't just signatures of malware - it's detailed information about every program including behavior data.

 

@CubonesCastle - Just to Quote an Article from Aug 2011.

http://www.pcmag.com/article2/0,2817,2392059,00.asp

TH

 

I remember reading somewhere in which Mel Morris was quoted as saying this database can include as many as two million database rows for a single process. With that amount of information, it's not surprising, therefore, that the cloud storage for all this goes into the terabytes.

Edit: TH beat me to it with a link to the original source!

 

That seems really inefficient. I was assuming he was talking about the signature database and not "all inclusive" data on programs and services.

 

How you define inefficient? Are you, as user, impacted by the size of the cloud?
How would record the behavior of software without recording their activity?
Remember that Prev/WSA detect malware by its behaviour and no simply by a single fingerprint. Fingerprints are easy to fool... behaviour and action not as simply

 

I think one of the problems here is the misunderstanding of "Signature Database". A contemporary AV's signature database is not "Files with this MD5 signature are bad". Amongst other things, I seriously doubt the way the cloud system works in 8.0 is technologically compatible with the way the AV Sophos engine signature system works. The 7.0 signature system has to use local processing power to make decisions on a file based on a certain set of specifications (definitions or signatures), while the cloud WSA/Prevx3 system would make decisions based on a different set of specifications and using much more processing power and data. So yes, I'd expect Prevx3 to detect a different set than Webroot 7.

 

Exactly And Prevx 3.0 will find a different set than WSA as well (a subset, as WSA has more generic protection/detection in addition to what P3 has, although we try to backport as much as we can during the period we're in before we can migrate all users automatically).

 

I also see a problem with privacy when this much data about what your computer is doing is being sent to the cloud. It seems like the cloud is getting all data about programs it does not know and what they are doing. I am using this as a bad example but what if your using a program to steal data off a work computer which has webroot on it, and the boss finds out. He knows how webroot works and gets a court order for the info webroot store about this unknown program and prosecute you.

This is an extreme out-there example, but you can understand what I mean.

 

It's all anonymous and we don't store/collect personally identifiable information.

 

Good news bad news.

The good news is that the information is anonymized and genericized, so the above case isn't possible.

The bad news is that better information about the unknown program can be acquired by direct analysis and other security tools than through the Webroot cloud, so you'd get caught anyway. ^.^

 

I don't get it. If X program runs on computer 3001, and its not trusted so webroot gathers info on it, how does webroot know which computer to send relevant data to and from if its anonymity is central.

3001 X
3001 X untrust.
3001 X is doing Y
3001 X is doing Z
3001 X is malware
3001 X delete.

How can X be followed if X is nowhere. X is on one clients machine and there has to be some way of tracking machine 3001 or X cannot be re-wound.

 

You said it... its 3001. A code is enough info.

 

Myself and smarter men have tracked with less.

 

Myself and smarter men have tracked with less.

Your IP is as good as your real name and address, and is tethered with 3001. Therefore 3001 is as good as your name and address. I am not sure where webroot servers are located but if they are on USA soil then all data on those servers are already breached with a MITM attack by uncle sam, which stores all that data which could later be used to track what you did with your computer at any time webroot was installed.

 

This is valid anywhere with any software including the OS... you need an IP. Did you only discover it now? Your ISP know you very well. You can use proxy IPs to try to be anonymous if you are scared to be traced on the internet for whatever reason. Anyway this is going off-topic and discussed several times in here.

 

You clearly are missing the point and this is clearly a waste of my time.

 

I think it would be appropriate to assume that information sent to the AV vendor's cloud is logged or entered into a database with timestamps. So it would be appropriate start with a view like:

<Timestamp> <Client IP Address> <Information>

Timestamp + IP Address would usually be sufficient to track back to an individual through their ISP via valid subpoena. There are alternate means of using just that information to identify someone which sometimes work and sometimes don't work. I think many, possibly even most or all, of these cloud AV clients are sending a per machine or account GUID along with that. So even if your IP Address changes or you direct the traffic through an anonymous proxy they can still correlate information sent to the cloud. Which makes it:

<Timestamp> <Client IP Address> <GUID> <Information>

You must investigate whether a GUID is used and assess the possibility that it has been or could be correlated to an online account for which personal information is known. Furthermore, you have to really dig into what <information> is and try to determine for yourself what it could contain. You have to look for things like filenames and/or pathnames (which sometimes contain personal info) being sent along with file signatures, URLs (which sometimes contain personal info) being sent as part of malicious URL checking, and also look for other information about the environment/context being sent to the cloud as part of a standard query and/or as part of a more descriptive report about things deemed new or suspicious and/or in metrics.

 

Thank you! At least someone understands where I'm coming from. Very good post!

 

You clearly don't understand that in the cloud there is not personal record of you or your documents just hashes and behaviour of programs. This was explained hundred of times in here in the past several months!!

The result of all discussion is that if you are so paranoid you should not use windows systems (to be able to inspect source codes) as well as using anonymous services not to be traced by IP.

 

This is valid for any AV or software and happening normally based on license keys. Why this is discussed in PREVX 3.0 definitions thread its a mystery to me. If you have privacy issue then I am not sure how you can use MS. Windows. You give up your privacy as soon as you connect to the internet. AMEN.