WSA Poor Detection Result

Discussion in 'Prevx Releases' started by james246, Sep 18, 2013.

Thread Status:
Not open for further replies.
  1. trjam

    trjam Registered Member

    Joined:
    Aug 18, 2006
    Posts:
    9,102
    Location:
    North Carolina USA
    Keep in mind, code doesn't always have to modify system components to do its damage.
     
  2. Triple Helix

    Triple Helix Specialist

    Joined:
    Nov 20, 2004
    Posts:
    13,269
    Location:
    Ontario, Canada
    That's not true; you have the other Shields protecting you, such as ID Shield and Control Active Processes Monitoring. Even if you are infected, nothing has changed. That's why it can't be tested properly at this time, but they are working with some AV testing organizations to test WSA's true ability, as Joe said above.

    TH
     
  3. fax

    fax Registered Member

    Joined:
    May 30, 2005
    Posts:
    3,899
    Location:
    localhost
    I am surprised, this has been mentioned at least 30 times before. Depending on the type of activity, the malware is blocked earlier rather than later.

    So it cannot damage the system, as this would trigger the WSA blocking. More sophisticated threats, more silent or less damaging, will take more time to identify.

    Meanwhile identity shield will avoid the leak of sensitive information. Is this so hard to understand? o_O
     
  4. trjam

    trjam Registered Member

    Joined:
    Aug 18, 2006
    Posts:
    9,102
    Location:
    North Carolina USA
    When WSA was first released it detected very well and did well by testing organizations. So what has changed? I mean honestly I don't know. I know it had issues with some FPs, but it is like the detection ability was toned down too much to offset that issue. Now very few FPs but not so great detection. I mean, if you would have asked me 2 years ago if we would be here debating this issue, I would have thought you were crazy, but here we are.
     
  5. Thankful

    Thankful Savings Monitor

    Joined:
    Feb 28, 2005
    Posts:
    6,555
    Location:
    New York City
    Still can't detect the FBI virus. Luckily, the system lock can be broken via the task manager, at least for this variant. Otherwise, you would be out of luck.
     
  6. Techfox1976

    Techfox1976 Registered Member

    Joined:
    Jul 22, 2010
    Posts:
    749
    I'll stick to this simple measurement:

    Before WSA across the users I support: 12-20+ visible infections per month reached me.

    After WSA: 0 visible infections reach me in the past nearly two years.

    So either all the infections it doesn't catch are 100% hidden and never do ANYTHING that the user notices (including swiping financial credentials, which I had to deal with 4-6 times a month or so before and now, also none), or it's working.

    I have yet to even begin to understand how some of you are getting accidentally infected with anything bypassing WSA, given that even my absolutely worst users have not managed it. I have a hard time comprehending the idea that you could be worse than them. Unless you're... like... not doing what even a horrible user does and are trying very hard to get infected, including bypassing security and setting things badly on your WSA, clicking "allow" to everything even more than they do, etc. (Mind you, I don't allow them to click "Allow" on WSA.)

    By the way, "Journalling roll back" does not equate to "delete the infection". That's old school thinking and obsolete. However I would like to know what nasty things you think a threat could accomplish prior to detection that would not be undone or cause permanent damage past the rollback.
     
  7. Thankful

    Thankful Savings Monitor

    Joined:
    Feb 28, 2005
    Posts:
    6,555
    Location:
    New York City
    Why even allow the user to click "Allow"? This was supposed to be eliminated a long time ago.
     
  8. PrevxHelp

    PrevxHelp Former Prevx Moderator

    Joined:
    Sep 14, 2008
    Posts:
    8,242
    Location:
    USA/UK
    'Allow' is for the cases where someone wants to run something they shouldn't (keygens, crack tools, and other 'possibly unwanted software', for example).
     
  9. PrevxHelp

    PrevxHelp Former Prevx Moderator

    Joined:
    Sep 14, 2008
    Posts:
    8,242
    Location:
    USA/UK
    Threats have been changing, and we put less of a focus on the upfront signatures, instead looking at what a file actually does.

    A large portion of the problem today (which was not happening two years ago) is this: when a new infection starts running (which was never seen by any WSA user besides the tester who just ran it), most files immediately do absolutely nothing and instead sit idle for 15, 30, 45 minutes... or perhaps waiting for a certain user action to start executing (a keystroke, a mouse click, etc. to prevent automated analysis).

    WSA may indeed let it run during this period but as soon as it starts to do something, anything, WSA will kick in and collect its behavior, send it to the cloud, and run a more detailed analysis of the file.

    Virtually every testing organization today just runs the file and then reimages the machine. The wait period is extremely small because of the economics of malware testing: there are a lot of AVs and a lot of files which need to be run through them, which takes time, not to mention the cost and time associated with reimaging a box.

    Files are also often run out of context, not coming from a browser or through the exploit paths as a normal user would encounter them, which is a significant portion of how we block files upfront.

    The FPs which we've fixed have not been at the risk of lowering our protection, rather, our automated systems are just smarter now and we're seeing unpopular programs faster.

    As for upfront blocking: yes, we can block any file we know about, but for whatever reason (perhaps the geographic makeup of our userbase, or just the nature of who is using WSA), our users are simply not seeing the vast majority of the files that we're being tested against. Our cloud lets us see this very accurately and it's a difficult case to handle as there are entire families of malware which have never been seen by a single Webroot user until a testing firm runs it. Personally, I'm quite surprised by this considering the size of our userbase and the fact that malware generally doesn't target a specific geography, but it is what it is.

    As I've said earlier, we are actively working with the major testing firms and several "up and coming" testing firms to come up with a methodology which will work for WSA. These tests would be meaningless if WSA were the only product tested (as there would be nothing to compare it to) so we're spearheading the initiative across the industry to have all products tested using a new methodology. It isn't just us who are "suffering" from the current testing methodologies, we've just specifically avoided making certain decisions about how we function to cater towards tests. Instead, we're focused on protecting our real users, something that we're very good at.
     
  10. trjam

    trjam Registered Member

    Joined:
    Aug 18, 2006
    Posts:
    9,102
    Location:
    North Carolina USA
    thanks Joe :thumb:
     
  11. shadek

    shadek Registered Member

    Joined:
    Feb 26, 2008
    Posts:
    2,538
    Location:
    Sweden
    New, unknown, not yet maliciously classed processes are run as 'monitored'.

    Are 'monitored' processes run with restricted rights? If so, would manually setting 'monitor' on all vulnerable Internet-facing applications make my computer safer from malicious and harmful activities?
     
  12. PrevxHelp

    PrevxHelp Former Prevx Moderator

    Joined:
    Sep 14, 2008
    Posts:
    8,242
    Location:
    USA/UK
    Yes they are, and WSA already automatically restricts internet facing applications (although if they're known good, it doesn't block them from making any change, as that would get quite irritating, but any application coming from an internet facing application [i.e. a download/exploit/etc.] is scrutinized much more closely).

    The 2014 release has a few big improvements in this regard, specifically targeting changes made from internet facing applications.
     
  13. shadek

    shadek Registered Member

    Joined:
    Feb 26, 2008
    Posts:
    2,538
    Location:
    Sweden
    Great to know. The Help Section at Webroot.com isn't clear about this. :) It just says "Monitor: Webroot SecureAnywhere will watch the process and open an alert on suspicious activity." It doesn't go into the specifics. :) Thanks for the clarification!
     
  14. Thankful

    Thankful Savings Monitor

    Joined:
    Feb 28, 2005
    Posts:
    6,555
    Location:
    New York City
    Is there a way to set default action to "Block/Close"?
    Thanks.
     
  15. PrevxHelp

    PrevxHelp Former Prevx Moderator

    Joined:
    Sep 14, 2008
    Posts:
    8,242
    Location:
    USA/UK
    Except the firewall, all of the default actions are Block (and if you don't answer within two minutes, it will be auto-blocked).
     
  16. Thankful

    Thankful Savings Monitor

    Joined:
    Feb 28, 2005
    Posts:
    6,555
    Location:
    New York City
    I would prefer not to have to click anything. I would like this automatically blocked.
     
  17. PrevxHelp

    PrevxHelp Former Prevx Moderator

    Joined:
    Sep 14, 2008
    Posts:
    8,242
    Location:
    USA/UK
    That's correct, if you don't click anything, it will automatically block it.
     
  18. BoerenkoolMetWorst

    BoerenkoolMetWorst Registered Member

    Joined:
    Dec 22, 2009
    Posts:
    4,868
    Location:
    Outer space
    I understand WSA's concept and I like it, BUT imo it can't be claimed that sensitive information is protected while malware runs. Yes, sensitive information entered into the browser is protected by Identity Shield, but how about locally stored emails, documents etc?
     
  19. PrevxHelp

    PrevxHelp Former Prevx Moderator

    Joined:
    Sep 14, 2008
    Posts:
    8,242
    Location:
    USA/UK
    Those would be protected from the firewall, if a program attempts to go outbound. But in the scenarios of malware testing, none of these areas count - it is only the upfront detection (at which point, the infection will have done nothing, and in most cases today, the infection will continue doing nothing for X minutes). One of our datapoints for behavior analysis is "does it touch user files".
     
  20. Dark Star 72

    Dark Star 72 Registered Member

    Joined:
    May 27, 2007
    Posts:
    778
    Joe,
    How does WSA deal with PUPs, intrusive advertising toolbars etc.? As they are in general not a 'threat', does WSA detect these? If so, will it only stop ones there is a signature for, or does it have some inbuilt generic/heuristic wizardry to stop the installation?
     
  21. fax

    fax Registered Member

    Joined:
    May 30, 2005
    Posts:
    3,899
    Location:
    localhost
    I see them detected as PUP (from Babylon to even recent versions of WinZip components), so there are certainly signatures for them and WSA does remove PUPs. Not sure about heuristics though...
     
  22. TonyW

    TonyW Registered Member

    Joined:
    Oct 12, 2005
    Posts:
    2,741
    Location:
    UK
    I think I also read somewhere that the 2014 line will have more emphasis on PUPs than before.
     
  23. fax

    fax Registered Member

    Joined:
    May 30, 2005
    Posts:
    3,899
    Location:
    localhost
    Yes, it was reported that a specific selectable detection option will be available in the GUI.
     
  24. BoerenkoolMetWorst

    BoerenkoolMetWorst Registered Member

    Joined:
    Dec 22, 2009
    Posts:
    4,868
    Location:
    Outer space
    Ah thanks. But about the firewall, by default it only warns when infected afaik, so unless it is set to a higher level it won't help, and even then, unless a firewall has a full-fledged HIPS, most are easily bypassed.
    How about creating a new feature for future versions that only allows whitelisted programs access to certain folders; folders specified by the user and a preconfigured list which already includes stored emails for popular mail clients, chat history from popular IM programs etc.
     
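An added illustration, not Webroot's code, of the behaviour datapoints discussed in this thread: a process that sits idle before acting, "does it touch user files", and the per-folder program whitelist suggested above. The event log, paths, threshold and scoring weights are all constructed assumptions.

```python
from dataclasses import dataclass, field
# Constructed event log (not real telemetry): (seconds since boot, pid, event, detail)
SAMPLE_EVENTS = [
    (0,    101, "start",   r"C:\Users\alice\Downloads\invoice.exe"),
    (1810, 101, "file_rw", r"C:\Users\alice\Documents\tax.xlsx"),
    (1812, 101, "file_rw", r"C:\Users\alice\AppData\Roaming\Thunderbird\Profiles\p\Mail\Inbox"),
    (1815, 101, "net_out", "203.0.113.10:443"),
    (0,    202, "start",   r"C:\Program Files\Mozilla Thunderbird\thunderbird.exe"),
    (3,    202, "file_rw", r"C:\Users\alice\AppData\Roaming\Thunderbird\Profiles\p\Mail\Inbox"),
    (4,    202, "net_out", "imap.example.net:993"),
]
# Protected folder -> programs allowed to touch it (the per-folder whitelist idea)
PROTECTED = {
    r"C:\Users\alice\Documents": set(),
    r"C:\Users\alice\AppData\Roaming\Thunderbird": {r"C:\Program Files\Mozilla Thunderbird\thunderbird.exe"},
}
DORMANCY_THRESHOLD = 15 * 60  # seconds idle after start; long silence suggests analysis evasion

@dataclass
class Verdict:
    image: str
    started: int
    first_action: int = -1  # -1 until the process does something observable
    protected_touches: list = field(default_factory=list)
    net_out_after_touch: bool = False
    def dormant_seconds(self) -> int:
        return 0 if self.first_action < 0 else self.first_action - self.started
    def score(self) -> int:
        s = 2 * len(self.protected_touches)  # "does it touch user files"
        s += 1 if self.dormant_seconds() >= DORMANCY_THRESHOLD else 0
        s += 2 if self.net_out_after_touch else 0  # read user data, then went outbound
        return s

def _protected_folder(path: str):
    return next((f for f in PROTECTED if path.lower().startswith(f.lower() + "\\")), None)

def analyze(events) -> dict:
    verdicts = {}  # pid -> Verdict, built from a time-ordered event stream
    for ts, pid, kind, detail in events:
        if kind == "start":
            verdicts[pid] = Verdict(image=detail, started=ts)
            continue
        v = verdicts[pid]
        v.first_action = ts if v.first_action < 0 else v.first_action
        folder = _protected_folder(detail) if kind == "file_rw" else None
        if folder is not None and v.image not in PROTECTED[folder]:
            v.protected_touches.append(detail)
        elif kind == "net_out" and v.protected_touches:
            v.net_out_after_touch = True
    return verdicts
```

The downloaded sample scores high (long dormancy, two unauthorised user-data touches, then an outbound connection) while the whitelisted mail client reading its own profile scores zero; in a real product the weights and threshold would be tuned against telemetry.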
  25. CloneRanger

    CloneRanger Registered Member

    Joined:
    Jan 4, 2006
    Posts:
    4,978
    @ PrevxHelp

    Your recent explanations of how WSA actually works were Very welcome ;) but long overdue :(
     