Did a MDL download of some July 18th and July 17th samples and many went through.

Discussion in 'Prevx Releases' started by GrammatonCleric, Jul 18, 2012.

Thread Status:
Not open for further replies.
  1. GrammatonCleric

    GrammatonCleric Registered Member

    Joined:
    Jan 8, 2009
    Posts:
    372
    Just a heads up that I did a MDL URL download of some July 18th and July 17th samples and they went through the Webroot Defences quiet fine. I have the heuritics, Age and Popularity maxed out to the fullest among all the tabs (Offline, Online, USB etc).
    The only peep I heard was from the firewall shield so you might say that it blocked it...in terms of dialing out, but the infector was still there.
    I actually let the file pass through the firewall. It downloaded an infector that also wasn't detected.
    The same was with the fake AV from July 17th. Fake AV installed and ran fine yesterday.

    Sorry I dont have the samples since I ran the browser in Sandboxie and once I closed the browser, the sandboxie killed it.

    If the devs need my webroot account I can provide it.
     
  2. PrevxHelp

    PrevxHelp Former Prevx Moderator

    Joined:
    Sep 14, 2008
    Posts:
    8,242
    Location:
    USA/UK
    It would be worth contacting our support team as the researchers will be able to work with you there. With settings maximized, it should block literally everything as long as it actually is malicious so there could be an incompatibility here.
     
  3. Triple Helix

    Triple Helix Webroot Product Advisor

    Joined:
    Nov 20, 2004
    Posts:
    12,011
    Location:
    Ontario, Canada
    Joe since he had the malware running in Sandboxie would WSA still see inside the sandbox?

    Daniel
     
  4. PrevxHelp

    PrevxHelp Former Prevx Moderator

    Joined:
    Sep 14, 2008
    Posts:
    8,242
    Location:
    USA/UK
    Thanks - I didn't see that in the original post. No, it wouldn't be able to monitor the browser and it wouldnt see the threats executing fully. It could possibly see them as they're written to disk, but testing the strength of a security product when running browsers in a sandbox isn't accurate.
     
  5. Dark Shadow

    Dark Shadow Registered Member

    Joined:
    Oct 11, 2007
    Posts:
    4,553
    Location:
    USA
    I tested it in sandboxie and it does read inside sandboxie as most other AV do.here is what I got for the ones not blocked by Norton DNS or google.I have a lot of interference going on for proper testing of WSA as you can see if norton does not block it google does or the URLs are dead to begin with.
     

    Attached Files:

  6. GrammatonCleric

    GrammatonCleric Registered Member

    Joined:
    Jan 8, 2009
    Posts:
    372
    Here are the step by step that I checked again right now (19:53 EST on July 18th) same file and it allowed execution without a peep except for the firewall, when allowed via firewall it downloaded another component that was also not detected and allowed to run. (as you can see maxed out settings)

    I had to dismiss Malwarebyte alarm twice (which didn't occur yesterday).
    So the question is not of things looking into sandboxie since as can be seen malwarebytes can see it perfectly (I am not willing to run it without sandboxie since I don't trust that I be protected). It's the question of non detection at max settings, even after 1 day. I can still contact tech folks, but I am not infected and they can easily navigate to the URL in the screenshot (just match the name to the url list) to see the infection by itself. There were few more on that page but I figured this is as good of an example as any. (The last image is the Malware bytes detection of the malware code downloaded by the first intentionally downloaded code) The images are in sequence of events.

    http://imgur.com/a/1U7fv
    http://imgur.com/a/Jv5Jg
    http://imgur.com/a/UmBu9
    http://imgur.com/a/beBqS
     
  7. GrammatonCleric

    GrammatonCleric Registered Member

    Joined:
    Jan 8, 2009
    Posts:
    372
    Webroot software version used in the system
    http://imgur.com/L3wTd

    Don't get me wrong I don't want to "diss" Webroot. Just I keep seeing the "webroot users are never infected" reply or "yet to see an infected user in real life" well...here. :) Altough I am not infected, just bored sitting at an airport waiting for my 15 hour delayed plane.
     
    Last edited: Jul 18, 2012
  8. TonyW

    TonyW Registered Member

    Joined:
    Oct 12, 2005
    Posts:
    2,633
    Location:
    UK
    The problem is not so much the failure to detect at maximum settings. The issue is with the browser being sandboxed and how nothing is allowed to communicate out making it harder for WSA to do what it would find easy to do outside of the sandbox. This has been discussed a few times before, but this post might help to explain things a little regarding the complexities involved.
     
  9. STV0726

    STV0726 Registered Member

    Joined:
    Jul 29, 2010
    Posts:
    900
    ^ This is why home-grown tests are not reliable or valid in any way, shape or form.

    Seriously guys? How long's it going to take before you start complying with Wilders policy and if not that common sense...

    You can't judge it by writing in Sandboxie unless you are actually RUNNING the threats...virtual machine is the only way to go for formal aka actual testing.

    Let's not turn this into a "dude ur too harsh I trust home-growners" argument. Let's just ignore this thread and move on.
     
    Last edited: Jul 18, 2012
  10. GrammatonCleric

    GrammatonCleric Registered Member

    Joined:
    Jan 8, 2009
    Posts:
    372
    Well if you trust Webroot soo explicitly then I recommend you run the test in a non sandboxed system.
    You have the URL in the pictures see if it detects it with maximum settings.
    I for one am not buying the "It's a sandboxed browser issue". Nor I trust webroot enough to have it detected without a sandbox.
    But you gotta act fast since the detection can be added any minute now (now that the pics are up).
     
  11. Dark Shadow

    Dark Shadow Registered Member

    Joined:
    Oct 11, 2007
    Posts:
    4,553
    Location:
    USA
    From what I can see you have heuristics maxed on local are they same on internet.
     
  12. GrammatonCleric

    GrammatonCleric Registered Member

    Joined:
    Jan 8, 2009
    Posts:
    372
    Same for everything.
    I just didn't want to post 5 pictures of each tab but if you want I can.
    I always run security maxed...well except for Nod32 which when maxed brings my system to the knees and by maxed I mean AH on everything.
     
  13. Dark Shadow

    Dark Shadow Registered Member

    Joined:
    Oct 11, 2007
    Posts:
    4,553
    Location:
    USA
    Got it thanks.
     
  14. STV0726

    STV0726 Registered Member

    Joined:
    Jul 29, 2010
    Posts:
    900

    I said I trusted Webroot "soo explicitly"? Where?
    You've put those words together from some place but certainly not from me.

    I actually don't advise running malware tests (or running malware period) on an actual usage PC. Use a VM or separate, isolated PC.

    I actually have placed "my recommendation status" for WSA on hold due to failure to improve on and "settle into" 3rd party major testing organizations' results by mid-2012...NOT because of YouTesters/informal testers (like what you did) that run essentially non-tests and post misleading results.

    Please read TOS of Wilders. It explains why homegrown tests are not in any way useful. There's more too it than your Sandboxie usage.

    **I'm not trying to speak for the admin/mod staff here just trying to be a good forum citizen and pass the word on.
     
  15. Umbra

    Umbra Registered Member

    Joined:
    Feb 10, 2011
    Posts:
    2,146
    Location:
    in a remote land :)
    next time do it in your real system with a backup image ready.
     
  16. STV0726

    STV0726 Registered Member

    Joined:
    Jul 29, 2010
    Posts:
    900
    And more importantly - don't post your results. PM them to people interested, specifically, Joe (PrevxHelp) or Triple Helix.
     
  17. PrevxHelp

    PrevxHelp Former Prevx Moderator

    Joined:
    Sep 14, 2008
    Posts:
    8,242
    Location:
    USA/UK
    It most certainly is the sandboxed browser issue for the exact same reason why WSA's Identity Shield can't monitor the browser to protect it. WSA isn't able to see inside the browser and isn't able to communicate in both directions so it can't provide full protection from there.

    However, it shouldn't have to as Sandboxie should be blocking it. If something escaped the sandbox, WSA would see it.
     
Thread Status:
Not open for further replies.