Did a MDL download of some July 18th and July 17th samples and many went through.

Just a heads up that I did a MDL URL download of some July 18th and July 17th samples and they went through the Webroot Defences quiet fine. I have the heuritics, Age and Popularity maxed out to the fullest among all the tabs (Offline, Online, USB etc).
The only peep I heard was from the firewall shield so you might say that it blocked it...in terms of dialing out, but the infector was still there.
I actually let the file pass through the firewall. It downloaded an infector that also wasn't detected.
The same was with the fake AV from July 17th. Fake AV installed and ran fine yesterday.

Sorry I dont have the samples since I ran the browser in Sandboxie and once I closed the browser, the sandboxie killed it.

If the devs need my webroot account I can provide it.

 

It would be worth contacting our support team as the researchers will be able to work with you there. With settings maximized, it should block literally everything as long as it actually is malicious so there could be an incompatibility here.

 

Joe since he had the malware running in Sandboxie would WSA still see inside the sandbox?

Daniel

 

Thanks - I didn't see that in the original post. No, it wouldn't be able to monitor the browser and it wouldnt see the threats executing fully. It could possibly see them as they're written to disk, but testing the strength of a security product when running browsers in a sandbox isn't accurate.

 

I tested it in sandboxie and it does read inside sandboxie as most other AV do.here is what I got for the ones not blocked by Norton DNS or google.I have a lot of interference going on for proper testing of WSA as you can see if norton does not block it google does or the URLs are dead to begin with.

 

Here are the step by step that I checked again right now (19:53 EST on July 18th) same file and it allowed execution without a peep except for the firewall, when allowed via firewall it downloaded another component that was also not detected and allowed to run. (as you can see maxed out settings)

I had to dismiss Malwarebyte alarm twice (which didn't occur yesterday).
So the question is not of things looking into sandboxie since as can be seen malwarebytes can see it perfectly (I am not willing to run it without sandboxie since I don't trust that I be protected). It's the question of non detection at max settings, even after 1 day. I can still contact tech folks, but I am not infected and they can easily navigate to the URL in the screenshot (just match the name to the url list) to see the infection by itself. There were few more on that page but I figured this is as good of an example as any. (The last image is the Malware bytes detection of the malware code downloaded by the first intentionally downloaded code) The images are in sequence of events.

http://imgur.com/a/1U7fv
http://imgur.com/a/Jv5Jg
http://imgur.com/a/UmBu9
http://imgur.com/a/beBqS

 

Webroot software version used in the system
http://imgur.com/L3wTd

Don't get me wrong I don't want to "diss" Webroot. Just I keep seeing the "webroot users are never infected" reply or "yet to see an infected user in real life" well...here. Altough I am not infected, just bored sitting at an airport waiting for my 15 hour delayed plane.

 

The problem is not so much the failure to detect at maximum settings. The issue is with the browser being sandboxed and how nothing is allowed to communicate out making it harder for WSA to do what it would find easy to do outside of the sandbox. This has been discussed a few times before, but this post might help to explain things a little regarding the complexities involved.

 

^ This is why home-grown tests are not reliable or valid in any way, shape or form.

Seriously guys? How long's it going to take before you start complying with Wilders policy and if not that common sense...

You can't judge it by writing in Sandboxie unless you are actually RUNNING the threats...virtual machine is the only way to go for formal aka actual testing.

Let's not turn this into a "dude ur too harsh I trust home-growners" argument. Let's just ignore this thread and move on.

 

Well if you trust Webroot soo explicitly then I recommend you run the test in a non sandboxed system.
You have the URL in the pictures see if it detects it with maximum settings.
I for one am not buying the "It's a sandboxed browser issue". Nor I trust webroot enough to have it detected without a sandbox.
But you gotta act fast since the detection can be added any minute now (now that the pics are up).

 

From what I can see you have heuristics maxed on local are they same on internet.

 

Same for everything.
I just didn't want to post 5 pictures of each tab but if you want I can.
I always run security maxed...well except for Nod32 which when maxed brings my system to the knees and by maxed I mean AH on everything.

 

Got it thanks.

 

I said I trusted Webroot "soo explicitly"? Where?
You've put those words together from some place but certainly not from me.

I actually don't advise running malware tests (or running malware period) on an actual usage PC. Use a VM or separate, isolated PC.

I actually have placed "my recommendation status" for WSA on hold due to failure to improve on and "settle into" 3rd party major testing organizations' results by mid-2012...NOT because of YouTesters/informal testers (like what you did) that run essentially non-tests and post misleading results.

Please read TOS of Wilders. It explains why homegrown tests are not in any way useful. There's more too it than your Sandboxie usage.

**I'm not trying to speak for the admin/mod staff here just trying to be a good forum citizen and pass the word on.

 

next time do it in your real system with a backup image ready.

 

And more importantly - don't post your results. PM them to people interested, specifically, Joe (PrevxHelp) or Triple Helix.

 

It most certainly is the sandboxed browser issue for the exact same reason why WSA's Identity Shield can't monitor the browser to protect it. WSA isn't able to see inside the browser and isn't able to communicate in both directions so it can't provide full protection from there.

However, it shouldn't have to as Sandboxie should be blocking it. If something escaped the sandbox, WSA would see it.