Downgrade WSA key

Discussion in 'Prevx Releases' started by treehouse786, Jun 15, 2012.

Thread Status:
Not open for further replies.
  1. treehouse786

    treehouse786 Registered Member

    Joined:
    Jun 6, 2010
    Posts:
    1,388
    Location:
    Lancashire
    I have received a boxed version of WSA Essentials with a new PC. I want to give it a whirl, but I don't want to enable all of the extra features due to my anality about bloat.

    Would it be possible to downgrade my key to a WSA Antivirus licence instead of Essentials?
     
  2. PrevxHelp

    PrevxHelp Former Prevx Moderator

    Joined:
    Sep 14, 2008
    Posts:
    8,242
    Location:
    USA/UK
    Just don't install/configure Backup & Sync when installing WSA. That's the only component which will require additional resources/disk space.
     
  3. treehouse786

    There is also identity protection in my version, which I am guessing is not disabled when disabling Backup & Sync?
     
  4. PrevxHelp

    It isn't, but I would think you would want it enabled. It is the equivalent of SafeOnline from Prevx 3.0 and built into the binary so it requires nothing else. Password management is not in the Essentials product.
     
  5. treehouse786

    I used Prevx 3.0 for a year, and each time I installed it I used the command line trick which you posted ages ago, which would install Prevx 3.0 without the SafeOnline component touching my system.

    No, I would not like any other bells and whistles, as I have all other attack vectors covered; I am looking for a light, simple antivirus to trial with my setup. I have just installed the product and now realise there is a firewall in my version too, which when disabled shows a horrible 'firewall disabled' message right in the middle of the GUI.

    Please could you just downgrade my licence to the basic one, otherwise I will just have to give the licence away.

    Edit: disabling the firewall also turns the Prevx icon orange as if there is a fault with the configuration. Not ideal, as if the real-time component stopped for whatever reason then I would not know, as I would be used to the orange from disabling the firewall.
     
    Last edited: Jun 15, 2012
  6. PrevxHelp

    Could you PM me your license?

    Thanks!
     
  7. treehouse786

    Many thanks Joe. Sent.
     
  8. Techfox1976

    Techfox1976 Registered Member

    Joined:
    Jul 22, 2010
    Posts:
    749
    I was going to say, if you don't install the separate Sync component (requires pushing a button to do so manually), it's darn hard to say the Essentials version has any bloat.

    The firewall co-exists perfectly fine with every other firewall anybody here has ever seen, since it is an egress firewall only, and with the normal configuration, only does anything specifically to block malware from connecting to the internet. It doesn't pop up alerts asking people to make choices at all or anything.

    The ID shield causes a "Warning" state if you disable it, and some people have cause to strip some of it. Most of us here who do have found that simply changing browsers from "Protect" to "Allow" under Protected Applications works perfectly sufficiently for taking away the potentially-odd parts of the ID shield while keeping nothing that causes conflict but does provide a benefit.

    Looks like Joe's helping you out. Alternately you could also have potentially gotten a free trial of AV from the web site to try that.

    I personally would have held onto the Essentials license, because the firewall gives enough added benefit (Silently and intelligently blocking only known-bad things as determined by the AV from the network) that the hassle of changing the Protected Applications is worth it. Especially if you don't have to spend any extra on it. But whichever works best for you. :)
     
  9. treehouse786

    @Techfox1976
    Maybe bloat is the wrong word and 'too many cooks spoil the broth' is a more apt phrase, but I don't like installing modules which hook into the system at any level when I won't be using the said modules.

    Like I said, I am very happy with my current setup without a real-time component, but I thought I would try out WSA to fill the 'real-time' gap, hence me not wanting a firewall, backup sync, browser protection, ID protection, web history cleaner, network connection monitor, file wiper etc. to be on my system when I have other programs fulfilling the same role more aggressively :thumb:
     
  10. Techfox1976

    Like I said, whatever works best for you. :)

    Sync - Needs to be manually installed. Doesn't hook unless that is done.

    All cleaner stuff - Needs to be manually run. Doesn't hook anything. (I don't use it)

    Browser/ID Protection - Doesn't hook most stuff unless you have the browser set to Protect, and also re-uses universal hooks to perform certain checks that are just a small extra layer of security (Doesn't conflict with anything).

    All network stuff (Firewall included) uses the same network stack hook from the kernel driver and that hook exists in AV as well, since the AV engine looks at network activity as part of its heuristics. So when the Firewall is included, it gives extra information and also an extra layer of protection in the event that malware gets onto the machine. Honestly, the impact is so minimal (microseconds) that it doesn't hurt to have in a multi-layered security setup.

    Don't take my sig as "Oh, it's a security-clueless Webroot FanBoy" mind you. I just use what I do because I can't be bothered to have everything bug me every time. I'm confident in the security for the uses I perform and the impact on the system and need for user input is near nothing, but I still have all the data at my fingertips. I also know how to implement SPI firewalls, automated IDS/IPS across my whole network, PE interdiction, OS tuning, what's actually -SAFE- to clean up, manual Not-Present hardware cleanup (Which not a single ruddy cleanup utility I've seen knows how to do properly. If you know of one, let me know), and many other things. :)

    The only reason I jumped in at all was to make sure you're aware of how the things work so that none of your choices to change things are based on misunderstanding or misinformation. The "Cooks ruin the broth" can go for the user Cook thinking that something is unnecessary or useless or bad as well. ;) I'd expect a lot of people rip out the WSA firewall or decide to get AV instead of E because of it just because they don't know how it works, what it does, or what impact it will (not) have.

    Either way, again, whatever works best for you. Just, knowledge is power, so I offer knowledge. :)
     
  11. fax

    fax Registered Member

    Joined:
    May 30, 2005
    Posts:
    3,728
    Location:
    localhost
    Very well put... if I can add, it's really a waste to get rid of the identity shield, one of the best implementations (if not the best out there) of web surfing protection.
     
  12. treehouse786

    Many thanks Techfox1976 for the insight; yes, knowledge is power. Although I think you have misunderstood my objective: everything you said is correct, but I already have all those things (browser/ID protection, firewall etc.) done by other programs and, as I am sure you will agree, having multiple programs do the same thing is not a clever idea.

    Maybe you're wondering why I don't get rid of the other programs and let one program (WSA) take care of it? Well, because I like to 'modularize' my approach to security, so a semi-targeted attack would have to get through many implementations of self-protection mechanisms.

    For example, if a programmer wrote a 0-day malware which disabled the self-protection mechanism of Webroot software, then I would still be pretty much safe as the other programs I have would kick in.
    If someone relies on WSA as their sole protector for multiple attack vectors, then they would definitely be more exposed than I would be should they come across a 0-day malware which specifically disables a sole company's security product (not too uncommon).

    Maybe I am approaching the above scenario the wrong way, but it has worked for me for many years and if it ain't broke, why fix it. Thanks once again for your insight though :thumb:
     
  13. Techfox1976

    Everything you point out makes complete sense.

    Just one thing that I'm trying to point out, that I seem to have failed at:
    With WSA, doing the same thing as something else doesn't cause a problem.

    That's one of the best parts about it, in fact. ^.^

    You can run the WSA firewall and Windows Firewall or Comodo Firewall or any network firewall at all together at the same time and it will not conflict. Any other two firewalls likely will, but the WSA network firewall doesn't have any known conflicts with any other network firewalls and if any arise, they are fixed in very short order.

    The ID shield stuff doesn't get in the way of other browser protections. It will even get OUT of the way of other browser protection. There have been several instances where people want to see the annotations on search results and can't because it got out of the way of something else. It still blocks a malicious page it knows about at load, but it doesn't try to add annotations to the search results if it knows or thinks the other protection will object.

    Even the real-time AV portion is made to be able to run along with other realtime AV and avoid conflicts. That in and of itself is serious business.

    So the portions of WSA, each individually and as a whole, will get along with pretty much anything else out there at all, and if it doesn't, tell Joe and chances are it will within a release or two (About 1-3 weeks we've noticed).

    Thus, with each individual part and protection, you can still have WSAE's parts as extra safety nets and double-checks under each one with no problem and no system or user impact unless you specifically try to get an impact. And trust me, after well over a decade of sighing at "Two AV Programs on one computer", this is pretty serious technology here.

    Check the sigs of pretty much anybody using WSA and you'll find it with Comodo, Norton, AVG, Sandboxie, various HIPSs, and pretty much anything else you can think of. :)
     
  14. treehouse786

    Whilst this has always been Prevx's/WSA's strong point, I have had mixed results in the past and, although I am sure Joe/the Webroot team can fix errors and incompatibilities fairly quickly, I can't say I don't mind experiencing the problems in the first place.

    Webroot saying that their product is compatible with product B is one thing, and product B recommending not to allow overlap is another. So although Webroot are 'okaying' usage of their firewall with, for example, Comodo firewall, I will also look into whether Comodo are okay with allowing the Webroot firewall to coexist with their own.

    We all have our cardinal rules when it comes to computer security, and one of mine happens to be: "thou shall not use 2 security programs which cover the same attack vector"

    And if that means I am less protected as a result, then I am sure my (un?)common sense and daily full disk imaging will come to the rescue :thumb:
     
  15. Techfox1976

    Of course Comodo won't okay it. :) Besides the fact that troubleshooting becomes a pain if there is any hole in the blanket ban on multi-layering the firewalls, it's VERY RARE for a security company to want to encourage people to be safe rather than trust them entirely. ;)

    But technically their firewall doesn't cover the same attack vector precisely as the WSA one.

    The Comodo firewall, last time I checked, is a network-rules based firewall, similar to ipchains effectively: Block packets that match specifications met in SPI and based on user-determined application rules. The end effect is based entirely on a combination of pre-existing rules and user input when the firewall asks "Do you want to allow this to connect?"

    The Webroot firewall is a non-invasive firewall extender that uses the universal Webroot kernel driver network hook to allow it to block packets as well as watch them as they go by. It normally only uses this ability in coordination with the AV detection and unless it's specifically set to ask all the time, it never asks the user.

    Knowing the reason behind a blanket statement is what makes the difference between the average end user and a highly-knowledgeable technician or user. The reason to not have two firewalls at once, for example, comes from a few things.

    The first is based on the network layer race condition. Both firewall hooks want to be in the same place and fight each other for the location. Problem to say the least.

    The second is that it's not uncommon for firewall drivers to cut corners and strip data in a way that causes the next one in the chain to fail. For example, if you have a McAfee firewall, even if it's just the driver loading and nothing else, everything comes out of the firewall driver as being from the "System" application. Then if you install a firewall that wants to block everything from the System application (Kernel communications) with only an explicit whitelist of things that the kernel normally does do, suddenly everything breaks and there is no network at all.

    WSA's kernel hook into the network layer exists in all versions. Notably, there is almost no AV program that doesn't hook into the network layer. Kind of like if you load WinPCap - for Wireshark for example - the driver is present in the network stack in the kernel. So the chunk of pipe is there. The only difference in WSAE is that the "Firewall" tells the kernel driver to NOT pass a packet through in the event that (under default rules), the packet is directly related to a known-bad piece of PE code, or the packet is related to an unknown piece of code when a known-bad is also determined to be on the system.

    I can say that dozens of users are using the Comodo Firewall with the WSA firewall at the same time and I know of zero issues in the nine months it's been this way. If there is no third party firewall at all, WSA still wants the Windows firewall to be enabled. And if there's anything out there that people know, it's that even Windows itself says "DON'T USE TWO FIREWALLS!" (In great big red text) and no other firewall is copacetic with the Windows firewall.

    I personally don't use the Comodo firewall because the last time I tried to use it, it wouldn't allow ICMP or RDP through unless I set it to "Minimal" and there was not enough granularity in the control. But at the Minimal setting, it also allowed W+D through, so it was mostly useless. If they've fixed the granularity issue, I'd have no problems running both myself, and with more than 17 years in the security industry and way too much info about the stuff, that's saying something.

    By the way, the only reason I keep replying rather than just sticking to the "Whatever you feel is best" is because of the fact that a lot of the things that are Standard and Common Knowledge in the security industry that I've been preaching for over a decade do not necessarily apply with WSA. So anytime somebody has a blanket concept that doesn't apply, or has a justification or logic path that doesn't apply to WSA, I like to at least point out the extra information that may help their understanding of what is going on. But I do understand that it always will come down to whatever works best for you. I just don't want you to lose out on something that might be useful to you because of a blanket concept that doesn't apply in this case. :)

    The extra security with little or no negative impact is my goal, and I weigh more on the impact. So I agree that I do mind experiencing problems. However, with what I know about WSA, I expect less than 1% more chance for problems with the WSA layered portion, versus a multi-thousand-percent greater chance for problems with any other combos. (McAfee + PrivacyWare Personal Firewall = Almost Guaranteed Issue in fact).

    Edit:
    I've had a failure on both RAID5 and a full disk backup system at the same time. Even multi-layers aren't always a guarantee.

    Which is worse in the event of a problem: Having to restore a full-disk backup old enough to not contain a sleeper infection (and any data loss involved since that backup), or seeing a red indicator in the UI for a week or two while still protected by the original firewall? ;)

    Common sense is the most critical. Common sense has kept me from even having a chirp from an AV program ever. ... However I've still been infected one time by a user-mode rootkit that was not detected by anything at all on VT. That being AFTER observing the infection inside the very-wrong-looking malware installer. But an over-exuberant moment of thinking I had found the correct file on a full disk search resulted in my running the self-same infection installer. XD

    And heck, if you have an Intel CPU, not even a sandbox or VM is safe. :)
     
    Last edited: Jun 18, 2012
  16. treehouse786

    First of all, if there was a 'favourite post' function on this forum then your above post would be included :thumb:
    You seem to be an expert on firewalls, so please correct me if I am wrong, but it seems as though the WSA firewall is only useful/active when your system has already been compromised? In which case it would be of no use to me. My aim is to keep the machine clean in the first place; if something gets through (yet to happen) then I would put a clean image on. I have no important/personal data on my computers.
    I use the default settings and yes, you're right, it did block RDP for me without showing alerts, but I removed all the default rules and created new ones over time. I was able to increase the alert level at the same time; maybe you might want to give it another shot with the default rules deleted.
    Data backup is one area I don't make compromises on, and nothing short of a new world war would affect my data, but I will PM you my strategy if you are interested, as it is rather long-winded.

    I have been using WSA for only a couple of days and I am already having headaches with it (can't believe you can't exclude drives/folders..). I was having trouble watching a movie on the portable version of VLC media player (see here for a similar issue with Prevx 3.0) and it wasn't until I disabled the behavior blocker of WSA that VLC would run properly. It's things like that which annoy the heck out of me, and I used Prevx 3.0 (mostly happily) for over a year, so I knew what I was letting myself in for with trialling WSA, hence the reason for creating this thread.

    I got married last month and I don't have the same time as I used to (for experimenting and troubleshooting), as the wife is quite high maintenance, hence my trepidation about trialling WSA. I used Avast for a while with no issues, but I had a feeling it was conflicting with something on my system to make it BSOD, so I thought I would give WSA a whirl (turned out it was the 4.7GHz overclock on my i5-2500K, silly me!)

    Now this I am interested in, as I do a lot of work in VirtualBox with an Intel CPU. Is VirtualBox part of the vulnerable group? If so, is there a sample which can bypass VirtualBox? As I have heard similar stories in the past, but no one could produce a sample which confirmed their claims. Or have I got this wrong and you mean the VMs can be exploited in a way not reminiscent of a normal 'click this exe' way?
     
  17. Techfox1976

    I'm not going to inline quotes because my brain is dead from no sleep (darn cats).

    You are correct, the firewall is, by default, a firewall extender and is specifically made to mitigate escalation of threat activity. One of the ideas behind WSA is that with completely undetected items on conventional AV, a re-image was generally necessary with no alternative. With WSA, even something that is zero-minute, detected by nothing, and highly invasive, can normally be fully removed from the system by the client without requiring a reimage.

    I'll take a peek at Comodo again, or PWPF, one of the above. The granularity of the Windows Firewall has gotten disturbingly good though.

    Now, I'm really curious about the VLC problem. I use VLC for a plethora of things on my network and I haven't had any issues. Based on the information you provide below and in the other thread, it sounds like it may simply be a case of the portable version using something odd DLL-wise or something similar and the DLLs not being in the database. A quick message off to support gets them checked out and whitelisted (Or blacklisted if they are actually threats, which is hopefully unlikely) and then the scan on load just involves hashing thereafter, which is trivial in performance impact. You can check your scan logs for next to the DLLs or PEs to see what may be impacted. Also, anything monitored with a Level 9 is likely to get hit with impact once for that monitoring. Otherwise it shouldn't normally be an issue.

    On the Virtual vulnerability see http://www.kb.cert.org/vuls/id/649219 for details, but primarily a function in the x64 instruction set in the hardware itself results in a general protection fault and executes arbitrary code on ring 0 of the host. I know of nothing in the wild (yet), and VMWare doesn't use the SYSRET instruction. I'm not familiar enough with Virtualbox to say whether it's liable to use that instruction or not, so it would be best to do a bit of research. Most vulnerable systems have issued advisories.
     