Generic-unknown.

Discussion in 'Prevx Releases' started by Taliscicero, Jul 19, 2012.

Thread Status:
Not open for further replies.
  1. Taliscicero

    Taliscicero Registered Member

    Joined:
    Feb 7, 2008
    Posts:
    1,439
    I have been thinking, and wonder if your "first seen" detection issue could be solved with a class of "Generic-Unknown", where you could have a pop-up alert that says something along the lines of:

    Generic-Unknown.
    File has not been seen before in cloud database.
    This file has no classification and could be potentially dangerous.

    Would you like to allow this program to run?

    (Y / N)

    (Y) This file has been added to the temporary permissions list and will continue to be monitored until a cloud classification can be found.

    (N) File has been blocked.

    This would work well, as it works similarly to a HIPS but will very "rarely" go off, on the rare occasion that a file has not been seen before. This gives users a chance to know a file could be dangerous before it is. It would also perhaps, if integrated in the correct way, stop testing organisations from giving Webroot such a low score. I would also add that a push system should be put in place to make sure all "unknown" files get put at the head of the line for a Webroot/Prevx guy to look at and classify; this way you get your very quick turn-around for unknowns.

    Can you get where I'm coming from here guys?
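    The flow proposed above (cloud lookup, prompt on a never-seen file, a temporary permissions list that is monitored until the cloud answers, and unknowns pushed to the head of the review queue), as an added Python simulation that is not part of this thread or of any Prevx/Webroot code; the hashes, labels and the `ask_user` callback are assumptions.

```python
import heapq
from itertools import count

# Constructed cloud database (hashes are made up): file hash -> classification
# label, or None when the cloud has seen the file but not classified it yet.
CLOUD_DB = {
    "aaaa1111": "good",   # known-good, e.g. a signed system binary
    "bbbb2222": "bad",    # known malware
    "cccc3333": None,     # seen before, classification still pending
}


class GenericUnknownPolicy:
    """Allow/block decision plus tracking of unknowns until the cloud answers."""

    def __init__(self, cloud, ask_user):
        self.cloud = cloud            # hash -> label (None = unclassified)
        self.ask_user = ask_user      # callable(name, sha) -> True for (Y), False for (N)
        self.temp_allowed = set()     # the "temporary permissions list"
        self.blocked = set()
        self._seq = count()
        self.review_queue = []        # heap of (priority, seq, sha); 0 = head of the line

    def on_execute(self, name, sha):
        """Called when a process is about to start; returns the decision taken."""
        if sha in self.blocked:
            return "blocked"
        label = self.cloud.get(sha)
        if label == "good":
            return "allowed"
        if label == "bad":
            self.blocked.add(sha)
            return "blocked"
        # Generic-Unknown: never seen in the cloud, or seen but still unclassified.
        if sha not in self.cloud:
            self.cloud[sha] = None                      # record the first sighting
            heapq.heappush(self.review_queue, (0, next(self._seq), sha))
        if sha in self.temp_allowed:
            return "allowed-monitored"                  # already answered (Y); keep watching
        if self.ask_user(name, sha):
            self.temp_allowed.add(sha)
            return "allowed-monitored"
        self.blocked.add(sha)
        return "blocked"

    def on_cloud_verdict(self, sha, label):
        """A classification arrived: monitoring ends and the verdict becomes permanent."""
        self.cloud[sha] = label
        self.temp_allowed.discard(sha)
        if label == "bad":
            self.blocked.add(sha)
```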
     
  2. PrevxHelp

    PrevxHelp Former Prevx Moderator

    Joined:
    Sep 14, 2008
    Posts:
    8,242
    Location:
    USA/UK
    I agree, and we already have most of this in place. You can configure WSA to warn on any new, untrusted process under the Heuristics settings.

    We currently don't break it apart to show warnings specifically for brand new files (just untrusted in general) but I think this would be worthwhile.
     
  3. Taliscicero

    Taliscicero Registered Member

    Joined:
    Feb 7, 2008
    Posts:
    1,439
    You have got to. If you don't show a warning when a file is new and people get infected and then complain, you can't claim that it's not WRSA's fault. If you have a pop-up that makes it very clear what has happened, then if they let it through it's on the user, as Webroot/Prevx has done all it can. Leaving this hole in the protection is what's getting everyone a little bothered.

    It also will make a user question if BIKINIBABES1103.exe is really a smart move when it has not been looked at before and they are the first user that has found it.
     
  4. PrevxHelp

    PrevxHelp Former Prevx Moderator

    Joined:
    Sep 14, 2008
    Posts:
    8,242
    Location:
    USA/UK
    I completely agree. We're going to do some modeling on our end to see what impact this will have.

    Thanks for the suggestion :thumb:
     
  5. Taliscicero

    Taliscicero Registered Member

    Joined:
    Feb 7, 2008
    Posts:
    1,439
    No problem, will be interesting to see what you guys come up with. :)
     
  6. STV0726

    STV0726 Registered Member

    Joined:
    Jul 29, 2010
    Posts:
    900
    I honestly think the "still taking behavior into account" was part of the problem in WSA's implementation.

    I miss the Prevx days where I could crank up age/pop and have pure age/pop blocks.
     
  7. TonyW

    TonyW Registered Member

    Joined:
    Oct 12, 2005
    Posts:
    2,634
    Location:
    UK
    You can still do that in WSA; you also have the addition of using the option 'warn when new programs execute that are not trusted'.
     
  8. PrevxHelp

    PrevxHelp Former Prevx Moderator

    Joined:
    Sep 14, 2008
    Posts:
    8,242
    Location:
    USA/UK
    We just had a meeting about this, discussing what we can do to bring this back as I agree, it is extremely valuable.

    It is definitely going to be included in one of the next updates. We're going to phase it in to measure the support impact, but I think it will make a dramatic improvement in our overall efficacy.

    Open to thoughts, as always! :)
     
  9. TonyW

    TonyW Registered Member

    Joined:
    Oct 12, 2005
    Posts:
    2,634
    Location:
    UK
    Am I missing something here? The age-popularity sliders can be raised or lowered in WSA now.
     
  10. STV0726

    STV0726 Registered Member

    Joined:
    Jul 29, 2010
    Posts:
    900
    I consider that "white-list" option unusable because it interfered with Windows Updates.

    And yes, of course the slider bars are still there, but they don't do the exact same thing as they did in Prevx 3.0.

    So in summary, WSA:

    1. Changed the way age/pop sliders worked so they created fewer FPs but also imo weakened protection

    2. To compensate, gave people the option of the "warn when untrusted..." to essentially place WSA into a "block all untrusted with no level of evaluation first" mode, but it's too extreme imo. I tried it once and couldn't use it.

    So I think the ideal is to get rid of that new option and instead replace it with restoring the age/pop to the way they worked in Prevx 3.0. Instead of removing the option, at least make an indication of "for advanced only".
     
    Last edited: Jul 19, 2012
  11. Tarnak

    Tarnak Registered Member

    Joined:
    Feb 5, 2007
    Posts:
    3,875
    Oh, how I long for the days of yore!...:D

    All jokes aside, I agree wholeheartedly with the comments made by STV0726 :thumb:

    Sometimes an improvement to a program can be made by looking to its past.
     
  12. Taliscicero

    Taliscicero Registered Member

    Joined:
    Feb 7, 2008
    Posts:
    1,439
    Please don't tell McAfee or Norton this, they may get..... ideas. ;)
     
  13. STV0726

    STV0726 Registered Member

    Joined:
    Jul 29, 2010
    Posts:
    900
    :) Thanks

    And LOL about Norton/McAfee.
     