How Long Does Webroot Take to Classify an Unknown Process as Good or Bad?

Discussion in 'Prevx Releases' started by GreekGuy, Feb 13, 2014.

Thread Status:
Not open for further replies.
  1. GreekGuy

    GreekGuy Registered Member

    Joined:
    Oct 6, 2011
    Posts:
    41
    Location:
    Toronto, CANADA
    I had an unknown process called "msdn.exe" running on my system that had been flagged as unknown by Webroot (and was being monitored). This unknown process ran in that state for three days, at which time a scheduled MalwareBytes scan ran and detected the file as a trojan and removed it along with 4 other associated registry entries.

    On average, how long does it take for Webroot to classify processes? Is it faster to e-mail the files to tech support as soon as we notice them?

    It's not a comfortable feeling knowing that I had a trojan running for three days on my system doing who knows what.
     
  2. Esse

    Esse Registered Member

    Joined:
    May 26, 2011
    Posts:
    383
    I agree that the classification of files (good or bad) takes too long.
    The good thing is that your system is safe while the file is monitored.
    I guess Joe will jump in here and explain how they achieve this.

    For users who would like more info on these files, would it be possible to see where in the process a monitored file is?
    Is it checked by the automated process, reviewed by the staff, etc.?

    /E
     
  3. shadek

    shadek Registered Member

    Joined:
    Feb 26, 2008
    Posts:
    2,363
    Location:
    Sweden
    The more users that have the monitored file on their computer, the shorter the time before it gets "good" or "bad". I think it also depends on how much suspicious activity the monitored process does.

    I've seen a few cases with some small, not so famous, indie games I bought off Steam where they were being monitored for months before I finally uninstalled the game. I didn't bother to contact support.

    EDIT: I certainly don't pretend I know the complete process. I base my thoughts on my own experience. The complexity of WSA is insane so of course I don't know exactly.
     
    Last edited: Feb 13, 2014
  4. fax

    fax Registered Member

    Joined:
    May 30, 2005
    Posts:
    3,728
    Location:
    localhost
    Indeed, the type of activity of the application on the local system (or other systems with WSA) will trigger the action/reaction. The more aggressive they are, the faster they will be blocked/classified. With no specific actions (dormant elements), classification will be slower, as classification of "unknowns", amongst other factors, is based on behaviour, i.e. what they do.

    Meanwhile the other parts of WSA (e.g. identity shield) will protect the data anyway from leaking/erasing/etc. At the same time WSA will monitor all changes and revert them back in case of malware classification.

    NOTE: having another tool clean the system can be potentially damaging if the tool does not revert the changes made by the malware but simply removes its traces.
     
    Last edited: Feb 13, 2014
  5. PrevxHelp

    PrevxHelp Former Prevx Moderator

    Joined:
    Sep 14, 2008
    Posts:
    8,242
    Location:
    USA/UK
    It really depends on the file - we intentionally take longer to move a file from unknown to good as we need to be certain it really is good (which requires wider observation). Bad files are usually easier to jump on, but even then, some malware doesn't do anything for a number of days or is more of a "potentially unwanted application" which is grey rather than obviously bad.
     
  6. Esse

    Esse Registered Member

    Joined:
    May 26, 2011
    Posts:
    383
    A couple of days in monitored mode seems OK, but as shadek says, "months"?
    That is a very long time.
    What if the file is good, will the monitored mode cripple it in any way function-wise?
    I work almost only with small companies, and they use cheaper "unknown" software a lot, as their budget does not allow for big, more expensive, well-known brands with digital signatures etc.
    I am talking admin programs here for salary, time reporting etc.
    I did not dare to keep some of these files in monitored mode, as I did not know if WSA would let them "work" 100% while monitored.
    Do I need to worry about this?

    /E
     
  7. PrevxHelp

    PrevxHelp Former Prevx Moderator

    Joined:
    Sep 14, 2008
    Posts:
    8,242
    Location:
    USA/UK
    A file being marked as unknown will not negatively impact it or cause it to function poorly. Worst case, you can whitelist it locally or write into our support team to have it escalated.
     
  8. Techfox1976

    Techfox1976 Registered Member

    Joined:
    Jul 22, 2010
    Posts:
    749
    A PROPERLY-CODED file marked as unknown will not negatively impact it...

    I have found plenty of badly-coded files that react poorly to the monitoring; however, these cases, when explored with the file's originating coders, have ALWAYS ended up being a case of poor coding practice on their part. For example, "Send request, wait for data, process data" without any limit or bound on "wait for data" is bad, but the idea is that the request will always return "Data" or "<Empty Data>". The assumption is that it will always return, though. Add the ID shield in and suddenly it may get no return at all, not "Yes there is data" or "Yes there is nothing in the data". Then it harfs because the coders didn't follow proper coding procedure.
     
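    The "wait for data" pattern described in the post above, shown as an added example written for this thread (it is not code from Techfox1976, Webroot or any real product). It assumes a simple request/response over TCP and uses a throwaway local server to stand in for the remote service; a reply that never arrives (the third case the post describes) is simulated by a server that holds the connection open and stays silent. The bounded version distinguishes all three outcomes instead of blocking forever.

```python
"""Bounded vs unbounded waits for a reply (constructed example).

Assumption: a client sends one request and expects one reply. The peer may
(a) answer with data, (b) close cleanly with no data, or (c) never answer at
all, which is what silently dropped traffic looks like from the client side.
"""
import socket
import threading
import time
from enum import Enum


class Outcome(Enum):
    DATA = "data"
    EMPTY = "empty"
    NO_RESPONSE = "no_response"


def request_unbounded(sock):
    # The pattern the post criticises: recv() with no timeout. If nothing
    # ever comes back, this call blocks forever and the application hangs.
    sock.sendall(b"GET\n")
    return sock.recv(4096)


def request_bounded(host, port, timeout=0.5):
    """Send one request and classify the reply. Returns (Outcome, bytes)."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.settimeout(timeout)  # explicit bound on "wait for data"
        sock.sendall(b"GET\n")
        try:
            chunk = sock.recv(4096)
        except socket.timeout:
            # Case (c): no reply at all within the bound; report it rather
            # than hanging, so the caller can retry, fail or fall back.
            return Outcome.NO_RESPONSE, b""
    if chunk == b"":
        return Outcome.EMPTY, b""  # case (b): peer closed with nothing to say
    return Outcome.DATA, chunk     # case (a): real payload


def serve_once(behaviour):
    """Start a throwaway local server (constructed stand-in for the real
    service) that handles exactly one connection; returns its port."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]

    def handle():
        conn, _ = srv.accept()
        with conn:
            conn.recv(64)  # read the request
            if behaviour == "data":
                conn.sendall(b"payload")
            elif behaviour == "empty":
                pass  # close without sending; the client sees b""
            else:  # "silent": keep the socket open, never reply
                time.sleep(1.5)  # longer than the client's timeout
        srv.close()

    threading.Thread(target=handle, daemon=True).start()
    return port


def classify_all():
    """Run the bounded client against all three server behaviours."""
    return {
        behaviour: request_bounded("127.0.0.1", serve_once(behaviour))[0]
        for behaviour in ("data", "empty", "silent")
    }


if __name__ == "__main__":
    for behaviour, outcome in classify_all().items():
        print(f"server {behaviour:>6}: client sees {outcome.value}")
```

    The point is the third branch: code that only handles "data" and "empty" assumes the wire always answers, and a monitoring or filtering layer that drops the reply turns that assumption into an indefinite hang. A timeout plus an explicit no-response outcome is what lets the program degrade gracefully instead.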
  9. Esse

    Esse Registered Member

    Joined:
    May 26, 2011
    Posts:
    383
    Whitelisting is what I do in these cases; it is the time in between my visits I worry about. The users do not touch these things, for good reasons ;)

    /E
     
  10. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    A related question: of those files that are classified as malware, what is the distribution of (time that the file was first classified as malware minus time that the file was first seen by Webroot)?
     
  11. fax

    fax Registered Member

    Joined:
    May 30, 2005
    Posts:
    3,728
    Location:
    localhost
    A few seconds, minutes to hours, or days, depending on the behaviour of the malware.
    Normally a matter of a few minutes.
     
  12. Thankful

    Thankful Savings Monitor

    Joined:
    Feb 28, 2005
    Posts:
    3,731
    Location:
    New York City
  13. Triple Helix

    Triple Helix Webroot Product Advisor

    Joined:
    Nov 20, 2004
    Posts:
    12,011
    Location:
    Ontario, Canada
  14. Thankful

    Thankful Savings Monitor

    Joined:
    Feb 28, 2005
    Posts:
    3,731
    Location:
    New York City
  15. vojta

    vojta Registered Member

    Joined:
    Feb 26, 2010
    Posts:
    830
    That's the average for the few samples that Webroot missed the first time. 98.6% of them were detected right away. MGR defines the samples used as 'early life'.
     