Prevx 3.0 Same cloud as Webroot (Definitions)

Discussion in 'Prevx Releases' started by chabbo, Oct 25, 2012.

Thread Status:
Not open for further replies.
  1. chabbo

    chabbo Registered Member

    Joined:
    Jun 28, 2009
    Posts:
    350
    Does Prevx use the same cloud and definitions in the cloud as Webroot? If so, how come Prevx cleaned 300 missed samples that Webroot did not find?

    http://www.prevx.com/avgraph/13/Webroot.html

    Or I'm out and bicycle?
     
    Last edited: Oct 26, 2012
  2. Techfox1976

    Techfox1976 Registered Member

    Joined:
    Jul 22, 2010
    Posts:
    749
    Old version of Webroot. The 2011 and earlier stuff. 7.0 and before. Not-cloud. Prevx3.0 and WSA cannot be installed concurrently, but Prevx3 can work with old Webroot.
     
  3. Taliscicero

    Taliscicero Registered Member

    Joined:
    Feb 7, 2008
    Posts:
    1,439
    He still has a point: the signatures should be the same, even if the product is not. So something is weird, FYI.
     
  4. Techfox1976

    Techfox1976 Registered Member

    Joined:
    Jul 22, 2010
    Posts:
    749
    o_O

    What gave you the mistaken idea that the SecureAnywhere stuff uses "Signatures" in the cloud and so just detects the same stuff as the 7.0 and below? If that were the case, that would be utterly silly since it would just be "The same old thing, but slower because it has to go online to find out".

    The cloud uses a 100% different system, is fed real-time, makes decisions real-time, etc. The old stuff shown in that chart uses a local signature with a conventional AV engine. The methodology is completely different between the two and the cloud data can't feed back into the old signature system (tens of terabytes of cloud data won't fit on your computer for signatures) so yes, I'd expect that the cloud will detect more stuff than the old Webroot.
     
  5. Taliscicero

    Taliscicero Registered Member

    Joined:
    Feb 7, 2008
    Posts:
    1,439
    Um... because people still use old versions of Webroot, you think Webroot refuses new signatures to customers using other versions that are now SecureAnywhere?

    You do know you are way off, right? It takes nowhere near this much space to store a signature database.
     
  6. PrevxHelp

    PrevxHelp Former Prevx Moderator

    Joined:
    Sep 14, 2008
    Posts:
    8,242
    Location:
    USA/UK
    Webroot 7.0 uses Sophos for its antivirus detection and the Webroot research team has never had full control over it, which is why there is a difference in detection (and why Prevx 3.0 is finding files Webroot 7.0 missed).

    SecureAnywhere's database is indeed tens of terabytes in size and hosted in the cloud. It is different from P3 and different from 7.0. It isn't just signatures of malware - it's detailed information about every program including behavior data.
     
  7. Triple Helix

    Triple Helix Webroot Product Advisor

    Joined:
    Nov 20, 2004
    Posts:
    12,014
    Location:
    Ontario, Canada
    @CubonesCastle - Just to quote an article from Aug 2011.

    http://www.pcmag.com/article2/0,2817,2392059,00.asp

    TH
     
  8. TonyW

    TonyW Registered Member

    Joined:
    Oct 12, 2005
    Posts:
    2,635
    Location:
    UK
    I remember reading somewhere in which Mel Morris was quoted as saying this database can include as many as two million database rows for a single process. With that amount of information, it's not surprising, therefore, that the cloud storage for all this goes into the terabytes.

    Edit: TH beat me to it with a link to the original source! ;)
     
  9. Taliscicero

    Taliscicero Registered Member

    Joined:
    Feb 7, 2008
    Posts:
    1,439
    That seems really inefficient. I was assuming he was talking about the signature database and not "all inclusive" data on programs and services.
     
  10. fax

    fax Registered Member

    Joined:
    May 30, 2005
    Posts:
    3,731
    Location:
    localhost
    How do you define inefficient? Are you, as a user, impacted by the size of the cloud?
    How would you record the behaviour of software without recording its activity?
    Remember that Prevx/WSA detect malware by its behaviour and not simply by a single fingerprint. Fingerprints are easy to fool... behaviour and actions not so simply :)
     
  11. Techfox1976

    Techfox1976 Registered Member

    Joined:
    Jul 22, 2010
    Posts:
    749
    I think one of the problems here is the misunderstanding of "Signature Database". A contemporary AV's signature database is not "Files with this MD5 signature are bad". Amongst other things, I seriously doubt the way the cloud system works in 8.0 is technologically compatible with the way the AV Sophos engine signature system works. The 7.0 signature system has to use local processing power to make decisions on a file based on a certain set of specifications (definitions or signatures), while the cloud WSA/Prevx3 system would make decisions based on a different set of specifications and using much more processing power and data. So yes, I'd expect Prevx3 to detect a different set than Webroot 7.
     
  12. PrevxHelp

    PrevxHelp Former Prevx Moderator

    Joined:
    Sep 14, 2008
    Posts:
    8,242
    Location:
    USA/UK
    Exactly :thumb: And Prevx 3.0 will find a different set than WSA as well (a subset, as WSA has more generic protection/detection in addition to what P3 has, although we try to backport as much as we can during the period we're in before we can migrate all users automatically).
     
  13. Taliscicero

    Taliscicero Registered Member

    Joined:
    Feb 7, 2008
    Posts:
    1,439
    I also see a problem with privacy when this much data about what your computer is doing is being sent to the cloud. It seems like the cloud is getting all data about programs it does not know and what they are doing. I am using this as a bad example, but what if you're using a program to steal data off a work computer which has Webroot on it, and the boss finds out. He knows how Webroot works, gets a court order for the info Webroot stores about this unknown program, and prosecutes you.

    This is an extreme out-there example, but you can understand what I mean.
     
  14. PrevxHelp

    PrevxHelp Former Prevx Moderator

    Joined:
    Sep 14, 2008
    Posts:
    8,242
    Location:
    USA/UK
    It's all anonymous and we don't store/collect personally identifiable information.
     
  15. Techfox1976

    Techfox1976 Registered Member

    Joined:
    Jul 22, 2010
    Posts:
    749
    Good news bad news.

    The good news is that the information is anonymized and genericized, so the above case isn't possible.

    The bad news is that better information about the unknown program can be acquired by direct analysis and other security tools than through the Webroot cloud, so you'd get caught anyway. ^.^
     
  16. Taliscicero

    Taliscicero Registered Member

    Joined:
    Feb 7, 2008
    Posts:
    1,439
    I don't get it. If X program runs on computer 3001, and it's not trusted so Webroot gathers info on it, how does Webroot know which computer to send relevant data to and from if anonymity is central?

    3001 X
    3001 X untrust.
    3001 X is doing Y
    3001 X is doing Z
    3001 X is malware
    3001 X delete.

    How can X be followed if X is nowhere? X is on one client's machine and there has to be some way of tracking machine 3001 or X cannot be re-wound.
     
  17. fax

    fax Registered Member

    Joined:
    May 30, 2005
    Posts:
    3,731
    Location:
    localhost
    You said it... it's 3001. A code is enough info.
     
  18. Taliscicero

    Taliscicero Registered Member

    Joined:
    Feb 7, 2008
    Posts:
    1,439
    Myself and smarter men have tracked with less.
     
  19. Taliscicero

    Taliscicero Registered Member

    Joined:
    Feb 7, 2008
    Posts:
    1,439
    Myself and smarter men have tracked with less.

    Your IP is as good as your real name and address, and is tethered with 3001. Therefore 3001 is as good as your name and address. I am not sure where Webroot servers are located, but if they are on USA soil then all data on those servers is already breached with a MITM attack by Uncle Sam, which stores all that data which could later be used to track what you did with your computer at any time Webroot was installed.
     
  20. fax

    fax Registered Member

    Joined:
    May 30, 2005
    Posts:
    3,731
    Location:
    localhost
    This is valid anywhere with any software, including the OS... you need an IP. Did you only discover it now? Your ISP knows you very well. :) You can use proxy IPs to try to be anonymous if you are scared of being traced on the internet for whatever reason. Anyway, this is going off-topic and has been discussed several times in here.
     
  21. Taliscicero

    Taliscicero Registered Member

    Joined:
    Feb 7, 2008
    Posts:
    1,439
    You clearly are missing the point and this is clearly a waste of my time.
     
  22. TheWindBringeth

    TheWindBringeth Registered Member

    Joined:
    Feb 29, 2012
    Posts:
    2,088
    I think it would be appropriate to assume that information sent to the AV vendor's cloud is logged or entered into a database with timestamps. So it would be appropriate to start with a view like:

    <Timestamp> <Client IP Address> <Information>

    Timestamp + IP Address would usually be sufficient to track back to an individual through their ISP via valid subpoena. There are alternate means of using just that information to identify someone which sometimes work and sometimes don't work. I think many, possibly even most or all, of these cloud AV clients are sending a per machine or account GUID along with that. So even if your IP Address changes or you direct the traffic through an anonymous proxy they can still correlate information sent to the cloud. Which makes it:

    <Timestamp> <Client IP Address> <GUID> <Information>

    You must investigate whether a GUID is used and assess the possibility that it has been or could be correlated to an online account for which personal information is known. Furthermore, you have to really dig into what <information> is and try to determine for yourself what it could contain. You have to look for things like filenames and/or pathnames (which sometimes contain personal info) being sent along with file signatures, URLs (which sometimes contain personal info) being sent as part of malicious URL checking, and also look for other information about the environment/context being sent to the cloud as part of a standard query and/or as part of a more descriptive report about things deemed new or suspicious and/or in metrics.
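The `<Timestamp> <Client IP Address> <GUID> <Information>` view above (the "3001" machine code in the earlier post is the same idea as the GUID), worked through as an added example that is not from the thread or from any vendor's code: it parses a few constructed records, shows how a per-machine GUID links records across an IP change, flags an account name carried in a pathname, and shows the data-minimised record a privacy-conscious client would send instead. Every IP, GUID, hash and path is constructed.

```python
from collections import defaultdict
import re

# Constructed sample records in the <Timestamp> <Client IP> <GUID> <Information> shape.
# Every IP, GUID, hash and path below is made up for this example.
SAMPLE_LOG = """\
2012-10-25T10:01:00Z 203.0.113.7 9f1e2d3c-0000-4000-8000-000000000001 hash=AB12 path=C:\\Users\\jsmith\\Downloads\\tool.exe
2012-10-25T10:05:00Z 198.51.100.9 9f1e2d3c-0000-4000-8000-000000000001 hash=AB12 path=C:\\Users\\jsmith\\Downloads\\tool.exe
2012-10-25T10:07:00Z 198.51.100.9 9f1e2d3c-0000-4000-8000-000000000002 hash=CD34 path=C:\\Program Files\\Vendor\\app.exe
"""

RECORD = re.compile(r"^(\S+) (\S+) (\S+) (.*)$")
HASH = re.compile(r"hash=(\S+)")
# Windows profile directories embed the account name as a path component.
USER_DIR = re.compile(r"C:\\(?:Users|Documents and Settings)\\([^\\]+)\\", re.IGNORECASE)

def parse(log):
    """Split each line into its four fields; malformed lines are skipped."""
    records = []
    for line in log.splitlines():
        m = RECORD.match(line)
        if m:
            ts, ip, guid, info = m.groups()
            records.append({"ts": ts, "ip": ip, "guid": guid, "info": info})
    return records

def correlate_by_guid(records):
    """Map each GUID to the sorted list of client IPs it was seen from.
    A GUID seen from several IPs links those sessions even after an IP change or a proxy."""
    seen = defaultdict(set)
    for r in records:
        seen[r["guid"]].add(r["ip"])
    return {guid: sorted(ips) for guid, ips in seen.items()}

def find_personal_data(records):
    """Return (guid, account name) pairs for records whose <Information> carries a user profile path."""
    hits = []
    for r in records:
        m = USER_DIR.search(r["info"])
        if m:
            hits.append((r["guid"], m.group(1)))
    return hits

def minimise(record):
    """Data-minimised record: keep the timestamp and file hash, drop IP, GUID and path,
    so the submission no longer carries the fields that identify a machine or a person."""
    m = HASH.search(record["info"])
    return {"ts": record["ts"], "hash": m.group(1) if m else None}
```

Running `find_personal_data(parse(SAMPLE_LOG))` is the kind of check the post recommends: it tells you whether the `<Information>` field is leaking more than a file signature.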
     
  23. Taliscicero

    Taliscicero Registered Member

    Joined:
    Feb 7, 2008
    Posts:
    1,439
    Thank you! At least someone understands where I'm coming from. Very good post!
     
  24. fax

    fax Registered Member

    Joined:
    May 30, 2005
    Posts:
    3,731
    Location:
    localhost
    You clearly don't understand that in the cloud there is no personal record of you or your documents, just hashes and behaviour of programs. This was explained hundreds of times in here in the past several months!!

    The result of all discussion is that if you are so paranoid you should not use Windows systems (to be able to inspect source code) as well as using anonymous services so as not to be traced by IP.
     
  25. fax

    fax Registered Member

    Joined:
    May 30, 2005
    Posts:
    3,731
    Location:
    localhost
    This is valid for any AV or software and happens normally based on license keys. Why this is discussed in the Prevx 3.0 definitions thread is a mystery to me. If you have privacy issues then I am not sure how you can use MS Windows. You give up your privacy as soon as you connect to the internet. AMEN.
     
    Last edited: Nov 11, 2012