Problems caused by false positives

Discussion in 'Prevx Releases' started by claudiu, Nov 10, 2012.

Thread Status:
Not open for further replies.
  1. claudiu

    claudiu Guest


    I do not think that something not detected on demand would be detected on execution based on MD5; maybe on heuristics, but then this will require user interaction.

    Anyway, this procedure will not affect FPs; FPs are something which shouldn't be detected!
     
  2. fax

    fax Registered Member

    Joined:
    May 30, 2005
    Posts:
    3,899
    Location:
    localhost
    WSA does not determine something new based on MD5 (as MD5 will be unknown to the cloud) but based on behaviour if the file is executed. Based on this WSA may or may not decide to allow it while if the file is not executed WSA can only determine that the file is unknown to the cloud and thus potentially dangerous.

    Again, if you have a minimum of understanding on how WSA works then all the above issues are pretty obvious to grasp and digest.
     
    Last edited: Nov 11, 2012
  3. claudiu

    claudiu Guest

    Behavior and heuristics are analyzed locally; only the MD5 is submitted to the cloud, not the "behavior". The decision is made in the cloud based on MD5 and locally based on behavior and heuristics.

    But I am not surprised; another enthusiast WSA "expert"....


    See your own answer:

    https://www.wilderssecurity.com/showpost.php?p=2142991&postcount=24


    fax
    Very Frequent Poster Join Date: May 2005
    Posts: 2,200

    Re: Prevx 3.0 Same cloud as Webroot (Definitions)

    --------------------------------------------------------------------------------

    You clearly don't understand that in the cloud there is no personal record of you or your documents, just hashes and behaviour of programs. This was explained hundreds of times here in the past several months!!
     
    Last edited by a moderator: Nov 11, 2012
  4. fax

    fax Registered Member

    Joined:
    May 30, 2005
    Posts:
    3,899
    Location:
    localhost
    It is not really believable that after all this time and the many users explaining to you how WSA works you still look fully confused. On top of that, due to your lack of knowledge and understanding you are only capable of going personal.

    How can WSA determine if an application is safe or not if it only sends the MD5 to the cloud and not what the file does?

    The analysis to determine if a file is safe or not is done in the cloud and not locally (unless the file does something obviously wrong and you are offline - the same basic analysis is also made locally). Can you follow this?
     
    Last edited by a moderator: Nov 11, 2012
  5. Cudni

    Cudni Global Moderator

    Joined:
    May 24, 2009
    Posts:
    6,963
    Location:
    Somethingshire
    OT posts removed
     
  6. TonyW

    TonyW Registered Member

    Joined:
    Oct 12, 2005
    Posts:
    2,741
    Location:
    UK
    No. All data, including behaviours, is sent up to the cloud. That is why everything is correlated up there in that space, and why terabytes of storage are needed.

    So let's go over this simply:

    1. Every process, action, file information (including MD5 hash) and behaviour is sent up to the cloud.

    2. If you're offline, some analysis and journaling takes place locally. When you're back online, that information is sent up to the cloud.

    Now does that make sense?
     
  7. claudiu

    claudiu Guest

    Hi TonyW,

    Thank you for your answer!

    Some time ago a user complained about privacy and the cloud approach in WSA.

    Joe from WSA answered that no information is submitted to the cloud other than the MD5 of the files being analyzed and your IP.

    In order to submit it to the cloud, you have to quantify the information; a "behavior" or "action" is difficult to quantify, so it makes sense for it to be analyzed locally, in your PC, by the behavior and heuristic modules.

    Behavior and heuristics (and a small signature database) are the only elements which will analyze a threat offline.

    Extracting the MD5 and submitting it to the cloud is fast and easy to implement.

    At least, this is my understanding about how WSA works, but I may be wrong though.

    Sorry for any inconvenience,
    Claudiu
     
  8. Techfox1976

    Techfox1976 Registered Member

    Joined:
    Jul 22, 2010
    Posts:
    749
    This topic is not about cloud privacy, and that's been explained elsewhere repeatedly, though feel free to source where it has been said that "Only MD5s and IP are sent to the cloud", because I don't recall that.

    That being said, I'll say it again regarding this topic:
    • The FPs test states it uses the highest possible settings.
    • The highest possible settings in WSA will cause it to display a warning when something that has never been seen before by any WSA user is scanned.
    • The warning counts as a failure for the FP test.
    • It's already been said that the files were all seen for the first time on the test.

    For all your claims to not have been born yesterday, you're definitely acting like it often during your trolling. I would honestly be a lot happier if this forum group could just make an agreement to ignore Claudiu's trolling attempts in the future because of the tremendous amount of resources wasted telling him the same things over and over.
     
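The two points argued above (the hash is only a cloud lookup key, with behaviour journaled locally while offline and uploaded on reconnect; and a "warn on anything never seen before" setting turning low-prevalence clean files into scored FPs) can be illustrated with a small model. This is an added example written for this thread, not Webroot's or Prevx's code; the cloud table, behaviour names and decision rules are constructed assumptions.

```python
import hashlib
from dataclasses import dataclass, field
from typing import List, Dict

# Constructed stand-in for the cloud: md5 -> (verdict, prevalence). MD5 is only a
# lookup key here, as discussed in the thread, not a security guarantee.
CLOUD: Dict[str, tuple] = {
    hashlib.md5(b"widely used clean tool").hexdigest(): ("good", 120000),
    hashlib.md5(b"known malware sample").hexdigest(): ("bad", 3),
}


@dataclass
class Client:
    warn_on_first_seen: bool            # the "highest possible settings" case
    online: bool = True
    journal: List[dict] = field(default_factory=list)   # kept while offline
    uploaded: List[dict] = field(default_factory=list)  # what reached the cloud

    def scan(self, content: bytes, behaviours: List[str]) -> str:
        digest = hashlib.md5(content).hexdigest()
        record = {"md5": digest, "behaviours": list(behaviours)}
        if not self.online:
            # Offline: behaviour/heuristic shields decide locally, and the
            # record is journaled so it can be sent up later.
            self.journal.append(record)
            return "block" if "installs_driver" in behaviours else "allow"
        self.uploaded.append(record)          # hash AND behaviours go up
        verdict, _prevalence = CLOUD.get(digest, ("unknown", 0))
        if verdict == "good":
            return "allow"
        if verdict == "bad":
            return "block"
        # Unknown to the cloud: "first sight". Warning here is what an FP test
        # scores as a failure when the file is actually clean.
        return "warn" if self.warn_on_first_seen else "monitor"

    def reconnect(self) -> int:
        """Go online and flush the offline journal; returns records flushed."""
        self.online = True
        flushed = len(self.journal)
        self.uploaded.extend(self.journal)
        self.journal.clear()
        return flushed


def false_positives(client: Client, clean_files: List[bytes]) -> int:
    """Count clean files whose result an FP test would score as a failure."""
    return sum(1 for c in clean_files if client.scan(c, []) in ("warn", "block"))
```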
  9. PrevxHelp

    PrevxHelp Former Prevx Moderator

    Joined:
    Sep 14, 2008
    Posts:
    8,242
    Location:
    USA/UK
    I am very rarely ever this badly misquoted: No I didn't.


    Sorry, your understanding is completely inaccurate. Behaviors/heuristics are all applied in the cloud alongside many signatures/additional datapoints, all of which are not personally identifiable. Yes, MD5 is used just because people want it, but that is not an efficient way to detect malware at all.
     
  10. TonyW

    TonyW Registered Member

    Joined:
    Oct 12, 2005
    Posts:
    2,741
    Location:
    UK
    No personally identifiable information is submitted to the cloud is what he means.

    Whilst some analysis is done locally, the information gathered is still sent up to the cloud. Otherwise, as fax said, how can WSA determine if an application is safe or not if it only sends the MD5 and not what the file does? It is a combination of all these bits of information that allows WSA to make its choices on file and program behaviour with the details that are already up there in the cloud.

    I think you're getting there. This is true, and in the case of unknown files, every action is journalled. Once you're online, all that information is sent to the cloud.

    Edit: typo.
     
    Last edited: Nov 11, 2012
  11. claudiu

    claudiu Guest

    "Re: Technical question: How WB scans whole PC


    06-18-2012 09:18 AM - edited 06-18-2012 10:34 AM

    Hi Claudiu,

    Your main protection while disconnected from the internet (NB--->offline) is coming from SecureAnywhere's behavioral shields/detections and local heuristics.

    Mike R
    Social Support Engineer "

    http://community.webroot.com/t5/Web...B-scans-whole-PC/m-p/6198/highlight/true#M206



    Behaviors/heuristics are all applied in the cloud
    (NB--->online)

    PrevxHelp

    https://www.wilderssecurity.com/showpost.php?p=2143197&postcount=34

    o_O
     
  12. PrevxHelp

    PrevxHelp Former Prevx Moderator

    Joined:
    Sep 14, 2008
    Posts:
    8,242
    Location:
    USA/UK
    Correct, and when online, it also uses the same, except they're sent to the cloud.
     
  13. TonyW

    TonyW Registered Member

    Joined:
    Oct 12, 2005
    Posts:
    2,741
    Location:
    UK
    So that we can be clear, claudiu:

    Offline: behaviour & heuristic analysis done locally.

    Online: same as offline, but info sent to cloud.


    Think about it, claudiu. The product is cloud-based. If there's no internet connection, information can't be sent to the cloud, can it? So then it gets done locally only. When you're back online, that information is sent to the cloud.

    I don't think we can make it any clearer than that. :)
     
  14. IBK

    IBK AV Expert

    Joined:
    Dec 22, 2003
    Posts:
    1,886
    Location:
    Innsbruck (Austria)
    Not true. In case of Webroot, the settings are set on default and the FPs encountered with default settings (not highest). That the clean files are seen the *first* time is unrealistic, not only because we retested them over longer periods and also using the original paths, but also because we checked the prevalence, which in several cases is high (see the prevalence notes in the FP report).
     
  15. fax

    fax Registered Member

    Joined:
    May 30, 2005
    Posts:
    3,899
    Location:
    localhost
    "First seen" by the Webroot cloud... and looking at your list, I have hardly ever installed most of that software on my systems. False positives are like a treasure hunt exercise: if you are good at it you will find many. Otherwise it is unlikely you will ever find one. ;)
     
  16. PrevxHelp

    PrevxHelp Former Prevx Moderator

    Joined:
    Sep 14, 2008
    Posts:
    8,242
    Location:
    USA/UK
    Our cloud view is definitive here, and what we've seen is that they are indeed the "first sight" in a large number of cases. Having them retested over time doesn't make a difference as the first sight flag is maintained locally.
     
  17. Techfox1976

    Techfox1976 Registered Member

    Joined:
    Jul 22, 2010
    Posts:
    749
    Then why does the actual report say otherwise? It does have an "Except for XXX" item for another thing, but none for Webroot. If the report says "We do X", then as a testing organization, we trust that the test does X. To do otherwise does nothing except cast (more) doubt on the accuracy of the test. Testing organizations definitely should not get to the point where they are doing as badly as YouTesters, but they are starting down that route. :(

    So at that point, I wonder more how the test managed to so utterly fail to look even vaguely like reality. This isn't climate science.
     
  18. IBK

    IBK AV Expert

    Joined:
    Dec 22, 2003
    Posts:
    1,886
    Location:
    Innsbruck (Austria)
    @PrevxHelp: when we test over a longer period of time it also means with different PCs, different license keys and different locations. That is why I say that it can't be the first and only time you saw them (also because many were already scanned in the past with your product). I would be OK if you say that you have not seen them often or only a few times, but saying "only once" is wrong. At least you just admitted that this was not the case with all files by saying that it wasn't in all cases.

    @Techfox1976: please read again and more carefully what is written in the report. I know that default was used, and so does Webroot, so I wonder why and who is spreading wrong information to make it look like the FPs never occur and only if a paranoid mode is set. If a mode had been set which warns about every new file, the detection rate would not have been so low and the rate of FPs surely higher. Furthermore, the settings mentioned would have an effect mainly in the WPDT, not in the scan scenario, so it was not worth mentioning in the report that they were left on default.

    Anyway, Webroot surely fixed the reported FPs a long time ago, so give it a chance for further future improvements.
     
  19. Techfox1976

    Techfox1976 Registered Member

    Joined:
    Jul 22, 2010
    Posts:
    749
    Copy-protection on the reports prohibits cut and paste. Pain in the rear.

    "In order to get comparable results, we set the few remaining products to highest settings or leave them to lower settings - in accordance with the respective vendors." It then also lists overrides for vendors that do not include Webroot. However, the information prior indicates that it uses this process on any AV that does not perform at highest settings for on-demand scans (which Webroot does not; it uses the same settings for realtime and on demand, and technically has less capability for on-demand scanning). This leads me to the conclusion that either Webroot was set to higher or left to lower and not mentioned, which is a fault on the part of AV-C, or was not properly recognized for the way it functions and left at normal, which is also a fault on the part of AV-C.

    Transparency and accuracy in testing are critical. The above information is from the file farm detection; the FP test does nothing whatsoever to explain what settings the software is set to or how the test is explicitly performed. However, it is an appendix to the file-detection test, so it is reasonable to assume that the main test methodology information applies to it. If it does not, then the FP test document should contain information about the testing methodology.

    I guess the real question is how the test managed to get so many FPs when, in all my time using this product on as many computers as I do, I have not been able to accomplish anything even vaguely close to as bad as the test claims. I've been doing security professionally for over a decade and even adjusting for user variables, what I've seen is nowhere vaguely close to the tests.

    What did the test do to accomplish results that utterly fail to even vaguely match directly observed reality?
     
  20. PC_Fiddler

    PC_Fiddler Registered Member

    Joined:
    Aug 18, 2012
    Posts:
    167
    Location:
    Yorkshire - UK
    I go away for a month, return & see the same questions from someone who moved on from WSA many weeks ago - Most extraordinary! :eek:
     