question / possible issue reg web blocking

Discussion in 'Prevx Releases' started by zfactor, Feb 17, 2013.

Thread Status:
Not open for further replies.
  1. zfactor

    zfactor Registered Member

    Joined:
    Mar 10, 2005
    Posts:
    6,013
    Location:
    on my zx10-r
    have a issue with wsa i found. today i was downloading a file sent from my mom which was a rar file with lots of pictures. was downloading great. while it was downloading i was browsing the web. i got the webroot pop up about a site with malicious content and my download failed. i thought it was a fluke. so i started the download again and this time (will explain this part in a a bit) refreshed the page that was originally blocked. saw the pop up and once again downloads were terminated.

    i was able to repeat this many times. why when wsa blocks one specific page does it kill all downloads that are in the process of downloading? eset, avast etc do not do this. they simply block that page. this is a bit annoying because i can not browse the web while downloading anything that i want to make sure finishes. otherwise i may get a download failed message.

    i then disabled webroot and tested this (knowing the page was supposed to be malicious this was a test) and this time had zero problems. i went to the same page again i know it had the pop up but i wanted to test this to make sure what i was seeing was caused from wsa. and it in fact is.

    is there a way to set wsa to not kill the entire connection when it blocks a page from loading and allow the downloads to continue? this is very annoying imo. i also run eset and others and when they block a page they do not cut off the connection and kill any items being downloaded. i do not have this problem every day granted but this file was about 500mb that my mom uploaded for us to download. and i could not figure out at first why i kept getting failed on firefox. but without wsa enabled it worked perfect. it is in fact only happening when wsa is enabled.

    ---------------------------------------

    second issue.... when wsa pops up and "blocks" a page if you do not click anything and just wait the page will show up again behind the pop up. and if you are quick you can simply click anything on that page. its like this wsa pops up when the page loads, the screen goes white with the pop up in the corner. if you wait without click block or allow the page will come back with the pop up in front of it. and then again quickly go white again. then come back etc..... and when you can see the page during this happening i can click links on the page without a issue if i am quick.

    ------------------------------------------------
    why is this happening. i verified this on many systems it works exactly the same way. and that when a page gets blocked it cuts off my connection briefly which kills any items i was downloading or watching etc?? like netflix or hulu etc i get a pause when i see this message on that machine. and as stated above it kills off my downloads that might be running as soon as that pops up. i hope i described this well enough but i can provide more info if needed. i do feel when it blocks a web page it should not cut off the connections during that though that is very annoying.

    any thoughts on this joe??
     
    Last edited: Feb 17, 2013
  2. Triple Helix

    Triple Helix Webroot Product Advisor

    Joined:
    Nov 20, 2004
    Posts:
    12,014
    Location:
    Ontario, Canada
  3. Techfox1976

    Techfox1976 Registered Member

    Joined:
    Jul 22, 2010
    Posts:
    749
    The "Cut off the connections" behavior is expected. When the browser hits a known-malicious location, all other connections in the browser are also killed as there is a very strong likelihood that one of them is an unknown bad site.

    You'll see that in the logs too:
    Sun 2012-09-02 15:56:07.0376 Blocked website: http://<stripped>/forums/showthread.php?t=31440
    Sun 2012-09-02 15:56:07.0379 Closed network connection: [0100007F.42435 - 0100007F.42691]
    Sun 2012-09-02 15:56:07.0379 Closed network connection: [0100007F.42691 - 0100007F.42435]
    Sun 2012-09-02 15:56:07.0379 Closed network connection: [0801A8C0.40668 - BDE356D1.47873]
    Sun 2012-09-02 15:56:07.0379 Closed network connection: [0801A8C0.32991 - 0796FBE7.47873]
    Sun 2012-09-02 15:56:07.0379 Closed network connection: [0801A8C0.33503 - 239F9652.20480]

    (Logs modified for privacy as well)
     
  4. zfactor

    zfactor Registered Member

    Joined:
    Mar 10, 2005
    Posts:
    6,013
    Location:
    on my zx10-r
    very annoying though. as i said most others do not work this way. when eset for example finds a web threat and blocks it my downloads or video do not get cut off...
     
  5. Techfox1976

    Techfox1976 Registered Member

    Joined:
    Jul 22, 2010
    Posts:
    749
    True. That's one of the reasons ESET isn't as effective. There are tradeoffs to everything. You can do deep packet inspection at the cost of network latency and speed and CPU, for example. You can block based on network information, but then all it takes is getting one attempt past it to evade. Try ten possibilities at once and one might get by. Even on deep packet inspection, the ten tries at once can get by stuff.

    WSA doesn't slow things down by doing deep packet inspection, and it stops the ten-tries-at-once evasion route too. Security over convenience.

    Though now you have me wondering how you end up finding so many bad sites to have this affect you so frequently. Firefox and Adblock on my side and I have hit one bad site precisely when I used IE instead.
     
  6. zfactor

    zfactor Registered Member

    Joined:
    Mar 10, 2005
    Posts:
    6,013
    Location:
    on my zx10-r
    there are a couple sites i use that always have lots of ads and even with ad block some get through. these few sites always throw a pop up from wsa. i have notified the admin and was told they would look into those ads causing the issue. i also do a lot of av testing and am always browsing around other places also but not on my main machine i only do that on my test machine.

    it would be nice if they could somehow include a switch to have it not totally stop all connections for those who want that instead of totally cutting it off.
     
  7. PrevxHelp

    PrevxHelp Former Prevx Moderator

    Joined:
    Sep 14, 2008
    Posts:
    8,242
    Location:
    USA/UK
    We will be likely be opening up some of the configuration at some point for this as we move to rework some of the Web Threat Shield for improved integration into our other URL classification services, but in the meantime, it does indeed err on the side of blocking everything off if it sees something malicious taking place.

    The reasoning is that if you somehow ended up on a malicious website, you likely came from somewhere that was compromised or is semi-malicious. Users don't just type into their browser the exact URL of a malicious domain, so we try to be overly cautious and block everything that has a current connection even if we don't necessarily see it as bad at that point.
     
Thread Status:
Not open for further replies.