Question regarding Protected Applications

Discussion in 'Prevx Releases' started by PC_Fiddler, Sep 12, 2012.

Thread Status:
Not open for further replies.
  1. PC_Fiddler

    PC_Fiddler Registered Member

    Joined:
    Aug 18, 2012
    Posts:
    167
    Location:
    Yorkshire - UK
    Today I installed a small service pack for Softmaker Office which is similar to MS Office. As it's new & released yesterday WSA it seems does not yet know if it safe or not as I noticed I was unable to use the mail client properly or cut & paste into the Textmaker application. Looking into Protected Applications I noticed the all four program modules were on deny.

    I them moved these to allow so I could use the modules, the size of WRData then climbed 50 Meg to just under 200 meg which shows (to me) WSA is keeping further track of changes. There is also another program I noticed was on deny & which is a cleaner which also hasn't been running properly, I moved this also to allow, WRData then increased to well over 200Meg.

    My question(s) is/are will the size of WRData continue to climb as I continue to use the programs until classified & what happens if a much used program is never classified by WSA as neither good or bad which 'seems' to be happening with the program 'Wise Disc Cleaner'? I use this program frequently & it makes a fair number of changes to the system as it's function is to remove unneeded data in large quantities - Perhaps to make matters worse this program is updated frequently. I notice 'Stardock Window Blinds' is always on deny despite moving it to allow it reverts back on next reboot, why is this?

    Thanks !
     
  2. Triple Helix

    Triple Helix Webroot Product Advisor

    Joined:
    Nov 20, 2004
    Posts:
    12,011
    Location:
    Ontario, Canada
  3. Esse

    Esse Registered Member

    Joined:
    May 26, 2011
    Posts:
    383
    Hi TH!
    Is this the backside of the "revert" feature you showed me in the video?
    How a "legal" program (False positive) is under constant monitoring or is the issue posted here only a bug?
    I mean just as well as a malware will get detected sooner or later by WSA, so should false positives right?

    Cheers

    /E
     
  4. PC_Fiddler

    PC_Fiddler Registered Member

    Joined:
    Aug 18, 2012
    Posts:
    167
    Location:
    Yorkshire - UK
    The recent video is the reason I've been looking at Protected Applications with interest, & as WSA operates on a different system than other AV solutions (although I used Prevx for some years) I've not really been aware of actually how the WSA monitoring works until recently & as others who I introduce to WSA may ask me similar questions it's good to have a basic working knowledge (or I'm going to look a right fool) - How does Webroot identity FP's or unknowns? Is some (most?) of this info gleaned from users who submit unknown files or is this unnecessary or even unhelpful to WSA support? (is this being a pain in the posterior?) - Someone has to ask the stupid questions so it might as well be me :argh: - Thanks for the replies TC
     
    Last edited: Sep 13, 2012
  5. PrevxHelp

    PrevxHelp Former Prevx Moderator

    Joined:
    Sep 14, 2008
    Posts:
    8,242
    Location:
    USA/UK
    Every program starts as untrusted and is therefore journaled. Users submitting false positives is a negligible number - we primarily prevent false positives generically by being aware of what a centrally created rule will catch and being able to white list files automatically.
     
  6. PC_Fiddler

    PC_Fiddler Registered Member

    Joined:
    Aug 18, 2012
    Posts:
    167
    Location:
    Yorkshire - UK
    OK, thanks for replying - Sorted :)
     
  7. Triple Helix

    Triple Helix Webroot Product Advisor

    Joined:
    Nov 20, 2004
    Posts:
    12,011
    Location:
    Ontario, Canada
    I just like add to this thread as some users use not commonly known programs to the Webroot Cloud database and if someone does have issues with a certain program and want to get them Whitelisted sooner the best thing is to do a scan and save a scan log and start a WSA support ticket and put all the lines with in the front in the support ticket then if another user installs that same program the files will already be whitelisted in the cloud database. ;) And personally I can't remember the last time I had a false positive :thumb:

    TH
     
  8. trjam

    trjam Registered Member

    Joined:
    Aug 18, 2006
    Posts:
    9,057
    Location:
    North Carolina
    yep TH, that old complaint of mine seems, to be a thing of the past. Never thought I would say it but, WSA is pretty much perfect when it comes to FPs.
     
  9. PC_Fiddler

    PC_Fiddler Registered Member

    Joined:
    Aug 18, 2012
    Posts:
    167
    Location:
    Yorkshire - UK


    Done that & I wish support the very best of luck :eek:
     
  10. Triple Helix

    Triple Helix Webroot Product Advisor

    Joined:
    Nov 20, 2004
    Posts:
    12,011
    Location:
    Ontario, Canada
    You will see for yourself! ;)

    TH
     
  11. PrevxHelp

    PrevxHelp Former Prevx Moderator

    Joined:
    Sep 14, 2008
    Posts:
    8,242
    Location:
    USA/UK
    Glad to hear it :thumb:
     
  12. PC_Fiddler

    PC_Fiddler Registered Member

    Joined:
    Aug 18, 2012
    Posts:
    167
    Location:
    Yorkshire - UK
    Well support was excellent, there were quite a few unknowns actually including a few uncommon photo & music editing programs I use. I send a report to Webroot last night & received a reply this morning & all issues sorted.

    Great service & then some. :D
     
  13. Triple Helix

    Triple Helix Webroot Product Advisor

    Joined:
    Nov 20, 2004
    Posts:
    12,011
    Location:
    Ontario, Canada
    Great to hear! I knew that the support inbox would help you and you would be happy! ;)

    Cheers,

    TH
     
  14. Esse

    Esse Registered Member

    Joined:
    May 26, 2011
    Posts:
    383
    Joe and TH, I saw this test of the rollback feature by Biozfear, and like to hear your point of view regarding this simple test, were the feature "missed" a bit.

    http://www.youtube.com/watch?v=MJ7KAINQqfQ&feature=plcp

    Hope this works, having problem posting the link??

    Cheers

    /E
     
  15. PrevxHelp

    PrevxHelp Former Prevx Moderator

    Joined:
    Sep 14, 2008
    Posts:
    8,242
    Location:
    USA/UK
    I don't have a youtube account but I'll post a reply here (in case you want to pass it on to the video creator).

    We should have definitely cleaned up the shortcut - that looks like a bug which we're going to be investigating in the next build. Shortcuts are created slightly differently in the OS than other files so it's possible that this would change how it's handled. As for Ransomware which blocks the OS from working, you can boot into Safemode with Networking and still use WSA. From what I've seen, that's usually sufficient to get around these infections. As for our detection rates, right clicking on a folder of files uses only a fraction of the detection abilities of WSA so we'll always score worse there than how we'd score on-execution. That aside, the test was overall very well thought out and I really appreciate the help in improving our product :thumb: If he has any additional suggestions or feedback, send me an email to my username at gmail.com and we'll definitely work to fix anything we can!

    Thanks for letting me know :)
     
  16. Esse

    Esse Registered Member

    Joined:
    May 26, 2011
    Posts:
    383
    Done, he got your answer.

    /E
     
  17. Biozfear

    Biozfear Registered Member

    Joined:
    Aug 15, 2012
    Posts:
    10
    Location:
    Gibraltar
    Hi there, I was the one who did the test in the video.

    There are some ransomware variations that even in safe mode you can't get into windows (safemode, safemode with network). In these cases, such roll back feature becomes defenseless.

    As for the detection rate, I will do a re-test with a few days old samples and then execute them and then lets see how will WSA hold its grounds.

    I still believe there should be more work done on prevention aspect of WSA but let's see what the test could do.
     
  18. PrevxHelp

    PrevxHelp Former Prevx Moderator

    Joined:
    Sep 14, 2008
    Posts:
    8,242
    Location:
    USA/UK
    Thank you for reaching out! I'd be interested in obtaining samples of ransomware which affects the system in this manner so that we can look into preventing it from occurring by blocking the change generically. If you could send them to my username at gmail.com, I'd appreciate it.

    Thank you!
     
  19. Biozfear

    Biozfear Registered Member

    Joined:
    Aug 15, 2012
    Posts:
    10
    Location:
    Gibraltar
    email sent. hope it helps.

    Happy hunting:)
     
  20. volvic

    volvic Registered Member

    Joined:
    Aug 17, 2009
    Posts:
    220
    webroot should buy out hitman pro
     
  21. Thankful

    Thankful Savings Monitor

    Joined:
    Feb 28, 2005
    Posts:
    3,731
    Location:
    New York City
    Why does WSA include CCleaner as a protected application even though it is set to "deny"?
    Windows 7 Ultimate, SP1
    IE 9
     
  22. PrevxHelp

    PrevxHelp Former Prevx Moderator

    Joined:
    Sep 14, 2008
    Posts:
    8,242
    Location:
    USA/UK
    Applications are added to Deny when they try to access the system - I suspect it was just because CCleaner has read cookies from disk, but it shouldn't have any negative effects when listed as Deny.
     
  23. Thankful

    Thankful Savings Monitor

    Joined:
    Feb 28, 2005
    Posts:
    3,731
    Location:
    New York City
    Thank you.
     
Thread Status:
Not open for further replies.