Rediculous Impasse

Discussion in 'Prevx Releases' started by STV0726, Jan 18, 2013.

Thread Status:
Not open for further replies.
  1. STV0726

    STV0726 Registered Member

    Joined:
    Jul 29, 2010
    Posts:
    900
    Hi,

    I just discovered a ridiculous and dangerous impasse. If you use Access Control in WSA, Webroot will still allow non-administrator users to decide not to remove a threat found (by unchecking it). Then, when it asks you to "select how to act upon files that were not selected for removal", you can allow it (default), block, or monitor. I go to change the action to monitor, and it stops me due to not being an administrator. So a non-administrator can allow malware on my computer but can't put it in monitor mode? That's backwards how it ought to be! MAJOR SECURITY FLAW! MAJOR! :argh:

    And wait a second...why am I getting this prompt anyway? I have it set all the way to "set and forget protection". Why am I seeing prompts?

    I fear that WSA detection/removal prompt system is still not working the way it should be. Moreover, it seems that even as far as WSA has come, it still suffers from one of the most aggravating drawbacks that Prevx 3.0 did for me which was, it is seemingly designed for users that run always admin and don't care about stopping other users on the computer from doing things they shouldn't do. While Access Control has solved some of these problems, things like this still happen and giving non-administrative users (and guest accounts...hello!) the ability to allow malware detected is just bad. Really, really bad.

    As for non-administrative users, they should either be:

    A) Forced to block/remove detected malware to ensure safety of the system until the administrator can approve of any file they encountered and make a decision

    -or-

    B) Given the option to block it or monitor it, but NEVER allow it, unless no Access Control settings were enabled on the client.

    I don't get it.
     
    Last edited: Jan 18, 2013
  2. Techfox1976

    Techfox1976 Registered Member

    Joined:
    Jul 22, 2010
    Posts:
    749
    Your post wasn't clear. You said that if you change it to "Monitor", it won't let you do that.

    You did not explicitly say that if you leave it on the default "allow", it will let you do that. Is that the case?
     
  3. STV0726

    STV0726 Registered Member

    Joined:
    Jul 29, 2010
    Posts:
    900
    Let's you allow because that seems to be the default.

    And yes, cannot switch actions.

    But what I'm arguing is:

    1. Non-admin user accounts should be forced to either remove or put in monitor mode but NEVER allow. (Do you really want a guest or your girlfriend who isn't a nerd like you to make allow file decisions on your computer?)

    2. No prompt should have even been seen since it is set to Set & Forget Protection.

    So...yeah. Certainly not good the way it is functioning presently.
     
  4. Techfox1976

    Techfox1976 Registered Member

    Joined:
    Jul 22, 2010
    Posts:
    749
    Yeah, if it lets a non-admin account allow malware when it shouldn't be allowed to allow, that strikes me as Not Good.
     
  5. PrevxHelp

    PrevxHelp Former Prevx Moderator

    Joined:
    Sep 14, 2008
    Posts:
    8,242
    Location:
    USA/UK
    We've had it this way to avoid "punishing" users in the event of false positives, but I see your point and agree that this should be changed. Set & Forget can apply in almost all cases, but in the event where a series of infections are detected which may require a reboot, it needs to interact with the user to avoid just suddenly rebooting the system and causing them to lose their work.

    Thanks for the feedback :thumb:
     
  6. guest

    guest Guest

    I am one of those (running Win7 with UAC enabled - windows 7 "default" setting) who DO WANT the choice to un-check false positives at the moment they are "discovered" by WSA. - I would hate if there was something changed in the way I can do it now:

    I let the WSA window open (where it asks me what to do), then I am checking with for example virustotal, already knowing for sure in most cases that it is of course a false positive again (I run a few programs WSA always categorizes as "suspicious" like components of DVBViewer in every new version) and after being sure I un-check the so called "malware" (= false positive!) so the problem is solved - at least for me on my computer. I have to deal with issues on systems of relatives separately.

    If for some reason this thread leads to a change that does take away this kind of easy solution in case of false positives (and sparing me so far automatic quarantine etc.) I won't be happy at all!

    The thing is: I don't know what the windows 7 default is (UAC enabled) but I think I am not using an ADMIN account as it was referred to in this thread, right? - I would not like at all having to change to some (in my case never used) "real" (?) admin account just to get rid of false positive detections.

    Probably I misunderstood something here but I wanted to make very clear that I do want me (and my relatives) having the possibility with normal, default Win 7 installments to un-check those false positives and in result having them NOT deleted, quarantined or whatever!

    I HATE AV-solutions that automatically delete false positives and will uninstall them!

    And I don't get infected anyway, so those detections are all and always (!) false positives (I am speaking of years of experience with Prevx/WSA), being someone who keeps his system updated and doing no shady stuff (like keygens etc.).

    I don't want to be "punished" for whatever good reason, please keep that in mind. :)

    And being the one that always told all of you my experience with Prevx and false positives in the past, seeing the latest tests of WSA confirming my experiences ... I would say you should consider that there ARE false positives with your product even if some people here claim they never had one. I had hundreds over the last years and it's always a pain to deal with them. Making it even harder (and I hope you don't go that route), by eliminating choice for me when I come across a false positive, would not help me. ;)

    Of course I do see that the mentioned problem is a real problem and should be addressed! So please let's have an option for those like me who want to decide what WSA is doing after a "detection". - Not forcing me to login into some never used admin-account if that would be the case (which I don't know as I said - just using the default win 7 settings).

    To make it very clear: my issue is at this moment NOT ... having false positives with WSA (I am used to that and accept it, it's fine, really!) but I don't want any more hassle dealing with them on a normal windows 7 system with UAC enabled, okay? :)

    That is just a feedback for Joe because he made that comment and I don't want to stir up old things! So no need for you telling again your story that you never had a false positive with WSA (defending it etc.), I am not doubting that but please don't doubt me in my NEED to have an easy way to deal with the false positives I DO get on a regular basis with WSA! No more hassle please. :)

    I do like WSA very much (because of it's lightness!) and I tolerate false positives (and not so good test results etc.) without a problem ... but probably not making my life harder fighting false positive detections that shouldn't be there in the first place. :)

    And I want WSA to get (even) better in the fields where improvement is needed so please find a way, Joe, to make us *ALL* happy, thank you! :)
     
  7. PrevxHelp

    PrevxHelp Former Prevx Moderator

    Joined:
    Sep 14, 2008
    Posts:
    8,242
    Location:
    USA/UK
    Don't worry - we won't make it hard for you to use the product :) Your use case is exactly why it is how it is today, so we may end up needing to add another configuration option to control this specific use case. And for what it's worth, in the next week or so (after testing) we are working on rolling out a brand new anti-FP measure which will also improve system performance.
     
  8. guest

    guest Guest

    @ Joe:

    THANK YOU VERY MUCH! :thumb:

    (And yes, I am pretty much excited now about the next version, well done! :D)
     
  9. zfactor

    zfactor Registered Member

    Joined:
    Mar 10, 2005
    Posts:
    6,012
    Location:
    on my zx10-r
    i agree with both sides here. so i think the option would be the best idea, sincs as mat where i have relatives using it they would want the set and forget thing but i know i would not. glad to hear something is being worked on for it though.
     
  10. STV0726

    STV0726 Registered Member

    Joined:
    Jul 29, 2010
    Posts:
    900
    No problem...

    I would argue that preventing non-administrators from allowing malware should be the default, however, I agree that this should remain a choice and I certainly would NOT want my suggestion to take away the usage scenario/option some have described below.

    Again, I must emphasize that this is a security risk though -- pretty severe too. It would be one thing to let non-admins choose to monitor instead of block...at least then it is pseudo-running. But to let them alloiw stuff...by default?

    I think the default should be the inverse of how it presently is.

    This rrally is separate from the set and forget vs hands on slider. This needs an option in the advanced settings.

    My suggestions:

    By the checkboxes that deal wiith allowing non-admins to scan and what not....

    * Allow non-administrators to decide how to respond to detections

    Or

    * Allow non-administraotrs to allow detections

    Or

    * Force non-administrators to block detections

    Or if you want to get real specific

    * Allow non-administrators to monitor detections instead of removal

    * Allow non-adminatrators to allow detections instead of removal

    Something like that/those.
     
Thread Status:
Not open for further replies.