threat overview screen and privacy question

Discussion in 'Prevx Releases' started by Jeroen1000, Oct 14, 2011.

Thread Status:
Not open for further replies.
  1. Jeroen1000

    Jeroen1000 Registered Member

    Joined:
    Aug 18, 2008
    Posts:
    162
    May I ask you Joe, when it may be coming?

    I often just block threats and keep them around until I'm sure they are indeed threats, and for a private comparison with other AV solutions I'm running. But, when WSA detects 1, there is no real easy overview of detected threats and their respective locations.

    I'm missing the kind of overview Prevx presents. The only downside it has, is that I often cannot read the full path, and hovering over the path information is a bit tricky at times.


    Second question I have is, can I exclude certain file types + directories that cannot under any terms be sent to the cloud? Confidential documents for instance?
     
  2. TonyW

    TonyW Registered Member

    Joined:
    Oct 12, 2005
    Posts:
    2,635
    Location:
    UK
    A detailed file analysis page for WSA was discussed some time ago, and that may still be being developed. It should be something like what current Prevx users can use, but with more detailed info.

    The exclusion of files/folders has been suggested by some beta users already, myself included, and is being considered.
     
  3. Jeroen1000

    Jeroen1000 Registered Member

    Joined:
    Aug 18, 2008
    Posts:
    162
    Thanks for the info. However, I'm also hinting at excluding file types like *.doc and encrypted files with a specific extension.
     
  4. PrevxHelp

    PrevxHelp Former Prevx Moderator

    Joined:
    Sep 14, 2008
    Posts:
    8,242
    Location:
    USA/UK
    Nothing personally identifiable is sent to the cloud and only data about executable files is sent up to the cloud (macro viruses/etc. are covered with local signatures to prevent the transmission of even the file hashes).
     
  5. PrevxHelp

    PrevxHelp Former Prevx Moderator

    Joined:
    Sep 14, 2008
    Posts:
    8,242
    Location:
    USA/UK
    You may want to disable automatic threat removal if you'd prefer to see the files in a scan window, or you can always look through quarantine under PC Security to see exactly what was removed.
     
  6. Jeroen1000

    Jeroen1000 Registered Member

    Joined:
    Aug 18, 2008
    Posts:
    162
    Could you please specify/elaborate on this? For instance, a self extracting RAR archive that is encrypted (I'm assuming this is counted as being an executable). Is there a chance this archive is uploaded to the cloud?

    Or PGP-encrypted files for that matter? I'd personally be more at ease if I could truly set WSA to exclude these files.

    And thanks for the tip, I had already deactivated auto removal but a detailed overview would be very nice (and it does add a certain coolness:D )

    thanks again for your speedy responses!
     
  7. Thankful

    Thankful Savings Monitor

    Joined:
    Feb 28, 2005
    Posts:
    3,744
    Location:
    New York City
    The EULA specifies the IP address, registry keys, language, Software report log(s), running processes, temporary Internet files, Internet search history, applications using ports, and other data pertaining to the contents of Your default folder custom folders, and/or downloaded program files directory ('System Information,' and collectively with Attack Data and Location Information, 'Your Information') may be sent to the Webroot database.

    If this is not true, you should change the EULA!
     
  8. Jeroen1000

    Jeroen1000 Registered Member

    Joined:
    Aug 18, 2008
    Posts:
    162
    Wow really, internet search history? IF this is true, WSA is not for the privacy minded...
     
  9. Techfox1976

    Techfox1976 Registered Member

    Joined:
    Jul 22, 2010
    Posts:
    749
    @Jeroen1000
    The files themselves are never sent up, only the signatures of the files (MD5, behavior, etc), and unless something tries to load the encrypted RAR or DOC as machine code and execute it, it wouldn't be looked at.

    @Thankful and Jeroen1000
    Sending data and keeping data linked are two different things. If the search history is sent and then converted into a count, it doesn't matter, since then all it becomes is "98% of the people who got hit with troj.Banker-GGT searched for 'baby bunny'". So for example, if you search for 'nobodyserachesforthis' and that gets sent up, it just becomes a new entry in "things people searched for" and gets a count of "1", but there is nothing at all in the database that says that you specifically are the one who searched for it and no way to find that out.

    So Webroot is required by law to say that they send the data up, but the privacy policy and legal mandates on what they are allowed to do with the data mean that before it gets processed, it can't be cracked open (check your network stream), and after it gets processed it's just a tick mark with no attribution.
     
  10. Jeroen1000

    Jeroen1000 Registered Member

    Joined:
    Aug 18, 2008
    Posts:
    162
    @Techfox1976, yes you provide a valid use and acceptable explanation but how can you be sure it works that way? I'm assuming you do not work for Webroot of course:).
    But I'll try to Wireshark traffic going to Webroot as you say. I'm not too sure how much sense I'll be able to make of it though.

    Anyway, this is a good thing to know that they collect so much data. I was quite unaware of this and I feel it deserves a lot more attention than just in the EULA that I did not really read:ouch:
     
  11. Thankful

    Thankful Savings Monitor

    Joined:
    Feb 28, 2005
    Posts:
    3,744
    Location:
    New York City
    Why haven't I seen such an intrusion of privacy within the EULA of other security providers?
     
  12. Techfox1976

    Techfox1976 Registered Member

    Joined:
    Jul 22, 2010
    Posts:
    749
    @Jeroen1000
    Mostly just logic. Webroot sells internationally. If a complaint were filed, they'd be investigated by any number of countries with nearly-draconian privacy laws. If they were not in compliance, it would effectively be instantaneous corporate suicide and not something that would be a normal "cost of doing business". Since companies usually want to make money, they would need to be in compliance from the start and chances are that they have already informed the necessary watch agencies. They're not a new startup (upstart?) nor are they massive enough that they could recover from a catastrophe.

    The network stream when scanning looks pretty much like base26. Take the total network stream size, account for the base, and the data is just about the right size to be a bunch of MD5s.

    ... *Sigh* Honestly, the way I figure it is that any place or person has a huge amount of capability that they COULD do wrong. When you walk into a grocery store, you are on camera, in their building, etc. In the utmost extreme, they could install poisonous gas valves. But that doesn't occur to anybody because the likelihood they will is so slim and we trust that they won't. Webroot is giving you a program that talks to the network constantly, hooks very deeply into the computer, and has a lot of capability. They tell you what data they are sending up also. I guess it's just up to us whether we trust them to not screw us with it in ways that would destroy them if they did.

    So when I look at what they send, what law allows them to do with it, and what would happen if they abused it, I personally can't come to any conclusion other than that it's safe. Nobody, especially not a company, could be stupid enough to do something bad with that, and in the slim chance that somebody was stupid enough to do so, they wouldn't admit to even getting the data. So the very fact that the EULA admits to it supports the idea that it's safe.

    Weird logic, but it works for me.
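
The size check described in the post above ("take the total network stream size, account for the base"), written out as an added example that is not part of the original thread and not Webroot's code. It assumes the 26 symbols are A-Z, that each MD5 is sent as a fixed-width base-26 number with no framing, and that the payload has already been extracted from a capture of your own traffic; all sample data is constructed.

```python
import hashlib
import math
import string

# Assumptions (not from the thread or from Webroot): the 26 symbols are A-Z,
# each MD5 is sent as a fixed-width base-26 number, and there is no framing.
ALPHABET = string.ascii_uppercase
MD5_BITS = 128
# Symbols needed to carry 128 bits when each symbol holds log2(26) bits.
CHARS_PER_MD5 = math.ceil(MD5_BITS / math.log2(len(ALPHABET)))


def md5_base26(data: bytes) -> str:
    """Encode the MD5 of data as a fixed-width base-26 string."""
    n = int.from_bytes(hashlib.md5(data).digest(), "big")
    symbols = []
    for _ in range(CHARS_PER_MD5):
        n, rem = divmod(n, len(ALPHABET))
        symbols.append(ALPHABET[rem])
    return "".join(reversed(symbols))


def assess_payload(payload: str, files_scanned: int, slack: float = 1.25) -> dict:
    """Compare a captured payload with the 'one hash per scanned file' claim."""
    foreign = sorted(set(payload) - set(ALPHABET))
    budget = files_scanned * CHARS_PER_MD5 * slack
    return {
        "foreign_symbols": foreign,
        "digest_capacity": len(payload) / CHARS_PER_MD5,
        "within_size_budget": len(payload) <= budget,
        "consistent_with_hashes_only": not foreign and len(payload) <= budget,
    }


# Constructed sample data: three stand-in "executables" and three payloads.
SAMPLE_FILES = [b"MZ\x90\x00 sample one", b"MZ\x90\x00 sample two", b"MZ\x90\x00 sample three"]
HASH_ONLY = "".join(md5_base26(f) for f in SAMPLE_FILES)
WITH_PATH = HASH_ONLY[:56] + "C:\\Users\\me\\secret.doc"  # a file path leaking in
OVERSIZED = HASH_ONLY * 10                                # far more data than 3 hashes

if __name__ == "__main__":
    for name, payload in [("hash-only", HASH_ONLY), ("with-path", WITH_PATH), ("oversized", OVERSIZED)]:
        print(name, assess_payload(payload, files_scanned=len(SAMPLE_FILES)))
```

A payload that passes this check is only consistent with hashes; it does not prove that nothing else is encoded in the same alphabet.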
     
  13. Techfox1976

    Techfox1976 Registered Member

    Joined:
    Jul 22, 2010
    Posts:
    749
    Almost everything else uses local defs. You can use it completely offline with a local database and have it (generally) work. They don't even have to get your IP from requesting def updates if you download off-site and install them manually. So what do all the legal portions of all the other ones that have any cloud or central reporting say?
     
  14. Thankful

    Thankful Savings Monitor

    Joined:
    Feb 28, 2005
    Posts:
    3,744
    Location:
    New York City
    Other cloud based AVs don't specify the amount of privacy intrusion that Webroot does.
     
  15. Techfox1976

    Techfox1976 Registered Member

    Joined:
    Jul 22, 2010
    Posts:
    749
    Do they work the same way?

    It really still comes down to: Webroot is telling you what it gathers. If you believe that they will do something evil to you because of this, you always have the option not to use them. Of course if they are the best thing since sliced bread and not doing anything bad, then you miss out, and if they do something bad, lots of people go to jail and they go out of business and you get to be happy they didn't get you. :)

    But it really is just whether you trust the company. If you don't, then you shouldn't use them. I went through my logic about why I trust them, so I'm fine. Your decision is up to you.

    If they are like any normal company at all, there is no 'easy' way to get a solid answer on what happens with the data. Joe writes the agent, somebody else writes the database, somebody else writes the handler. Tech support has everyday technical information, PR has "The right thing to say", and legal gets grumpy. So when the EU or US or whoever says they have to include something that sounds scary in the EULA, they will, even if the reality isn't scary.

    Edit:
    In support of the idea that everything has something that sounds scary somewhere in the legal document...
    Panda Cloud AV:
    "11.- GENERAL.- The licensee authorizes PANDA personnel to visit him/her in order to verify that the conditions of this license are met."
    They are allowed to come to my home?!
    "PANDA informs the licensee that the program or product uses data collection technology to collect technical information (including suspicious files)"
    So if they consider your encrypted RAR to be suspicious, they will collect it. Webroot doesn't even send the files themselves.

    Norton collects URLs, IPs and MAC addresses, and can send files automatically if they deem the need to do so.

    McAfee:
    "The Software and Service may also collect personally identifiable information (which may include sensitive data) stored in files on your computer."

    I guess it would make people happier if Webroot was more verbose and clear on what they do with what, but I try not to assume the worst. Reality is usually much more boring.
     
    Last edited: Oct 14, 2011
  16. PrevxHelp

    PrevxHelp Former Prevx Moderator

    Joined:
    Sep 14, 2008
    Posts:
    8,242
    Location:
    USA/UK
    Thank you for putting into words what I was failing to describe :thumb:

    This is exactly true - we are bound by several different international laws and therefore have to keep very tight control on what data we handle. The EULA has to legally state what the agent is reading but in no way are we trying to mine your private data. Not only would it be useless (we're an antimalware company looking to block malware), no server in the world could possibly cope with the volume of data from our millions of users. If this was some back-of-the-store homegrown "security software" which sent hundreds of megabytes of data up to the cloud to scan it then yes, I'd be suspicious as well and I wouldn't touch it with a 10ft pole but Webroot has over a dozen offices globally, employs hundreds of people, and is backed by some of the largest investment groups in the world.

    If you are concerned about the cloud communication in Webroot, you may as well just not use cloud based software... or conventional software (even checking for updates transmits your IP address, hostname, and various other personal pieces of information). For me, it's worth the privacy "risk" to save having to knock on a software manufacturer's door wearing a mask after driving up in a cab from a different city asking for a sealed disk of their latest update every few days :)
     
  17. fax

    fax Registered Member

    Joined:
    May 30, 2005
    Posts:
    3,731
    Location:
    localhost
    What is all this FUSS about privacy with WSA and about others that don't? Take PANDA, as part of their security toolbar they also collect IPs. It's perfectly normal and intended. If you do not trust your primary line of defense then don't use it and choose something you can feel comfortable with. :isay: o_O
     
  18. Thankful

    Thankful Savings Monitor

    Joined:
    Feb 28, 2005
    Posts:
    3,744
    Location:
    New York City
    The FUSS is I like to understand what will happen prior to purchasing software. I don't mind going back and forth with a software representative to understand what a piece of software will and won't do.
    I am suspicious of anything that suggests giving up privacy for extra security.
     
  19. fax

    fax Registered Member

    Joined:
    May 30, 2005
    Posts:
    3,731
    Location:
    localhost
    You have been given this answer multiple times. Even thinking WSA could harm your privacy is already an indication that you should stay away from this type of security tool.
     
  20. Jeroen1000

    Jeroen1000 Registered Member

    Joined:
    Aug 18, 2008
    Posts:
    162
    Well, yes exactly. I'm down with the "trust your security vendor" thing _but_ in the time we live, it seems privacy is becoming a big issue so I was just expressing my concerns.

    Would not everyone agree that detailed information about:

    - What is getting collected and transmitted
    - How, when, why
    - How it is stored, secured, processed
    -...

    would be useful information for those that care about it? And Fax, it is not as black and white as staying away from it or not. Some people just want to know the details of what happens with information gathered by security tools.

    And sorry for opening a can of worms. Some of those other license agreements are well...frightening:). Everyone has raised valid points but the crux of the issue, for me at least, is knowing what happens with my data.
     
  21. Thankful

    Thankful Savings Monitor

    Joined:
    Feb 28, 2005
    Posts:
    3,744
    Location:
    New York City
    If you would read the original poster's comments, you would see he and others are interested in blocking certain content from the cloud. The concern is not only mine. Please don't decide for me what software I should be using.
     
  22. fax

    fax Registered Member

    Joined:
    May 30, 2005
    Posts:
    3,731
    Location:
    localhost
    No reputable security vendor would be so crazy as to take this road intentionally. The risks far outweigh the benefits. These kinds of privacy concerns are more conceivable for other types of applications.
     
  23. Techfox1976

    Techfox1976 Registered Member

    Joined:
    Jul 22, 2010
    Posts:
    749
    Actually, there's a question. Where is the EULA on the web? Precise wording is often important.
     
  24. Jeroen1000

    Jeroen1000 Registered Member

    Joined:
    Aug 18, 2008
    Posts:
    162
  25. fax

    fax Registered Member

    Joined:
    May 30, 2005
    Posts:
    3,731
    Location:
    localhost
    Not at all, just underlining that privacy "paranoia" (no offense intended) has little if any reason to exist in this specific domain. Makes no business sense. :) Yes blocking the cloud... indeed... I can't recall how many times I have seen users using security tools to control other security tools. End results... less security and conflicts. Btw, this was discussed multiple times for PREVX in the past years. The result is that users that have this type of concern will hardly get convinced of the contrary. It all comes down to the detailed design of the software that no company will like to disclose for both competitiveness and security reasons.
     
    Last edited: Oct 14, 2011