threat overview screen and privacy question

Well, I would just be happy if I could get the software to ignore my sensitive files, preferably also based on the extension of said files.
I understand no company is going to spell it out if this poses risks to their competitiveness. It would just have been nice to know.

Every know and then a "paranoid" user comes along and just has to ask this

edit: do note that here in Europe (at least in my country) every company must provide all data they have on you when asked. Every single bit. Just wanted to mention this.

 

There should be no harm asking about privacy concerns. To their credit, Webroot reps certainly aren't avoiding the questions.

 

Yes, but there must be a serious issue behind. Such as cases of crime, terrorism, fraud, etc...

 

I'd have to look it up again, but I believe you are mistaken. You have the right to view this information on simply written request (in Belgium ). There was a documentary on this a while back on tv. I can't remember its name atm...

 

...and this is remarkable! If you look to some historic posts on prevx privacy issues you will see several pages of posts and contribution by them, impressive

To explain how they use the information they will need to disclose in detail how their heuristics works and this is not likely to happen any time soon

Written request by whom? I happen to be in Belgium right now
That cannot be, I can send a request to my competitor and ask for a list of all his clients ... unless you refer to citizens calling upon disclose of information in European Public Institutions.

This discussion is getting too localised, there may be privacy issues!

 

So, I'll go by example because we might be talking past each other.

Let's just say I use the member card for a big warehouse (Carrefour, Colruyt, ...). Then I, the card holder, have the right to obtain all information they have related to ME and not to anyone else.

So I, the card holder, must write to Carrefour and Colruyt asking to obtain this information.

 

Ok, yes... because those supermarkets may disclose your shopping list to third party companies and you have the right to know what is been released. But you can't get my shopping list from them.

 

Nope, I can only ask (read: obtain) information that concerns myself. Moreover, we have the right to ask its partial or total removal/destruction. We are getting well off topic here so I'll leave it as this. I'm just hinting that Webroot will have to comply with the law in every country it sells its products.

And in some countries privacy laws are very tight

 

Okay, got the details.

No file contents go up, just hashes, behavioral, lists, and "relativity" goes up.

Hashes are just stuff like the MD5s of the files.

Behavioral means, for example, if an unknown program creates a run key, that is noted about it.

Lists and relativity is sent, but immediately divorced from any identifiable data, pooled, and then conglomerated. So, for example, you have a list of file names in the temporary internet files is sent, but not attached to your IP or key code. The list goes into a big bucket for that list, then the bucket is squished down to "1x1.gif was seen 928,293 times" and so on.

Security for things that people could be worried about is provided by hashing or reduction. So the original data is lost. "Out of 7000 people who had this infection, most of them went to a web site identified by <hash>." It's count, so you can't even say WHO had the infection, just that 7000 people had it.

The data being sent up (and received back) is encrypted. It is received by an unknown one of lots (99+) of load balancing machines and then mangled, condensed, and counted, with some unknown items being queried further in.

No file contents are sent at all which means that documents, encrypted or not, will never touch the cloud. The closest possibility is that their hash and filename could reach it -if- something tries to load them into memory and then get the CPU to try to run them (which in most cases would crash the process).

The observation was: "No End User License Agreement can have a person allow a company to break the law." The main thing in this case is that the user is 'releasing' this data specifically for the program and security, so extracurricular activities with the data is right out of the question.

From an intrusion standpoint, none of the limited data that is left is identifiable based on entry into any one system and indexing specifics limit searchability. Any attempt to construct a search that would be able to piece together data based on following breadcrumbs would end up having to walk the whole list of billions of data points which would be prohibitive.

Even the information that internal employees have access to is limited simply by its condensed nature and search limitations. It's great for malware research, but that's it.

Meh. Given that Webroot was the first company ever to push back against spy cookies, I guess it's reasonable that they would have no interest in doing evil things.

I'll take a peek at the specific questions earlier in the thread and see if I can find anything about them.

 

It already does natively. The agent is only interested in machine code.

It's also already trivial and somewhat common (especially in APT's) for a scout infection to monitor what gets scanned and specifically watch for "ignored" file areas. The practice of ignoring specific locations is very common amongst advanced users and so creates a perfect hiding place for stealthy malware that prefers advanced users' systems. Since the WSA agent already ignores non-code files in non-"common" locations, the need to specifically exclude is removed, but it does watch the entire files system, so if one of those non-code files is suddenly loaded and attempts to execute, it's checked.

 

I have to say Techfox1976's observations are enlightening so thanks for sharing those.

To those worried about the sharing of IP addresses et al, it has to be remembered that conventional AVs have always gathered some of that info. For example, when downloading signature files you're connecting to their server so it's obvious they're going to see the IP address otherwise the update isn't going to work.

Kaspersky has a very detailed EULA in relation to KSN, their cloud-based service. There are phrases in that which may scare some people [if they bother to read it!]. Panda, as mentioned earlier, has some similar statements in their EULA, including reference to visitation. But I think they, and others, have to do this from a legal standpoint to cover as many jurisdictions as possible.

I really don't think we have anything to worry about in WSA's case.

 

Techfox1976 's explanation is great. Thanks for this! I'm sure there is nothing to worry about but I am glad I asked. 1 thing that might be of interest is that for some uses, it has to be made sure that *no* sensitive files are even scanned or looked at.
For instance people like lawyers or doctors may be required by law (or it may be a demand from their "paranoid" clients) to use software that complies with it.

Or for me, I would just want to make double sure things like a password database file would not be scanned (imagine that WSA deletes it by accident for instance - something a fair few vendors managed with critical Windows files). I understand it probably won't ever be scanned judging from the above information, but really being able to exclude it takes preference over "probably".

In light of this discussion, I feel that would be a fair feature to ask for?

 

We are planning on implementing the ability to exclude files/folders but there are substantial security risks associated with it - all that malware has to do is find out what folders the user is excluding and hide in there or socially engineer an unsuspecting user to exclude all folders or some key folder that an attacker is using to drop malware onto the system.

We're always very concerned about techniques like these. Additionally, file extensions can never be trusted as any file can be renamed to any other name and can still be parsed by the original program (I honestly can't understand why any AV offers scanning/excluding by file extension today).

So, while we've definitely received a great deal of requests for this feature, the security of our users has to come first. I'm sure we'll find a solution that fits both cases (possibly by using the PC Security Console so no configuration is held locally) but if you have any suggestions, please let me know!