Webroot Rollback Feature?

Discussion in 'other anti-virus software' started by ttomm1946, Sep 26, 2014.

  1. ttomm1946

    ttomm1946 Registered Member

    Joined:
    Jul 23, 2014
    Posts:
    111
    I'm confused... Since it rolls back changes made by malware... does it make traditional anti-virus programs obsolete? o_O

    It's my only protection right now?

    :confused:
     
  2. Mayahana

    Mayahana Banned

    Joined:
    Sep 13, 2014
    Posts:
    2,220
    Short answer: Webroot doesn't make AV's obsolete, otherwise we'd all run it.
     
  3. Baldrick

    Baldrick Registered Member

    Joined:
    May 11, 2002
    Posts:
    2,299
    Location:
    South Wales, UK
    Whilst it may not make other AVs obsolete, it provides much better protection than most other AVs...and interestingly enough a number of other AV producers are starting to copy some of the key WSA features, such as the rollback, amongst others.
     
  4. Thankful

    Thankful Savings Monitor

    Joined:
    Feb 28, 2005
    Posts:
    3,731
    Location:
    New York City
    That's hard to prove since it doesn't appear in independent tests anymore. There may be some scenario(s) where the rollback/identity shield doesn't work.
     
  5. ttomm1946

    ttomm1946 Registered Member

    Joined:
    Jul 23, 2014
    Posts:
    111
    I saw the Malware Dr. do a rollback test..Seemed to roll back everything.....He never liked it the first time he tested it but the rollback appeared to work ok..Maybe I should add something else for good measure? :)
     
  6. Mayahana

    Mayahana Banned

    Joined:
    Sep 13, 2014
    Posts:
    2,220
    PCMag tested it, and found it 81% in detecting/stopping Malware if I recall. That was actually at the lower end of the products he tested.
     
  7. Triple Helix

    Triple Helix Webroot Product Advisor

    Joined:
    Nov 20, 2004
    Posts:
    12,011
    Location:
    Ontario, Canada
  8. vojta

    vojta Registered Member

    Joined:
    Feb 26, 2010
    Posts:
    830
    I spent 10 seconds doing a Google search for "PCMag test Webroot 2014", something that you could have done before writing that post:

    http://www.pcmag.com/article2/0,2817,2425546,00.asp

    "Webroot earned a very good malware cleanup score.. It detected 89 percent of the samples, a new high detection rate among products tested with this same malware collection."
     
  9. Behold Eck

    Behold Eck Registered Member

    Joined:
    Aug 23, 2013
    Posts:
    437
    Location:
    The Outer Limits
    Probably the same test I saw over at Malwaretips in different parts that specifically tested the rollback feature and it worked.

    Regards Eck:)
     
  10. Baldrick

    Baldrick Registered Member

    Joined:
    May 11, 2002
    Posts:
    2,299
    Location:
    South Wales, UK
    I think that part of the issue is that the approach is far from traditional and therefore current tests are not able to fairly judge the efficiency of the approach, but as I stated before other vendors, such as Panda, are now claiming to employ the approach...so perhaps in future the tests will need to take this approach into consideration. After all, is one way to rid yourself of an infection not to apply an image of the system prior to the infection? What the rollback feature does is to effectively do the same thing, only very selectively to the files damaged by the infection.

    The other thing that one needs to bear in mind re. WSA is the philosophy that inert or inactive malware is NOT a threat...and that only when active/attempting to execute its malicious intent is it a threat...so that will colour/bias the current tests against WSA.

    Anyway, this is just my view...but I am cool with it and with using WSA as my primary layer of defense against the nasties...:)

    Regards, Baldrick
     
  11. Muddy3

    Muddy3 Registered Member

    Joined:
    May 31, 2010
    Posts:
    243
    Location:
    Belgium
    I completely agree that these two features (which incidentally I consider to be among the strongest and most positive of Webroot's features), because they are not currently able to be taken account of in tests by major AV testing organisations, unfortunately negatively and strongly distort Webroot’s test results.


    My personal experience of Webroot is actually quite the opposite of results we see in tests.
     
  12. Esse

    Esse Registered Member

    Joined:
    May 26, 2011
    Posts:
    383
    WSA is great in protection, as far as I am concerned anyway.
    The only thing I have against WSA is that before the rollback feature kicks in, the file has been "Monitored" for some time.
    This "time" can go on for months if you do not contact WSA support with a sample of the file.
    If you have legit apps that are not widely used there can be faulty installations because of the "Monitor" feature.
    Sure, we can contact support some will say, but if it is people not like us here in Wilders, interested in these kinds of software, they do not even know what a "Monitored" file is?

    What I wish for is that when the cloud detects these files and they are not resolved with automated features, a manual check should be done.
    But with the amount of new files occurring, maybe this is not possible.

    /E
     
    Last edited: Sep 29, 2014
  13. FleischmannTV

    FleischmannTV Registered Member

    Joined:
    Apr 7, 2013
    Posts:
    1,069
    Location:
    Germany
    In my opinion there might be scenarios where journaling could be circumvented. Please bear in mind that I am not too familiar with how it works exactly, so I could be wrong.

    Lately we've been seeing attacks where malware is simply a .dll loaded inside the browser process after a successful exploit. Malicious actions are then performed by the browser itself and not a new process. I wonder if journaling is able to track and undo malicious actions of an "allowed" process. From my understanding it does not. Further this could be used to create an autorun registry key and then establish a permanent infection, like Win32/Poweliks, which is again not a new process but a parent-less dllhost.exe process, which might be "allowed" as well.

    I am really curious if journaling would be of any use in this scenario.
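    The two mechanisms debated above (selective restore of files a process damaged, from post 10, and the gap when the writer is an already "allowed" process, from this post) are easiest to see in a toy model. The following is an added illustration, not Webroot's code and not a description of how WSA is actually implemented: it assumes every file write can be attributed to a process that is either "monitored" (unknown) or "allowed" (trusted), that the pre-change contents of files touched by a monitored process are saved before the write, and that rollback restores those copies and deletes files the monitored process created. Process names and file contents are constructed for the demo.

```python
"""Toy per-process change journal with rollback (illustration only, not WSA's design)."""
import os
import shutil
import tempfile


class Journal:
    """Records the pre-change state of files touched by monitored processes.

    entries maps process name -> {path: original bytes, or None if the file did not exist}.
    """

    def __init__(self):
        self.entries = {}

    def write(self, process, trust, path, data):
        """Simulate a file write attributed to `process`.

        Only writes by a "monitored" process are journaled; writes by an
        "allowed" process pass straight through, which is the gap raised in
        post 13 (code running inside a trusted browser process).
        """
        if trust == "monitored":
            log = self.entries.setdefault(process, {})
            if path not in log:  # keep only the oldest pre-change copy
                if os.path.exists(path):
                    with open(path, "rb") as f:
                        log[path] = f.read()
                else:
                    log[path] = None
        with open(path, "wb") as f:
            f.write(data)

    def rollback(self, process):
        """Undo every journaled change by `process`; returns the number of paths restored."""
        log = self.entries.pop(process, {})
        for path, original in log.items():
            if original is None:
                if os.path.exists(path):
                    os.remove(path)  # file was created by the process: delete it
            else:
                with open(path, "wb") as f:
                    f.write(original)  # file was modified: restore the saved copy
        return len(log)


def run_demo():
    """Constructed scenario: one monitored and one allowed process, then rollback."""
    tmp = tempfile.mkdtemp()
    notes = os.path.join(tmp, "notes.txt")
    report = os.path.join(tmp, "report.txt")
    dropped = os.path.join(tmp, "dropped.dat")
    with open(notes, "wb") as f:
        f.write(b"original notes")
    with open(report, "wb") as f:
        f.write(b"original report")

    j = Journal()
    # Unknown program (hypothetical name): every write is journaled.
    j.write("unknown.exe", "monitored", notes, b"overwritten by monitored process")
    j.write("unknown.exe", "monitored", dropped, b"new file created by monitored process")
    # Trusted program (hypothetical name): its writes are not journaled at all.
    j.write("browser.exe", "allowed", report, b"overwritten by allowed process")

    restored = j.rollback("unknown.exe")
    with open(notes, "rb") as f:
        notes_after = f.read()
    with open(report, "rb") as f:
        report_after = f.read()
    result = {
        "restored": restored,                    # 2 paths undone
        "notes": notes_after,                    # back to b"original notes"
        "dropped_exists": os.path.exists(dropped),  # False: created file removed
        "report": report_after,                  # unchanged damage from the allowed process
        "allowed_rollback": j.rollback("browser.exe"),  # 0: nothing was journaled
    }
    shutil.rmtree(tmp)
    return result


if __name__ == "__main__":
    print(run_demo())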
     
  14. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    8,010
    Location:
    The Netherlands
    I must say that this "rollback" feature looks kinda cool. :)

    @ FleischmannTV

    I would sure like to know a bit more about this malware. I still do not understand completely how "memory-only" malware operates, can a hacker really control the system without starting a new process and without code-injection into other processes? I highly doubt that. Also, a browser should be restricted by HIPS to prevent any damage, but that may be hard to do if the malware is running inside memory only.
     
  15. Triple Helix

    Triple Helix Webroot Product Advisor

    Joined:
    Nov 20, 2004
    Posts:
    12,011
    Location:
    Ontario, Canada
    I'm asking one of Webroot's Threat Researchers and hopefully I can get a quote on this!

    Thanks,

    Daniel ;)
     
  16. qakbot

    qakbot Registered Member

    Joined:
    Aug 25, 2010
    Posts:
    380
    If it's using its own driver, then likely any changes from kernel rootkits will be or can be made invisible to it, especially if they are using SCSI IOCTLs and other low level techniques.

    If they are using NTFS journaling, then obviously this doesn't work on non-NTFS systems.

    Overall, I would depend too heavily on rollback features in Webroot.
     
  17. Muddy3

    Muddy3 Registered Member

    Joined:
    May 31, 2010
    Posts:
    243
    Location:
    Belgium
    Any update on this yet?
     
  18. Triple Helix

    Triple Helix Webroot Product Advisor

    Joined:
    Nov 20, 2004
    Posts:
    12,011
    Location:
    Ontario, Canada
    Not at this Point I will ping them again!

    Thanks,

    Daniel
     
  19. EraserHW

    EraserHW Malware Expert

    Joined:
    Oct 19, 2005
    Posts:
    588
    Location:
    Italy
    Using SCSI IOCTLs to encrypt files and thus working at file system level? Then I'd definitely clap my hands, the malware absolutely deserves to encrypt your files :D ;)
     
  20. Triple Helix

    Triple Helix Webroot Product Advisor

    Joined:
    Nov 20, 2004
    Posts:
    12,011
    Location:
    Ontario, Canada
    Thank you Marco stay well my friend!

    Daniel ;)
     
  21. qakbot

    qakbot Registered Member

    Joined:
    Aug 25, 2010
    Posts:
    380
    Yeah, some versions of Tidserv, ZeroAccess. But you don't even need to go that far, any kernel-mode malware using directed I/O with an altitude below Webroot's file system driver will bypass its rollback.

    There are some good features in Webroot, but also A LOT of hype.
     
  22. fax

    fax Registered Member

    Joined:
    May 30, 2005
    Posts:
    3,723
    Location:
    localhost
    uuuhm, you need first to go down to kernel and luckily webroot is not only composed of a rollback feature... lol.
     
  23. EraserHW

    EraserHW Malware Expert

    Joined:
    Oct 19, 2005
    Posts:
    588
    Location:
    Italy
    I think you're confusing direct I/O when overwriting specific sectors with file activities ;)
     
  24. qakbot

    qakbot Registered Member

    Joined:
    Aug 25, 2010
    Posts:
    380
    I didn't say they were the same thing. Please read my post. I said "But you don't need to go that far". Direct I/O and IOCTLs are two different approaches, and neither will be rolled back by Webroot. :)
     
  25. qakbot

    qakbot Registered Member

    Joined:
    Aug 25, 2010
    Posts:
    380
    So Rollback (which has lots of limitations) is compensated by Good Detection? :) But Webroot has Poor detection, which they say is compensated by great rollback. Both rollback and detection are not that great.