Webroot SecureAnywhere Discussion & Update Thread

Discussion in 'other anti-virus software' started by Triple Helix, Jun 6, 2014.

  1. Muddy3

    Muddy3 Registered Member

    Joined:
    May 31, 2010
    Posts:
    410
    Location:
    Belgium
    I've just checked. subhrobhandari is right. Turning off any of the shields makes the System Tray icon go grey.

    By default, this disable option is protected by a CAPTCHA screen.

    However, TH, here’s something I’ve just noticed. When you turn any of the shields off, a red exclamation mark also appears over the Webroot system tray icon as a warning (which Mayahana refers to). With one exception: no red exclamation mark appears for the Realtime Shield, surely the most important one of all!? Surely it would be a good idea, when someone attempts to disable this shield, if Webroot added a red exclamation mark for this one too??

    Also, perhaps when attempting to disable shields, a flashing warning telling folk of the dangers of disabling these shields might be in order as well?
     
    Last edited: Dec 22, 2014
  2. Esse

    Esse Registered Member

    Joined:
    May 26, 2011
    Posts:
    414
    WSA is a great app, but you are right in your observation as far as I am concerned.
    This is the weak spot of WSA, using the users to whitelist apps with support tickets, this needs more attention from the developing team in the future.
    For us in here and admins in general this is nothing new, but to all the "non interested in in their antivirus product users" out there, they do not even know if a file is monitored.

    /E
     
  3. Mayahana

    Mayahana Banned

    Joined:
    Sep 13, 2014
    Posts:
    2,220
    All shields were active, the program was running in default settings. Nothing was changed. In fact my father in-law doesn't even know how to disable or change the settings.. The exclamation point was because a scan was waiting to be executed to implement malware removal. After I clicked 'run scan', the exclamation point went away. Logs seem to indicate WSA was functioning perfectly, and currently updated. It just failed to protect his machine.
     
  4. ProTruckDriver

    ProTruckDriver Registered Member

    Joined:
    Sep 18, 2008
    Posts:
    1,277
    Location:
    USN Retired 1969 ~ 1992
    I believe Webroot would be very interested in seeing the logs to this incident. Please send logs to WSA Support.
     
    Last edited: Dec 22, 2014
  5. Dragon1952

    Dragon1952 Registered Member

    Joined:
    Sep 16, 2012
    Posts:
    2,175
    Location:
    Hollow Earth - Telos
    Finally someone says what everyone was thinking that this Whitlisting Apps by users calling WSA and support tickets whole thing just does not work for most people who are not even aware of the whole... monitor, allow, and deny things that are going on.
     
  6. Frank the Perv

    Frank the Perv Banned

    Joined:
    Dec 16, 2005
    Posts:
    882
    Location:
    Virginia, USA

    This apparent gaping hole obviously needs attention.

    Thanks to Mayahana for pointing out the issue.

    Hopefully WSA will fix this so that "average user" won't get infected like this.
     
  7. Mayahana

    Mayahana Banned

    Joined:
    Sep 13, 2014
    Posts:
    2,220
    I'm arranging a TeamViewer session with him tonight to pull down logs, and move him to Forticlient. But before we make the move I need to get everything Webroot will need to help this along.
     
  8. ProTruckDriver

    ProTruckDriver Registered Member

    Joined:
    Sep 18, 2008
    Posts:
    1,277
    Location:
    USN Retired 1969 ~ 1992
    Thank you. :thumb:
     
  9. Victek

    Victek Registered Member

    Joined:
    Nov 30, 2007
    Posts:
    6,064
    Location:
    USA
    It would be good if we had some statistics to put this in perspective. The experience of a single user is anecdotal to say the least and deciding that WSA is a poor program based on that is hardly logical. I've been using WSA for years on all of my machines and have never had a single infection, pup or otherwise, but that is equally anecdotal and no broad conclusion can be drawn from it. No one here has any idea how I use my computers nor do we know how the person who's machine had pups on it used his.
     
    Last edited: Dec 22, 2014
  10. Mayahana

    Mayahana Banned

    Joined:
    Sep 13, 2014
    Posts:
    2,220
    I See you use WSA with a powerful HIPS/FW (Comodo), and MBAM. In retrospect, I should have had my father in-law on MBAM to compliment WSA. Nevertheless, I will pull everything down tonight if he permits me to connect. I want to do it before he tries to install something else, he's scared right now with the huge 'red' numbers MBAM and EEK had when they were scanning.. LOL!
     
  11. Muddy3

    Muddy3 Registered Member

    Joined:
    May 31, 2010
    Posts:
    410
    Location:
    Belgium
    I have it said to me from pretty high authority that, as a general rule, unknown journalled files are not a cause for concern:
    I then mentioned concerns expressed over here about files being journalled for several days or more and he replied:
    I thought it might be worth replicating over here what he said to me at Webroot Support. So there's my two cents worth...
     
  12. Triple Helix

    Triple Helix Specialist

    Joined:
    Nov 20, 2004
    Posts:
    12,991
    Location:
    Ontario, Canada
    @Mayahana if you Please when you hook up to your Father In-Law system can you download and run Webroot's Log Gathering Utility http://download.webroot.com/wsalogs.exe
    then contact Webroot Customer Service all with the same email address and put you username Mayahana in the Subject Line and then let them know that you uploaded WSAlogs and then let me know and I will get this ticket escalated to one of Webroot's Threat Researchers.

    Also this is not directed to you but everyone I'm asking for some info about [U ] files to get a clearer picture as far as I know not every [U ] file gets Monitored that's for sure so I will wait to reply about everyone's concern about [U ] files and about the need to report them or not.

    Thanks,

    Daniel
     
  13. Mayahana

    Mayahana Banned

    Joined:
    Sep 13, 2014
    Posts:
    2,220
    Ahh yes, nice log gathering program! I have him set for remote session at 8PM tonight.(EST)
     
  14. Triple Helix

    Triple Helix Specialist

    Joined:
    Nov 20, 2004
    Posts:
    12,991
    Location:
    Ontario, Canada
    Thank you they will probably look at it tomorrow after 8:00am MST if your doing it tonight again just let me know and I will let my contact know!

    Thanks again,

    Daniel
     
  15. Triple Helix

    Triple Helix Specialist

    Joined:
    Nov 20, 2004
    Posts:
    12,991
    Location:
    Ontario, Canada
    I'm waiting for more info as I find it not a concern and have not had any issues on 15 PC's and 1 Mac that I look after for the past 3+ years.

    Thanks,

    Daniel
     
  16. WRDanP

    WRDanP Webroot Threat Expert

    Joined:
    Dec 22, 2014
    Posts:
    3
    When it comes to Unknown [U ] files in Webroot SecureAnywhere there are a few things to take into consideration. With traditional AV software files are either Bad or Not Bad - they are either detected or they are not. With Webroot SecureAnywhere files can be Good, Bad, or Unknown - and there is nothing wrong with a file being Unknown. Unknown files should only be a concern if they are malicious files or in rare cases legitimate files that are causing issues due to being monitored. Since our focus is on identifying malware, whitelisting is a lower priority and the time it takes for a legitimate file to go from Unknown to Good will depend on many factors, and it is not uncommon for files to remain Unknown.

    If you have legitimate applications or files that you want whitelisted it is best to create a Support Ticket so that we can update our whitelists for that application. You can also Submit A File and choose Safe File or Monitored file in the Reason for Submission field.

    As far as monitoring, not all Unknown files are monitored - An Unknown file just sitting on disk is not going to be monitored, a file needs to be active in order to be monitored. There are several levels of monitoring depending on the behavior of the files. I can't really go into much detail on the different levels of monitoring, but generally files with higher monitoring type numbers are more suspicious than those with lower numbers.

    I hope that helps answer some of your questions!


    -Dan[/U]
     
    Last edited: Dec 22, 2014
  17. Triple Helix

    Triple Helix Specialist

    Joined:
    Nov 20, 2004
    Posts:
    12,991
    Location:
    Ontario, Canada
    Thanks Dan for coming by and posting this information it's much appreciated!

    Cheers,

    Daniel :)
     
  18. Victek

    Victek Registered Member

    Joined:
    Nov 30, 2007
    Posts:
    6,064
    Location:
    USA
    It would be helpful if you could say more about how WSA classifies files as legitimate. There are quite a few programs loosely categorized as PUPs (potentially unwanted programs) and I'd like to know where Webroot draws the line on whether or not to detect/remove them. Is there a specific list we can view? Is there a setting in WSA to enable greater sensitivity to detect and remove these programs? Post #849 describes a situation where apparently many PUPs were allowed to remain on a computer by WSA and I'd like to know whether or not that's typical?

    And by the way thanks for stopping by Wilders. I hope you will check in regularly.:thumb:
     
  19. SweX

    SweX Registered Member

    Joined:
    Apr 21, 2007
    Posts:
    6,429
    Welcome WRDanP :)
     
  20. Triple Helix

    Triple Helix Specialist

    Joined:
    Nov 20, 2004
    Posts:
    12,991
    Location:
    Ontario, Canada
    Well this is Webroot's Position on PUA's and from there Knowledge Base and nothing has changed since and here is an Idea that members can Kudo to get the Higher ups to look at more https://community.webroot.com/t5/Ideas-Exchange/Block-All-Bundled-Software/idi-p/156643 so do your part to get it added to the list of things to do.

    Thanks,

    Daniel :thumb:
     
  21. ProTruckDriver

    ProTruckDriver Registered Member

    Joined:
    Sep 18, 2008
    Posts:
    1,277
    Location:
    USN Retired 1969 ~ 1992
    Thanks Dan for the post and Welcome to Wilders. :)
     
  22. Mayahana

    Mayahana Banned

    Joined:
    Sep 13, 2014
    Posts:
    2,220
    I sent logs in with the log extractor.. Mayahana was on the subject of the email.. Here's a copy of the logs;

    https://www.amazon.com/clouddrive/share/zbHUtwBufRMXOA6lX_RxF70nQkyUdOEz_5dIWdjob1A

    MBAM log here;
    https://www.amazon.com/clouddrive/share/KV9Lpu9p-6r5J_oPrK1kYwuD9m17GDq4nRCTI4Rv1gk

    Emsisoft Emergency Kit Log here;
    https://www.amazon.com/clouddrive/share/KV9Lpu9p-6r5J_oPrK1kYwuD9m17GDq4nRCTI4Rv1gk

    It's pretty grim, his machine was horrendously infected.. I just put Forticlient on there for him, even though he has 3 months left on WSA, he's not confident enough in it to keep using it at this time.

    ChicaPC-Shield 1.75.0.1300
    Database version: v2014.12.21.03

    Windows 7 Service Pack 1 x64 NTFS
    Internet Explorer 11.0.9600.17501
    12/21/2014 11:59:30 AM
    cpcs-log-2014-12-21 (11-59-30).txt

    Scan type: Basic scan
    Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
    Scan options disabled: P2P
    Objects scanned: 300919
    Time elapsed: 4 minute(s), 31 second(s)
    Memory Processes Infected: 2
    Memory Modules Infected: 5
    Registry Keys Infected: 59
    Registry Values Infected: 10
    Registry Data Items Infected: 0
    Folders Infected: 31
    Files Infected: 132

    (end)
     
  23. Charyb

    Charyb Registered Member

    Joined:
    Jan 16, 2013
    Posts:
    674
    It looks like to me that all these detections by MBAM are RadioRage related which is labeled as a PUP. How did it get there? In one post you mentioned that you installed WSA on relatives 'clicker' machines.

    When a PUP ends up on a machine, it seems that nobody ever knows how it got there. Has there been any other software installed with the same installation date?

    https://www.wilderssecurity.com/threads/is-webroot-an-antivirus.371185/#post-2436384

    Your link to EEK is incorrect.
     
    Last edited: Dec 23, 2014
  24. subhrobhandari

    subhrobhandari Registered Member

    Joined:
    Nov 6, 2009
    Posts:
    779
    Just something I found, in your tasks its showing autokms in the startup, as far as I know its used for cracked office and sometimes bundled with pirated windows. Could it be what was bundled with pup? Also in the WRLog.log the entries are only since yesterday, where it should be since the installation.
     
  25. Rakanisheu

    Rakanisheu Guest

    To comment on the MBAM logs, this is one of the issue we run into. MBAM logs will show every component of a single detection as a infection. So in your case the 132 files infected. It is for one detection Radiorage (and a few mindspark), Webroot will just show one detection as we group all its components (reg entries,files,paths etc) as all part of the one one infection. I am not saying its misleading but it can cause confusion i.e Why is MBAM showing 50+ detections while WSA only shows 1? We have all that behaviour stored (journalled) and we use it to roll back.

    Every single detection in that MBAM log is for a PUA/PUP software and none of them are malicious. This PC was not infected (from looking at the MBAM logs)with anything malicious and wasn't horribly infected.

    As for Radiorage itself I am not familiar with it however I don't remember seeing any support tickets about it either. I am off for the holidays but I will test it when I get back in. I will ask one of my colleagues to test it while I am off.
     
  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.