Webroot SecureAnywhere v8 corrupts files

Discussion in 'other anti-virus software' started by qakbot, Sep 23, 2012.

Thread Status:
Not open for further replies.
  1. qakbot

    qakbot Registered Member

    Joined:
    Aug 25, 2010
    Posts:
    380
    If a piece of malware modifies certain files, Webroot tracks those modifications so that it can roll them back later when that malware is detected. They make a huge deal about this in their youtube video. However, it does a pretty poor job of this and in the process corrupts files.

    Here is the scenario:

    Original file contains: abcd
    Malware adds a string in the middle: abXYZcd
    Legitimate applications adds a string at the end: abXYZcdefg
    Malware is detected through cloud analysis or through the addition of a definition. As part of its much publicized cleanup, Webroot will attempt to rollback changes. It modifies the file to the state it was BEFORE the malicious modification is made. In the above example, it changes the file to contain "abcd". In the process it lost the other changes "defg" and corrupted the file.
     
    Last edited: Sep 23, 2012
  2. PrevxHelp

    PrevxHelp Former Prevx Moderator

    Joined:
    Sep 14, 2008
    Posts:
    8,242
    Location:
    USA/UK
    I don't see how this is a "poor job". The likelihood of a legitimate application modifying a legitimate file modified by a malicious file after the malicious file modified it is infinitesimal, and in our eyes, should be undone anyway as it would be a modification on top of the "dirty" state of the file. And, if it doesn't do so to your satisfaction, you can just undo the changes in the WSA quarantine feature. Rollback allows you to undo changes made by all types of malware, from ransomware infections to conventional malware which creates traces across the system.
     
  3. Baldrick

    Baldrick Registered Member

    Joined:
    May 11, 2002
    Posts:
    2,301
    Location:
    South Wales, UK
    Looks to me that WSA has done as advertised...the key being "...the state it was BEFORE the malicious modification is made" which was: abcd. Surely undoing so that you end up with: abcdefg, as you are suggesting is NOT undoing but removing the 'damage' caused by the malware from the CURRENT state...and Webroot have never suggested that it can or would do that as that would not...in my eyes...constitute what I understand as ROLLBACK.

    Just my halfpenny...for what it is worth.
     
  4. Victek

    Victek Registered Member

    Joined:
    Nov 30, 2007
    Posts:
    5,129
    Location:
    USA
    Once a file is corrupted by malware what do you think should be done with it? Is it realistic for any anti-malware program to parse a file corrupted by malware and try to determine if any of the changes were made by a legitimate program after the file was infected? Can any program do that? Usually when a file is corrupted all that can be done is to replace it with a clean copy and start over. If WSA can do that automatically that's a real benefit - much easier than running System File Checker or doing whatever else is necessary to get back to a clean state.
     
  5. Baldrick

    Baldrick Registered Member

    Joined:
    May 11, 2002
    Posts:
    2,301
    Location:
    South Wales, UK
    :thumb: x 100 :D
     
  6. Taliscicero

    Taliscicero Registered Member

    Joined:
    Feb 7, 2008
    Posts:
    1,439
    I think you misunderstand him, let's say you are a writer, and keep your scripts in a text file. It gets infected but nothing really happens to your story. You keep writing for a month and saving. Webroot then detects the infection and rolls back your file. Say good-bye to your story.
     
  7. Victek

    Victek Registered Member

    Joined:
    Nov 30, 2007
    Posts:
    5,129
    Location:
    USA
    I didn't misunderstand him. It is possible, as you describe, for there to be consequences for rolling back a file and losing legitimate changes. My question is what do you want an anti-malware program to do when detecting an infected file? As PrevxHelp has already stated the roll-back changes can be undone in the WSA quarantine section. Since that's the case I think automatically rolling back the file to a clean copy is desirable. I would much rather have the system cleaned immediately and figure out afterward if there were unintended consequences that need to be reversed.
     
  8. Baldrick

    Baldrick Registered Member

    Joined:
    May 11, 2002
    Posts:
    2,301
    Location:
    South Wales, UK
    Also I believe that your timescales re. the example are skewed. WSA will not take a month to detect the infection. I would be very surprised if the infection was not identified within a few hours, if not in fact minutes, after it has happened, etc.

    And in those timescales I would agree with Victek...I would prefer "...automatically rolling back the file to a clean copy is desirable. I would much rather have the system cleaned immediately and figure out afterward...".

    As ever...just my halfpenny's worth...for what it is worth.
     
  9. Taliscicero

    Taliscicero Registered Member

    Joined:
    Feb 7, 2008
    Posts:
    1,439
    I create a RAT for you, with its own crypto. You may never find its on there until years later.
     
  10. Baldrick

    Baldrick Registered Member

    Joined:
    May 11, 2002
    Posts:
    2,301
    Location:
    South Wales, UK
    You may be right and then you may not be. The point is, as far as I am concerned is that if it just sits on the hard drive doing nothing...I do not care...but I am sure that the moment it executes WSA will spot it, swing into action, and shortly afterwards 'do it's thing'. You may not quite understand how WSA works.
     
    Last edited: Sep 23, 2012
  11. fax

    fax Registered Member

    Joined:
    May 30, 2005
    Posts:
    3,731
    Location:
    localhost
    Thats the essence... only act when needed not to waste resources without a reason. :)
     
Loading...
Thread Status:
Not open for further replies.