Why did Webroot miss infected files?

Discussion in 'other anti-virus software' started by Drifter104, Aug 18, 2014.

Thread Status:
Not open for further replies.
  1. Triple Helix

    Triple Helix Specialist

    Joined:
    Nov 20, 2004
    Posts:
    13,037
    Location:
    Ontario, Canada
    And don't forget [ U] Unknown then Journaling starts and in 99% of the cases it will rollback to a pre-infection state once detection is added.

    Daniel ;)
     
  2. Drifter104

    Drifter104 Registered Member

    Joined:
    Mar 25, 2010
    Posts:
    12
    So the response I had from Webroot was that, as it wasn't active, Webroot just ignored it.

    However something about this bugged me....

    It turns out the kb..... .exe file was previously marked as infected back in June (something I didn't know till today) but the actual file was left behind. On the basis it was no longer active I could understand this, but I came up with a little test and before I tried it based on what webroot told me I thought I knew what would happen.

    I disabled the other AV and then restored the kb.... .exe file from the other AV quarantine. I thought Webroot would simply ignore it (well, take no action anyway, as it wasn't executed) like it had been doing. I was wrong: as soon as the file was created (restored) in the temp folder, Webroot found it and quarantined it. So either Webroot does detect files that aren't active, or the restoring of the file prompted it to execute; if it was executed by the restore, then surely when it was first created it should have been cleaned/quarantined for the same reason.
     
  3. fax

    fax Registered Member

    Joined:
    May 30, 2005
    Posts:
    3,899
    Location:
    localhost
    Many explanations... for example, at the time of the dropping there was no signature in WSA for that specific file and WSA acted only by behaviour (removing active elements? or doing nothing because there was no infection?), or possibly the user temporarily disabled WSA while doing something (i.e. infecting himself) and then activated WSA again, so WSA could not see the live dropping of the file but only the active components? And many other explanations are possible...

    The main point is, the user was not actively infected (i.e. otherwise it would not operate the system at all due to the type of malware :) ). So WSA did its job.

    I would suggest you add a policy not to allow WSA to be shutdown...
     
  4. Triple Helix

    Triple Helix Specialist

    Joined:
    Nov 20, 2004
    Posts:
    13,037
    Location:
    Ontario, Canada
    Right and see this Thread and notice what the Webroot Threat Researcher Rakanisheu has to say! https://community.webroot.com/t5/We...-does-Webroot-detect-Malware/m-p/141053#M8271

    TH :)
     
    Last edited: Aug 21, 2014
  5. Drifter104

    Drifter104 Registered Member

    Joined:
    Mar 25, 2010
    Posts:
    12
    Thanks again Fax.

    I wasn't here back in June so I can't say either way on those possible reasons, but they are possible reasons, which is what I was looking for. I need to get used to the Webroot way of classifying and reactive action a little more, I think, as it just differs enough to raise that question with me at the moment. That said, I know enough now to be more confident about the product.
     
  6. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,441
    Actually the ransomware (Filecoder) was run on that computer, otherwise ESET wouldn't have detected files with instructions how to obtain a decoder for encrypted files. These files are created by Filecoders after they've successfully encrypted files in a particular folder.
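    Marcos's point is that the ransom-note files are themselves forensic evidence: a Filecoder writes them into each folder it has finished encrypting, so a folder holding a note next to a cluster of files that all carry one new extension is a strong indicator that the malware ran, even if its executable has since been removed. The script below is an added illustration of that detection heuristic for an incident responder, not code from the thread, from Webroot or from ESET; the note-name patterns, the ".locked" extension and the sample folder layout are all constructed assumptions, since the thread names none of them.

```python
import os
import re
import tempfile
from collections import Counter
from pathlib import Path

# Constructed name patterns for ransom-note files (assumption: the thread names no real ones).
NOTE_PATTERNS = [
    re.compile(r"(how|what)[_\s-]*to[_\s-]*(decrypt|restore|recover)", re.I),
    re.compile(r"decrypt[_\s-]*(instructions?|files?)", re.I),
    re.compile(r"readme.*(decrypt|encrypted)", re.I),
]


def looks_like_ransom_note(name: str) -> bool:
    """True when a file name matches one of the constructed ransom-note patterns."""
    return any(p.search(name) for p in NOTE_PATTERNS)


def dominant_extension(files):
    """Return (extension, share) for the most common extension among the given names."""
    exts = Counter(Path(f).suffix.lower() for f in files)
    if not exts:
        return ("", 0.0)
    ext, n = exts.most_common(1)[0]
    return (ext, n / len(files))


def scan_tree(root, min_files=5, min_share=0.8):
    """Walk root and flag folders where a ransom note sits beside a cluster of
    same-extension files, the pattern Marcos describes for a folder a Filecoder
    has finished with. Thresholds are tunable assumptions."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        notes = [f for f in files if looks_like_ransom_note(f)]
        others = [f for f in files if f not in notes]
        ext, share = dominant_extension(others)
        if notes and len(others) >= min_files and share >= min_share:
            findings.append({
                "folder": Path(dirpath).name,
                "notes": sorted(notes),
                "extension": ext,
                "files": len(others),
            })
    return findings


def build_sample_tree(base):
    """Constructed sample layout (not real data): one encrypted folder, one clean one."""
    hit = Path(base) / "Documents"
    hit.mkdir()
    for i in range(6):
        (hit / f"report{i}.docx.locked").write_bytes(b"\x00")
    (hit / "HOW_TO_DECRYPT_FILES.txt").write_text("constructed note")
    clean = Path(base) / "Pictures"
    clean.mkdir()
    for i in range(6):
        (clean / f"img{i}.jpg").write_bytes(b"\xff\xd8")
    (clean / "readme.txt").write_text("vacation")  # ordinary readme, must not match
    return base


def run_demo():
    """Build the constructed tree in a temp dir and return the scan findings."""
    with tempfile.TemporaryDirectory() as tmp:
        return scan_tree(build_sample_tree(tmp))


if __name__ == "__main__":
    for finding in run_demo():
        print(finding)
```

    Run against a real mounted volume it reports only folders that show both signals at once, which keeps a lone "readme.txt" or a folder of genuine ".jpg" files from being flagged; the output tells you where encryption completed, which is the same inference Marcos draws from the presence of the instruction files.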
     