Why WSA just won't work for some.

Discussion in 'Prevx Releases' started by trjam, Apr 24, 2012.

Thread Status:
Not open for further replies.
  1. trjam

    trjam Registered Member (Joined: Aug 18, 2006; Posts: 9,057; Location: North Carolina)
    I decided to do a test, based on my 2 teenagers using WSA. What I thought would happen, did. The few times my son actually got a hit, he clicked Allow instead of Block. When it asked to run a scan to do a removal, he passed on that and kept surfing. Still ok, because the tray icon was showing an infection that still needed to be dealt with.

    Both computers are set to scan once a week. On rebooting his, I was a little shocked to say the least because the tray icon came up as normal. No scan had been performed. So to me it looked as if everything was ok, when in reality I knew it wasn't.

    I ran a scan with MBAM and the trojan file was still there and also in memory. Now WSA would eventually re-discover this infection and clean it on a subsequent scan, but in my case that would be a week later based on my choice and the choice WSA offers. To me, that isn't good. The other thing is, nowhere in WSA did it retain a record of the detection before the reboot. So even if I were to check his computer, and no scan had been run, there still should be some evidence of a detection being previously made and in reality, that it still needed to be cleaned.


    Of course none of this would happen to any of you because, for one, you are not a mindless teenager. But there are quite a few owners of this product that might have this happen. WSA needs to ensure it is dummy-fied. Meaning it has the brain, not the user. It needs to make the choice and act on it just as all AV products do if you choose for them to.

    WSA is a great product but I look at it like, in the above scenario, who is going to get the blame from me. Correct, WSA because it didn't do what I thought it should do, but the reality is, it is my son I should be blaming for not having some common sense.
     
  2. kupo

    kupo Registered Member (Joined: Jan 25, 2011; Posts: 1,122)
    Maybe, as you said, they haven't thought of all kinds of events that a user might go through :D. It would be corrected soon though, as based on WSA support here, they act fast.
     
  3. fax

    fax Registered Member (Joined: May 30, 2005; Posts: 3,731; Location: localhost)
    Maybe an option (tick box) should be envisaged not to allow WSA tasks to be postponed or canceled. This could be linked to the password protection to avoid users UNticking it.
     
  4. STV0726

    STV0726 Registered Member (Joined: Jul 29, 2010; Posts: 900)
    I highly suggested directly to Joe to make a new option in Access Control to prohibit non-administrators from canceling a cleanup scan, since it has an adverse effect on WSA's performance...

    ...He agreed there should be a prompt if you try and cancel (which to his credit was added in the next public build) but I still feel there should be a way to flat out stop people from canceling it.

    Also, if you have WSA set to the defaults (I'm pretty sure) isn't it set to automatically handle threats and then your son shouldn't even get the allow vs block prompt? If it is still prompting him even with the automatic settings checked then that's bad.

    Going further, if for some reason the auto settings still really need to prompt on some occasions currently then that should be fixed so they do NOT as that is a security risk. The whole purpose of the automatic mode is to eliminate the error-prone human element in PC security. If WSA's auto modes are still prompting AT ALL, that defeats the purpose, ESPECIALLY if they are giving non-admins an option to allow a detection. That's a no-no!
     
    Last edited: Apr 24, 2012
  5. trjam

    trjam Registered Member (Joined: Aug 18, 2006; Posts: 9,057; Location: North Carolina)
    I had it ticked to automatically handle threats and still got the Block or Allow box on the top left of the screen.
     
  6. 1000db

    1000db Registered Member (Joined: Jan 9, 2009; Posts: 718; Location: Missouri)
    If you know the file to be safe or a part of a safe and known application, in this case the detection is a false positive and you would want a way to cancel the clean-up. I agree that in automatic mode (or whatever it's called in WSA) the file should at least be quarantined without prompt and logged so the user can decide later if the file is safe or not.

    However, if Trjam's son was running AppGuard (or other anti-exec) he still wouldn't have been infected even after a wrong decision on a WSA prompt.
     
  7. Victek

    Victek Registered Member (Joined: Nov 30, 2007; Posts: 5,129; Location: USA)
    Check the settings again to see if they've reverted to "defaults". I just looked and mine have. That may be the result of a version update...?

    Edit: My comment about WSA reverting to defaults is incorrect - I was looking at a different system where I hadn't changed the settings (duh). On the system where I made changes to settings those changes stayed in place after updating.
     
    Last edited: Apr 24, 2012
  8. trjam

    trjam Registered Member (Joined: Aug 18, 2006; Posts: 9,057; Location: North Carolina)
    Nope, test run after update. Prevx was like this at the start and Joe addressed it to make sure a scenario like this could not happen. I am sure he will look into it.
     
  9. Dark Shadow

    Dark Shadow Registered Member (Joined: Oct 11, 2007; Posts: 4,553; Location: USA)
    Yes and no. For instance, Faronics Anti-Executable would have prompted for allow or deny, good or bad. If allow was selected then game over, and if it's of malicious content it would have been allowed to run and do its thing.

    AppGuard, on the other hand, is a different story, and in lockdown mode it's automatic default-deny of executables, goof-proof if you will. As in Trjam's case it would have been blocked from execution and no harm done.
     
    Last edited: Apr 24, 2012
  10. Techfox1976

    Techfox1976 Registered Member (Joined: Jul 22, 2010; Posts: 749)
    The biggest security threat to any computer is not the software, or the hardware, or the firmware, but indeed the wetware. User error will always be the number one hole in any security system, and as such, user education is more critical than any automated process.

    I could get into a huge rant about all the misguided ways in which people try to demand that automations protect them, but I'll just leave it at the idea that we need smarter people, and we need those people to be better-informed and educated on the issues.

    An associate of mine's son bypassed AV to let an infection in. Said associate wiped out the drive with a 100% secure erase (MBR gone and all, and all the music, and games and everything), handed the son a Windows CD and keycode, and said "Have at it. The virus you got wasn't too bad, but -you- let it in, which is the worst possible thing. You can use your computer again when you've recovered from the virus attack. And anytime you bypass security in the future and let a virus in, the same thing will be done." Two weeks of fighting with recovery later, the kid was security paranoid. ;)
     
  11. Victek

    Victek Registered Member (Joined: Nov 30, 2007; Posts: 5,129; Location: USA)
    I must remember this "fix" to recommend to customers with kids :D You're quite right that the user is always the weakest link. Automating security software is a no-win situation. Norton Internet Security is a case in point - it regularly gets slammed for automatically removing files that prove to be FPs.
     
  12. fax

    fax Registered Member (Joined: May 30, 2005; Posts: 3,731; Location: localhost)
    You just need to ensure that whatever automatic decision can be undone. For the case of WSA this seems already possible. So, I don't see a major problem to allow for automatic processing for very specific scenarios (e.g. kids allowing whatever). It should not be the default but a specific setting in the interface.
     
  13. Jeroen1000

    Jeroen1000 Registered Member (Joined: Aug 18, 2008; Posts: 162)
    Apart from user "error" does not anyone feel that there should be

    a) a log entry
    b) after a reboot, the icon should not turn to the green "ok" state if there is still an infection

    That is why I've asked for an overview screen like in PrevX. I feel it is quite hard to find where the threat is with WSA.
     
  14. PrevxHelp

    PrevxHelp Former Prevx Moderator (Joined: Sep 14, 2008; Posts: 8,242; Location: USA/UK)
    That's definitely strange and not what should be happening. Did you happen to get a screenshot of the Allow/Block dialog or do you know what else was written on it? There are a couple different ones but by default, they should all be answered Block automatically.

    Can you send me an email with a System Tools - Reports - Save as... scan log from the affected system so that I can see exactly what happened? We store a pretty accurate log of what actions the user took and WSA took automatically and I'd like to get to the bottom of this ASAP.

    Thanks for the help! :thumb:
     
  15. PrevxHelp

    PrevxHelp Former Prevx Moderator (Joined: Sep 14, 2008; Posts: 8,242; Location: USA/UK)
    Exactly - your comments are exactly reflective of how WSA should work. Hopefully trjam's scan log/report will clarify what happened here. I'll keep everyone in the loop!
     
  16. trjam

    trjam Registered Member (Joined: Aug 18, 2006; Posts: 9,057; Location: North Carolina)
    Joe, for now it isn't on his computer. I know I had ticked the option to handle automatically instead of warning. All I did was go to malware domain and start loading up some IPs they had listed and sure enough the Block/Allow box popped up in the upper left part of the screen. If you really need me to I can load it all up again and do it, but I am pretty sure this can't just be on me.
     
  17. trjam

    trjam Registered Member (Joined: Aug 18, 2006; Posts: 9,057; Location: North Carolina)
    Now my computers are set up as admins. The only options I untick from WSA are the 2 with the captcha headings that are ticked by default.
     
  18. STV0726

    STV0726 Registered Member (Joined: Jul 29, 2010; Posts: 900)
    Okay so it seems that Joe has come back and stated that WSA SHOULD in fact be 100% automatic if you have the automatic options ticked. Most of them are ticked by default which is good. Webroot's auto-block uses quarantine so you can always have an administrator get the files back if they are FPs. Advanced users who do not want automatic remediation can uncheck the settings and get the prompts.

    There is, however, one automatic setting that is OFF by default and it is in the "behavior shield" options. I turn this ON so WSA is 100% automatic for me. The setting is something like...

    "Automatically have Webroot decide what to do instead of showing a prompt." For whatever reason this one is in manual mode by default.

    Trjam, perhaps your son encountered one of these behavioral-based prompts instead of the normal real-time shield prompts which should be automatic by default.

    Now about the cleanup scan, this is still something I consider a potential weakness to WSA. Non-admins can stop a paramount function only being shown a prompt they can ignore. Joe has inferred that there are consequences of terminating the cleanup scan so I am a proponent that those should be either "invisibilized" (aka run them in the background without showing them at all) or give an option to prevent their termination.

    Thanks.
     
  19. Narxis

    Narxis Registered Member (Joined: Jun 10, 2009; Posts: 477)
    But you can restore it if it's an FP.
     
  20. Jeroen1000

    Jeroen1000 Registered Member (Joined: Aug 18, 2008; Posts: 162)
    Joe,

    Automatic block or not, should not WSA keep indicating malware was found until I either remove it, or add it as a detection override?

    I have disabled automatic block in the sense that I can decide for myself whether I should block the file or not.
     