WSA protection against unknown files & journaling process

Discussion in 'Prevx Releases' started by TonyW, Oct 10, 2012.

Thread Status:
Not open for further replies.
  1. TonyW

    TonyW Registered Member

    Joined:
    Oct 12, 2005
    Posts:
    2,635
    Location:
    UK
    I've decided to open this thread here to allow discussion on how WSA protects users against unknown files, or when they lose internet connectivity for whatever reason. There are a lot of people who don't understand how this works or are worried about being properly protected during the timeframe until file is marked as malicious. Questions get asked in other threads in other parts of this forum, which may derail the topic of that thread so I thought it would be pertinent to start one here to try get some understanding for everyone.

    For example, Beethoven said in another thread:
    I stated that it's not a system restore per se; I said any rollback only reverses the changes that the suspicious file made to the system. Beethoven, and I'm sure others have thought the same, made the point:
    Others make the leap to wonder what happens if an unknown piece of malware has already stolen banking info in that timeframe.

    I can understand these concerns, and admittedly WSA's approach is different to its competitors. I think it would be pertinent to discuss how WSA does indeed deal with these situations.

    Whilst there is much to understand about the journaling process, WSA does have other techniques in play, such as behaviour analysis and heuristics. The Identity Shield is also helpful, and I believe is useful in blocking attempts to steal banking info as in the scenario above. There is a video over at Webroot Community showing how some actions fail when infected by an unknown file because of the Identity Shield, for example. (Here's that video for those that may have missed it: -http://www.youtube.com/watch?feature=player_embedded&v=uKMZ1Ukw_7I-)
     
    Last edited: Oct 10, 2012
  2. The Red Moon

    The Red Moon Registered Member

    Joined:
    May 17, 2012
    Posts:
    3,872
    This thread will indeed be an education for me.Im looking forward to the feedback on this one.:thumb: :thumb:
     
  3. Tarnak

    Tarnak Registered Member

    Joined:
    Feb 5, 2007
    Posts:
    3,892
    Me too, but I was already thrown by this word, "journaling" :argh: , then I found this - Journaling file system > http://en.wikipedia.org/wiki/Journaling_file_system , and became somewhat enlightened. :eek:
     
  4. Triple Helix

    Triple Helix Webroot Product Advisor

    Joined:
    Nov 20, 2004
    Posts:
    12,014
    Location:
    Ontario, Canada
    Also I would like to keep this thread completely On Topic and nothing else! Off Topic posts are subject to deletion or moved to another thread without warning.

    Thanks,

    TH
     
  5. TonyW

    TonyW Registered Member

    Joined:
    Oct 12, 2005
    Posts:
    2,635
    Location:
    UK
    I did include that video in my first post. ;)
     
  6. Triple Helix

    Triple Helix Webroot Product Advisor

    Joined:
    Nov 20, 2004
    Posts:
    12,014
    Location:
    Ontario, Canada
    See I deleted my own post :D Thanks Tony!

    Daniel
     
  7. TonyW

    TonyW Registered Member

    Joined:
    Oct 12, 2005
    Posts:
    2,635
    Location:
    UK
    Webroot certainly have their work cut out in trying to convince users at forums like this that their approach is workable. Only today has silverfox made these comments:
    How does Webroot envisage persuading these type of users that although their methodology is different to other AVs, it is also worth considering? I know there is that video mentioned above, but perhaps more should be done in this arena.
     
  8. PrevxHelp

    PrevxHelp Former Prevx Moderator

    Joined:
    Sep 14, 2008
    Posts:
    8,242
    Location:
    USA/UK
    Honestly, I don't know what our response would be in this case. Our focus is on live infections (whether they're about to execute or have already executed and the system is pre-infected). Personally, I simply can't understand why an on-demand scan of static files that haven't infected the system would be considered more important. I suppose those users will fall into the bucket of "you can't please everyone". The other many millions of users of WSA have been very satisfied with how it works so we aren't going to change our fundamentals.
     
  9. Esse

    Esse Registered Member

    Joined:
    May 26, 2011
    Posts:
    383
    Great initiative TonyW!
    My questions when it comes to unknown files is:
    1/ What happens to a unknown file scanned by WSA, is it uploaded to the cloud for examination or does this only happen during execution?
    2/ In that case why?
    Would it not be in Webroots interest to collect as many files as possible to boost on demand scan detections?
    I hope this is inside the perimeter of Tonys intentions of this thread.

    Cheers

    /E
     
  10. claudiu

    claudiu Guest

  11. PrevxHelp

    PrevxHelp Former Prevx Moderator

    Joined:
    Sep 14, 2008
    Posts:
    8,242
    Location:
    USA/UK
    AV-Test first infects the system, then installs WSA, so the test doesn't cover journaling, just the static generic removal engine.
     
  12. Baldrick

    Baldrick Registered Member

    Joined:
    May 11, 2002
    Posts:
    2,301
    Location:
    South Wales, UK
    Really do not understand why AV-Test are not prepared to accept that WSA is different and therefore test in a different way...after all, I certainly do not wait for an infection to hit my PC and THEN install an AV/IS suite. Surely it would be better, in their tests, if they installed the AV/IS suite and then infected the system?

    Or is that just my view o_O
     
  13. claudiu

    claudiu Guest

    So, basically, is the same procedure like AV Comparatives. Why the results are so different, though?

    Thanks,
    Claudiu
     
  14. kdcdq

    kdcdq Registered Member

    Joined:
    Apr 19, 2002
    Posts:
    657
    Location:
    Southwestern Massachusetts
    I understand both ways of infection testing but the order that you suggest, seems to me, would be more likely to represent what actually happens in the real world... :cautious:
     
  15. Baldrick

    Baldrick Registered Member

    Joined:
    May 11, 2002
    Posts:
    2,301
    Location:
    South Wales, UK
    My point indeed...hence my surprise at the fact that they use an approach that does not seem to represent what happens in real life...but then again I am not the one preparing & undertaking the tests...so perhaps I should not speak.

    I am just glad that WSA operates the way it does as that makes sense to me (and I suspect a growing number of others?).
     
  16. PC_Fiddler

    PC_Fiddler Registered Member

    Joined:
    Aug 18, 2012
    Posts:
    167
    Location:
    Yorkshire - UK
    I agree Baldrers but WSA is for people living on planet Earth, & who are partially normal - I'm unlikely to infect my system with every virus I can find gleaned from the darkest part of the net with no AV whatsoever - Then install an AV then see if it's 100% efficient & then rate it according to that system for everyday use - It's not living in the real world, it's plain stupid - I have a friend who has more security than the bank of England & still gets infected regularly (don't use WSA) whereas I for an unknown reasons have used the net for 17 years with 1700 bookmarks had a couple of viruses, at large (actually one) & have 4 children who have used my PC's & 3 who have WSA on their own PC's & never hear any complaints?

    It's like testing a vacuum cleaner by emptying your full wheely bin on your lounge floor & testing a new vacuum cleaner by seeing how it cleans up then rating it how it managed with the 40 kg of crap, it's an unrealistic situation & so are some of the AV testing systems & some of the same mad questions from people who don't use WSA anymore anyway, why the same questions, why not select a new AV, buy it, use it, then post on the appropriate forum with your questions.

    Actually the next post I read from someone who is infested with viruses when using WSA on here will be the first for some time, some are sensible questions from people who are wondering how WSA works, some are from those with grudges (and life issues) with the same questions that were answered three times last week (trolls) - Few if any are from those ridden with infections? Or am I missing something? Is my mouse not scrolling correctly?

    Edited for dreadful grammar -
     
    Last edited: Oct 14, 2012
  17. silverfox99

    silverfox99 Registered Member

    Joined:
    Jul 14, 2006
    Posts:
    204
    What we need is a test that goes something like this.....

    1. WSA installed on clean machine
    2. Folder with 1000 malware files introduced on machine to desktop, none executed as yet.
    3. On demand scan with WSA
    4. .............say WSA correctly identifies 90% of the 1000 as malicious files (lets ignore the 'Crazy FP' potential for the moment..).:;)
    OK, so now WSA has correctly identified 900 malicious files and we have 100 'dormant' malicious files still remaining on desktop not yet identified by WSA.
    This is where most test outfits stop.
    What we need is for the test outfit to continue and...

    execute each and and every last one of the 100 remaining files, one by one

    ......And watch what WSA does.......
    Out of the remaining 100 files, how many does WSA correctly identify as malicious when the file is executed? All..., some..., none...?
    That would be great to know, (and of course for other AVs too - how exactly do they compare to WSA in this regard?)
    .....and we could see what 'journalising' does in these test conditions.
    For bells and whistles could re-test files not classified as malicious at 6 and 12 hours as well.... is WSA a quick learner?

    Would any of the AV test outfits consider this approach.......? I for one would welcome it. If anything it would show the benefits of WSA approach over other AVs.

    For example in a situation where WSA and another AV have the same or similar detection of say 90% out of the 1000 malicious files, but then WSA stops another 90% when the remaining 100 are activated Vs another AV that does no more than when it first scanned then..... WOW, that would be powerful, wouldn't it?
     
  18. Baldrick

    Baldrick Registered Member

    Joined:
    May 11, 2002
    Posts:
    2,301
    Location:
    South Wales, UK
    Very much the situation for me PC...have been online for...well, longer than I would like to admit ;) and have yet to be infected...and I would not say I say that I avoid danger on the web.

    Oh, that is downright rank...but the analogy made me chuckle :argh: ...and in fact I remember when a new vacuum cleaner (the first one with no bags ;) ) came out the in store party piece was indeed to empty the contents of a bin (not wheely) on the floor and vacuum it up

    No, you are quite sane PC and as far as I can see your mouse is scrolling fine...you are just one of the enlightened ones. :cool:
     
  19. Cudni

    Cudni Global Moderator

    Joined:
    May 24, 2009
    Posts:
    6,956
    Location:
    Somethingshire
    ot posts removed
     
  20. PC_Fiddler

    PC_Fiddler Registered Member

    Joined:
    Aug 18, 2012
    Posts:
    167
    Location:
    Yorkshire - UK
    What are the realistic chances of ending up with 1000 malware files on your PC though? I agree it's a better system but maybe that system is beyond the realms of probability? If you have 1000 files of that type ought you really ought to be looking at something other than an AV solution?
     
  21. silverfox99

    silverfox99 Registered Member

    Joined:
    Jul 14, 2006
    Posts:
    204
    I guess so, does't really matter how many files, just that someone somewhere tests WSA in the way i describe to answer the question, if WSA misses some resident malicious files, will it correctly determine the files as malicious when they execute, or not?

    WSA seems to be a question of faith. Do you believe? True what some believers say that if WSA did miss a lot of malware on execution, surely this board would have a few people posting their problems, but there is no one posting problems which is a good sign for WSA if only they could construct a test to illustrate the power. As i'm sure some have said before if you go take a look Norton, McAfee and many others, their forums are full of users asking for helps to get rid of ZeroAccess or Alureon (the solution suggested is oftem to run Malwarebytes). And yet here on an open forum....nothing about WSA issues. So i have high hopes for WSA that it can prove how good it really is.
     
  22. PC_Fiddler

    PC_Fiddler Registered Member

    Joined:
    Aug 18, 2012
    Posts:
    167
    Location:
    Yorkshire - UK
    Part quote -

    I agree with that.

    Actually for me WSA has been experimental but having used it for well over a year & been impressed & only recently have been suggesting to others who ask for advice to try WSA, & so far I've had no problems, actually less so than them using other AV's?

    Personally I image (very) regularly, back-up religiously & keep everything in multiple locations so there is no worst case scenario for me - I also have other scanners on that are passive other than Mbam Pro which is on background protection - So far so good :thumb: - I have full licenses for other traditional AV's & install & run them from time to time & look if WSA is missing anything & so far it hasn't (I them image back) So my faith is increasing with time but I am always open to other options, but yes at the moment it could be said I believe :D
     
    Last edited: Oct 16, 2012
  23. fax

    fax Registered Member

    Joined:
    May 30, 2005
    Posts:
    3,731
    Location:
    localhost
    yes, either you have faith or you try it yourself. :thumb:
     
Thread Status:
Not open for further replies.