Solved

Question about rootkits and Webroot

  • 4 November 2021
  • 7 replies
  • 363 views

Userlevel 2

I recently switched over to Webroot for my personal machines, and joined this community. While I am a software developer of many years, there's a lot I don't understand about cyber security in general. Here’s something specific…

If you already have a rootkit unknowingly installed on your Windows machine, and the rootkit is smart enough to expect and trick Webroot, then the only way Webroot can defeat it is to boot itself from independent start-up media (USB flash drive), then scan & quarantine/disable the rootkit before your OS can start from the Windows boot drive.

But all I was required to do after purchasing was download and install. It started up, scanned, and detected no issues. But how could Webroot be so sure it's not being tricked or defeated in some way? I could find no "boot-from-start-up-media-and-scan" options for this product.

Thanks for your patience. 
Scott.


Best answer by TylerM 4 November 2021, 17:01


7 replies

Userlevel 7
Badge +63

Hello @smcintosh 


Webroot is very good against rootkits, and WSA is always scanning your system with its Realtime Shield, and it has a Rootkit Shield as well! Maybe @DanP or @TylerM can give you more insight!


See here: https://docs.webroot.com/us/en/home/wsa_pc_userguide/wsa_pc_userguide.htm#ShieldingYourPC/PCShieldsOverview.htm

Types of Shields

SecureAnywhere includes the following types of shields:

  • Realtime Shield — Monitors unknown programs to determine whether or not they contain threats. Blocks known threats from running on your computer that are listed in Webroot’s threat definitions and in our community database. You should never disable this shield.
  • Rootkit Shield — Blocks rootkits from being installed on your computer and removes any that are present.
  • Web Shield — Blocks known threats encountered on the Internet and displays a warning. The Web shield maintains information on more than 200 million URLs and IP addresses to comprise the most accurate and comprehensive data available for classifying content and detecting malicious sites.
  • USB Shield — Monitors an installed USB flash drive for threats, blocks and removes any threats that it finds.
  • Offline Shield — Protects your system from threats while your computer is not connected to the Internet.
  • Script Shield — Protects your system from malicious scripts.
  • Foreign Code Shield — Protects your system from the latest advanced threats.


HTH,

Userlevel 7
Badge +63


Userlevel 7
Badge +24

Hey @smcintosh 

Welcome to the community!

Rootkits are not new and definitely something our software can handle. Some of our most important drivers are at the kernel level and can identify rootkits. Signature scanning and monitoring of injected processes can help identify rootkit infection. Also, the introduction of UEFI over a traditional BIOS was Microsoft and Intel’s attempt at preventing rootkits at the MBR level.

However, by all means, if you are not convinced that you aren’t infected with a rootkit and would like us to take a look at the machine, we’re more than happy to do so; just contact our support team.

https://www.webroot.com/us/en/support/home-contact
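The detection ideas Tyler lists (kernel-level visibility, spotting processes that one view of the system hides from another, and UEFI Secure Boot as the platform defence against boot-level tampering) can be illustrated with a small defender-side check. The PowerShell script below is an added example for this thread; it is not Webroot's code and not part of any post here. It assumes a Windows 10 machine and an elevated PowerShell session (Confirm-SecureBootUEFI needs administrator rights), and all function names in it are ours.

```powershell
# Added example (not Webroot code). Assumes Windows 10 and an elevated PowerShell session.
#
# Idea: a rootkit that hides a process typically hooks one enumeration path. Listing
# processes through several independent paths and diffing the results exposes a
# process that is present in one view but hidden from another (a "cross-view" check).
# Secure Boot state is reported because UEFI Secure Boot is the firmware-level defence
# against MBR/bootkit-style rootkits that the thread mentions.

function Get-ProcessIdsByView {
    # Each entry enumerates processes through a different code path.
    [ordered]@{
        'Get-Process'   = @((Get-Process -ErrorAction SilentlyContinue).Id)
        'Win32_Process' = @((Get-CimInstance -ClassName Win32_Process).ProcessId)
        'tasklist.exe'  = @(tasklist /FO CSV /NH |
                            ConvertFrom-Csv -Header Image, PID, Session, SessionNum, Mem |
                            ForEach-Object { [int]$_.PID })
    }
}

function Get-AllProcessIds($snapshot) {
    # Flatten every view of one snapshot into a single sorted list of unique PIDs.
    @($snapshot.Values | ForEach-Object { $_ }) | Sort-Object -Unique
}

function Find-ProcessViewGaps {
    # Processes start and exit between snapshots, so take two snapshots a moment apart
    # and report only PIDs that exist in both snapshots yet are missing from the same
    # view both times. That filters out ordinary churn and leaves stable discrepancies.
    param([int]$DelaySeconds = 2)

    $first  = Get-ProcessIdsByView
    Start-Sleep -Seconds $DelaySeconds
    $second = Get-ProcessIdsByView

    $ids2   = Get-AllProcessIds $second
    $stable = Get-AllProcessIds $first | Where-Object { $ids2 -contains $_ }

    foreach ($p in $stable) {
        foreach ($view in $first.Keys) {
            if (($first[$view] -notcontains $p) -and ($second[$view] -notcontains $p)) {
                [pscustomobject]@{ ProcessId = $p; MissingFromView = $view }
            }
        }
    }
}

function Get-SecureBootState {
    # Confirm-SecureBootUEFI throws when the session is not elevated or the machine
    # boots via legacy BIOS; both cases are reported rather than treated as "disabled".
    try {
        if (Confirm-SecureBootUEFI) { 'Enabled' } else { 'Disabled' }
    } catch {
        "Unavailable: $($_.Exception.Message)"
    }
}

# Run the checks and print a short report.
"Secure Boot: $(Get-SecureBootState)"
$gaps = @(Find-ProcessViewGaps)
if ($gaps.Count -eq 0) {
    'All three process views agree; nothing is hidden from one view but visible in another.'
} else {
    'Stable discrepancies between process views (investigate each PID):'
    $gaps | Format-Table -AutoSize
}
```

Treat any reported PID as a lead to investigate, not a verdict: the three views differ legitimately for a few system pseudo-processes on some builds, so compare against a known-clean machine of the same build. The more important caveat is the one Scott raised: this script runs inside the possibly compromised OS, so a kernel-mode rootkit that filters every enumeration path below all three views will pass it cleanly. That is exactly why scanning from independent boot media remains the stronger check when there is real suspicion, and why Secure Boot, which verifies the boot chain before the OS runs, matters for the boot-level case.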


Userlevel 2

Thanks for the response Tyler. 

It’s not really that I believe there’s a problem with any of my Windows machines. Though there was a recent allegation from my web/email hosting provider of malware traffic coming from my LAN, after some joint investigation I discovered that the origin was Indonesia. This episode and subsequent investigation triggered me to switch to Webroot, after doing some reading about it.

So my question was more of a hypothetical question. If there was a sufficiently sophisticated rootkit already present on a Windows 10 installation, up and running, and it has enough smarts to expect a future Webroot install, could it secretly and effectively disarm Webroot so that this particular rootkit can’t be detected by it? 

Scott.

Userlevel 7
Badge +24

Hmmm


I highly doubt that the rootkit could “secretly disarm Webroot”. What we’ve usually seen as potential issues with rootkit removal is that Webroot will need a restart to remediate the malware, and then upon restart Webroot sees the malware, again wants to remove it, and starts the cycle again. Ultimately this requires a call to support where we can assist.


However, a specifically designed rootkit or targeted attack against a certain vendor or business that is sophisticated and has enough effort in its development can defeat just about any environment (in my opinion).

Userlevel 2

Thanks Tyler. Another thing that prompted the question was my reading of rootkits way back in the early days (15-20 years ago?). I had read that early solutions to the rootkit problem seemed to always involve special boot media on CD/DVD that had the solitary purpose of scanning and removing rootkits on volumes where the OS resides. The claim was, at the time, this was the only way. But I suppose the anti-malware tech has evolved a lot, for the better, since that time.

Thanks again for your insights.

Scott.

Userlevel 7
Badge +63

@smcintosh do you remember this?


Sony BMG copy protection rootkit scandal


https://en.wikipedia.org/wiki/Sony_BMG_copy_protection_rootkit_scandal


I was using Prevx at the time and was one of the first to detect and remove this Rootkit without issues, then in Nov 2010 Webroot acquired Prevx and has made it better ever since! https://www.prnewswire.com/news-releases/webroot-acquires-prevx-106436478.html
