So many (techie) product questions...

  • 17 October 2014
  • 38 replies
  • 144 views

Userlevel 1
Please pardon all of my techie questions but I want to ask them before I spend more cash on yet another product that may or may not really fit my needs.
 
Are there "basic" versions that do NOT want to manage my passwords and/or credit card information? (like so many other products want to point to as some wonderful "feature" aka: wonderfully packaged and sold security risk IMHO when there is no way to actually stop the underlying processes from still gathering and storing your passwords etc...)
 
I am very particular about system resource use, running process, and communication ports being held open. (as another product  wanted to hold 24 ports open at times - in port matched loop-back pairs... totally wasted resources, running process, services, threads, and handles.)
 
Will these products potentially cause any unsolicited inbound packets to show up at my router? (I had issues with other products that were not using TCP/IP communication correctly causing hundreds a week at times)
 
All that I want and need is coverage for 3 PCs with:
  1. Basic Anti-virus that is lightweight and reliable.
  2. Basic Internet Security (without any account, identity, or credit card information storage)
  3. Basic Firewall management functionality (able to block and report attempts at intrusion)
I DO NOT want or need an on-line backup system, password manager, credit card information cache, or auto fill in for passwords and or credit cards. (I will manage all of that on my own thank you!)
 
 
Which product would fill my needs if any?
 
Thank you very much for any clear and honest information!
 

38 replies

Userlevel 7
Badge +56
Sounds like you just want the base version of our product:
http://www.webroot.com/us/en/home/products/av
 
That gives you the AV & malware protection, identity shield, and firewall, but no password manager or online backup.
Userlevel 1
@
 
Well as far as the install you are correct but I do still need to un-install my current product and get it cleaned off in entirety prior to installing the new product and thus it would require a reboot (if not 2) to ensure all remnants of the prior product is gone for good...
 
During the un-install processes and reboot(s) prior to starting the new products install I do not want to have an open Internet connection.
 
I feel pretty confident that staying disconnected up to the point of the install complaining about the lack of connection will reduce the risk to bare minimum.
 
I guess I wish security software vendors would at least lock down connectivity and only allow traffic for their proprietary software to access the Internet during these "less than secure" windows during install/authentication processes... (I also do some MSI packaging)
 
Regardless I guess the proof will be forthcoming as I intend to give this product a shot. (thanks in a big part to the helpful and knowledgeable community here)
 
Userlevel 7
@ wrote:
Well here are my thoughts on WSA.
 
Very nice and light weight, nothing extra running, but still very reactive to threats.
 
A minor issue with application version changes: IE: I am a programmer and when my software builds the version number is incremented to denote the new version, WSA then reverts to blocking the same application (all be it with a newer version) in the same location it has been told to allow prior.
I again have to tell WSA that it is okay to allow it to access the network... and then again also tell it that it is OK to access the copy buffer... (for instance I manually copy my router log to the copy buffer (ctrl+c) to then process in my application and then output the results based on type of entry and/or source IP)
Not a huge thing but a slight annoyance when you are a programmer.
 
Note: This does not seem to happen when you update a web browser like FireFox for instance (which is open source)
 
Beyond that I have had no problems with the functionality and it has passed all the tests I have put it through!
 
Thank you for doing what is needed and not forcing me to have "features" I would never use.
Yes, when you manually allow a file, once the file is changed it reverts to blocked.  This is because each file has a unique "MD5" number.  This is basically a hash number, and again is unique.  The Allow/Block files works from the MD5, not the file name.  This is so that if a good file is altered by malware it of course will be detected and blocked.
 
As you say... a bit annoying for a developer, but very effective at the same time.
 
The major browsers are of course already set 'internally' in the Cloud to be allowed globally, as is much commercial software, so you do not need to change permissions when updating.  
 
I am glad you gave us your input, and I hope you are happy with it!  Any quetions or problems, come on back and we will be glad to try to help 🙂
Userlevel 7
Hi RussH
 
Apologies if we have not been as responsive as you would like but most of us here are volunteers and therefore have day job too...and so our time available to come into the Community and help is can be irregular and sometimes limited (I knoe that my time recently has been more than I would like).
 
In terms of what yo are seeing the first thing that I would do is to review the Scan Log for each system and see if there are any significant difference in terms of the number of Good [g] and Unknown [u] files found on each...more [u]s wcan mean a longer scan time for reasons that are...well, obvious really.
 
IMHO the only option that you have is a Support Ticket so that the Support Team can investigate the make up of each system & the installation of WSA to determine is there is some conflict there.  They will most likely send you some system investigation tools and as you to gather logs and configuration details for analysis back at the ranch.
 
That is what I would do.
 
Hope that helps?
 
Regards, Baldrick
Userlevel 7
Hi RussH
 
Thanks for coming back and posting on progress.  I am not surprised at anything that you report, not even the "slight knee jerk reaction on my part was the 14 second initial scan".  A lot of people using WSA for the first time do that...the reason for this is the way that WSA works...the philosophy is that malware is only dangerous as and when it is active so WSA monitors for malware activity both using Cloud-based whitelisting, and heuristics both does nothing with any file  or app that is not active.
 
So you may have the largest repository of malware packages residing on your system but if they are all inactive/dormant then it will pay no attention to them...BUT...the merest sniff of activitty and WSA will pounce, analyse and block...in otherwords WSA does not waste time or resources on things that cannot cause damage etc., but rather focusses on those that can.  Particularly clever and effective is what it does if it cannot determine whether an active file is malicious or not...in that case it monitors/journals the file's activities (which it also limits as well) and if eventually determined to be good it then stops the monitoring/restriction, etc., but if bad it it rollsback back any journalled activity so to negate the impact of the 'now determined to be malicious' file. :D
 
I hope I have described the philosphy properly.  I am sure that with your background you have probably researched this but for more information please take a look at this previous post, especially the three vidoes, for more information on the unique way that WSA works to protect the system it is installed on.
 
Of course, post back if you have any more questions.
 
All that I will say more at this oint is sit back, relax...you are well protected.
 
Regards, Baldrick
Userlevel 4
Badge +10
Enjoyed this entire post! Paranoia vs Caution...I remember what it felt like to hang out, unprotected while removing old security---keeping offline till new security refused to go further without phoning home to validate my purchase and update definitions. All the while, holding my breath and hoping there was no breach of ports. (I was glad when RussH suggested that security may want to look at that weak link.) The others did a good job of addressing every point--explaining how WSA works well with most other security--so LAYERED security is the way around some vulnerabilities. And I learned more about how WSA works in the process. I can also identify with RussH when it comes to who controls the running processes. With a PC it was often me in charge but Mac has a different idea. I do think that computers are a lot better at handling resources today. And I can say that WSA is not a resource hog. I avoid frivolous or risky apps. The Webroot features mentioned are optional when it comes to Mac and would seem to be so for PCs too. Best wishes y'all!
Userlevel 7
Hi RussH
 
How are you doing? Many thanks for coming back and providing an update. This helps us to checked that the advice, assistance, guidance, etc. provided is appropriate and correct.
 
Glad to hear that not one but two pf your systems have WSA covering their backs now...looking forward to whenyou advise that you have the full set moved over/sorted.
 
Please do come back and hang out/contribute what you can and when...this is the big part of what this Community is about...not just issues...but so much more.:D
 
Regards, Baldrick
Userlevel 4
Badge +10
Creating a support ticket makes sense to find how to streamline WSA scans---or to put in a feature request for it. IDK what table or index the scan refers to and how it varies on other boxes but hope to hear more about this. No "bait and switch" tactics here. In this community, I found other inquisitive folks who care to help and are wise enough to know where to refer questions to. Like you, I wrote to potential internet security providers. For whatever reason, I did not get an answer from this community at the time. But in fairness, did not check for one--once I realized that WSA is the best thing available for Mac. Health permitting, I follow this community and learn. For most folks here it is probably time permitting. I appreciate the attitude and spirit of this community.
Userlevel 7
Hello RussH, welcome to the Webroot Community.
 
The list of very specific must haves and must NOT haves is rather difficult to say the least I think.  I think that this will be best answered by our Community Admin @ or a member of the Sales department.  You can reach Sales at 1-866-612-4268.  I believe the hours are 8:00 AM to 5:00 PM, Mountain Time, Monday through Friday.
 
To be quite honest, I think no matter which vendor's product you end up with, given the features that you MUST have, you are going to end up with features that you do not want.  That does not mean you have to use them.
 
As for lightweight, minimal system impact, yet reliable, WSA is the hands down winner in my opinion.
Userlevel 7
Hi RussH
 
Just tried the "Can I download... disconnect from the internet and safely install at least the base product before re-connecting to the internet and doing updates?"
 
And can confirm that WSA will not install indicating that you have no internet connection, cannot verify activation keycode and asking you to try again when an internet connection is avaialble.
 
Sorry about that...but that is just the way it is.
 
Personally, as I said before I do not believe that you are in any danger in the few minutes between the start and end of the install.
 
Regards, Baldrick
Userlevel 6
Baldrick is right, you'll need an active Internet connection in order to install WSA. You can download WSA on a different client, then connect the one on which you want to install it to the Internet and start the installation; the installation itself won't even take a minute.

There's also no need to be afraid of connecting to the Internet without an Antivirus. An active Internet connection alone can't get you infected; there always has to be an action from the user(you) like browsing the Web or running malicious applications. So as long as you only start the installation nothing can happen.
By the way depending on your operating system you could also have an basic Antivirus running by default; like in Windows 7/8/8.1 with Windows Defender.
Userlevel 7
Hi RussH
 
I think that you are splitting hairs re. what you say...as the premise for the responses is in relation to the amount of time you have to connect to the intenet to install WSA, assuming that you get a CD-based copy.
 
And, not wishing to put to fine a point on it...as I said before, and confirmed by what I tried I installed WSAC on my tablet (which is far from being a speedy beast by any means) in just under 3 minutes...and I was probably protected by WSA almost immediately I started the install...but even if for argument one discounts that then we are talking about a 3 minute window (and you are being very well protected by the Windows Firewall...re. inbound intrusions, and most likely by Windows Defender or MSE assuming that you have not disabled them as they are on by default in Windows).  And finally, if you are behind a router then you have even more protection against the intrusion you are presenting as a danager...they will not even have reached you system if the router got them.
 
I do not dispute any of the information you provide in your post (and by the way I have been in IT since 1982, and for many years a programmer and more recently a consultant...so you are not alone in knowing something of what you are talking about) I would just say that you are EXTREMELY, EXTREMELY, EXTREMELY unlikely to fall victim to an attack by malware in the circumstances  we are debating....I have never heard of it happening to a WSA user (perhaps a fellow Community member would confirm or disabuse me of this view?)...but one cannot say absolutely now way it can happen.
 
I am afraid to say, and I do respectfully, that to me you are sounding overly cautious (even paranoid).
 
And to answer your question, in terms of my router...none.
 
Anyway, I do n ot want to start a polemic on this subject.  We have provide all the information we can and therefore the decision as to how you proceed is up to you.  I hope that you chose to join the Webroot Community as a user...but if WSA is not for you then I sincerely wish you well and go luck in finding the right solution for you.
 
All the best, Baldrick 
Userlevel 7
Hi RussH
 
I do completely understand the reasons for your caution and I think that you are exceptionally wise to have that sort of precious and sensitive data/source held on extrenal drives that are hopefully disconnected from the internet unless they need to be.
 
I also think that your approach of "run the install from CD off-line until it complains about no connection" does reduce the 'window of opportunity' but sadly by very little as when I trialled the disconnected install (prior to one of my posts) it was a matter of seconds, from clicking to run the installer, to the installer advising that it could not authenticate, and offerring to abort the install....but on the positive side...it will reduce the window by a few seconds more than if connected.
 
I do hope that you do take the plunge and do finally join our Community.  Please let us know what you decide either way.
 
Regards, Baldrick
Userlevel 1
@ 
 
Yes I have only had these Port 0 attacks show up twice as I mentioned so it has not been a big issue if they persist I will obviously speak with my ISP. (I still find it odd that it only ever happened shortly after installing BitDefender and then again shortly after removing BitDefrender)
 
As to configuration my IP is configured as DHCP at the cable modem BUT... The cable modem is controlled by the ISP (including firmware version) and is serial number matched and locked with its physical MAC address to what is basically an externally static IP.
 
My router is configured to use the Modems provided local IP as DHCP so if I lose connection with my ISP(Internet) my local network (Intranet) is still functional and reverts back once the ISP is re-connected.
 
This seems to be a pretty safe configuration as the connection to the ISP is physically secured using the serial number and hardware MAC. Pretty hard to spoof something like that without having the actual Serial number and Physical MAC of the modem.
 
Even if something does get through the modem my router is then the second line of defense as I have Ping, FTP, uPNP, remote admin, wireless,  all turned off,  as well as having other specific address/site blocks set up on it.
 
Then if all of that fails each connected device still has its own firewall and anti-virus/anti-malware system installed and configured.
 
I feel I am likely much safer than many of the corporate/government networks that have outsourced their IT support... *cough* *cough* that's real safe...
Userlevel 1
Well here are my thoughts on WSA.
 
Very nice and light weight, nothing extra running, but still very reactive to threats.
 
A minor issue with application version changes: IE: I am a programmer and when my software builds the version number is incremented to denote the new version, WSA then reverts to blocking the same application (all be it with a newer version) in the same location it has been told to allow prior.
I again have to tell WSA that it is okay to allow it to access the network... and then again also tell it that it is OK to access the copy buffer... (for instance I manually copy my router log to the copy buffer (ctrl+c) to then process in my application and then output the results based on type of entry and/or source IP)
Not a huge thing but a slight annoyance when you are a programmer.
 
Note: This does not seem to happen when you update a web browser like FireFox for instance (which is open source)
 
Beyond that I have had no problems with the functionality and it has passed all the tests I have put it through!
 
Thank you for doing what is needed and not forcing me to have "features" I would never use.
Userlevel 7
Hi practicality! 
 
Good to see you again!  Admittedly we can't always fix everything, but we do always do our best to try to help.  Sometimes the best we can do is figure out who or where to refer someone to :(
 
I have been on here a while obviously, but I still learn every day.  No one ever knows everything, but I learn a lot just by trying to help others out!
Userlevel 1
Thanks and thank you for your reply!
 
The issue I have with options that you can turn off is that the "turning off" is mostly nothing more than a visual representation and in reality the underlying service/mini-driver monitoring the keyboard input (for password/credit card collection for instance) is still running. Even when the user has turned off that "feature" in most products out there.
 
Call me paranoid but I really don't want ANY software sniffing my keyboard input regardless of the up front intent...
If credentials capture and storage was not a real security issue we could all simply let Windows do it... I think we all felt a chill down our spine at that thought right?
It is really nothing more than a big bulls-eye for hackers to target and potentially exploit. (Same reason Windows credentials manager is a known target for hackers) Worst case your credit card information gets accessed by hackers without your knowledge (access anywhere - cloud types especially)
 
I have a feeling the sales department will not be in-depth technical people that would have the answers to my questions and will just read off the same product features list shown on here on the products page...
Userlevel 1
Yes I saw the product features...
 
But the real question is are those other versions "features" installed but "turned off" (off and greyed out in the settings interface for instance) via product key in the basic version and thus still leaving background services/mini drivers running as I mentioned so many others do?
 
I just don't want to purchase yet another product that installs things or leaves things running even though you turn them off or don't expect they are installed/exist due to product feature lists such as these...
 
Are they totally not installed or are they installed with all versions but other wise disabled/enabled via product key?
Userlevel 7
Me again  :)
 
You know the product features of AV, IS+ and Complete... so you know that:
 
IS+ also includes the Password Manager.  This is a separate browser extension.  I have never installed the plain AV, so I really cannot say if it will put the PM in, but I do not believe so.  Even if it does... you can of course remove.  The same goes for the Web Threat Shield extensions for the browser.
 
The Complete also provides Backup&Sync.  This is also a separate download once enabled, so your basic AV install will not install the components for this service either.
 
Does this help?
Userlevel 1
Thanks for the quick reply!
 
Well right now I am "fighting" with a different product that keeps trying to run a "password wallet" application regardless of configuration setting...
 
I have even gone so far as to boot into safe mode with the software totally off and deleting the offending executable replacing it with a blank file of the same name and then removed all permissions on the file... yes I am serious...
 
And the "auto-update" now continually tries to "update" the application and can't so it keeps telling me I need to reboot to update... I guess programmaticly they assume the file is in use if they cannot complete their update...
 
This is after I have already also disabled other "features" by stopping their services as well...
 
Sorry long story but I think you can see what I mean about unwanted things running in the background... even though they are "turned off" and unavailable for use from the end users perspective... >.< 
 
I mean really that's practically virus/malware like activity if you think about it.
 
Userlevel 1
Okay I guess the 3 PC deal is what I am thinking I will do...
 
A few last questions...
 
For the digital install (download) is this a complete install that can be run off-line as stand alone?
 
I am not going to be interested in a web-install as you are simply at risk without virus software at all while the web-install would run... (yet another flaw in many anti-virus/security products)
 
Can I download... disconnect from the internet and safely install at least the base product before re-connecting to the internet and doing updates?
 
 
Ah never mind I can just run to Best Buy and get the physical product
 
I will be sure to post back here with the answers I find...
Userlevel 7
Hi RussH
 
Let me see if I can chip in and help here:
 
"For the digital install (download) is this a complete install that can be run off-line as stand alone?"
 
No, as one needs to enter the keycode at the start of the install process and it get validated before proceeding, and during the install the installer runs a scan for which it needs to connect to the Cloud.
 
"I am not going to be interested in a web-install as you are simply at risk without virus software at all while the web-install would run... (yet another flaw in many anti-virus/security products)"
 
Apologies but I really think that you are being overly paranoid there (and I say that sincerely).  The install takes 2-3 minutes depending on processor speed and once installed, right at the beginning of thescan & optimise stage of the overall install you are already well protected.  I have uninstalled and re-installed many many times as part of the testing I do to help other users here, and my system has have never, ever been compromised at that time.
 
"Can I download... disconnect from the internet and safely install at least the base product before re-connecting to the internet and doing updates?"
 
I do not believe so but I will go away and try this and post back in about 15 minutes time withthe result.
 
Regards, Baldrick
Userlevel 7
Hi regnor
 
You make a good point about Windows Defender/Microsoft Security Essentials as a temporary backstop at that time...quite forgot about that...;)
 
Regards, Baldrick
Userlevel 1
Thank you all for trying to be helpful!

I do have to point out there is an issue with the following statement:

"There's also no need to be afraid of connecting to the Internet without an Antivirus. An active Internet connection alone can't get you infected; there always has to be an action from the user(you) like browsing the Web or running malicious applications. So as long as you only start the installation nothing can happen."

You ABSOLUTELY CAN "potentially" get infected simply by being connected to a home network that is connected to the Internet without anti-virus and firewall protection even if you do not visit any sites at all...
 
I happen to be a programmer by trade and do know a bit about how these things work...
Have you ever heard of an injection attack? What about port 0 attacks? Simple penetration testing exposes these types of security threats and if in the hands of hackers? Points them right to the open door...
 
There is always a potential risk for infection even with anti-virus and local firewall configured and running (so without?)...
 
You are however correct in that the potential for this to happen given the somewhat short time frame is lower of course but it does still exist!  (please do NOT lul yourself and potentially others into a false sense of security in that regard)
 
I can pull up my router logs right now and point out unsolicited inbound packets that it has stopped/dropped.
But obviously a router is not perfect and there are things that still get past it's simplistic firewall protection: If they didn't have flaws we would have no need for anti-virus and other security protection on the PC's connected to them.

The web-install if it has to download the remaining product and it happens to be someone that only has a dialup? then their risk is increased as the time without protection is longer...
 
Now on to the physical product on CD/DVD can it be installed (even in say a trial mode) without being connected to the Internet? That would at least give "Some" added protection while completing the authentication.
 
I don't mean to sound so negative or paranoid but we live in the real world and I do have an understanding of the very real security threats that do exist on the Internet. They are out there just waiting for any potential weakness to take advantage of.
 
Did anyone else notice the port 0 attacks on the 6th? (this was in just over 4 minutes)
 
[DoS Attack: WinNuke Attack] from source: 220.165.8.25, port 0, Monday, October 06,2014 07:34:48
[DoS Attack: WinNuke Attack] from source: 199.91.67.202, port 0, Monday, October 06,2014 07:34:33
[DoS Attack: WinNuke Attack] from source: 162.243.172.187, port 0, Monday, October 06,2014 07:34:19
[DoS Attack: WinNuke Attack] from source: 209.59.252.42, port 0, Monday, October 06,2014 07:33:49
[DoS Attack: WinNuke Attack] from source: 82.222.7.139, port 0, Monday, October 06,2014 07:33:47
[DoS Attack: WinNuke Attack] from source: 91.205.172.31, port 0, Monday, October 06,2014 07:33:15
[DoS Attack: Xmas Tress Scan] from source: 220.249.124.226, port 0, Monday, October 06,2014 07:32:01
[DoS Attack: WinNuke Attack] from source: 195.154.7.226, port 0, Monday, October 06,2014 07:31:39
[DoS Attack: IMAP Scan] from source: 184.106.142.243, port 0, Monday, October 06,2014 07:31:03
[DoS Attack: WinNuke Attack] from source: 143.107.97.106, port 0, Monday, October 06,2014 07:30:35
[DoS Attack: WinNuke Attack] from source: 211.110.212.10, port 0, Monday, October 06,2014 07:30:34
 
So you have to ask yourself how many did the router potentially miss...
Userlevel 1
"and by the way I have been in IT since 1982, and for many years a programmer and more recently a consultant"
 
Glad to hear there are knowledgeable folks helping users here!
 
1985 for myself working with both hardware and software development...
 
One of my major concerns is my huge source code repository I have built over the years though I do keep it on external drives.
 
Not to mention current client source and data that I do not want to have potentially exposed or infected...
 
Well from my perspective I suppose I can run the install from CD off-line until it complains about no connection for authenticating and then connect at that point to reduce that window of opportunity even further.
 
Thank you again for all of your insight and assistance!

Reply