In most cases the root problem of a successful 0-day infection is that the very first piece of malicious code (most likely a downloader trojan) can successfully communicate with its CC (command and control centre).
Webroot today has a default-allow action if the user does not block via this popup window:
First of all: surely, admins never like the idea of giving such control to the user. The user will never know the exact risks of clicking the Allow button here. When he clicks, it is already too late to save the network from harm. Please refer to the many, many Cryptolocker cases around the globe.
Secondly, the countdown counter here gives you 120 sec to decide. Who among the users can get proper help on what to click here in just 120 sec??? Who is that admin among us who could properly check this unknown process out at the endpoint and advise in just 120 sec? (Anyone? Yes? I would employ you tomorrow and we will make big money...)
(please also read this idea - it might work in some cases:
Thirdly, actually, I have never seen any firewall (perimeter or personal) that has a "default allow" implementation. Ever since we have had communicating systems we have all learnt quite well: for any unknown process the only safe action is to block its communication, isn't it? (Please note, blocking unknown processes' communication will not have any effect on known good
Sure, Webroot, you might say that implementing this could result in blocking too many legitimate processes, but hey, it is your constant job to classify new processes as quickly as you can, and when we purchase a WSA licence it means we trust you to do this mandatory job for us, for our safety.
Also, even without your expert job (and cloud database updates), local admins could easily deal with those untrusted processes whose communications were blocked via the Admin Console, so they could easily classify any unknown process as "Good" if need be.
Dealing with some blocked communications is (in my opinion) still much better stuff than dealing with tons of encrypted files... and never-ending ransomware infections are just about to teach it to us all.
So why not let us stay on the safer side?
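The two policies argued about above, side by side, as an added illustration that is not part of the original post and not Webroot's code: a small simulation in which an endpoint agent asks a classification service for a verdict on a process, shows the user a popup for unknown processes, and then either falls through to allow when the popup times out unanswered (the current behaviour the post describes) or blocks until the admin marks the process Good via the console (the requested behaviour). Process names, hashes and the classification table are constructed for the example.

```python
"""Added example: default-allow vs default-deny for an unknown process's
first outbound connection. Not from the original post or from Webroot.
All hashes, process names and the cloud table below are constructed."""
from dataclasses import dataclass, field
from enum import Enum
from typing import Dict, List, Optional


class Verdict(Enum):
    GOOD = "good"
    BAD = "bad"
    UNKNOWN = "unknown"


# Constructed stand-ins for a vendor classification table and two endpoints.
KNOWN_GOOD_BROWSER = "a" * 64      # already classified Good in the "cloud"
UNKNOWN_DOWNLOADER = "b" * 64      # brand-new file, no verdict yet
UNKNOWN_LOB_TOOL = "c" * 64        # in-house line-of-business tool, also unknown
CLOUD_TABLE: Dict[str, Verdict] = {KNOWN_GOOD_BROWSER: Verdict.GOOD}


@dataclass
class OutboundPolicy:
    default_allow: bool                       # True = popup timeout falls through to allow
    cloud: Dict[str, Verdict]                 # vendor verdicts keyed by file hash
    admin_overrides: Dict[str, Verdict] = field(default_factory=dict)  # set via console
    audit: List[str] = field(default_factory=list)

    def classify(self, sha256: str) -> Verdict:
        # A local admin decision wins over the cloud verdict, so an unknown
        # in-house tool can be unblocked without waiting for the vendor.
        if sha256 in self.admin_overrides:
            return self.admin_overrides[sha256]
        return self.cloud.get(sha256, Verdict.UNKNOWN)

    def decide(self, process: str, sha256: str, user_choice: Optional[str]) -> bool:
        """Return True if the process's outbound connection is permitted.

        user_choice is "allow", "block", or None when the popup's countdown
        expired without an answer."""
        verdict = self.classify(sha256)
        if verdict is Verdict.GOOD:
            allowed = True
        elif verdict is Verdict.BAD:
            allowed = False
        elif self.default_allow:
            # Current behaviour: only an explicit "block" stops the connection;
            # an unanswered popup lets the unknown process talk out.
            allowed = user_choice != "block"
        else:
            # Requested behaviour: unknown means blocked, whatever the user
            # clicks; the admin reclassifies it from the console if needed.
            allowed = False
        self.audit.append(
            f"{process} sha256={sha256[:12]}... verdict={verdict.value} "
            f"user_choice={user_choice} allowed={allowed}"
        )
        return allowed

    def admin_mark(self, sha256: str, verdict: Verdict) -> None:
        """Admin Console action: classify a process for this site."""
        self.admin_overrides[sha256] = verdict


def run_scenario(default_allow: bool) -> OutboundPolicy:
    """Play the post's scenario against one policy and return it for inspection.

    A known-good browser connects, then an unknown downloader tries to reach
    its CC while the user lets the 120-second popup expire unanswered."""
    policy = OutboundPolicy(default_allow=default_allow, cloud=dict(CLOUD_TABLE))
    policy.decide("browser.exe", KNOWN_GOOD_BROWSER, None)
    policy.decide("invoice_scan.exe", UNKNOWN_DOWNLOADER, None)
    return policy


def downloader_reached_cc(policy: OutboundPolicy) -> bool:
    """True if the unknown downloader's first connection was allowed."""
    return any("invoice_scan.exe" in line and "allowed=True" in line
               for line in policy.audit)


if __name__ == "__main__":
    for mode in (True, False):
        p = run_scenario(default_allow=mode)
        print(f"default_allow={mode}: downloader reached CC = {downloader_reached_cc(p)}")
        for line in p.audit:
            print("  ", line)
    # Default-deny blocked the in-house tool too; the admin fixes that from the console.
    p = OutboundPolicy(default_allow=False, cloud=dict(CLOUD_TABLE))
    print("LOB tool before override:", p.decide("lobtool.exe", UNKNOWN_LOB_TOOL, "allow"))
    p.admin_mark(UNKNOWN_LOB_TOOL, Verdict.GOOD)
    print("LOB tool after override: ", p.decide("lobtool.exe", UNKNOWN_LOB_TOOL, None))
```

The point the simulation makes is the one the post makes: under default-allow the dangerous path needs no click at all, only the user's hesitation, whereas under default-deny the cost of a wrong guess is a blocked legitimate tool that shows up in the audit trail and is one console action away from being fixed.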
WSA 6500+ endpoints installed and maintained daily, 12+ years Webroot sales & support, 2 yr Webroot MSP