Change firewall action to default block UNKNOWN processes

  • 22 March 2016
  • 7 replies

Userlevel 6
In most cases the root problem of a successful 0-day infection is that the very first piece of malicious code (most likely a downloader trojan) can successfully communicate to its CC (command and control centre).
Webroot today has a default allow action if user does not block via this popup window:

First of all: surely, admins never like the idea of giving such control to the user. User will never know the exact risks of clicking the Allow button here. When he clicks, it is already late to save the network from harm. Please refer to many many Cryptolocker cases around the Globe.
Secondly, the countdown counter here gives you 120 sec to decide. Who among the users can get proper help on what to click here in just 120 sec??? Who is that admin among us who could properly check this unknown process out at the endpoint and advise in just 120 sec? (Anyone? Yes - I would employ you tomorrow and we will make big money... 🙂 )
(please also read this idea - it might work in some cases:
Thirdly, actually, I have never seen any firewall (perimeter or personal) that has a "default allow" implementation. Ever since we have had communicating systems we have all learnt quite well: for any unknown process the only safe action is to block its communication, isn't it? (Please note, blocking unknown processes' communication will not have any effect on known good processes.)
Sure, Webroot, you might say that implementing this could result in blocking too many legitimate processes, but hey, this is your constant job: to classify new processes as quickly as you can, and when we purchase a WSA licence it means we do trust you can do this mandatory job for us, for our safety.
Also, even without your expert job (and cloud database updates), local admins could easily deal with those untrusted processes whose communications were blocked via the Admin Console, so they could easily classify any unknown process as "Good" if need be.
Dealing with some blocked communications is (in my opinion) still much better stuff than dealing with tons of encrypted files... and never-ending ransomware infections are just about to teach it to us all.
So why not let us stay on the safer side?
Kind regards,

WSA 6500+ endpoints installed and maintained daily, 12+ years Webroot sales & support, 2 yr Webroot MSP

7 replies

Good suggestion.
I have just set it to block by default at my end.
Badge +3
Since newer cryptos are not reaching out to the C&C until AFTER the files are encrypted, would a better approach be for all new processes to be blocked by default unless they are known to be good (using the Webroot cloud)?
If an end-user has legitimately installed a new software and it is blocked from running until the WSA admin has specifically allowed it, then what harm?
Userlevel 6
Hi, edanto!
I agree with you - that will make Webroot software become a white-listing solution and there are several others out there like that (and maintaining a white-listing solution is really really hard, but it does the job in return - as long as we do not care about malware running in already started processes' memory space only and not even being written to disk).
Probably Webroot insists on keeping the unique (?) "journaling and rollback" technology rather than become another white-listing software which sounds good but maybe needs more advanced behaviour detection (e.g. HIPS) and blocking functionalities besides...
Anyway, Webroot does not seem to take care of changing the current behaviour anyway; actually, as you can see, my original post is still in "New" status ever since 2016-03-22 (?)... that means they have not even read it.
In the meanwhile, here is what Comodo will be proud of in 2017 (please note, I only add the screenshot to show you how they emphasize the "unique default block" feature):

After all, I think maybe a feature, a new setting that would allow admins to set "Block all unknown processes from running" (as you said) would be very welcome, so admins could decide themselves if they want to use it or not. Webroot should just understand the needs of the market (listen to the ideas) and provide more and more features in their products. And admins will like it better :)
I have not used Comodo for years. I have used Webroot since it was Prevx. Everything else is bloatware. Kaspersky is available to me free of charge and Kaspersky Endpoint at a ridiculously cheap price BUT I remain with Webroot.
Badge +3
Gyozok, a Webroot employee on a different thread explained how the person/people that used to admin the forum are no longer active, so it would seem that no consideration of the idea will come here on the forum.

I'll stand back unless I hear differently, no point in adding my wasted effort to your ignored good work.
Userlevel 7
I am afraid to say that you are majorly mistaken in what you say...the Community Manager has left but that is only a temporary 'hole' and another will be appointed shortly as far as I understand it.
As for "no consideration"...well, the Development Team review this part of the Forum regularly and they are the ones who decide as to whether an idea has merit or not and whether those that have merit warrant being pursued.
Therefore not commenting or adding to ideas is not the way to go.
Having said that, just because an idea is made does not mean it will be accepted or followed up...but a case in point was the reinstatement of the granular control in View Active Connections; this was dropped with the release of Windows 8 & in the changes made by Microsoft in terms of how 3rd party applications are allowed to interact with the built-in firewall...but has since been reinstated after ideas & support for them in this forum.
Regards, Baldrick
Userlevel 7
Badge +25
I like this idea. You can't get enough protection. Correct me if I'm wrong, why can't you create a rule of "Block Unknown Processes" in the existing Windows Firewall?
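The default-block posture the thread asks for (block outbound traffic from anything not already classified as good, and let the admin review what was blocked) can be approximated with the built-in Windows Defender Firewall, which is what the last reply asks about. The script below is an added example written for this page; it is not Webroot's code and not something posted in the thread. It assumes an elevated PowerShell session on Windows 8/Server 2012 or later (the NetSecurity cmdlets), and the program paths in `$KnownGoodPrograms` are constructed sample values that an admin would replace with their own allow list.

```powershell
# Added example (not Webroot's or the forum's code): default-deny outbound in
# Windows Defender Firewall with a path-based allow list of known-good programs.
# Run in an elevated session. Program paths below are constructed samples.

$KnownGoodPrograms = @(
    'C:\Program Files\ExampleVendor\ExampleApp\exampleapp.exe',   # constructed sample path
    "$env:SystemRoot\System32\svchost.exe"                        # Windows services host (broad!)
)

# Survey the current posture first: the original post's complaint is exactly a
# "default allow" for unknown programs, which shows up here as DefaultOutboundAction.
Get-NetFirewallProfile | Select-Object Name, Enabled, DefaultInboundAction, DefaultOutboundAction

# Record every blocked connection in the Security log (event IDs 5152/5157) so
# blocked-but-legitimate programs can be found and classified afterwards.
auditpol /set /subcategory:"Filtering Platform Packet Drop" /success:enable /failure:enable
auditpol /set /subcategory:"Filtering Platform Connection" /failure:enable

# One allow rule per known-good program on all profiles, keyed by a fixed group
# name so the allow list can be listed, audited and removed as a unit.
$Group = 'Allowlist - Known Good Outbound (example)'
foreach ($Program in $KnownGoodPrograms) {
    if (-not (Test-Path -LiteralPath $Program)) {
        Write-Warning "Skipping missing program: $Program"
        continue
    }
    $Name = 'Allow outbound - ' + [IO.Path]::GetFileName($Program)
    if (-not (Get-NetFirewallRule -DisplayName $Name -ErrorAction SilentlyContinue)) {
        New-NetFirewallRule -DisplayName $Name -Group $Group `
            -Direction Outbound -Action Allow -Program $Program `
            -Profile Domain, Private, Public -Enabled True | Out-Null
    }
}

# Flip the default: anything not matched by an allow rule is now blocked. This is
# the "default block for unknown processes" the thread argues for.
Set-NetFirewallProfile -Profile Domain, Private, Public -DefaultOutboundAction Block

# Review step: the allow list in force, then the most recent blocked connections
# (5157 carries the blocked application's path in Properties[1]).
Get-NetFirewallRule -Group $Group | Get-NetFirewallApplicationFilter | Select-Object Program
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 5157 } -MaxEvents 20 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, @{ n = 'Application'; e = { $_.Properties[1].Value } }
```

Two caveats a practitioner would want next to this. Windows Firewall program rules match on file path, not on file identity, so a malicious binary dropped into an allowed path, or code injected into an allowed process (the in-memory case mentioned in the thread), inherits the allow; the svchost.exe entry in particular allows every Windows service at once. And the firewall only controls network traffic; the stricter "block unknown processes from running" that edanto asks about is an application-control feature (AppLocker or Windows Defender Application Control on Windows), not a firewall rule.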