Cryptolocker/Webroot fail

Given the apparent single try at rolling back it certainly would be effective it seems, particularly given the amount of time it appeared to need in order to roll back, after 12 hrs it did not look like it was even almost done.
 
This is what I thought as well but we have been harrassing support for about 3 weeks now and the only answer we get is that nothing is recoverable. I mean I wouldnt have thought this to be the case considering we still have the original 2Gb DB file so surely the journalled changes are still recorded and selected data could be rolled back but unless this particular support engineer (Have asked numerous times for it to be escalated but so far Webroot have refused to do this) is very bad at his job this is the case.
 
We are currently in a worse place than when we were first infected with Cryptolocker as now Webroot has removed the infection we cannot even go to the last resort of actually paying the ransom, thankfully the user was not in his office with network access at the time and it was just a single PC that was compromised!

@ 
 
Wondering if you have had any success with Webroot support . Surely rollback ability goes to the heart of the  Webroot approach ?

 
Rocky

@ is there any additional information on this situation?
As a fellow Webroot customer this is worrying to me. As noted, Cryptolocker is a threat WSA is supposed to be uniquely capable of dealing with.

Thank you for the information Nic.
I agree with what you say, of course. Was hoping WSA was going to fly under the radar a bit longer for direct mitigations, but, hey, you made it. Congratulations....

Thanks Nic for the upfront explanation. Are you saying that we should use traditional AV as well as Webroot ?
 
Would the "outgoing" firewall in WSA not pick up the attempt to dial home ?
 
Rocky

Hi@nic,
 
With all due respect, I think this shows very clearly that Webroot does not have us covered - the infection was not blocked nor able to be rolled back (Mustve missed the memo about Webroot no longer being able to do this as there are still plenty of references to ~4 or 5 months ago that say you can and nothing official that says you now cannot that i've found!) In fact had Webroot not been installed we wouldve been much better off time wise, wouldnt have burnt ~20 hrs with support and if the client ends up paying the ransom then they'd have been much better off doing it initially instead of after this waste of time and having to pay the higher amount, an argument could most certainly be made that had we been using Trend etc. we'd have the same net result but would've got to this point a lot quicker and recovered the data cheaper.
 
As a MSP provider I am now VERY concerned for our other clients using this AV, basically from what you have just alluded to they are completely open to infection by Cryptolocker and should be relying on backups - thats fine long term but recovering a few terrabytes of data for a file server is not a quick process. Surely this is not that hard to detect, a file that tries to encrypt all documents on your system doesnt really sound legit and I wouldve thought behaviour analytics could detect that pretty easily...sure we wouldnt be able to save all documents but at least we'd still have some.

Cheers @ we have brought them in and I think they have asked for some senior people to look into this but I'm trying to keep as many avenues open as possible in the hopes that someone comes through with some breakthrough answer.
 
No thats fine, ask away - the system is running Windows 7 Pro x64.

Just a quick update to let anyone who is following this thread know that our threat research team is still working on this issue to figure out what happened so that we can address it in the future.

Hi All,
 
I am also very much surprised readind through this thread now. I was always believing that journaling and rollback was meant to be something that malware could not trick. I really wonder what could be the real issue with the Webroot software because if we experience that one malware could trick it today then we absolutely cannot be sure this technology will work with other new threats.
 
Can anyone explain how could a malware stop WSA journaling?
 
Maybe, if automatic rollback would not even work (that I could imagine better in rare cases) but I still would like to believe that journaling should always do its job good and that in worse case Webroot could do the rollback manually for us. If not, then really, how can we trust Webroot's unique technology anymore? The things I read here are degrading WSA to the effectiveness of any AV in the world.
 
I am very much frustrated becuase we are just in the middle of preparing big marketing campaigns in our country through lots of marketing channels (facebook, TV, email, news sites, etc.) and the main marketing message would be that Webroot's journalling and rollback technology can cure everything, all zero-days and even Cryptolocker-like malware infections. Now I have big doubts if we should run the campaings at all??? Hmmm.
 
------------
 
On the other hand, taking a look at the issue technically: we all know the heart of all modern malware is to communicate with its control center (CC). If Webroot would block any network communication for unknown processes that would protect us. I think this is the main thing to focus on. Even APTs rely on communications to the CCs. This has to be the first and main thing to block. Cryptolocker cannot do its encyrpting job without communication to the CC either. Do I feel that a really good personal firewall performs better than an AV? If I were the Webroot development director, I would focus on doing this job the best first and then journaling and rollback. Show me a modern malware that would do its job without network communication!
 
And actually, I found a very bad default setting in WSA as well. I already told our Webroot rep. some time ago that it is a very big mistake (at least in the consumer version for sure it is like this) when you get an alert about a new unknown process trying to to connect to the network and the alert window counts down 120 sec and the default is to allow after 120 sec. So what if I have to go to the 2nd door just that time? Or I left for lunch or to my boss? Or I do not know what to do (allow/block) and I call the IT guys? Well, WSA defaults to allow the connection! Absolutely unsafe default action! (Not to mention, nothing happened so far, you can check it for yourselves.)
 
Here's the screenshot I am talking about:
 

I didn't really want to post an update yet as technically nothing has changed however this is currently with some of the developers being reviewed. From the updates I have seen it appears the journaling is still working correctly but something causes Webroot to hang or go into a loop whilst trying to roll back these changes. From what I have heard the developers seem to be thinking the data will be able to be recovered however I'll post back when I actually have a final outcome.

@ I think his contention is that WSA should be configured to be fail-secure and not fail-deadly. He is totally correct.
 
@ I'm not sure how you're even seeing that screen in an enterprise configuration, I've never seen it on any of my clients, only on the consumer version.
 

@I get this screen even with the Enterprise version. Recetly I did many real-life tests, downloading some 0-day samples (at least WSA really monitored them so they were 0-day for WSA at least).
 
Experience #1: WSA showed this alert screen which I think is really bad.
 
Experience #2: WSA did not roll back many-many things. Actually, eg. when I started with a downloader app, it downloaded some other and those downloaded even more and more and most of them downloaded again more and WSA monitored each of these but could not remove them. I still have the video of the test, but I do not want to make it public.
 I sent this to ou Webroot rep. but he did not even replied that he got it... 😞