Webroot added to VirusTotal

  • 14 February 2017
  • 33 replies
  • 318 views

Userlevel 7
Badge +52
We welcome the Webroot scanner to VirusTotal. This is a machine learning engine from the US. In the words of the company:
 
"Webroot SecureAnywhere Business Endpoint Protection is a cloud-driven anti-malware solution and was the first next generation solution to offer a full replacement to conventional AV when launched in 2011.
Rather than rely on static signatures to identify malicious files and process, Webroot uses real-time monitoring and analysis of the events occurring within a device. Then, by using the extensive resources of cloud-based computing, threat and behavioral intelligence, Webroot is able to predict with negligible false positives any signs of malicious behavior. Windows PE files submitted to VirusTotal will be processed by the Webroot PE Scanner, non-PE files will not be scanned."

Webroot has expressed its commitment to follow the recommendations of AMTSO and, in compliance with our policy, facilitates this review by MRG Effitas, an AMTSO-member tester.
 
http://blog.virustotal.com/2017/02/virustotal-webroot.html


Will we see BrightCloud URL determinations available on VT?
@ wrote:
The antivirus result displays a green circle with a white tick mark, what does this mean?



VirusTotal makes use of the symbol to indicate that the given file was not detected in any way by the antivirus under consideration. We do not use the word "clean" or "innocuous" because antivirus solutions do not tell you whether a file is goodware, they just flag maliciousness.
https://www.virustotal.com/en/faq/
The new VirusTotal website is available here. Google says the new interface is still under testing and it might change prior to its official launch.

Userlevel 6
FINALLY it has happened for Webroot too! Nice for this company for getting this kind of recognition after all these years of hard labour!!! 😛
Userlevel 7
Badge +35
@ wrote:
It's a commandline scanner which is not publicly available.  It leverages our cloud in a similar way to our SecureAnywhere product, but is missing many efficacy components seen in our production agent, which could lead to samples being potentially missed via VT vs. the public SecureAnywhere agent. Hence we have named the VT Scanner, Webroot PE Scanner, to ensure differentiation.
 
If in doubt, use our agent.
 
Paul
To add to what Paul said, all of the scanners on VT are commandline scanners and the results from any of the scanners on VT may differ from publicly available products. 
 
I highly recommend reading the About page on VirusTotal, particularly the "Important notes and remarks" section.
 
-Dan
Userlevel 7
Badge +56
@ wrote:
Pigs fly and miracles do happen!   Must have been a cold day there for this to finally happen.
/me is picking his jaw up from the floor.  :mansurprised:
 
 
 
 
That's how I feel... I thought it would never happen, going by some Webroot Staff I have talked to over the years. But I guess times change...
Userlevel 2
Pigs fly and miracles do happen!   Must have been a cold day there for this to finally happen.
/me is picking his jaw up from the floor.  :mansurprised:
 
 
 
 
Userlevel 7
Badge +34
Thanks TH. 😃
Userlevel 7
Badge +56
@ wrote:
Thanks Paul for explaining the Webroot PE Scanner on Virus Total. One question though, what exactly does PE stand for?
 
The Portable Executable (PE) format is a file format for executables, object code, DLLs, FON Font files, and others used in 32-bit and 64-bit versions of Windows operating systems. The PE format is a data structure that encapsulates the information necessary for the Windows OS loader to manage the wrapped executable code. This includes dynamic library references for linking, API export and import tables, resource management data and thread-local storage (TLS) data. On NT operating systems, the PE format is used for EXE, DLL, SYS (device driver), and other file types. The Extensible Firmware Interface (EFI) specification states that PE is the standard executable format in EFI environments.
 
https://en.wikipedia.org/wiki/Portable_Executable
 
http://blog.virustotal.com/2017/02/virustotal-webroot.html
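The blog statement quoted at the top of the thread says only Windows PE files are processed by the Webroot PE Scanner. As an added example (not from this thread, Webroot or VirusTotal), this Python sketch checks whether a file carries the PE headers described in the post above; the names `classify_pe` and `build_sample` and the sample bytes are constructed for illustration, and how VirusTotal itself decides what counts as a PE is not stated on the page.

```python
import struct

# Subset of Machine values and optional-header magics from the PE/COFF spec.
MACHINES = {0x014C: "x86", 0x8664: "x64", 0xAA64: "ARM64"}
OPT_MAGIC = {0x10B: "PE32", 0x20B: "PE32+"}
IMAGE_FILE_DLL = 0x2000  # Characteristics flag: image is a DLL


def classify_pe(data: bytes):
    """Return header facts for a PE image, or None if data is not a PE."""
    # DOS header: "MZ" magic; e_lfanew at 0x3C points to the PE signature.
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    # Signature (4) + COFF header (20) + optional-header magic (2) must fit.
    if e_lfanew + 26 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return None
    machine, _, _, _, _, opt_size, chars = struct.unpack_from(
        "<HHIIIHH", data, e_lfanew + 4)
    (magic,) = struct.unpack_from("<H", data, e_lfanew + 24)
    if opt_size < 2 or magic not in OPT_MAGIC:
        return None  # e.g. a COFF object file or a corrupt header
    return {
        "machine": MACHINES.get(machine, hex(machine)),
        "format": OPT_MAGIC[magic],
        "dll": bool(chars & IMAGE_FILE_DLL),
    }


def build_sample(machine=0x8664, magic=0x20B, chars=0x0022):
    """Constructed input: bare headers only, not a loadable program."""
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x80)  # e_lfanew = 0x80
    pad = b"\0" * (0x80 - len(dos))
    coff = struct.pack("<HHIIIHH", machine, 0, 0, 0, 0, 0xF0, chars)
    opt = struct.pack("<H", magic) + b"\0" * (0xF0 - 2)
    return dos + pad + b"PE\0\0" + coff + opt


if __name__ == "__main__":
    for name, blob in [("constructed.exe", build_sample()),
                       ("constructed.dll", build_sample(0x014C, 0x10B, 0x2102)),
                       ("report.pdf", b"%PDF-1.7\n" + b"\0" * 64),
                       ("truncated.exe", build_sample()[:0x84])]:
        print(name, "->", classify_pe(blob) or "not a PE")
```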
Userlevel 7
Badge +56
@ wrote:
It's a commandline scanner which is not publicly available.  It leverages our cloud in a similar way to our SecureAnywhere product, but is missing many efficacy components seen in our production agent, which could lead to samples being potentially missed via VT vs. the public SecureAnywhere agent. Hence we have named the VT Scanner, Webroot PE Scanner, to ensure differentiation.
 
If in doubt, use our agent.
 
Paul
I fully understand what you're saying as the old Prevx was on VT back before WSA so thanks for that info! https://community.webroot.com/t5/Ideas-Exchange/Adding-a-Webroot-SDK-to-VirusTotal/idi-p/7462
Userlevel 7
Badge +34
Thanks Paul for explaining the Webroot PE Scanner on Virus Total. One question though, what exactly does PE stand for?
 
Badge +1
It's a commandline scanner which is not publicly available.  It leverages our cloud in a similar way to our SecureAnywhere product, but is missing many efficacy components seen in our production agent, which could lead to samples being potentially missed via VT vs. the public SecureAnywhere agent. Hence we have named the VT Scanner, Webroot PE Scanner, to ensure differentiation.
 
If in doubt, use our agent.
 
Paul
Userlevel 7
Badge +56
@ wrote:
It's misleading so VT users need to be aware of this. We are one of the few security vendors to proactively whitelist files, however this isn't differentiated on VT with the green ticks.
 
Green ticks can relate to unclassified malware, if in doubt scan with our agent and look at the log files.
 
Paul
Is VT using the Full Cloud or something like a Commandline Scanner? Any other details would be appreciated.
 
TIA,
 
Daniel
Badge +1
It's misleading so VT users need to be aware of this. We are one of the few security vendors to proactively whitelist files, however this isn't differentiated on VT with the green ticks.
 
Green ticks can relate to unclassified malware, if in doubt scan with our agent and look at the log files.
 
Paul
Userlevel 7
Hi Paul
 
Many thanks for the heads up/clarification of how Webroot is getting involved with VT. I was certain that the clever people at Webroot would figure out how to bring the benefits of a first class analysis engine to bear...without compromising the inherent security of WSA. :D
 
Look forward to seeing the Green 'W' leading the way at VT.
 
Regards, Baldrick
The antivirus result displays a green circle with a white tick mark, what does this mean?



VirusTotal makes use of the symbol to indicate that the given file was not detected in any way by the antivirus under consideration. We do not use the word "clean" or "innocuous" because antivirus solutions do not tell you whether a file is goodware, they just flag maliciousness.
https://www.virustotal.com/en/faq/
Userlevel 7
Badge +62
Sounds good...Thanks Paul!
Userlevel 7
Badge +56
Thanks Paul!
 
Daniel
Badge +1
Hi Everyone,

We decided to launch the VirusTotal scanner to provide the wider community the ability to get our opinion on files, it's taken us a little while to get here as we've been heads down focussing on servicing the needs of our customers, via our product portfolio.

Also, it should be noted that the engine we published on VT is different to our engine in the Webroot SecureAnywhere product portfolio. The engine will statically scan files submitted to VT and leverage our Threat Intelligence backend to provide classifications. As you all may know, in our SecureAnywhere agent we have classifications for good, bad and unknown files returned (our log files highlight this). VT is focussed purely on the Bad (malicious) classifications, so you will not be able to see whether a submitted file is Good (whitelisted) via VT; please use our SecureAnywhere agent if you'd like to verify if files are whitelisted.

If you have any questions, feel free to post here or PM me.

Regards,

Paul
Product Strategy
Userlevel 7
Badge +56
@ most of us that have already posted in this thread and when you make so many edits we get an email for every edit, so I wanted to let you know.
Now that Webroot has been added to VirusTotal.

What does 'File not detected' mean on VirusTotal?
VirusTotal shows green check with mouse hover ...File not detected.... at
https://www.virustotal.com/en/file/d4f3b9593be74983ae195168c2163e793fedb746698612a902ac24d7c65d329f/analysis/



Does 'File not detected' on VirusTotal mean the same as Unclassified on Webroot?
[u] c:usersjmsdesktophmpalert3.exe [MD5: ADB038237CC1B7B5B7E7B12695B39CA4] [Flags: 00081001.3124]

MD5 adb038237cc1b7b5b7e7b12695b39ca4
Determination: Unclassified
Determined on: February 10 2017, 12:57
File Size: 4.7 MB
First Seen: February 10 2017, 12:44
PC Count: 60

Or does 'File not detected' on VirusTotal mean 'No threat found' as file is Safe as malware threats not detected?

File name: hmpalert3.exe
Detection ratio: 0 / 58
Analysis date: 2017-02-16

Scan with Webroot client reports Threats detected 0.

So I'm confused as to what 0 means.
0 on VirusTotal and 0 on Webroot client.

Webroot consumer client reports Threats detected 0 and also reports [u].
And Webroot SecureAnywhere Business Endpoint Protection on VirusTotal reports Detection 0 and 'File not detected'.

And since the file is not moving, what does 0 & [u] & 'File not detected' mean in relation to a static / dormant file?
 
As far as I know. 
Security soft vendors do not install every piece of software and watch every single thing that the software does and then create a signature for it.
And.
Rather than rely on static signatures to identify malicious files and process, Webroot uses real-time monitoring and analysis of the events occurring within a device.
 
So, what does 0 mean?
0 on VirusTotal and 0 on Webroot client.
And should I give weight to WSA Business Endpoint Protection VirusTotal 0 vs Webroot consumer client [u]?
 
Userlevel 7
Badge +56
@ wrote:
@ wrote:
 
 
Webroot is smart not to be on VT so that Malware Writers can't check to see if it's detected by WSA so it's best to keep them in the dark!
 
Daniel :)
Malware Writers don't check (not submit) samples using VirusTotal ;)
To do this, they use the scanner without sending samples or hashes to vendors (for example - hxxp://stopvir.us/  & others )
It's one of the things I was told by Webroot Staff, not my words. See my post here from last year: https://community.webroot.com/t5/Webroot-SecureAnywhere-Antivirus/Webroot-and-VirusTotal/m-p/253372#M25323
Userlevel 7
Badge +7
What splendid news that was!


 
Userlevel 7
Badge +52
@ wrote:
 
 
Webroot is smart not to be on VT so that Malware Writers can't check to see if it's detected by WSA so it's best to keep them in the dark!
 
Daniel :)
Malware Writers don't check (not submit) samples using VirusTotal ;)
To do this, they use the scanner without sending samples or hashes to vendors (for example - hxxp://stopvir.us/  & others )
Userlevel 7
Badge +56
@ wrote:
Well, perhaps it might, or might have in the past,...but I think it is fair to assume that the clever people at Webroot will have weighed all of that up when making the decision. ;)
 
Hopefully we might get a fuller insight in the fullness of time.
Okay I will make it more clear. I was told by a few Webroot Staff that it was not a good idea over the years so that's why I gave up asking for it to be on VT.
Userlevel 7
Well, perhaps it might, or might have in the past,...but I think it is fair to assume that the clever people at Webroot will have weighed all of that up when making the decision. ;)
 
Hopefully we might get a fuller insight in the fullness of time.
