Webroot added to VirusTotal

  • 14 February 2017
  • 33 replies
  • 318 views

Userlevel 7
Badge +52
We welcome the Webroot scanner to VirusTotal. This is a machine learning engine from the US. In the words of the company:
 
"Webroot SecureAnywhere Business Endpoint Protection is a cloud-driven anti-malware solution and was the first next generation solution to offer a full replacement to conventional AV when launched in 2011.
Rather than rely on static signatures to identify malicious files and process, Webroot uses real-time monitoring and analysis of the events occurring within a device. Then, by using the extensive resources of cloud-based computing, threat and behavioral intelligence, Webroot is able to predict with negligible false positives any signs of malicious behavior. Windows PE files submitted to VirusTotal will be processed by the Webroot PE Scanner, non-PE files will not be scanned.”

Webroot has expressed its commitment to follow the recommendations of AMTSO and, in compliance with our policy, facilitates this review by MRG Effitas, an AMTSO-member tester.
 
http://blog.virustotal.com/2017/02/virustotal-webroot.html

33 replies

Userlevel 7
Badge +34
Excellent news! 😃
Userlevel 7
Badge +35
@ wrote:
I was told it would never happen? So I wonder why it is now? 😠 @ @ can you get us a comment?
"Webroot has expressed its commitment to follow the recommendations of AMTSO and, in compliance with our policy, facilitates this review by MRG Effitas, an AMTSO-member tester."
 
-Dan
Badge +1
Hi Everyone,

We decided to launch the VirusTotal scanner to provide the wider community the ability to get our opinion on files, it's taken us a little while to get here as we've been heads down focussing on servicing the needs of our customers, via our product portfolio.

Also, it should be noted that the engine we published on VT is different to our engine in the Webroot SecureAnywhere product portfolio. The engine will statically scan files submitted to VT leverage our Threat Intelligence backend to provide classifications. As you all may know, in oue SecureAnywhere agent have classification for good, bad and unknown files returned ( our log files highlight this), VT focussed purely on the Bad (malicious) classifications, so you will not be able to see whether a submitted file is Good (whitelisted) via VT, please use our SecureAnywhere agent if you'd like to verify if files are whitelisted.

If you have any questions, feel free to post here or PM me.

Regards,

Paul
Product Strategy
Userlevel 7
Badge +56
I was told it would never happen? So I wonder why it is now? 😠 @ @ can you get us a comment?
Userlevel 7
Badge +56
Come on Dan you know what I'm talking about! [u]TripleHelix on ?10-06-2016 05:52 PM Microsofthttps://ExpertWebroothttps://Experthttps:///t5/Ideas-Exchange/Adding-a-Webroot-SDK-to-VirusTotal/idc-p/270172 I have changed my mind on this!
 
Webroot is smart not to be on VT so that Malware Writers can't check to see if it's detected by WSA so it's best to keep them in the dark!
 
Daniel 🙂
Userlevel 7
So happy this finally happened! I've been asking around about this for the past year :)
Happy to hear we're getting our name out there.
Badge +1
It's a commandline scanner which is not publicly available.  It's leverages our cloud in a similar way to our SecureAnywhere product, but is missing many efficacy components seen in our production agent, which could lead to samples being potentially missed via VT vs. the public SecureAnywhere agent. Hence we have named the VT Scanner, Webroot PE Scanner, to ensure differentiation.
 
If in doubt, use our agent.
 
Paul
Userlevel 7
Hi Paul
 
Many thanks for the heads up/clarification of how Webroot is getting involved with VT. I was certain that the clever people at Webroot would figure out how to bring the benefits of a first class analysis engine to bear...without compromising the inherent security of WSA. :D
 
Look forward to seeing the Green 'W' leading the way at VT.
 
Regards, Baldrick
Userlevel 7
@ wrote:
@ wrote:
So happy this finally happened! I've been asking around about this for the past year :)
Happy to hear we're getting our name out there.
Well I asked 5 years ago.....
Indeed, you did, Daniel, as I well recall...and a number of time since then. Nice to see that it has final happened. ;)
Userlevel 7
Well, perhaps it might, or might have in the past,...but I think it is fair to assume that that the clever people at Webroot will have weighed all of that up when making the decision. ;)
 
Hopefully we might get  afuller insight in the fullness of time.
Badge +1
It's misleading so VT users need to be aware of this. We are one of the few security vendor's to proactively whitelist files, however this isn't differentiated on VT with the green ticks.
 
Green ticks can relate to unclassified malware, if in doubt scan with our agent and look at the log files.
 
Paul
Userlevel 7
Badge +56
@ wrote:
It's misleading so VT users need to be aware of this. We are one of the few security vendor's to proactively whitelist files, however this isn't differentiated on VT with the green ticks.
 
Green ticks can relate to unclassified malware, if in doubt scan with our agent and look at the log files.
 
Paul
Is VT using the Full Cloud or something like a Commandline Scanner? Any other details would be appreciated.
 
TIA,
 
Daniel
Userlevel 7
Badge +35
@ wrote:
It's a commandline scanner which is not publicly available.  It's leverages our cloud in a similar way to our SecureAnywhere product, but is missing many efficacy components seen in our production agent, which could lead to samples being potentially missed via VT vs. the public SecureAnywhere agent. Hence we have named the VT Scanner, Webroot PE Scanner, to ensure differentiation.
 
If in doubt, use our agent.
 
Paul
To add to what Paul said, all of the scanners on VT are commandline scanners and the results from any of the scanners on VT may differ from publicly available products. 
 
I highly recommend reading the About page on VirusTotal, particularly the "Important notes and remarks" section.
 
-Dan
Userlevel 7
Badge +56
@ wrote:
So happy this finally happened! I've been asking around about this for the past year :)
Happy to hear we're getting our name out there.
Well I asked 5 years ago.....and was told the above.
Userlevel 7
Badge +56
@ wrote:
@ wrote:
@ wrote:
So happy this finally happened! I've been asking around about this for the past year :)
Happy to hear we're getting our name out there.
Well I asked 5 years ago.....
Indeed, you did, Daniel, as I well recall...and a number of time since then. Nice to see that it has final happened. ;)

I don't know if it is? I was told by a few that it was not a good Idea to give Malware Writers the upper hand in checking for detections on VT. :S
Userlevel 7
Badge +56
@ wrote:
Well, perhaps it might, or might have in the past,...but I think it is fair to assume that that the clever people at Webroot will have weighed all of that up when making the decision. ;)
 
Hopefully we might get  afuller insight in the fullness of time.
Okay I will make it more clear. I was told by a few Webroot Staff that it was not a good Idea over the years so that's why I gave up asking for it to be on VT.
Userlevel 7
Badge +52
@ wrote:
 
 
Webroot is smart not to be on VT so that Malware Writers can't check to see if it's detected by WSA so it's best to keep them in the dark!
 
Daniel :)
Malware Writers don`t check (not submit) samples using virustotal ;)
To do this, they uses the scanner without sending samples or hashes to vendors (for example - hxxp://stopvir.us/  & others )
Userlevel 7
Badge +7
What splendid news that was!


 
Userlevel 7
Badge +56
@ wrote:
@ wrote:
 
 
Webroot is smart not to be on VT so that Malware Writers can't check to see if it's detected by WSA so it's best to keep them in the dark!
 
Daniel :)
Malware Writers don`t check (not submit) samples using virustotal ;)
To do this, they uses the scanner without sending samples or hashes to vendors (for example - hxxp://stopvir.us/  & others )
It's one of the things I was told by Webroot Staff not my words. See my post here from last year: https://community.webroot.com/t5/Webroot-SecureAnywhere-Antivirus/Webroot-and-VirusTotal/m-p/253372#M25323
Userlevel 7
Badge +56
Thanks Paul!
 
Daniel
Userlevel 7
Badge +62
Sounds good...Thanks Paul!
Userlevel 7
Badge +56
@ wrote:
Thanks Paul for explaining the Webroot PE Scanner on Virus Total. One question though, what exactly does PE stand for?
 
The Portable Executable (PE) format is a file format for executables, object code, DLLs, FON Font files,[1] and others used in 32-bit and 64-bit versions of Windows operating systems. The PE format is a data structure that encapsulates the information necessary for the Windows OS loader to manage the wrapped executable code. This includes dynamic library references for linking, API export and import tables, resource management data and thread-local storage (TLS) data. On NT operating systems, the PE format is used for EXE, DLL, SYS (device driver), and other file types. The Extensible Firmware Interface (EFI) specification states that PE is the standard executable format in EFI environments.
 
https://en.wikipedia.org/wiki/Portable_Executable
 
http://blog.virustotal.com/2017/02/virustotal-webroot.html
Userlevel 7
Badge +34
Thanks TH. 😃
Userlevel 2
Pigs fly and miracles do happen!   Must have been a cold day there for this to finally happen.
/me is picking his jaw up from the floor.  :mansurprised:
 
 
 
 
Userlevel 7
Badge +34
Thanks Paul for explaining the Webroot PE Scanner on Virus Total. One question though, what exactly does PE stand for?
 

Reply