Webroot added to VirusTotal

  • 14 February 2017
  • 33 replies
  • 319 views

Userlevel 7
Badge +52
We welcome the Webroot scanner to VirusTotal. This is a machine learning engine from the US. In the words of the company:
 
"Webroot SecureAnywhere Business Endpoint Protection is a cloud-driven anti-malware solution and was the first next generation solution to offer a full replacement to conventional AV when launched in 2011.
Rather than rely on static signatures to identify malicious files and process, Webroot uses real-time monitoring and analysis of the events occurring within a device. Then, by using the extensive resources of cloud-based computing, threat and behavioral intelligence, Webroot is able to predict with negligible false positives any signs of malicious behavior. Windows PE files submitted to VirusTotal will be processed by the Webroot PE Scanner, non-PE files will not be scanned."

Webroot has expressed its commitment to follow the recommendations of AMTSO and, in compliance with our policy, facilitates this review by MRG Effitas, an AMTSO-member tester.
 
http://blog.virustotal.com/2017/02/virustotal-webroot.html


Userlevel 7
Badge +34
Excellent news! 😃
Userlevel 7
Badge +56
I was told it would never happen? So I wonder why it is now? 😠 @ @ can you get us a comment?
Userlevel 7
Badge +35
@ wrote:
I was told it would never happen? So I wonder why it is now? 😠 @ @ can you get us a comment?
"Webroot has expressed its commitment to follow the recommendations of AMTSO and, in compliance with our policy, facilitates this review by MRG Effitas, an AMTSO-member tester."
 
-Dan
Userlevel 7
Badge +56
Come on Dan you know what I'm talking about!
TripleHelix on 10-06-2016 05:52 PM (https:///t5/Ideas-Exchange/Adding-a-Webroot-SDK-to-VirusTotal/idc-p/270172):
I have changed my mind on this!
 
Webroot is smart not to be on VT so that Malware Writers can't check to see if it's detected by WSA so it's best to keep them in the dark!
 
Daniel 🙂
Userlevel 7
So happy this finally happened! I've been asking around about this for the past year :)
Happy to hear we're getting our name out there.
Userlevel 7
Badge +56
@ wrote:
So happy this finally happened! I've been asking around about this for the past year :)
Happy to hear we're getting our name out there.
Well I asked 5 years ago.....and was told the above.
Userlevel 7
@ wrote:
@ wrote:
So happy this finally happened! I've been asking around about this for the past year :)
Happy to hear we're getting our name out there.
Well I asked 5 years ago.....
Indeed, you did, Daniel, as I well recall...and a number of times since then. Nice to see that it has finally happened. ;)
Userlevel 7
Badge +56
@ wrote:
@ wrote:
@ wrote:
So happy this finally happened! I've been asking around about this for the past year :)
Happy to hear we're getting our name out there.
Well I asked 5 years ago.....
Indeed, you did, Daniel, as I well recall...and a number of times since then. Nice to see that it has finally happened. ;)

I don't know if it is? I was told by a few that it was not a good Idea to give Malware Writers the upper hand in checking for detections on VT. :S
Userlevel 7
Well, perhaps it might, or might have in the past,...but I think it is fair to assume that the clever people at Webroot will have weighed all of that up when making the decision. ;)
 
Hopefully we might get a fuller insight in the fullness of time.
Userlevel 7
Badge +56
@ wrote:
Well, perhaps it might, or might have in the past,...but I think it is fair to assume that the clever people at Webroot will have weighed all of that up when making the decision. ;)
 
Hopefully we might get a fuller insight in the fullness of time.
Okay I will make it more clear. I was told by a few Webroot Staff that it was not a good Idea over the years so that's why I gave up asking for it to be on VT.
Userlevel 7
Badge +52
@ wrote:
 
 
Webroot is smart not to be on VT so that Malware Writers can't check to see if it's detected by WSA so it's best to keep them in the dark!
 
Daniel :)
Malware Writers don't check (not submit) samples using virustotal ;)
To do this, they use the scanner without sending samples or hashes to vendors (for example - hxxp://stopvir.us/ & others)
Userlevel 7
Badge +7
What splendid news that was!


 
Userlevel 7
Badge +56
@ wrote:
@ wrote:
 
 
Webroot is smart not to be on VT so that Malware Writers can't check to see if it's detected by WSA so it's best to keep them in the dark!
 
Daniel :)
Malware Writers don't check (not submit) samples using virustotal ;)
To do this, they use the scanner without sending samples or hashes to vendors (for example - hxxp://stopvir.us/ & others)
It's one of the things I was told by Webroot Staff not my words. See my post here from last year: https://community.webroot.com/t5/Webroot-SecureAnywhere-Antivirus/Webroot-and-VirusTotal/m-p/253372#M25323
Now that Webroot has been added to VirusTotal.

What does 'File not detected' mean on VirusTotal?
VirusTotal shows green check with mouse hover ...File not detected.... at
https://www.virustotal.com/en/file/d4f3b9593be74983ae195168c2163e793fedb746698612a902ac24d7c65d329f/analysis/



Does 'File not detected' on VirusTotal mean the same as Unclassified on Webroot?
[u] c:\users\jms\desktop\hmpalert3.exe [MD5: ADB038237CC1B7B5B7E7B12695B39CA4] [Flags: 00081001.3124]

MD5 adb038237cc1b7b5b7e7b12695b39ca4
Determination: Unclassified
Determined on: February 10 2017, 12:57
File Size: 4.7 MB
First Seen: February 10 2017, 12:44
PC Count: 60

Or does 'File not detected' on VirusTotal mean 'No threat found' as file is Safe as malware threats not detected?

File name: hmpalert3.exe
Detection ratio: 0 / 58
Analysis date: 2017-02-16

Scan with Webroot client reports Threats detected 0.

So I'm confused as to what 0 means.
0 on VirusTotal and 0 on Webroot client.

Webroot consumer client reports Threats detected 0 and also reports [u].
And Webroot SecureAnywhere Business Endpoint Protection on VirusTotal reports Detection 0 and 'File not detected'.

And since file is not moving.  What does 0 & [u] & 'File not detected' mean in relation to a static / dormant file.
 
As far as I know. 
Security soft vendors do not install every piece of software and watch every single thing that the software does and then create a signature for it.
And.
Rather than rely on static signatures to identify malicious files and process, Webroot uses real-time monitoring and analysis of the events occurring within a device.
 
So, what does 0 mean.
0 on VirusTotal and 0 on Webroot client.
And should I give weight to WSA Business Endpoint Protection VirusTotal 0 vs Webroot consumer client [u].
 
Userlevel 7
Badge +56
@ most of us that have already posted in this thread and when you make so many edits we get an email for every edit so I wanted to let you know.
Badge +1
Hi Everyone,

We decided to launch the VirusTotal scanner to provide the wider community the ability to get our opinion on files, it's taken us a little while to get here as we've been heads down focussing on servicing the needs of our customers, via our product portfolio.

Also, it should be noted that the engine we published on VT is different to our engine in the Webroot SecureAnywhere product portfolio. The engine will statically scan files submitted to VT and leverage our Threat Intelligence backend to provide classifications. As you all may know, in our SecureAnywhere agent we have classification for good, bad and unknown files returned (our log files highlight this), VT focussed purely on the Bad (malicious) classifications, so you will not be able to see whether a submitted file is Good (whitelisted) via VT, please use our SecureAnywhere agent if you'd like to verify if files are whitelisted.

If you have any questions, feel free to post here or PM me.

Regards,

Paul
Product Strategy
Userlevel 7
Badge +56
Thanks Paul!
 
Daniel
Userlevel 7
Badge +62
Sounds good...Thanks Paul!
The antivirus result displays a green circle with a white tick mark, what does this mean?



VirusTotal makes use of the symbol to indicate that the given file was not detected in any way by the antivirus under consideration. We do not use the word "clean" or "innocuous" because antivirus solutions do not tell you whether a file is goodware, they just flag maliciousness.
https://www.virustotal.com/en/faq/
Userlevel 7
Hi Paul
 
Many thanks for the heads up/clarification of how Webroot is getting involved with VT. I was certain that the clever people at Webroot would figure out how to bring the benefits of a first class analysis engine to bear...without compromising the inherent security of WSA. :D
 
Look forward to seeing the Green 'W' leading the way at VT.
 
Regards, Baldrick
Badge +1
It's misleading so VT users need to be aware of this. We are one of the few security vendors to proactively whitelist files, however this isn't differentiated on VT with the green ticks.
 
Green ticks can relate to unclassified malware, if in doubt scan with our agent and look at the log files.
 
Paul
Userlevel 7
Badge +56
@ wrote:
It's misleading so VT users need to be aware of this. We are one of the few security vendors to proactively whitelist files, however this isn't differentiated on VT with the green ticks.
 
Green ticks can relate to unclassified malware, if in doubt scan with our agent and look at the log files.
 
Paul
Is VT using the Full Cloud or something like a Commandline Scanner? Any other details would be appreciated.
 
TIA,
 
Daniel
Badge +1
It's a commandline scanner which is not publicly available. It leverages our cloud in a similar way to our SecureAnywhere product, but is missing many efficacy components seen in our production agent, which could lead to samples being potentially missed via VT vs. the public SecureAnywhere agent. Hence we have named the VT Scanner, Webroot PE Scanner, to ensure differentiation.
 
If in doubt, use our agent.
 
Paul
Userlevel 7
Badge +34
Thanks Paul for explaining the Webroot PE Scanner on Virus Total. One question though, what exactly does PE stand for?
 
Userlevel 7
Badge +56
@ wrote:
It's a commandline scanner which is not publicly available. It leverages our cloud in a similar way to our SecureAnywhere product, but is missing many efficacy components seen in our production agent, which could lead to samples being potentially missed via VT vs. the public SecureAnywhere agent. Hence we have named the VT Scanner, Webroot PE Scanner, to ensure differentiation.
 
If in doubt, use our agent.
 
Paul
I fully understand what you're saying as the old Prevx was on VT back before WSA so thanks for that info! https://community.webroot.com/t5/Ideas-Exchange/Adding-a-Webroot-SDK-to-VirusTotal/idi-p/7462
