I was told about a function that Panda antivirus has: it monitors how many files a process accesses at a time. If it's too many files, then it kills the process.
A normal process usually doesn't access thousands of files at the same time/in a short while, but a ransom virus will do that.
Is this something you could implement?
We would like to make a feature request to have Webroot integrate with N-able RMM tool to send alerts, information, and anything relevant that can show up in the N-able console. Bonus would be an easy way to deploy Webroot through N-able.
Customer would like some sort of error message or alert on screen or on the system tray icon to alert that there was a licence check failure and to prompt them to take action rather than leaving the icon green.
We just got a CryptoWall infection at one of our customers with 1500 PCs.
Even though the WSA client is capable of recognizing new unknown processes starting on an endpoint, and even though it also reports them to the console, still the most important things are missing:
- send an email alert to admins immediately when an endpoint reports a new unknown process running on the endpoint
- be able to create a report in the console for a specific day that includes the new unknowns found on THE SPECIFIED DAY only
If we had this information, we could possibly pinpoint the infection among the 1500 PCs very quickly.
Now we could not, because, just imagine: what is the best advice if you see files being encrypted on file server shares? Switch off the shares and disconnect the endpoints from the LAN / Internet! Well, but then again, that would lead to several days off work, and you would need to find the infected machine with everything offline.
So in our example, Saturday morning some user suddenly found encrypted files on a network share. The share was switched off. We saw the timestamps of the HELP_DECRYPT.TXT files, so we could see when the malware encrypted the files. It was Saturday morning. OK. Then, IF we had an alert about the new unknowns of this Saturday, then we could easily pinpoint, out of 1500 clients, which ones were running an unknown process at the time of encryption - and we could stop only these PCs and let the others work.
So, I believe, as I told Webroot several times already in 2012: sending alerts about caught viruses to admins (meaning the existing "Threat Detected" and "" reports) is simply useless, as they contain information after auto-remediation (auto-quarantining the malware). Some email collectors may like to get these alerts, but they will really have no job to do with them.
Rather, admins need to focus on hidden things running in the environments, and those are the unknowns.
We need alerts for each and every unknown process immediately, just as soon as they first run! That is what admins must take care of! And then admins will have a chance to stay in control.
WSA 6500+ endpoints installed and maintained daily, 11+ years with Webroot, 1 yr Webroot MSP
Today I booted my PC and saw the red alert Webroot icon. Opened the UI and saw this:
Sure I got excited and wanted to know immediately what malware is active on my system!!!
Isn't it that you also wanted to know immediately what infection is active on your PC?
1) As a simple home user (not an IT expert) I realized that I simply do not have any chance to get any details - I cannot click anywhere for more details!!! Why? Why isn't there any "Details" button/link yet to help me out of this scary situation?
2) As an IT expert, of course, I opened the "Control active processes" window - but I found nothing being monitored!!!
IF any threat were active now, I believe that should be monitored, as far as I understand the logic of SecureAnywhere. Why is there nothing being monitored??? It scares me even more! The malware must be hiding very well! I have a malware active and I cannot get to know what it is!!! SOS SOS SOS to the World!!!
3) As a more experienced IT expert (but hey! stop! Webroot users may never be required to become an experienced IT expert just for getting detailed info about a malware alert) I saved and checked the threat log first. Nothing! Oh my good God, I have an active threat and
- no details on UI available
- it is not even logged in threat log
4) Ok, so very last chance is if I could find anything in the scan log. Let's go for it! Exported. Wow, I found the following in the scan log:
Tue 2016-03-08 11:13:59.0441 Infection detected: d:\letoltesek\mediainfo_gui_0.7.81_windows.exe [MD5: B8906012C0AEC3EB8A61B189F41AE47C] [3/00001400] [W32.Malware.Ml.Vt]
Tue 2016-03-08 11:13:59.0768 Scan Results: Files Scanned: 61528, Duration: 16m 12s, Malicious Files: 1
Tue 2016-03-08 11:13:59.0862 Scan Finished: [ID: 646 - Seq: 2147000000]
Tue 2016-03-08 11:17:56.0639 Agent Bits : 0
So I got it, finally! So nice to be an expert log-reader! Webroot, thank you for using my built-in human intelligence and years spent in the IT university in relation to using your products for the common people! Give me a double-kudo NOW and get me to the next level!
Ok, so I got the malware logged. But why logged only?! If it was found, why wasn't it quarantined immediately, and why didn't I receive a quarantine message instead of a malware alert red icon? What if I do not even notice the red icon? Have you conducted a survey about what percentage of common computer users would notice this red icon and know what to do with it? I bet it would be a very low %. Furthermore, there is not any advice on what to do now...
Very very poor implementation of
- malware found logic and
- alerting logic
It all needs to be reinvented, Webroot.
Now, there's a little more if we take a look what was found as a malware expert:
mediainfo_gui_0.7.81_windows.exe is not really malware; it only has an adware (OpenCandy) inside the installer, thus it should have been classified as "PUA/Opencandy". Others classified it as a PUA, too:
So, here go my feature requests:
Reinvent actions on found malware and make the product usable for your customers, especially for common people, so:
1. add a window to show details of found malware on UI and make it easy to access
2. if a threat is found (no matter if during a scan or in real time), log it in the threat log (not in the scan log only)
3. if a threat is found under such circumstances when user action is impossible (e.g. during boot-up or when user is logged in), make sure
- you quarantine the malware
- you notify the user in detail the very next time the user logs in about what was found & quarantined when user action was impossible
Well, I wonder if Webroot's development manager has ever ever used this product and ever cared about this annoying red icon without details? Webroot, why don't you want me as a development manager? For that money, I will even take care of the basics of computer software products' usability features. I guarantee I use the product myself and will make a development plan that fits much better to the needs of the users, including admins.
Why am I making this unusual offer? Because:
1. I do not like to be scared by any AV that I have a malware active (which at the end turns out not to be active at all)
2. or if the AV scares me because it has to, I really do not feel comfortable if I cannot get the details at my hands easy
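The scan log excerpt quoted in the post above is the only place the detection surfaced, so as an added example (not Webroot's code, and the line format is an assumption inferred from the four quoted lines) here is a small parser that pulls the "Infection detected" entries out of that log and cross-checks them against the "Malicious Files" count in the "Scan Results" line. The sample input is the post's own four log lines.

```python
import re

# Sample input: the four scan-log lines quoted in the post (constructed here as a string).
SAMPLE_LOG = """\
Tue 2016-03-08 11:13:59.0441 Infection detected: d:\\letoltesek\\mediainfo_gui_0.7.81_windows.exe [MD5: B8906012C0AEC3EB8A61B189F41AE47C] [3/00001400] [W32.Malware.Ml.Vt]
Tue 2016-03-08 11:13:59.0768 Scan Results: Files Scanned: 61528, Duration: 16m 12s, Malicious Files: 1
Tue 2016-03-08 11:13:59.0862 Scan Finished: [ID: 646 - Seq: 2147000000]
Tue 2016-03-08 11:17:56.0639 Agent Bits : 0
"""

# Timestamp prefix shared by every line: weekday, date, time with fractional seconds.
TS = r"(?P<ts>\w{3} \d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d+)"
# Assumed layout of a detection line: path, MD5, a flags field, then the threat name.
DETECT_RE = re.compile(
    TS + r" Infection detected: (?P<path>.+?) \[MD5: (?P<md5>[0-9A-Fa-f]{32})\]"
         r" \[(?P<flags>[^\]]*)\] \[(?P<name>[^\]]*)\]$"
)
RESULT_RE = re.compile(TS + r" Scan Results: .*Malicious Files: (?P<count>\d+)")


def parse_scan_log(text):
    """Return (detections, reported_count): one dict per detection line, plus the
    count the scan summary claimed, or None if no summary line was present."""
    detections, reported = [], None
    for line in text.splitlines():
        m = DETECT_RE.match(line)
        if m:
            detections.append(m.groupdict())
            continue
        m = RESULT_RE.match(line)
        if m:
            reported = int(m.group("count"))
    return detections, reported


def detection_summary(text):
    """Human-readable lines an alert could show instead of a bare red icon."""
    detections, reported = parse_scan_log(text)
    lines = [f"{d['ts']} {d['name']} {d['path']} md5={d['md5'].lower()}" for d in detections]
    if reported is not None and reported != len(detections):
        lines.append(f"warning: summary reported {reported} malicious files, "
                     f"but {len(detections)} detection lines were parsed")
    return lines


if __name__ == "__main__":
    print("\n".join(detection_summary(SAMPLE_LOG)))
```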
Webroot should provide our download via Https rather than Http, “to give clients comfort that what they intend to receive is legitimate”.
Sometimes our techs need to temporarily disable AV protection during troubleshooting. At the moment all we can do is fully uninstall Webroot, which is not desirable. It would be great if there was a "Disable protection" option which could be clicked on by any user and, after entering a password (defined in the central policy), protection is disabled for 5, 10, 30 mins or 1 hour.
I can't believe I was told by support to field this to a BLOG site, but whatever. The idea is as follows. The software (web console) has no maintenance feature available for inactive licenses to be polled and placed into a folder that shows them as inactive, and then to recover those said licenses. In a large environment such as education, machines are replaced and/or renamed, and there are many thousands of machines to try and keep track of: issuing a remove command and then sending them manually to inactive clients is, how shall we say, "impractical to maintain". Webroot needs to develop a routine that allows the administrator to set a time frame (if inactive for (drop-down box) 30-60-90 days), then free up the license so it can go back into the Enterprise licensing pool. I cannot believe that this has not been developed before now, as other AV companies have routines to take care of licensing issues.
Hint, guys at Webroot: you want to go mainstream with large campuses and enterprises, and if you don't have this, they will go elsewhere.
Since we have the ability to group machines together and apply policies to them based on the group, it would make sense to be able to issue alerts to various lists based on what group the alert occurs in. In short, if I have different groups of machines, I want to be able to alert different techs to threats that occur to that group. Should be a pretty simple modification folks and it would make it easier to administer and support multiple customers.