Clandestine Fox - Will Webroot protect against IE specific attack?

  • 1 May 2014
  • 4 replies
  • 778 views

As there is no patch for IE available yet (CVE-2014-1776), will Webroot protect against the current attack in the wild using this particular exploit? And if yes, how?
 
Thanks
Philipp 

4 replies

Unfortunately, WSA does not have a deep inspection engine for HTTP traffic. This is one of the reasons it's so light and doesn't impact performance. Instead, web protection is through querying their Brightcloud reputation service for the resources and pages you visit. They do not state publicly how these scores and this information are determined.
This choice of not having a scanning engine is philosophical in nature, and isn't a blatant lazy omission. However, there are situations where it would be nice to have. As of yesterday noon I heard that McAfee and Symantec, who do have these, still were not detecting it. Exploits can be mutated like malware to avoid these kinds of detections, or may be so involved that their engines are not detailed enough to figure it out. I'm not a blind defender of Webroot in this regard, but I understand the choice and it's not without merit.
 
The only chance WSA has is against the actual dropped malware that the attacker will put on the machine with the exploit. This is where the WSA solution excels in my view as these dropped binaries, even if not detected, will be limited and journaled for later removal.

For now, install EMET 4.1 - which should already be installed on most corporate machines. It is a proven solution for stopping exploits, and I've been running it on our machines since version 2.
Use it. It's great. It works. It buys you time. It protects your computers against things that don't even have patches. It's free. It's from Microsoft and supported. Do it.
Yes, I was referring to the second phase of the infection, the actual malware, not the exploit itself.
 
We were already looking into EMET and it works fine, although we haven't gone for mass rollout. So far we encountered some problems with document management plugins in Outlook and other Office apps and some problems installing ActiveX (SSL VPNs etc.) in IE. As a workaround we would turn off the particular EMET feature that causes the problem. All in all it seems to work fine. By the way, the tool is now covered by the Msft Enterprise support contracts.
 
 
So glad to hear this! I love EMET. We've had the same issues with some Office plugins. I hate disabling protection that could be critical to have, but at least it gives you the option.
EMET is a solution that can measurably increase the tightness of the OS and its resources.
Because it allows setting both global rules and rules for individual applications, the user gets much greater protection against exploits and vulnerabilities.
I use it myself and for the vast majority of cases, I can also recommend it with a clear conscience :D
 
Regards,
 
Mike
 
