Frequent Voice

Webroot can't detect malicious Word DOCs?

Why can't Webroot detect malicious Word DOCs?

 

I just got this doc in a spear phish e-mail and Webroot totally failed to identify the threat. This particular attack is 8 years old

First Seen In The Wild: 2010-11-20 23:29:33

 

According to VirusTotal the reason is that "Webroot: Unable to process file type", which suggests that Webroot can't detect ANY malicious Word doc. That's pretty scary since we know it is a very common attack vector.

 

Is work being done on this? 8 years later can we get some protection?

 

https://www.virustotal.com/#/file/bc5e2cef534da102cd8b025ad4b404cf8cd832bced80c99918714bf3e3af3a13/d...

17 REPLIES
Bronze VIP

Re: Webroot can't detect malicious Word DOCs?

The only suggestion I can add is to Submit a Support Ticket with the info you supplied and ask them why, and please let us know what they say as we would like to know as well! The Community Staff are now gone and will not be back till Monday, but support is open 24/7/365.

 

Thanks,

 


Daniel

Frequent Voice

Re: Webroot can't detect malicious Word DOCs?

I did make a support ticket. The official response is:

 

"This macro-enabled word document runs powershell to download and execute a malicious payload for the 'Emotet' banking trojan. While we do not yet detect the document itself, we would detect the execution of the payload in real time, and the hash for this payload has already been determined as malicious in our threat database."

 

Which sounds like I would have been protected if the VBA code had run. Furthermore:

 

"We are currently beta testing our 'script shield' addition to our protective coverage, which will be better at detecting non-PE vectors such as .js files, powershell scripts, etc. Once that rolls out we should be able to stop the process at the powershell script execution (using this infection as an example), before it could connect and download the actual payload."

 

Which sounds like they are working on a more layered approach to blocking these attacks, as the payload will change over time.
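The support reply above places detection at the point where the document's macro launches PowerShell. As an added example (not part of the thread, and not Webroot's Script Shield logic), the following flags script hosts whose process ancestry includes an Office application; the events are constructed, use Sysmon Event ID 1 field names, and the process lists, PIDs and paths are assumptions.

```python
import ntpath
import re

OFFICE = {"winword.exe", "excel.exe", "powerpnt.exe"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
# Heuristic for PowerShell's -EncodedCommand and its abbreviations (-e, -ec, -enc, ...).
ENCODED = re.compile(r"\s-(e|ec|en\w*)\s", re.IGNORECASE)
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"

# Constructed process-creation events (Sysmon Event ID 1 field names); not real telemetry.
SAMPLE_EVENTS = [
    {"ProcessId": 100, "ParentProcessId": 1, "Image": r"C:\Windows\explorer.exe",
     "CommandLine": "explorer.exe"},
    {"ProcessId": 200, "ParentProcessId": 100,
     "Image": r"C:\Program Files\Microsoft Office\Office16\WINWORD.EXE",
     "CommandLine": r'WINWORD.EXE /n "C:\Users\alice\Downloads\invoice.doc"'},
    {"ProcessId": 300, "ParentProcessId": 200, "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd.exe /c powershell.exe -w hidden -enc PLACEHOLDER"},
    {"ProcessId": 400, "ParentProcessId": 300, "Image": PS,
     "CommandLine": "powershell.exe -w hidden -enc PLACEHOLDER"},
    {"ProcessId": 500, "ParentProcessId": 100, "Image": PS,
     "CommandLine": r"powershell.exe -ExecutionPolicy RemoteSigned -File C:\Scripts\backup.ps1"},
]

def exe_name(path):
    """Lower-cased file name of a Windows path, regardless of the host OS."""
    return ntpath.basename(path).lower()

def office_ancestor(event, by_pid, max_depth=8):
    """Follow ParentProcessId links upward; return the first Office ancestor or None."""
    seen, pid = set(), event["ParentProcessId"]
    while pid in by_pid and pid not in seen and len(seen) < max_depth:
        seen.add(pid)
        parent = by_pid[pid]
        if exe_name(parent["Image"]) in OFFICE:
            return parent
        pid = parent["ParentProcessId"]
    return None

def find_office_script_launches(events):
    """Alert on script hosts descended from Office, even through cmd.exe."""
    # PIDs are reused on real hosts; a production rule would key on ProcessGuid.
    by_pid = {e["ProcessId"]: e for e in events}
    alerts = []
    for e in events:
        ancestor = office_ancestor(e, by_pid) if exe_name(e["Image"]) in SCRIPT_HOSTS else None
        if ancestor:
            alerts.append({"pid": e["ProcessId"], "office_pid": ancestor["ProcessId"],
                           "encoded": bool(ENCODED.search(e["CommandLine"]))})
    return alerts
```

Only the PowerShell process descended from WINWORD.EXE is flagged; the administrator's scheduled script launched from explorer.exe is not.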

Bronze VIP

Re: Webroot can't detect malicious Word DOCs?


@Dirty_White_Hat wrote:

I did make a support ticket. The official response is:

 

"This macro-enabled word document runs powershell to download and execute a malicious payload for the 'Emotet' banking trojan. While we do not yet detect the document itself, we would detect the execution of the payload in real time, and the hash for this payload has already been determined as malicious in our threat database."

 

Which sounds like I would have been protected if the VBA code had run. Furthermore:

 

"We are currently beta testing our 'script shield' addition to our protective coverage, which will be better at detecting non-PE vectors such as .js files, powershell scripts, etc. Once that rolls out we should be able to stop the process at the powershell script execution (using this infection as an example), before it could connect and download the actual payload."

 

Which sounds like they are working on a more layered approach to blocking these attacks, as the payload will change over time.


Thanks for the info from support! Yes, we are Beta Testing the new Script Shield; see picture below:

[Picture: 2018-10-09_13-00-01.png]

 

 

 


Daniel

Silver VIP

Re: Webroot can't detect malicious Word DOCs?

Thank you @Dirty_White_Hat for posting Support's reply. Good info.


Dave



Bronze VIP

Re: Webroot can't detect malicious Word DOCs?


@total1 wrote:

So, let's make this clear:

The malware is 8 years old, detected by the free MSE, but not Webroot, which is still "working" on some sort of detection...

Remind me again, why should I pay $30/year for Webroot, when the free MSE performs better?

Just curious...


 

From the post above...

 

"While we do not yet detect the document itself, we would detect the execution of the payload in real time, and the hash for this payload has already been determined as malicious in our threat database."

 

Had the payload been executed, Webroot would've jumped on it.

 

So what's your point? (other than to start crap, as usual).

 

Just curious.

Community Leader

Re: Webroot can't detect malicious Word DOCs?

Hi total1, you have already answered your own question. It would be downright bonkers of you to pay for something you didn't feel was going to do you any good. Now, I don't think you are 100% bonkers but I'll have to read some more of your postings to make up my mind.

When time permits, will you post up some more comments so we can determine once and for all if you really are 100% bonkers?

Silver VIP

Re: Webroot can't detect malicious Word DOCs?


@total1 wrote:


Sorry but I do not intend to spend neither money nor time with an antivirus which refuses to participate in any third party evaluation (AV Comparatives, AV Test) and has a detection rate inferior to MSE  which is the basic antivirus of all times.


Then don't. There is nobody here forcing you to, I am sure you will enjoy MSE.

 


 



Bronze VIP

Re: Webroot can't detect malicious Word DOCs?


@total1 wrote: 

Sorry but I do not intend to spend neither money nor time with an antivirus which refuses to participate in any third party evaluation ...


Yet, you’ll waste your and everyone else’s time here, on and off for years incidentally, to bi+ch and moan about a product you haven’t used in years? 

 

Unbelievable.

Community Leader

Re: Webroot can't detect malicious Word DOCs?


@BurnDaddy wrote:

Yet, you’ll waste your and everyone else’s time here, on and off for years incidentally, to bi+ch and moan about a product you haven’t used in years? 

 

Unbelievable.


Perfectly put.