Solved

If Webroot misses a virus can that virus connect to remote server and send my keystrokes?


Re. this video by Webroot: https://www.youtube.com/watch?v=uKMZ1Ukw_7I
 
Can you please confirm that this (unknown and undetected) keylogger would be automatically blocked from sending the captured keystrokes to a remote server? i.e. would the Webroot firewall component prompt me before allowing an unknown (as yet unverified) application from connecting outbound?
 
Thanks
PJ

Best answer by DanP 17 March 2015, 15:47

15 replies

Userlevel 7
Badge +62
Hello PJCarmody,
 
I might need help in answering this but here's an interesting thread https://community.webroot.com/t5/Webroot-SecureAnywhere-Complete/Concern-regarding-Webroot-SecureAnywhere-Keylogger-protection/m-p/184170/highlight/true#M10864
 
 
@ can you assist here?
Userlevel 7
Badge +56
Hello and Welcome to the Webroot Community!
 
Sherry pointed to a good thread and yes, WSA will protect from all unknown keyloggers, as the WIN cloud http://www.brightcloud.com/platform/webroot-intelligence-network.php is analyzing its behaviour. Also, its Identity Shield protects from malicious activity, so there are many layers that most don't have. Also see the latest MRG tests: https://community.webroot.com/t5/Announcements-and-Release-Notes/WSA-certified-in-MRG-Effitas-360-Assessment-amp-Certification/m-p/185041#M4198
 
Thanks,
 
Daniel ;)
 


 

Hi Sherry and Daniel,
 
Thanks for your quick responses, lots of good info there which I've now read thru and watched.
 
What I'm wondering is specifically what happens in this scenario below:
 
1) Webroot is watching the new executable (keylogger) - as shown in Webroot Education video https://www.youtube.com/watch?v=uKMZ1Ukw_7I
 
2) As in the video, the keylogger is capturing keystrokes (not in protected applications such as web browser)
 
3) The keylogger wants to send keystrokes to remote bad person, via Internet (and assuming at this stage Webroot still does not know that this is an evil executable as not on WIN yet)
 
4) What does Webroot do when keylogger wants to send data - will the Webroot Firewall trap the access to the outgoing Internet? And will it notify me, say "Hey Keylogger.exe wants to access the Internet, it's an verified application, do you want it to do that?"
 
So what happens in step 4 please?
 
Thanks
 
PJ
Userlevel 7
Badge +62
Hello PJ,
 
To be honest I would like to ping..@ or @ to answer this for you, for they are Threat Researchers and they know more than I.
 
So hang in there and one of them will answer this question for you.
 
 
Best Regards,
Userlevel 7
Badge +56
@ wrote:
Hi Sherry and Daniel,
 
Thanks for your quick responses, lots of good info there which I've now read thru and watched.
 
What I'm wondering is specifically what happens in this scenario below:
 
1) Webroot is watching the new executable (keylogger) - as shown in Webroot Education video https://www.youtube.com/watch?v=uKMZ1Ukw_7I
 
2) As in the video, the keylogger is capturing keystrokes (not in protected applications such as web browser)
 
3) The keylogger wants to send keystrokes to remote bad person, via Internet (and assuming at this stage Webroot still does not know that this is an evil executable as not on WIN yet)
 
4) What does Webroot do when keylogger wants to send data - will the Webroot Firewall trap the access to the outgoing Internet? And will it notify me, say "Hey Keylogger.exe wants to access the Internet, it's an verified application, do you want it to do that?"
 
So what happens in step 4 please?
 
Thanks
 
PJ
Yes #4 is correct if the keylogger is new, so in this case Unknown to the Cloud Database, WSA's firewall automatically blocks it from calling out, no pop-up on Win 8.1, and I really never had a Keylogger personally. Now while this is being done the behaviour is being checked and rechecked, then it sets to block it from seeing and doing anything to other programs; there are many levels of monitoring within WSA. WSA is a Smart AV and its Firewall is as well; WSA sees the Bad, Good & Unknown, unlike other conventional AVs that know Good or Bad. https://www.youtube.com/watch?v=mwnhr1Dlkfo#t=77 and this video https://www.youtube.com/watch?v=GqvVTE8-fA4
 
Thanks,
 
Daniel
Userlevel 7
Badge +56
Also you can add web facing programs to protect as well in Identity Shield.
 
Thanks,
 
Daniel ;)
 

Userlevel 7
In your example you are running with the following assumptions:
 
1) The malware was downloaded via a website or email that wasn't blocked
2) The executed malware wasn't detected
3) Said malware then executed
 
The Identity Shield is quite protective and it doesn't really rely on the file determination; it doesn't like any software trying to intercept keystrokes. Note that all keystrokes are protected by Webroot regardless of what a file's determination is. It's worth mentioning that keyloggers have really fallen out of favour; they are quite rare to encounter these days. It's much easier (and more effective) to trick people into giving you information (phishing) rather than steal it.
Thanks Daniel, couple more questions on this:
 
>Yes #4 is correct if the keylogger is new so in this case Unknown to the Cloud Database WSA's firewall
> automatically blocks it from calling out no pop-up on Win 8.1
 
Is there a pop-up on Win 7? Wondering about false positives, whereby Unknown programs are silently blocked from accessing the Internet
 
> now while this is being done the Behaviour is being checked and rechecked then it sets to block it from seeing
> and doing anything to other programs, there are many levels of Monitoring within WSA
 
From the video it looks like the Unknown keylogger is able to do what it wants, until and if it becomes Known, at which point if it is considered Bad then it will be Blocked and all its activities up until that time will be reversed?
 
PJ
 
 
Thanks, I agree with the assumptions, they do follow from the video example.
 
>all keystrokes are protected by Webroot regardless of what a file's determination is
 
From what I can see this only applies to Protected Applications; ones that have been pre-added to the list, or manually added later, correct?
Userlevel 7
Badge +56
@ wrote:
Thanks Daniel, couple more questions on this:
 
>Yes #4 is correct if the keylogger is new so in this case Unknown to the Cloud Database WSA's firewall
> automatically blocks it from calling out no pop-up on Win 8.1
 
Is there a pop-up on Win 7? Wondering about false positives, whereby Unknown programs are silently blocked from accessing the Internet
 
> now while this is being done the Behaviour is being checked and rechecked then it sets to block it from seeing
> and doing anything to other programs, there are many levels of Monitoring within WSA
 
From the video it looks like the Unknown keylogger is able to do what it wants, until and if it becomes Known, at which point if it is considered Bad then it will be Blocked and all its activities up until that time will be reversed?
 
PJ
 
 
I'm not sure about any pop-ups as I never had a Keylogger, but all I can say is you are well protected, and hopefully @ or @ can tell us what does happen. These are the 3 best places to check within WSA:

1. http://www.webroot.com/En_US/SecureAnywhere/PC/WSA_PC_Help.htm#C10_SystemControl/CH10b_ControllingProcesses.htm
2. http://www.webroot.com/En_US/SecureAnywhere/PC/WSA_PC_Help.htm#C5_Quarantine/CH5b_BlockingAllowingFiles.htm
3. http://www.webroot.com/En_US/SecureAnywhere/PC/WSA_PC_Help.htm#C6_IDProtection/CH6c_ManagingProtectedApps.htm
 
Thanks,
 
Daniel 😉
Userlevel 7
Badge +35
Hello PJCarmody,
 
To answer your questions...
 
- Is there a pop-up on Win 7? Wondering about false positives, whereby Unknown programs are silently blocked from accessing the Internet
 
You will see prompts when Unknown processes are trying to access the internet. 
 
- From the video it looks like the Unknown keylogger is able to do what it wants, until and if it becomes Known, at which point if it is considered Bad then it will be Blocked and all its activities up until that time will be reversed?
 
The keystroke logging would still be blocked. The changes made to the file system and registry are what would be reversed during rollback.
 
- >all keystrokes are protected by Webroot regardless of what a file's determination is

- From what I can see this only applies to Protected Applications; ones that have been pre-added to the list, or manually added later, correct?
 
The Protected Applications are not the only applications that are protected from keylogging.
 
-Dan
Userlevel 7
Badge +56
Thanks Dan!
 
Daniel 😉
Userlevel 7
Badge +62
Yes I agree a big thanks Dan!:D
Great, thank you for clarifying Dan.
 
PJ
Thanks Daniel, those links are very helpful.
 
PJ