Question regarding the wild time between infection and detection.

  • 10 October 2013
  • 3 replies
  • 27 views

I have a question regarding the "monitored time" between the infection with an unknown malware and detection by webroot community and final removal and reversal of infected objects.
 
I keep seeing on the WILDERS PREVEX forum the reply that even though SA might not detect an unknown threat in time, the SA package will MONITOR all activities performed by the new Threat and once the Threat gets identified as a threat then those activities are reverted back.
Now assume this scenario:
System gets infected with an unknown strain, the user then logs into a bank account, logs into World of Warcraft, any other non-browser entity.  What is the new strain allowed to see?  I understand that the new strain might get blocked from seeing the bank account login since the user is using a browser that is behind the SA screen capture protection.  However, can the new strain see the WoW login as it's being typed?  How about anything else?
What if the new strain is a rootkit and it attempts to plant itself into the system folder and hide on reboot?  Will the SA allow the strain to deposit itself into the system folder and what happens when the system is rebooted and the rootkit takes hold?  Will SA be able to remove the Rootkit once the definitions are added?
How long does the program stay in monitored mode?  I mean it's been said that SA determines if the program is malicious or not after a specific amount of time.  So what happens if it's determined that the program is not malicious after x amount of days?  Are all the tracks deleted?
 
Sorry, just the idea of relying on a rollback feature of the detection algorithm as opposed to a superb detection algorithm frightens me a bit.
I know it's better to have the rollback feature than not having anything at all, the main problem is:  How truly effective is the rollback feature in today's world?


Hi tempnexus,
Regarding the bank account, that would happen through a browser, and if it's a supported browser (IE, Firefox, Chrome), the Identity Shield would prohibit keylogging even from an unknown keylogger that is already present on the system.

Worst case scenario, a malicious file that is unknown to the Webroot Intelligence Network (WIN), is still flagged by the agent as being unknown. Unknown files are blocked from accessing your keystrokes within a protected application.

Non-browser entities, such as World of Warcraft, can be added into the Protected Applications list by the user. By default, only browsers are added to the list automatically, but it's easy to add more programs. Go to Protected Applications in your Identity Shield settings and choose to add an application. Navigate to that program's executable file on your hard drive, add it, and it's now protected by the Identity Shield. If you have particular programs you're extra concerned about and want to take this additional step, it's there for you.

Regarding rootkits, while journaling should still function, they should be picked up by the Rootkit Shield without needing to rely on journaling and rollback.

A program stays monitored as an unknown file until it's determined. Our database of known good and bad files is massive, and most files on any computer are already classified. Turnaround time for determining a file depends on that file's popularity and behavioral characteristics, though any time you want us to take a closer look at your list of unknown files, our support department can get right on that for you if you open a support case. There is no specific amount of time in which a file must be determined one way or the other - some infections don't seem to do anything malicious until a timer goes off for instance, so it would be bad to say "this must be good" after a set interval just because the file hasn't done anything bad yet.

I'm not quite sure what "are all the tracks deleted?" means. Could you clarify?

It's really not a matter of journaling and rollback VS superb detection. It's actually both. The Realtime Shield, other shields, heuristics, and cloud-based determinations serve as a very effective front-line defense. Journaling and rollback is there because no solution is 100% effective except when it can reverse anything bad that's happened after the fact, for those rare times the first line of defense misses something.

Thanks for the quick answer.
By tracks I mean "remnants, non-active non-malicious trash that is spewed all over the registry and temp files etc".
Yes, I have tried the PROTECT feature, well that doesn't work too well with programs requiring keyboard input while the program is being run.  For example if I protect GW2.exe (Guild Wars 2 MMO) then in game I will either have very strange behaviour with key input (lag time between key press and display in the order of seconds) to a totally unresponsive keyboard while in game.  So true, one can protect any program from key capture, the problem is that it leaves the user with unforeseen circumstances.

Believe me, I almost swapped keyboards before I realized the problem.  (Yes, I had all net-facing programs under Protected a while back).
Most traces will be removed, but it's possible there could be non-malicious leftovers still present.  WSA doesn't tend to concern itself with things like text files or the like, because they pose no actual threat to your computer.

On the gaming issue, that sounds like one our support department would like to have a look at.  Could you please reproduce the behavior and then open a support case from the computer experiencing the issue?  We're trying to make a point of ironing out this sort of problem altogether.  Any cases of this sort brought to support's attention are very appreciated.  Please include a link to this topic in the support case to bring the support agent up to speed on what's been discussed so far.
