Managing Protected Applications / Lack Of Control Rant

  • 12 September 2014
  • 6 replies
  • 54 views

I'm trialing WSA Business Endpoint Protection and have found a lack of documentation regarding Protected Applications (PAs).
 
Here are my questions:
 
  1. How does WSA determine what programs to automatically add and their status (protected/allow/deny)?  Right now it seems it has added my browsers.  What if I don't want that to happen?
  2. How can I set a default status for programs on a policy level?
  3. How can I specify PAs on a policy level?  It doesn't appear possible??
  4. How is the admin (me) alerted when a workstation makes a block happen, or when a workstation has a new PA added with a "blocked" status?
Yes I am aware I can allow blocked applications on a per-client basis via the management console (and by selecting any number or workstations).  But this is NOT viable when new clients are being added regularly.
 
It looks like if we use this product then I'll need to disable Identity Shield altogether.  It's a cool feature but without any administrative controls to automatically prevent a workstation from auto-blocking an application I cannot use it.
 
As constructive criticism as a developer and sysadmin myself, I think the control of this feature is terribly designed.  Who thought it was a good idea to build in an auto-blocking feature that could very likely disrupt workflow for any number of clients without having any sort of feedback to the sysadmin (through the web client) AND additionally not provide a way to set any default settings?  I guess "off" is the default setting I need.
 
I like Webroot for its alternative approach to malware but have been amazed by its lack of options and control offered to the administrator.  Some of these lacking configuration features are essentially crippling the feature altogether as they will need to be disabled to ensure that workflow is not interrupted.
 
Something the developers need to understand is that a sysadmin does not ever want to single out a specific machine in his network.  EVER.  Everything should be able to be controlled on a policy/domain basis, to multiple clients at once.  Yet, I've found a considerable number of features in the WSA client that are not configurable via the administrative console.  If an option is NOT configurable on a policy level, it's the same thing as making the sysadmin apply it individually.  This is because, after the initial options setting (where all clients can be selected), every new client would need to have the settings applied as it is added.
 
I'm not sure if Webroot is actively developing and improving these things or not?  Make all developers become sysadmins and they will start designing more useful products.
 
Also, I can assume the same for the outbound firewall, which I would also need to disable.  I don't think I can globally whitelist any programs on a policy level, which is super annoying.
 
I don't mean to rant but want to offer some opinions to hopefully improve a product that I see as having great potential (for my company and others) but is not there yet.  Thanks!


Userlevel 7
Badge +56
Thanks for the feedback - there is currently a lot of work being done on the business product to improve it and make it easier to manage.  As you probably know, the business version is an outgrowth of the consumer product and much newer.  I'll look into answers for your questions and make sure your feedback gets passed to the right folks.
Userlevel 7
Badge +56
Ok I pinged one of the enterprise support folks here and got some answers to questions:
 
1. It's done through the ID shield based on behavior and filetype, although we can't go into too much detail since that's proprietary info that we don't want our competitors to have.  You can create an override using the MD5 hash and sending the agent command of Identity Shield->Allow application.
2.  You can send the allow application command to all machines whether they have that application or not - it won't hurt to send it to all of them.
3. Again sending the allow application command should fix this.
4. This isn't a feature we have yet, but I have sent the feedback to the dev team.
How often do you add clients?  Would it be possible to just resend the command daily?  If you contact our support they might be able to figure out a way to make this process easier.
Thank you for the response Nic!  You are really filling in the hole with great customer service where the product is (currently) lacking.  And that makes a huge difference!
 
Regarding #1 I don't like the idea of micro-managing with MD5s. (that's another issue)  Certain higher-security folks might want this feature, but I think many do not.
 
For example, Chrome updates frequently (already three times in less than half a month, with another likely today or tomorrow).  If for some reason having Chrome being run automatically as protected were to inhibit our workflow, my only choice would be to disable this feature as I am not about to bring my company to a halt multiple times a month until I manually add Chrome as allowed.

I understand the argument for using hashes to truly verify the file (instead of directory or filename), however this places serious restrictions on administrators looking for less work.  If I want to shoot myself in the foot by allowing a specific filename and path, that should be my choice.
 
There might be some confusion regarding #2 and #3.  I'm not looking for the ability to allow or disallow program execution.  If I wanted that I would use Group Policy, built into MS server. I can supply a default behavior, designate trusted extensions, set trusted publishers, path rules, hashes, etc.  It has my bases covered there :)
 
My question is more about how can I set additional Protected Applications automatically at a policy level?  I guess for now I would just leave this feature disabled as I cannot automatically control the default behavior or default programs.  IE: I cannot automatically set Chrome to be allowed instead of protected (or denied, if it gets denied).
 
Regarding #4, thank you for sending feedback.  Anything important happening on a client machine should be available to the admin in the management console.  Especially any blocking actions or anything that might affect a user's workflow.
 
I add clients up to 3/4 times a month.  Of course it is possible to resend an "allow this application via this MD5 hash" daily.  But we have a number of custom applications running, which each update typically 3 times a month (sometimes more!).  Each update might touch 5/10 files.
 
Let's say we have a total of 25 file changes a month (close to accurate for us), and in that month we add 3 clients.  I'd be manually resending a command (based on hash) 25 times initially, then 25 times for each new client (assuming all changes happened on day 1).  So sending out 100 commands monthly is not going to happen.  This is not a scalable solution and I would rather run with no anti-malware protection at all.
 
The way to make this process easier is to allow this (and other) settings to be set on a policy level so new clients are automatically adjusted.  Or to have some sort of say in how a program's status gets set.  To avoid 100 commands per month, all I need to do is say "whitelist these few directories - always protect/allow (or do not deny)".  Then apply it to a policy.
 
This is not just for "Protected Applications", but also for every other option that cannot be configured via policy.  This includes firewall rules (allowing certain programs), website whitelisting (preventing identity shield from blocking), etc.
 
WSA does this correctly for overrides for the malware detections, which can be applied on a policy level.  It just needs to do this for other features to have them be useful for a sysadmin.
 
Thanks for listening!  I can turn a 5 minute conversation into a 20 minute book quite easily.  I hope to see some of these features implemented in the future.  I want to love Webroot...but I think I only have a crush so far.
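The scaling argument in the post above (hash-based overrides must be re-issued per changed file and per new client, whereas a directory rule covers a whole application) can be made concrete with a small script. This is an added example written for this page, not code from the original poster or from Webroot; it assumes nothing about the WSA console beyond what the thread states (that an allow override is keyed on an MD5 hash) and uses a constructed before/after file set in place of a real application update. Applied to the post's own figures (25 changed files, 3 new clients) the same formula gives 100 commands.

```python
import hashlib
import os
from typing import Dict, Iterable, Set


def md5_hex(data: bytes) -> str:
    """MD5 of a file's content: the identifier the thread says an allow override is keyed on."""
    return hashlib.md5(data).hexdigest()


def build_manifest(files: Dict[str, bytes]) -> Dict[str, str]:
    """Map each path to the MD5 of its content (in-memory variant used by the demo and tests)."""
    return {path: md5_hex(content) for path, content in files.items()}


def hash_tree(root: str) -> Dict[str, str]:
    """Same manifest, read from a real directory tree (what an admin would run before/after an update)."""
    manifest: Dict[str, str] = {}
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            with open(full, "rb") as fh:
                manifest[os.path.relpath(full, root)] = md5_hex(fh.read())
    return manifest


def changed_paths(before: Dict[str, str], after: Dict[str, str]) -> Set[str]:
    """Files that are new or whose hash changed; each needs a fresh hash-based override."""
    return {path for path, digest in after.items() if before.get(path) != digest}


def hash_override_commands(before: Dict[str, str], after: Dict[str, str], new_clients: int) -> int:
    """Commands needed with per-hash overrides: once for the existing fleet, then once per new client."""
    return len(changed_paths(before, after)) * (1 + new_clients)


def path_rules_needed(paths: Iterable[str]) -> int:
    """Policy-level directory rules that would cover the same files (one per distinct directory)."""
    return len({os.path.dirname(path) for path in paths})


# Constructed sample: two in-house applications before and after a monthly update.
BEFORE_FILES = {
    "Apps/Billing/bill.exe": b"bill v1",
    "Apps/Billing/bill.dll": b"lib v1",
    "Apps/Billing/config.dll": b"cfg v1",
    "Apps/Reports/report.exe": b"report v1",
    "Apps/Reports/export.dll": b"export v1",
}
AFTER_FILES = dict(BEFORE_FILES)
AFTER_FILES["Apps/Billing/bill.exe"] = b"bill v2"      # rebuilt binary
AFTER_FILES["Apps/Billing/bill.dll"] = b"lib v2"       # rebuilt library
AFTER_FILES["Apps/Reports/report.exe"] = b"report v2"  # rebuilt binary
AFTER_FILES["Apps/Reports/helper.dll"] = b"helper v1"  # newly shipped file


def demo(new_clients: int = 3) -> Dict[str, int]:
    """Compare the two approaches for the constructed update and the given number of new clients."""
    before = build_manifest(BEFORE_FILES)
    after = build_manifest(AFTER_FILES)
    changed = changed_paths(before, after)
    return {
        "changed_files": len(changed),
        "hash_override_commands": hash_override_commands(before, after, new_clients),
        "path_rules": path_rules_needed(changed),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The difference the script exposes is the maintenance cost, not the strength of the control: a hash pins one exact build and is invalidated by every rebuild, so its workload grows with (changed files) x (1 + new clients), while a directory rule is issued once per application and is inherited by every client the policy covers, at the price of trusting whatever is later written into that directory.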
Userlevel 7
Badge +56
Thanks for the additional info.  Yeah that makes total sense, and I agree that the management system for malware is a good model for how you need the shield to work.  One other thing that might help is if you paste all of your suggestions into a feature request here:
https://community.webroot.com/t5/Feature-Requests/idb-p/ent4
That allows other people to vote it up, then when I go over top feature requests with the escalations team and dev, we can show which suggestions are getting the most votes.  Anyway, appreciate the feedback and we are working on making lots of improvements to the business product (you can see the latest release notes here), so your feedback comes at a great time.
Okay, I will have a peek and add anything I can extract from my excessively verbose posts which has not already been suggested. 🙂
Userlevel 7
Badge +56
Sounds good, thanks!  And while you're there see what other feature requests look good to you and vote those up as well.  
