Solved

Web Shield

  • 19 August 2013
  • 2 replies
  • 59 views

Hello everyone, I was testing its effectiveness at blocking viruses from downloading onto a clean machine. I tried downloading known viruses, and the web shield successfully detected them and gave me a warning to close or approve, which is great (of course, for deployment I would not allow the user to approve).
 
Now what I found strange is that when I repeated the test with the same malicious websites and downloaded the same viruses a few hours later, the web shield gave no warning this time, instead allowing the file to download normally; then the file system AV kicked in and removed it.
 
There have been other examples where this happened as well. What I want to know is why the web shield component is inconsistent.

Best answer by Jack 19 August 2013, 12:23


2 replies

Userlevel 4
Hi Rami78
 
Welcome to the Webroot Community!
 
I'm glad to hear that one of our other layers of protection still caught the infection when it reached the PC on the second test.
 
When you later performed the test on the same site, was this on the same computer?
 
If not, by selecting 'Allow' and proceeding to the website during the initial test, the website was recorded to be safe which would stop it from being blocked during your later test. You can find these entries by opening the SecureAnywhere program, clicking the 'settings' link at the top right corner, then 'advanced', then 'Web Threat Shield', then 'View Websites'. Here you can add or remove blocked or allowed websites. Currently this is only configurable on the endpoint and is not supported from the management console for Endpoint Protection. For greater user control over websites I recommend trialing our Web Gateway product - Webroot SecureAnywhere Web Security Service - http://www.webroot.com/us/en/business/products/web-security/
 
If it was not the same machine, it is possible that on the same website the actual source URL of the infection (through a link, ad, or drive by) had changed to one we had not yet identified. The same link could be pointing to the same file on a different site. By frequently changing their source server, malware suppliers try to avoid detection.
 
If you would like us to investigate the site and related malware sources, please open a Support ticket by visiting this link - https://www.webrootanywhere.com/servicewelcome.asp?SOURCE=ENTERPRISEWSA
 
It's also probably worth noting that the Web Threat Shield in Endpoint Protection is due a complete redesign in the not too distant future with our 2014 update; we hope to make this shield a much more user-friendly feature.
 
Jack

Hello Jack,
 
It was the same site, same executable, same exact link, on the same PC, and I never clicked allow. I just checked the site list you mentioned and it is empty. The link in question is *possible malware link removed by admin*. I will submit a support ticket.
