WEBROOT UNKNOWN PROGRAMS BEHAVIOUR - CRYPTOLOCKER

  • 11 September 2015
  • 3 replies
  • 23 views

Hi everyone,
I'm struggling to understand two features of the centrally managed Webroot endpoint security:
1- Unknown program management
2- Protection against day-0 ransomware attacks for online endpoints
 
1) Once an endpoint is scanned, a report is sent back to the central console, and from there the admin can take a look at the unknown programs, suspect files and so on.
Reading the manual, I found out that once an override is set (e.g. good program), the endpoint doesn't do any kind of check for that MD5 signature. The problem is that the file keeps being displayed in the endpoint's scan report on the further checks even if it's considered good. That's not simply annoying, it creates confusion as far as I see.
2) I cannot really understand how an "online" workstation could be protected from attacks such as the CryptoLocker ransomware.
On one side, as far as I understood, if the workstation goes offline a heuristic mode is turned on and a sandbox feature for unknown programs is provided in order to roll back changes.
But how can the system in online mode detect and "protect" the endpoint from these attacks? What would the endpoint user see on his PC? A warning? A guide to rollback?
Sorry for these strange questions, but the guides I found that treat CryptoLocker remediation are related to a locally managed endpoint, and I cannot find any similar reference for the web console.
 
Regards and thanks in advance


Sorry I haven't been able to get you a good answer to #1. Would you like me to have support follow up with you?

For #2, typically we block any known ransomware from starting up. If a new version of ransomware infects your computer, then we keep a record of all changes it makes. Once it is identified as ransomware, we roll back all the changes that it has made, which restores the unencrypted versions of files. This isn't anything you have to do manually; it happens automatically in the background.
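As an added illustration of the mechanism that reply describes (this is not Webroot's code; the class, binary and file names are invented for the demo), the following Python models the three outcomes: a hash on the known-bad list is blocked before it runs, a hash the admin has overridden as good runs unmonitored (the no-further-checks behaviour the original post describes for MD5 overrides), and anything else is allowed to run while every file it touches has its pre-image journaled, so the changes can be undone once a verdict of ransomware arrives or forgotten once the program is judged good.

```python
"""Journal-and-rollback model of unknown-program handling. Added example only;
names, the 'encryption' (XOR) and the sample documents are constructed here."""
from __future__ import annotations

import hashlib
import tempfile
from pathlib import Path


def md5_hex(data: bytes) -> str:
    """The program's identity; the console's overrides key on this MD5."""
    return hashlib.md5(data).hexdigest()


class ChangeJournal:
    """Keeps the pre-image of every file an unknown program touches."""

    def __init__(self) -> None:
        # path -> original bytes, or None when the file did not exist before
        self._pre_images: dict[Path, bytes | None] = {}

    def record(self, path: Path) -> None:
        # Only the first touch is kept: that is the clean state to return to.
        if path not in self._pre_images:
            self._pre_images[path] = path.read_bytes() if path.exists() else None

    def rollback(self) -> int:
        """Verdict: ransomware. Undo every recorded change; returns files restored."""
        for path, original in self._pre_images.items():
            if original is None:
                path.unlink(missing_ok=True)   # the program created it: remove it
            else:
                path.write_bytes(original)     # modified or deleted: put it back
        count = len(self._pre_images)
        self._pre_images.clear()
        return count

    def discard(self) -> int:
        """Verdict: good. Forget the pre-images and keep the program's changes."""
        count = len(self._pre_images)
        self._pre_images.clear()
        return count


class Endpoint:
    """Known bad -> blocked at start; overridden good -> runs unmonitored;
    anything else -> runs, but every file change is journaled until a verdict."""

    def __init__(self, known_bad: set[str], overrides: dict[str, str]) -> None:
        self.known_bad = known_bad    # cloud-known ransomware hashes (constructed)
        self.overrides = overrides    # admin overrides from the console: md5 -> "good"/"bad"
        self.journal = ChangeJournal()

    def classify(self, program: bytes) -> str:
        h = md5_hex(program)
        if h in self.known_bad or self.overrides.get(h) == "bad":
            return "blocked"
        if self.overrides.get(h) == "good":
            return "trusted"
        return "monitored"

    def run(self, program: bytes, actions: list[tuple[str, Path, bytes]]) -> str:
        """Apply the program's file actions ("write" or "delete") under its policy."""
        state = self.classify(program)
        if state == "blocked":
            return state
        for op, path, data in actions:
            if state == "monitored":
                self.journal.record(path)   # pre-image first, then let the change happen
            if op == "write":
                path.write_bytes(data)
            elif op == "delete":
                path.unlink()
        return state


def demo_rollback() -> dict[str, object]:
    """An unknown binary overwrites two documents with XOR-'encrypted' content, deletes
    a backup and drops a ransom note; the later verdict is ransomware, so it is rolled back."""
    with tempfile.TemporaryDirectory() as tmp:
        d = Path(tmp)
        docs = {"report.docx": b"quarterly figures", "notes.txt": b"meeting notes",
                "notes.bak": b"meeting notes"}
        for name, content in docs.items():
            (d / name).write_bytes(content)
        ep = Endpoint(known_bad={md5_hex(b"known-cryptolocker")}, overrides={})
        program = b"unknown-binary-v2"   # constructed: its hash is on neither list
        actions = [
            ("write", d / "report.docx", bytes(b ^ 0x5A for b in docs["report.docx"])),
            ("write", d / "notes.txt", bytes(b ^ 0x5A for b in docs["notes.txt"])),
            ("delete", d / "notes.bak", b""),
            ("write", d / "README_DECRYPT.txt", b"pay us"),
        ]
        state = ep.run(program, actions)
        restored = ep.journal.rollback()
        result: dict[str, object] = {"state": state, "restored": restored}
        for name in list(docs) + ["README_DECRYPT.txt"]:
            p = d / name
            result[name] = p.read_bytes() if p.exists() else None
        return result
```

The point of `record()` running before the write is that rollback only covers changes captured after monitoring began; a pre-image taken after the program has already overwritten the file is the encrypted version and is useless. That is also why a "good" override matters: once a hash is trusted, nothing it does is journaled, so a wrong override cannot be undone this way.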
Hi, yes, thanks, I would like to have a follow-up if possible, and a screenshot or demo if possible of the behaviour in case of infection. Regards
OK, I'll put in a ticket for you right now.
