Why do we have 5700+ undetermined software for months?


Userlevel 2
Badge
Hi,
 
I wish to mention here my problem with Webroot Threat Research:
 
I have a customer who has 5700+ undetermined software in the 'All undetermined software seen' report for months.
(And some more customers with 1000+ undetermined software)
 
First of all, I do not understand how this can happen. Actually, I expect Webroot Threat Research to classify all undetermined software as soon as possible, otherwise how could Webroot guarantee that there is no malware among them? Thanks to the way the WSA client is developed, such a file is able to run on the endpoint until the client receives the BAD classification from the cloud. But it looks like many thousands of software items simply never get classified. So in my reading, a malware can simply run anytime for quite a long time (e.g. for months, as in our case).
 
I think the expected approach from Webroot is that when undetermined objects are added to the list and reported to the cloud, Webroot should process them ASAP (just like any other AV lab in the world) and classify them, so that quite soon (most likely in less time than AV competitors) we see Webroot's classification in the console. Then we can feel safe, protected and well supported. Otherwise, how could Webroot ensure that viruses ever get recognized (especially targeted malware) if this list is not processed for ALL Webroot users?
 
I have been constantly asking Webroot support for months now to classify all our undetermined software one by one, but they just wrote me:
 
"Most of the undetermined software has only been seen on one PC in the environment and by determining these files, it is very time consuming with not much of an effect other than not showing up on the undetermined list on your side."
 
So if this is the official Webroot Support / Threat Research approach, how can we expect Webroot to protect against targeted malware like the one mentioned here:
 
https:///t5/Ask-the-Experts/Webroot-Malware-Detection-Hackers-in-China-Attacked-The-Times/td-p/24628
 
 
 
Best answer by DanP 29 March 2013, 21:20

15 replies

Userlevel 7
Badge +35
Hello,
Undetermined indicates that a file has been processed and not determined bad or good by our rules. A file being undetermined does not indicate that the file has not been processed. While we do also mark files as good, most files are undetermined. With other AV products, files are either classified as bad or not bad, and for the most part any file not flagged as bad would be the same as files that we show as undetermined.
 
Thanks,
 
-Dan
 
Userlevel 7
Badge +6
Hello,
What you are describing/expecting is application whitelisting. Individually inspecting 5700+ executables for threat intent, and expecting that to be done on a continuing basis is not something any antivirus firm does.

When software is in "undetermined" status that's kind of a good thing. Files that are not trusted are prevented from doing extremely sensitive operations to your computer, and any changes they do make are journaled. This is above and beyond other antivirus technology. It is a good thing that Webroot does not blindly mark files as good because if there were any mistakes that would allow malware to do more damage and bypass protections.

The list of undetermined software is a special feature that Webroot's technology allows you to see. It's for hawk-eyed administrators and for investigating infections. Large lists of undetermined software are expected and do not imply any failings on Webroot's part.

Antivirus is by definition a reactive, blacklisting-based service. It cannot meet the requirements you seem to have for 100% awareness of your entire Windows ecosystem.
Userlevel 7
Badge +35
Gyozo,
As I mentioned before, the files we display as undetermined are essentially the same as every file that is not detected as malicious when using a traditional antivirus, Webroot SecureAnywhere just happens to display these files as unknown. The files that are not detected as bad by a traditional antivirus are not marked as good, they are just not marked as bad. I don't want to even think about how large the local database for a traditional AV would be if they also had signatures for even a small percentage of the known good files out there. ;)
 
All files scanned by SecureAnywhere, whether they have a determination of Good, Bad, or Unknown, are processed by local client-side heuristics and by our cloud database. Our focus is on protecting our customers from malicious software, not whitelisting or marking files as good. To mark files as good takes resources away from tracking down malware.
 
Part of the reason you may be seeing more unknown files from well-known applications could be due to language.
 
Thanks,
 
-Dan
 
Userlevel 5
Answer 1:
This means that Webroot's agent communicated with the Webroot Intelligence Network twice. First to verify if the hash exists (to see if it has seen it and has it classified or not) and a second time to exchange the file's behaviour (to see if the behaviour is good or bad). Since you have not been alerted by it, Webroot has not found your files to be harmful; however, since they might be files that differ from everybody else's in the world, they are set apart (maybe they are new and they will be fully GOOD in a certain amount of time in the future). Webroot is just extra careful with your files, beyond its initial investigation.
 
Answer 2:
Not determined bad or good indicates that the specific file has not been seen often enough for it to receive a full classification in either direction, and that is why Webroot will continue to look with suspicion towards that file; maybe it will wait to show bad behaviour. This is to protect you against malware that won't act directly, but rather at a later or predetermined time.
 
Answer 3:
If Webroot does not give you a warning about a file, you can be pretty sure that it isn't harmful at this point in time. Also see partial answer 2 in regards to why determining it directly bad or good is not the behaviour you'd want. If anybody with a Webroot Agent on their PC finds a file with malware, this will immediately spread throughout the network and you're immediately protected against that file.
 
Answer 4:
Don't know why those are listed for you. For mine I can only see the obscure software that was custom made. Maybe someone else can comment on that one.
Userlevel 2
Badge
You know, you ask me a very difficult question by this: "Is the list shrinking?"
 
Why is it difficult?
 
1. Because - as I already complained at many forums about it (community + ent support) - the console UI does not tell you how many items are in the list of a report page. There are "back" and "next" buttons like this:
 
but, as a kind of standard, the page count + jump to a certain page + jump to end of list controls are missing. So I do not have a clue how many items I really have there; all I can do is to go from page to page and after some 30-40 mins I may get to the 234th page or so.
 
 
2. Also, I did report that when I want to export this report, only the first 1004 records are exported and NOT ALL records! So exporting the list does not help me either. And this serious bug in the export feature still has not been corrected for more than a year! Why do we have an export feature then if it cannot create precise exports?! This is very misleading! I have never seen such a buggy implementation of an export feature.
 
 
Please refer to my feature request from February 2013:
https:///t5/Feature-Requests/Missing-number-of-pages-quick-jump-to-specific-page-in-the/idi-p/26204
 
Today I still cannot see how many items are in the reports.
 
 
Anyway, I took the time now just to be able to answer you here and went from page to page. Reaching the 7,500th item (page 150) in 15 mins with 150 clicks on the next page, the console suddenly showed the message "The riport will soon be available. Come back to this page later..." and after clicking OK it dropped me back to the 1st record. :S :(  So it looks like today we have 7500+ undetermined items but I will never be able even to see all of them.
 
 
Yes, OpenOffice was just one good example, but I find many IBM software (e.g. Tivoli, WebSphere, ...), Oracle (e.g. Business Intelligence Enterprise Edition Client, etc.), Cygwin and Postgres files and many well-known manufacturers' software. I tend to believe this customer is not the only one using these worldwide.
 
And this is for 540 PCs only, and I have bigger installations where I know we have the same huge amount of unknowns.
 
So I ask you, do not tell me this is normal or can be considered normal, or that anyone would not be confused about it if it were his system.
 
 
Userlevel 2
Badge
Hi,
 
Question 1:
You say this: Undetermined indicates that a file has been processed and not determined bad or good by our rules.
So, I cannot imagine how these files are processed?
Can you explain in detail, and then whether they were processed locally or in the cloud?
Can you tell me, if they were really processed thoroughly and Webroot says that they do not do anything harmful, then why does Webroot not simply classify them as good?
 
Question 2:
You say this: Undetermined indicates that a file has been processed and not determined bad or good by our rules.
Ok, so if you do not know if the process is good or bad, then you classify it as undetermined.
Good. And for how long will you not know if this process is good or bad? That is why I think that you have to classify everything as good or bad, otherwise I may think that you never know whether a process is malware or not. This is the point where you may find 0-day malware - if you go through the undetermined ones and examine them.
 
Question 3:
If there can be so many undetermined (= not good and not bad) processes, then how can you guarantee that there is no malware among them? If they are not malware for 100% sure, why not classify them as good? Or how do you find 0-day malware? Can you explain it to me, please?
 
Question 4:
On our list I can see so many Microsoft Windows XP, 7, Oracle, IBM Lotus Notes, Java and many other well-known applications' processes. I actually also would like to see all harmless processes as good because I do not want these well-known processes to write unnecessary local log files forever. Who would like to keep logging for authentic Windows OS files? Why does Webroot not classify at least the well-known processes as good to avoid local logging for them?
 
 
 
Userlevel 2
Badge +3
So you (DanP) say it's normal to have thousands of unknown files in the list.
As far as I understand, you do _NOT_ advise us to classify by ourselves? (only if we want a file to definitely be good in our environment - or bad if we do _NOT_ want it in our environment).
Userlevel 5
There is no added benefit if you classify the files yourself. I would even go as far as to say that if you classify those files yourself you are preventing Webroot from functioning properly and as such your protection is not as optimal as it could be.
 
What "Undetermined Software" really means is that it's software that is not common globally and as such Webroot has not seen enough of that file in its systems to make a proper classification for it. As such it's being tracked by Webroot to see if it will give off any behaviour that might be problematic.
 
Maybe it's just the "Undetermined" part that people seem to take issue with. Maybe using a different word for it will make this less of an issue.
Userlevel 2
Badge
Dear Johan,
 
My only problem with the "unknown" files really is that I learnt from a Webroot expert that the WSA client keeps logging all the changes that "unknown" files are doing to the system and any files on the system, so that if need be later (e.g. it turns out that one of the "undetermined" files is actually a virus) WSA would be able to roll back changes. These files are shown in the client as monitored. Is this true?
 
Therefore, I consider keeping plenty of "unknown" files in the WSA knowledge base:
1. these files are not known to be malware or not - any of them can still be malware
2. monitoring these files generates unnecessary logging on the client (e.g. WSA now logs all that OpenOffice does - imagine WSA keeps a record of all document changes on your system!)
 
Furthermore, from my experience I can tell you a story when I found a 0-day threat on a PC running the WSA client. On that PC there was only 1 file monitored: the 0-day virus. It was very easy to put its MD5 into the console and then the threat removal was quick and easy. BUT, if I had seen not only the 0-day virus being monitored but the whole OpenOffice package files, then what should I have done? I could not be sure what is wrong or good on the system, so I might have ended up blacklisting all the OpenOffice files, DLLs, etc. as well? Now that could be a serious case because the customer would lose all its document changes thanks to the WSA rollback!!!  Wow!!!
 
And lastly, I think it is not a coincidence that Webroot (or earlier Prevx) do not only use 2 categories: "GOOD" / "BAD". The 3rd category "UNKNOWN" does have a serious meaning: these are the files to be checked by the Webroot threat research division and classified as good or bad. I rather feel that Webroot just does not have enough capacity to do the job.
 
So I still say: Webroot must classify every MD5 they receive via the WSA client reports to the cloud. Yes, this is a big job, but that is the industry Webroot provides solutions in.
 
 
Userlevel 5
Yes, it is true that the Roll back and Journaling are in play when files are listed as "Monitored". Even if WSA would log OpenOffice as "undetermined", this is a piece of software in use by millions of people around the world and as such it will be able to change its "undetermined" status pretty quickly into "Good" (or bad, but that's doubtful). I'm assuming you're using OpenOffice as an example as I'm not seeing that as "undetermined" on my machines.
 
If you found an application on the "undetermined" list that you know is not a virus or malware, then there is nothing stopping you from sending your MD5s to Webroot through the Support ticket system. I've done this a couple of times and the files get changed pretty quickly (probably after an investigation by Webroot's Threat Research).
 
In regards to the 0-day virus: you won't have to make that determination as WSA will do that for you. If it really is a 0-day, it will show behaviour that will mark it as bad and it will become bad rather than remain undetermined. If this virus is sleeping for a month on my PC, then I surely will like for WSA to keep monitoring it until it starts misbehaving, so it can be marked as bad at a later stage.
 
In regards to your remark of not having enough capacity to do so, I doubt that it is even something that can be completed at all. If I look at the undetermined software in our company I find a piece of software that was made specifically for our company. I don't see how Webroot would ever be able to test this in a threat research scenario without having access to the software itself.
 
I do understand where you are coming from, however I do not share your views in this. I'm sure that someone at Webroot will be able to help you in shrinking your list of undetermined software as I do agree that 5700+ is too many, no matter how many agents you are using.
 
 
Userlevel 2
Badge +3
" ... sending your MD5's to Webroot through the Support ticket system" - one question about that.
Is the list shrinking over time?
I cannot see if the unknown files are still unknown because I only see the "first time this file has been seen".
There is no report "show me the actual unknown files".
Am I wrong?
Userlevel 5
To my knowledge it should shrink. It's a list of undetermined software. If it has been determined to be good or bad it no longer has any place being on that list.
 
Maybe someone can confirm this?
Userlevel 2
Badge +3
@GyozoK: sorry, but I did not ask you in particular - what you describe (export, 1004, paging, sudden death of the console at the end) is the same as in my console and I'm not happy with that.
The question "Is the list shrinking?" was asked - maybe someone knows the answer and wants to share ...

And, yes, I'm confused about reporting in the web console.
Userlevel 7
Gyozo, you have a good point about the report cutting off at 1,000 lines when exported and the difficulty in sorting through the report otherwise if it is quite large. I want to let you know, I have escalated these issues to our Product Manager of Support @ to pursue them as defects.
Userlevel 7
Badge +6
Also:
https://community.webroot.com/t5/Webroot-Discussions/Undetermined-software-report-cut-off-at-1001-lines/m-p/56299#M283