Solved

How did WSA know? A modern day mystery.

  • 30 January 2013
  • 17 replies
  • 81 views

So I got a fake FedEx email with a link to a virus file. I downloaded it to a test machine and right clicked > Scan. It did not flag it as bad.
 
I then submitted the file via the Webroot SecureAnywhere built-in reporting tool and to VirusTotal. A few minutes later, WSA automatically removed the offending file from the computer.
 
Can someone at Webroot tell me what triggered the WSA cloud to finally change its determination on this file?
https://www.virustotal.com/file/1fccbab2964e9f0afa46efacfabcd92fb7d655a59d8a33285ca98d00632b50e6/analysis/1359566849/
 
Did it get detected by
  • A live feed from VirusTotal since it was detected by 5 other AV engines
  • Get flagged locally since I submitted it as an infection
  • Get flagged in the cloud automatically since I submitted it as an infection and it was already suspicious
  • Reviewed by a human since I submitted it and they flagged it as an infection
  • The cloud figured it out itself presumably since it was mass-spammed to other customers?
Regards,
explanoit

Best answer by DanP 30 January 2013, 22:03

Hello explanoit,
That file was determined by a cloud-based rule.
 
Thanks,
 
-Dan
 
Hi explanoit,
 
As Dan mentioned, the file was determined by a rule on our cloud. This occurs immediately in most cases, but sometimes it may take a few minutes before a new sample we have not seen before is processed in the cloud and flagged as malicious by one of our rules. This will only occur the first time a new sample is seen. Since its initial detection, the file in question was seen on 13 additional computers and was immediately detected and removed on each one.
 
I hope this helps!
 
-Brenden
Hello Brenden, nice to meet you, and great explanation of how the cloud is extremely effective, so that all other users are automatically protected from this threat! ;)
 
Cheers,
 
Daniel !
Thanks Daniel! It's nice to meet you as well. I am glad I was able to help!

-Brenden
Webroot support is so cool. Thanks Dan and Brenden. It's awesome that you're here to answer even back-end questions like this! Kudos all around!
Could you expand on the "rule" term you use?
I assume this is Webroot terminology for certain file metrics and behaviours that were set off by this file?
All I can say about this is... I am very impressed.  I know the theory behind the cloud protection, but this is an awesome case example of how rapidly ALL users are protected once a new threat has been found.
 
 
Agreed, the modern threat landscape requires some minimum of cloud functionality for cases just like this.
Not to say that all security products need this, but at least one product on your machine should have the ability to work with other computers to share intelligence.
 
Looking back now, the progression to the cloud approach seems so obvious. But this used to be absolutely radical stuff. From what I've gathered talking to Webroot employees directly, the interface they get access to is absolutely incredible and allows tracking everything about threats across the world. I'm quite envious.
 
One concern that I do have is that antivirus companies like Webroot not become too reliant on automatic threat categorization. I know there are plenty of people in their threat research, but Webroot marketing seems to focus too much on their technology instead of their people sometimes. Too many slick graphics and stock photos instead of real people and real buildings.
 
The story of Prevx was that of a Few Good Men/Women changing the world. I miss that sometimes. Perhaps I'm too romantic over computer security technology.
I've been used to that for years, since I've been using Prevx since 2004. I'm so glad Webroot is carrying on the Cloud Technology and building upon it so much more, even though I had SpySweeper for 5 years during that time. :D
 
TH
Hello again everyone,
 
To answer explanoit's earlier question: a 'rule' is a set of criteria by which a file determination is made in our cloud. This can include any number of file characteristics, including behavioral data gathered from the endpoints and file signatures similar to those used in traditional AV solutions. Usually a rule will include multiple data points that, when used together, allow us to determine if a file is malicious with a high degree of certainty.
 
Webroot Threat Researchers are hard at work producing many thousands of such rules every week to target malware seen on our customers' PCs.

Thanks,
-Brenden
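To make Brenden's description concrete, here is a small added model (not Webroot's code, and the field names, rule and hashes are constructed assumptions) of a cloud determination service: a never-seen sample answers "unknown" to the first scan, a back-end pass applies a rule that combines several data points, and every later sighting of that hash gets the cached verdict immediately, which is the first-seen delay and the instant detection on the 13 further computers described in this thread.

```python
from dataclasses import dataclass, field

@dataclass
class Sample:
    """Characteristics an endpoint reports to the cloud (constructed fields)."""
    sha256: str
    signed: bool
    writes_autorun: bool     # behavioural data: persists via an autorun location
    engine_hits: int         # detections by other scanners (a constructed data point)
    user_reported: bool      # submitted as an infection through the client

def rule_unsigned_persistent_reported(s: Sample) -> bool:
    """One illustrative rule: weak signals that together give high confidence."""
    return (not s.signed and s.writes_autorun
            and (s.engine_hits >= 3 or s.user_reported))

RULES = [rule_unsigned_persistent_reported]

@dataclass
class Cloud:
    determinations: dict = field(default_factory=dict)  # sha256 -> "bad" | "good"
    pending: dict = field(default_factory=dict)         # sha256 -> Sample awaiting rules
    sightings: dict = field(default_factory=dict)       # sha256 -> number of endpoints

    def lookup(self, s: Sample) -> str:
        """Endpoint scan: instant answer if the hash is known, else queue it."""
        self.sightings[s.sha256] = self.sightings.get(s.sha256, 0) + 1
        if s.sha256 in self.determinations:
            return self.determinations[s.sha256]
        self.pending.setdefault(s.sha256, s)
        return "unknown"

    def process_pending(self) -> list:
        """Back-end pass that applies the rules to samples never seen before."""
        flagged = []
        for sha, s in list(self.pending.items()):
            verdict = "bad" if any(rule(s) for rule in RULES) else "good"
            self.determinations[sha] = verdict
            if verdict == "bad":
                flagged.append(sha)
            del self.pending[sha]
        return flagged
```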
Thanks! How did you get into threat research as a career Brenden?
Glad to help!
 
I've been very into computers my entire life, starting as a kid on my 386 and DOS. I've been interested in computer security ever since it first started becoming a serious issue with the rise of the internet. I had a lot of personal experience in the field acting as tech support for my entire family and their businesses.
 
My career at Webroot started on the support side with manual malware removals for customers and then eventually I was promoted to Threat Research. It's been a long road with many changes along the way, but I've had the benefit of learning from some exceptionally talented people here. Webroot has been very good to me and I've learned a ton over the years.
 
-Brenden
Hello Brenden and many thanks for your valuable comments in this thread. You gave us a chance to look under the hood a bit 😃
Hello Brenden, Welcome to the Webroot Community Forum. :D
@ wrote:
You gave us a chance to look under the hood a bit :D
Exactly. Webroot Employees, the people that know what's happening under the hood work with the members on the forum to explain and work problems out. Not many forums like this one. Excellent work Webroot! 😉
Thanks everyone! It is good to meet you all.
 
I'm happy to help however I can.
 
-Brenden
I got my start on a TRS-80 Color Computer 2.

How things have changed!
News stories on this:
http://www.v3.co.uk/v3-uk/news/2240103/automated-blackhole-trojan-targeting-fedex-customers
http://www.net-security.org/malware_news.php?id=2390