Solved

Identity shield fails MitB simulators

  • 18 November 2012
  • 28 replies
  • 136 views

Userlevel 4
http://www.mrg-effitas.com/current-tests/

https://www.wilderssecurity.com/showthread.php?t=336128

Best answer by RetiredTripleHelix 15 December 2012, 18:16


Userlevel 5
My problem with these kinds of tests is that they're using simulators, and therefore are not indicative of a real-world situation. It is much like the firewall leak tests; Webroot, and many other AVs, don't detect those for the very same reasons. The leak tests are not malicious per se, which is why very few signatures exist for those.
http://www.wilderssecurity.com/showpost.php?p=2145468&postcount=2
 
You may be right, this falls into one of the following:
 
a) the test is flawed

b) real life is different

c) you do not understand how the product works

d) user experience is different, they are happy
It would be nice nevertheless to know from the developers if they are aware of the issue, if they got access to the simulators, how serious the problem is and if they plan to protect from this type of attack anytime in the future, as it seems that this simulator was running on testing machines for around a year without being noticed ;)
Userlevel 4
Please read my post: https://www.wilderssecurity.com/showpost.php?p=2145670&postcount=5
Yes, WSA didn't detect the simulator, but that's not the point. The point is that even if it doesn't detect it, Identity Shield should protect the browser from the MitB that the simulator performs, but it does not. To reply on the leak test example, take the SpyShelter test tool or Zemana's keylogger test: even if they are allowed to run they are unable to log keystrokes, because Identity Shield protects the keystrokes sent to the browser. It blocks the different methods to view the keystrokes, so every program (unless specifically whitelisted) is not able to see them, including anything unknown/malicious. The same should apply for Man-in-the-Browser, but as can be seen in the test report, there are at least 2 methods to do a MitB that Identity Shield does not cover.

BTW, it would be nice if a thread starter could remove the Solved status from his thread if it is classified as solved by someone else and the thread starter disagrees.
Userlevel 5
@BoerenkoolMetWo wrote:
The point is that even if it doesn't detect it, Identity Shield should protect the browser from the MitB that the simulator performs, but it does not.
Is there a possibility worth considering that Identity Shield would protect the browser from this particular MitB outside of the simulator? I'm no technical expert, but is there a chance that it's the simulator that prevents this from working for technical reasons? If this is indeed the case, I wouldn't expect WSA engineers to 'fix it' so that WSA works with the simulator and every new version of it.
 
Having said that, it would be nice to hear a more technical explanation as to why ID Shield doesn't/can't work in a simulated environment. :)
 
NB: we do not need to discuss the fact some other products may have 'passed' this test. There'll be technical reasons why they do so. What we're more interested in here is how WSA performs in or out of simulated environments.
The issue is not about detecting the simulator but preventing the leak. Given that Webroot has marked this as solved, it seems to indicate that they are not interested in addressing the leak via the Identity Shield. The reasons behind this are not clear (Have they already fixed it? Do they not believe in the test? Was the test not done correctly? Can they not fix the issue for technical reasons or limitations?).
 
They have normally been very transparent on vulnerability issues and prompt in fixing potential security holes. This seems not to be the case this time. Weird, but good to know!
Userlevel 5
There are probably things going on and being dealt with behind the scenes. Some things may not be discussed for legal reasons.

The fact this 'leak' happened via a simulator shouldn't really be cause for concern though; like I said before, ID Shield and the rest of WSA works best in a real-world situation. I'm sure ID Shield will work well in a proper surfing environment.
Probably there are reasons behind it; it would be good to know about them at one point. As already mentioned, the Identity Shield technology can work independently from detection, and assuming the simulator was not trusted in the central WSA database, it should have prevented the leak. If Webroot wants to disregard the issue because there is no malware using the method, then we have a problem of consistency, as Identity Shield is there to ensure no leak happens even with unknown infections (good or bad).
 
Anyway... I'll stop here as we have no information whatsoever 😃
Userlevel 7
Badge +13
A whole lot of sweating about nothing as far as I'm concerned. I will NOT worry until I see several Webroot users affected by a problem these tests attempt to emulate. To the Webroot faithful, there is nothing to worry about even if we are compromised at some point, as any system mods can and will be reverted, and to the Webroot naysayers, Webroot will never ever be able to make you happy as most of you jump from solution to solution based on a test, so why should Webroot bother trying. No need for Webroot to explain a thing to me. Results have been great here. 2 machines running malware free since day 1 of WSA, and now a tally of over 30 installs of WSA that I have done for others which are all running malware free at last check, running a variety of browsers and OSs. As a matter of fact, I just recently renewed and have 875 days remaining. If I thought for one second that my computers, or those of my family or friends, were truly at risk in any way, I would never have renewed, nor recommended the product line to others. I do not believe in wasting my money, nor time, especially in today's world. There are far better ways to channel one's energy than to fret over a test. Relax people. There are much bigger fish to fry. Webroot has our backs, rest assured :D
Userlevel 7
@superssjdan wrote:
Results have been great here. 2 machines running malware free since day 1 of WSA, and now a tally of over 30 installs of WSA that I have done for others which are all running malware free at last check, running a variety of browsers and OSs. As a matter of fact, I just recently renewed and have 875 days remaining. If I thought for one second that my computers, or those of my family or friends, were truly at risk in any way, I would never have renewed, nor recommended the product line to others. I do not believe in wasting my money, nor time, especially in today's world. There are far better ways to channel one's energy than to fret over a test. Relax people. There are much bigger fish to fry. Webroot has our backs, rest assured :D
Totally agree, superssjdan. I've been running WSA on 3 machines and all are still malware free. I sometimes wonder how much money people spend on security software for their computers because of these tests. They see that their security software did badly in a test, so it's time to switch software until that one does badly on a test, then it's switch again. As for me, I'll stay with WSA for the long run. I have 335 days left on this keycode and another keycode with 1368 days. :D
 https:///t5/Webroot-SecureAnywhere-Complete/Consolidation-of-Keycodes/m-p/8302#U8302
 
BTW: My son is installing WSA on all of his computers this weekend, so the whole household will be running WSA. 😉
Userlevel 7
Badge +13
Most of the malcontents on Wilders never pay for software. They jump from trial to trial and keygen to keygen. Then they install tons of layers that chew up memory and CPU cycles, and then sometimes blame software like WSA for making their system sluggish. I sit here day after day and chuckle at those who jump from solution to solution mainly due to test scores. I made my decision to purchase WSA last year not due to test scores, although some past Webroot products and Prevx products had scored well in some tests, but mainly due to Webroot's reputation in customer service, and also their acquiring Prevx and their FANTASTIC development team. I know the endless hours that the development team has put in to make the product what it is today. Joe and his team are amongst the brightest minds in the entire industry, and NO development team works harder and cares as much for their customers. It's a marriage made in heaven. Have always thought of it that way. Webroot has earned my loyalty. From top to bottom Webroot has consistently demonstrated its excellence not only in product development, but also in best-in-industry customer service, from the people manning the phones to the many wonderful people manning the forums, and can't forget the accessibility of Joe on Wilders. Kudos to Webroot for keeping me happy and my computers safe :D
Userlevel 7
Hey Everyone,
 
Sorry for the late reply on this topic.  I wanted to check in with our threat researchers to see how they weighed in on this test.
 
Based on the presented methodology, it's not really clear why we would have failed the 2nd and 3rd simulator tests without knowing more about them.  In MRG's statement of what constitutes success or failure in their test, they note that methods 2 and 3 differ from method 1 by virtue of using a USB drive.  They don't say how methods 2 and 3 differ from each other as far as I can tell from this paper, but they must be using different techniques, and inclusion of a USB drive wouldn't be the only material factor.
 
Our director of threat research is reaching out to MRG to hopefully take a look at one of these simulators.  We would need to see one of them in action in order to better understand the stated results.
 
The Identity Shield has been shown to stand up against Zeus and SpyEye trojans, among many others.  If there is some technique we are not accounting for, we can certainly look at that and start to account for it.  On the other hand, we have been accused of failing tests before where a different, but just as thorough, testing metric would have passed us.  In short, we need to take a close look at this.  Hopefully, MRG will provide a simulator for us to use to investigate further, and we'll update you again as we gain more information.
Userlevel 7
Badge +13
Thanks for weighing in, Jim. That's another thing I love about Webroot: they always see a need for improvement, for continued refinement and product evolution :D
Userlevel 4
Thanks Jim for your serious reply. They indeed use different techniques:
"The second and third attacks are performed using custom crimeware tools [ix] created by our engineering team. Each of these tools, like the BBC simulator, employs a unique [x] MitB attack to capture user credentials entered into SSL protected sites.

[ix] All simulators are designed to be neutral. None are designed to bypass any specific vendor or product.
[x] Whilst all three simulators use a MitB attack, each attack is unique and makes use of different mechanisms."

Can we please keep the off-topic, blaming fanboy comments out of this topic?
I have bought a 5-computer license for WSA and have been using WSA since it was still called Prevx 4 alpha, and before that I had a paid Prevx 3 license, so I'm certainly not a troll trying to badmouth WSA.
Happy to hear things are being looked into! Looking forward to some updates in the near future :D
Userlevel 4
Any news from the Director of Threat Research?
Userlevel 7
I followed up with him to get an answer to your question.  He did speak with MRG, who were kind enough to provide the simulators for investigation.  Analysis into why Webroot missed the simulations in question is ongoing, and we'll have more to share when the analysis is complete.
Userlevel 4
Thanks for the update Jim.
Userlevel 7
Now here is a really positive update!

We are pleased to report that after working with the simulators graciously provided by MRG, the next build of Webroot will include additional functionality in the Identity Shield to block the methods used in the test. We will most likely be seeing that build release later this week. 🙂
Excellent news! Thank you :D
 
Userlevel 4
Good to hear 🙂
Userlevel 7
The new build is out!  We would like to thank MRG for sharing their simulators with us.  The improved protection against malicious BHOs is a direct result of this useful testing.  Thanks MRG!  🙂
Userlevel 7
Badge +56
Great to hear Jim!
 
TH
Userlevel 4
Nice to see it has been fixed 🙂
It now has an annoying issue where the first keypress after losing the focus of a protected window fails to register, though. Also, probably unrelated, but right-click to scan stopped working too.