No firewall settings for WRSA AV on Windows 10 ?

  • 10 February 2016
  • 38 replies
  • 1476 views


Now that this thread has broadened out into a discussion of WSA's scanning and file detection methodology, I find I have a couple more comments.
 
The regular deep scan that WSA undertakes looks at those files that are "are running, definitely will run, or are likely to run".
In my case that is somewhere around 30,000 files. If malware is found, then the file is quarantined and marked for removal.
 
The 10 files that ? downloaded into his spam folder and then scanned with WSA via a right mouse click, were not marked as malicious by WSA but were by 50% of the AVs on Virus Total. This suggests to me that the files were more likely to be PUA/PUPs that we know WSA is not as aggressive at detecting and removing as some other AVs that always want to be seen to be doing something. Whatever they were, the fact that half of the traditional AV programs did not detect them, indicates that they were unlikely to be malicious in the true sense.
 
Like ?, I also like to have a second opinion and use a well-known free scanner every few days. This scan checks around 350,000 files (65 GB) and since I have been running WSA, has never found anything.
 
So to ?, I would just like to say that I do not believe that you need to have Windows Defender running on your system as well as WSA. If you use WSA as your main AV and do occasional full scans with a second opinion scanner, you get the best of both worlds - a very light resource real-time AV in WSA and the reassurance that if any malicious files are lurking in unlikely places on your hard drive, they will be picked up by the second opinion full scanner.
 
I hope this is of assistance ? but if I am off the mark with any of the above, I would be grateful for feedback.
 
Regards
 
Nemo
 
 
@ wrote:
Thanks for the feedback caveman. I also use Win 7 but was interested to hear that you cannot run WD with WSA on W10.
 
I am somewhat confused by these 10 sample files that you downloaded. You say that they were identified as Trojans or viruses but that half of the VirusTotal AVs gave them a clean bill of health, as did WSA. This suggests to me that they cannot be particularly malicious or surely they would be detected by all the AVs.
 
Anyway, if nothing else, this thread has provided a good summary of how Webroot works! 
Nemo, here is just the most recent sample of those 10 malwares, doesn't look like a PUP to me, just a nasty JS trojan downloader. As to why so many companies would not detect it, well, I feel sorry for their users if they got hit with this!
 
https://www.virustotal.com/en/file/be6dd0157cd7ca8bbff9137b539e0def4d3ab9dfd77bfe2e37b6ded578489d75/analysis/1456152535/
 
Here is a description, as to what it does...
http://www.certego.net/en/news/italian-spam-campaigns-using-js-nemucod-downloader/
 
Hope this helps.
 
Thanks caveman - that is interesting.
 
I see that it is a Trojan downloader and was not picked up by many of the major AVs out there. Presumably they, like Webroot, consider it benign until it is activated when they would spring into action.
 
It would be interesting if we could hear directly from a member of the Webroot team on this. 
 
EDIT
Having had a further look at this it still seems to me that this file could be considered to be a PUA/PUP since its purpose is to "download and install other programs onto your PC without your consent, including other malware" (per MS). Not saying I would like it residing on my PC, I wouldn't, but it would be harmless until activated. At which point WSA would kick in. Still it is interesting to see that WSA and many of the other big boys do not detect it.
@ wrote:
Thanks caveman - that is interesting.
 
I see that it is a Trojan downloader and was not picked up by many of the major AVs out there. Presumably they, like Webroot, consider it benign until it is activated when they would spring into action.
 
It would be interesting if we could hear directly from a member of the Webroot team on this. 
 
EDIT
Having had a further look at this it still seems to me that this file could be considered to be a PUA/PUP since its purpose is to "download and install other programs onto your PC without your consent, including other malware" (per MS). Not saying I would like it residing on my PC, I wouldn't, but it would be harmless until activated. At which point WSA would kick in. Still it is interesting to see that WSA and many of the other big boys do not detect it.
 
Yes I'd be interested to hear more.
 
As far as classification is concerned, if ESET and other respected companies classify the malware as a trojan, that's scary enough for me :)
 
I think a common thread in non-detection across those samples are Comodo and Symantec. The others are smaller or regional companies. Most of the other big boys and girls managed to detect them. I know from experience that Comodo has poor detection but they work on the principle of "default deny", so anything that is not whitelisted is blocked; not the most user friendly nor necessarily effective solution.
 
Anyway, we've gone slightly off track a bit from the original purpose of the thread, but I hope that someone from Webroot can throw more light on why these are ignored by WRSA, here are just 3:
 
https://www.virustotal.com/en/file/be6dd0157cd7ca8bbff9137b539e0def4d3ab9dfd77bfe2e37b6ded578489d75/analysis/1456152535/
 
https://www.virustotal.com/en/file/212897bf0735fd28f20c6092adcd4a1388d55922c74575a9177b255e01c454de/analysis/1456159749/
 
https://www.virustotal.com/en/file/56948e255c7f1cc28c445ea7d0230f56ed3073701b7dd61c4fd3a67310d6b2b8/analysis/1456160192/
 
@ wrote:

 
 
But you can run WD with WSA but why would you want to?
 
https://community.webroot.com/t5/Webroot-SecureAnywhere-Complete/What-s-the-difference-between-the-new-Windows-Defender-and/ta-p/13852
 
https://community.webroot.com/t5/Webroot-SecureAnywhere-Antivirus/How-to-Run-WSA-alongside-Windows-Defender-on-Windows-8-Windows-8/ta-p/23058
 
Thanks,
 
Daniel
 
Hi Daniel, thanks for the suggestion, but I am going around full circle, let me explain...
 
I want to use WRSA exclusively, but I see there are issues, above, about WRSA not dealing with at least 20 recent Trojans in my sample during a) download or b) upon manual scan request. There was no warning. Now you guys will say the malware is not active, but I say, if WRSA knows there is a Trojan in the file then quarantine it immediately, not wait, because in the meantime someone can pass that file on to another person thinking it's OK. Otherwise, Webroot should not be offering a manual scan option and giving users a false sense of security, period. Defender and other AVs identify and quarantine or delete the Trojan immediately.
 
So my potential solution is to use Defender and WRSA side by side. As you show, there is a registry hack for that, and I have been using it for a couple of days now. But, in Windows 7, WRSA has logic to allow MS Security Essentials to first deal with any malware and only if MSE does not deal with it, WRSA then jumps in. But, in Windows 10, WRSA is not expecting to see WD switched on because MS don't allow it. So my question was on another thread and still awaiting an answer, with this registry tweak on Windows 10 to allow WD and WRSA run together, will WRSA recognise WD actions and wait for it, or else will WRSA wrestle with WD over a piece of malware they both recognise, unlike in Windows 7 ?
 
In summary, my preference is to keep WRSA and see it improved handling of such Trojans. In the meantime I want to use on Windows 10 WRSA and WD together, but I am concerned they might fight over the same malware unlike in Windows 7.
 
Hope this clarifies my concerns and I hope someone can give an informed answer concerning the way that WRSA works alongside WD on Windows 10 when it's not expecting to do so.
 
Cheers.
 
? can explain better!
 
Thanks,
 
Daniel 😉
@ wrote:
It still has a Firewall and it's a Smart Firewall as it will block malware from calling out to its control center and you will get a pop-up if that's the case. If you want more granular control maybe look for a third party firewall but again it still uses the same APIs from Windows 10. https://en.wikipedia.org/wiki/Application_programming_interface
 
Note what JoeJ said here:
"PrevxHelp( JoeJ, VP of Development ) wrote:
 
The firewall in Windows 8 is much easier to work with than previous platforms because of the built in OS controls. Every vendor needs to use the same APIs now (the older methods are deprecated), but that's exactly why we aren't doing it currently - no matter what vendor wraps the APIs, it will be exactly the same underlying calls which are built into the OS, and you can use the OS UI to do the same job if you want to customize it.
 
The reason why we have the functionality on Windows 7 and not Windows 8 is because Microsoft doesn't expose the same normalized interfaces on Windows 7 (or require vendors to use the new APIs)."
 
 
Thanks,
 
Daniel ;)
 
I thought that sounded a great reason Daniel, thanks for sharing, but yesterday I did a test on Panda because I was curious after seeing something on their website, and I was then really surprised to see that they seem to have firewall control over processes in Windows 10 in a similar way to WRSA on Windows 7 but which is not available in Windows 10.
 
I've attached a screenshot for reference (hope this is not going against forum rules, it's not intentional, pls remove if needed) I just want to illustrate my strong desire to have WRSA return to this firewall ability in Windows 10 which another company seems to be already providing. If I am "barking up the wrong tree" please let me know!
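JoeJ's point quoted above is that on Windows 8 and later every vendor sits on the same built-in firewall interfaces, so the per-program control cavehomme is asking for can be exercised directly through the OS. The following script is an added example, not Webroot's code or anything from this thread: it creates an outbound block rule for one executable using the NetSecurity cmdlets that ship with Windows 8/10, then prints the rule's program filter and each profile's default outbound action so the reader can confirm what the rule actually covers. The program path and rule name are assumptions; run it from an elevated PowerShell.

```powershell
# Added example (not Webroot's code): per-program outbound control through the
# built-in Windows firewall, the same controls a vendor firewall wraps.
# $Program is an assumed path; substitute the executable you want to restrict.
param(
    [string]$Program  = 'C:\Tools\example-app.exe',          # assumed path
    [string]$RuleName = 'Block outbound - example-app'       # assumed name
)

# A rule for a path that does not exist never matches anything, so refuse it
# rather than create a rule that silently does nothing.
if (-not (Test-Path -LiteralPath $Program)) {
    throw "Program not found: $Program"
}

# Remove any earlier copy of the rule so re-running the script is idempotent
# and does not leave duplicate rules behind.
Get-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue |
    Remove-NetFirewallRule

# Outbound block scoped to this one executable, on every network profile.
New-NetFirewallRule -DisplayName $RuleName `
    -Direction Outbound -Action Block -Enabled True `
    -Profile Any -Program $Program | Out-Null

# Verify the application filter really references the intended binary.
Get-NetFirewallRule -DisplayName $RuleName |
    Get-NetFirewallApplicationFilter |
    Select-Object Program

# The default outbound action matters: if it is "Allow", any program without
# an explicit block rule is free to call out, rule or no rule for this one.
Get-NetFirewallProfile | Select-Object Name, DefaultOutboundAction
```

The same rules show up in "Windows Firewall with Advanced Security", which is the OS UI JoeJ refers to; the script only removes the need to click through it for each program.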
 
 

@ wrote:
Hi cavehomme
 
I think that you may have failed to understand how WSA is designed to work; the principle which is alien to the more traditional view of scanning everything, reporting everything that is malicious and then removing it. WSA works very differently by focusing its resource in watching for and dealing effectively with ACTIVE malware, i.e., when a malware payload attempts to execute WSA jumps on it and nails it.
 
After all, a piece of malware that is not active is just another piece of software and does no harm, so why waste precious resources on it UNTIL it tries to activate.
 
That is how WSA works...and as you say it is a matter of some trust as to whether one is prepared to put one's faith in such a non traditional approach. But let me speak from personal experience...I have used WSA, ever since it was introduced (which was shortly after it acquired Prevx, and I had been using Prevx prior to the acquisition), I have been attacked a small number of times and in every single case WSA has protected me completely.
 
Now nothing is 100%, not even WSA, but I personally would not use anything else as my primary line of defence against malware.
 
Not sure if that helps but just wanted to share with you.
 
Regards, Baldrick
Thanks for sharing Baldrick.
 
I've been using the software since it was Prevx and I do know the approach to malware detection, however, when you have pieces of malware sitting on your drive AND there is the option in Explorer to scan those files for malware, which to me suggests the more traditional approach to scanning and detection for at least that function, but then it fails to detect any of 10 malware samples from the past week, unlike 50% or more of the 40+ Virustotal scanners, then my trust wobbles severely.
 
Put another way, if WRSA was only about active malware detection then it would not, I guess, scan passive files being downloaded nor provide the option to scan passive files sitting on the hard drive. So I conclude that it is meant to do both active and passive, with the latter being by cloud lookup therefore not creating bloat to the application. The application then must have complex algorithms which monitor active malware and jump on it and roll-back changes if needed.
 
In Win 7 having WRSA (or Prevx) hovering over MS SE and pouncing whenever it slipped up was great, but it's not allowing that in Windows 10. To rely on WRSA when the passive detection component failed 10/10 times and then to trust it to actually then kick into action 10/10 times if I activated that malware...well, as I said, it's a trust-step too far at the moment considering I saw all those failures. I do however respect yours and others' choices. Anyway, WRSA remains installed on 4 out of 5 less critical PCs, just not my main one for business.  :)
 
Cheers,
Cavehomme
@ wrote:
Now that this thread has broadened out into a discussion of WSA's scanning and file detection methodology, I find I have a couple more comments.
 
The regular deep scan that WSA undertakes looks at those files that are "are running, definitely will run, or are likely to run".
In my case that is somewhere around 30,000 files. If malware is found, then the file is quarantined and marked for removal.
 
The 10 files that @ downloaded into his spam folder and then scanned with WSA via a right mouse click, were not marked as malicious by WSA but were by 50% of the AVs on Virus Total. This suggests to me that the files were more likely to be PUA/PUPs that we know WSA is not as aggressive at detecting and removing as some other AVs that always want to be seen to be doing something. Whatever they were, the fact that half of the traditional AV programs did not detect them, indicates that they were unlikely to be malicious in the true sense.
 
Like @, I also like to have a second opinion and use a well-known free scanner every few days. This scan checks around 350,000 files (65 GB) and since I have been running WSA, has never found anything.
 
So to @, I would just like to say that I do not believe that you need to have Windows Defender running on your system as well as WSA. If you use WSA as your main AV and do occasional full scans with a second opinion scanner, you get the best of both worlds - a very light resource real-time AV in WSA and the reassurance that if any malicious files are lurking in unlikely places on your hard drive, they will be picked up by the second opinion full scanner.
 
I hope this is of assistance @ but if I am off the mark with any of the above, I would be grateful for feedback.
 
Regards
 
Nemo
 
 
 
Thanks for the suggestions Nemo, I'm essentially actually doing what you suggest on the other 4 PCs which are all Windows 7s.
 
Regarding the 10 malware samples, they were definitely not PUPs, they were identified as various Trojans as well as a couple of Macro viruses. That's why I really was surprised that a random sample of 10 from the past week would not trigger an alert on manual scan; that's the whole purpose surely of a manual scan since the malware is not active at that point. Otherwise, Webroot should just remove this feature and rely 100% on pouncing on active malware ;)
 
Anyway, apart from being a bit confused now about Webroot's approach, I continue to stick with them for most of my protection, at least on Windows 7 since it's combined with the extra layer of security of having MSE.
Thanks Dan. Can you explain though the purpose of a manual scan of a file? If I download several emails with almost-certain malware attachments and during the download they don't get identified by WRSA as being anything to worry about, well, I can understand the philosophy that they are not active and to leave them.
 
But during download is it actually detecting and comparing with the remote online database, or just ignoring the download? If detecting but then leaving until active, why not just quarantine and get it off the PC as soon as possible rather than taking a risk later? If leaving it because it does not actually scan the download, then OK, I can understand it will be left alone by default.
 
Second scenario is manual scanning. If I purposefully right click over the downloaded suspected malware files and request a manual scan by Webroot then it must surely be comparing the signature against the online database - its own or Virustotal for example. So now it has been asked, and now knows there is a malicious payload, so why not quarantine or remove immediately? Otherwise if left after the scan, it is giving a false impression that the file is legitimate.
 
What if I don't open that file (therefore WRSA will not get the chance to jump on it) but instead pass it on to someone else thinking it's not an infected file and the other user is not a Webroot user? Their AV will alert them to a malicious file probably, before they even try opening it. I will have sent them a malicious file and risked their system and data integrity!
 
So under the philosophy of Webroot monitoring file behaviour and then only acting, what is the actual purpose of having a manual scan ability which does not actually alert the user to trojan downloaders, macro virus and other nasties? In the past 2 weeks I have tested more than 20 such malware attachments and WRSA just alerted me on one, and I think that was on actual download not manual scan. The same sample had Windows Defender catch all but 2 on download and then on manual scan those 2 were dealt with.
 
When I ran Windows 7 this kind of feature was resolved because I ran MS Security Essentials and WRSA together but under Windows 10 it is not possible to run Defender and WRSA. Although yesterday I read on these forums that there is a registry hack to allow this, so I am trying it out now, but I am not sure if WRSA will recognise WD as the "primary" AV and allow it to do its thing when spotting malware and only act if WD fails, or else it will fight with WD to own the malware and deal with it!
 
 
@ wrote:
@, 
In the examples you have given, the attachments have been non-executable files containing exploits that will download and run an executable file when opened, at which point the malicious payload would be detected. For the most part, we focus on the actual executables, which is why those files would not be detected when downloaded or manually scanning the files. If you were to download an attachment that was actually an executable file, it would be detected on download or manual scan. 
 
While it is possible that you could download one of these attachments and send it to someone else, you did mention in an earlier post that you downloaded those attachments from your spam folder, so I don't think that you would actually go into your spam folder, download a suspicious attachment and send it to someone else.
 
-Dan
 
 
Dan, thanks for clarifying.
 
I had assumed that attachments detected as Trojans by WRSA and other AVs would be considered by WRSA as capable of executing a malware process directly or indirectly, hence cause for WRSA to act immediately from the get-go.
 
The scenario that I painted, I would not actually have forwarded such an email myself, but was using myself as an example of someone such as a business professional who receives an invoice or Fedex delivery note by email and then forwards it to an admin person to administer. That admin person might not be in the same office therefore not have WRSA, they could be outsourced and have another AV. So in other words, my point is that if WRSA knows that it has a Trojan or other malware not yet executed, then the owner of the PC may pass on the file unaware that it is malicious. WRSA could have already taken action which Defender and many other AVs would have already taken to neutralise the threat.
 
I don't want to change AVs, I like WRSA but was really surprised to experience so many malicious files (a sample of more than 20) being passed by WRSA as being OK at download and manual scan. At the time of download or manual scan WRSA is, I guess, already looking up that file online and so it can check the signature and know it is suspicious. So why not quarantine it then, or at least put a flag on it to warn the user? From the user's point of view that file just received a clean bill of health not once but TWICE by WRSA (at download and manual scan) when in fact it was widely known as a malicious file. In other words, by twice giving the OK status to a file, WRSA is misrepresenting that file as a legitimate file and that file may continue through the user's workflow and do a lot of damage elsewhere.
 
Surely it does not add bloat to WRSA to online lookup a file even on Virustotal and know it's a suspect and quarantine it immediately?
 
In the meantime that's exactly why Webroot should allow people like me and quite a few others who used WRSA on Windows 7 together with MS Security Essentials which sweeps up all these obvious Trojans and just leaves WRSA for the more elucid malware, to now do the same on Windows 10, but as you will be aware, WD and WRSA cannot run together on Windows 10.
 
I realise I raise a few issues, but I assure you that my main aim is to have an even better WRSA than we have now whilst also raising legitimately serious issues from the real world of the user. I use WRSA on my business PCs and I am explaining these real world scenarios from real experience of how people work, it's not a theoretical discussion.
 
Thanks Baldrick and thanks Dan.
 
I'm not worked up in a lather / froth, I hope, just scratching my head trying to understand how my favourite AV works in detail ;)
 
I am also applying logic, that if a software is designed to work one way, even from the ground up, then it might not work the exact same way in a different environment (e.g. Win10 vs Win 7) due to design considerations for two different environments.
 
But now I am more comfortable with your answers, thanks.
 
That said, I still don't understand when WRSA recognises a Trojan via its scan and lookup, it simply leaves it there untouched and unflagged, for "ignorant" users to assume it's OK and possibly pass that malicious file on to another person in the workflow who does not use something as advanced as WRSA.
 
Bottom line for me as a designer would be, once you suspect something may be malicious then for goodness sake deal with it immediately, there and then, not wait until it becomes active.  :@
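The "lookup then quarantine" behaviour argued for in the posts above (hash the file at download or on manual scan, check it against what is already known to be bad, and move it out of the workflow before anyone forwards it) is simple to express as a script. The following is an added example written for this page, not Webroot's code and not anything Dan or cavehomme posted: it hashes every file under a folder without opening or running it, compares the SHA-256 against a known-bad list, and moves matches into a quarantine folder with a log. The three hashes are the SHA-256 values embedded in the VirusTotal links posted earlier in this thread; the folder paths are assumptions. A hash list only catches those exact samples, so "not on list" means unknown, not clean, which is the gap Dan describes when a non-executable attachment only fetches its real payload when opened.

```powershell
# Added example (not Webroot's code): passive hash lookup and quarantine of
# downloaded attachments. Folder paths below are assumptions.
param(
    [string]$ScanFolder       = "$env:USERPROFILE\Downloads\spam-samples",  # assumed
    [string]$QuarantineFolder = "$env:USERPROFILE\Quarantine"               # assumed
)

# Known-bad SHA-256 values taken from the VirusTotal links in this thread.
$KnownBad = @{
    'be6dd0157cd7ca8bbff9137b539e0def4d3ab9dfd77bfe2e37b6ded578489d75' = 'thread sample 1 (JS downloader)'
    '212897bf0735fd28f20c6092adcd4a1388d55922c74575a9177b255e01c454de' = 'thread sample 2'
    '56948e255c7f1cc28c445ea7d0230f56ed3073701b7dd61c4fd3a67310d6b2b8' = 'thread sample 3'
}

if (-not (Test-Path -LiteralPath $QuarantineFolder)) {
    New-Item -ItemType Directory -Path $QuarantineFolder | Out-Null
}

$results = foreach ($file in Get-ChildItem -LiteralPath $ScanFolder -File -Recurse) {
    # Get-FileHash only reads the bytes; the attachment is never opened by its handler.
    $hash = (Get-FileHash -LiteralPath $file.FullName -Algorithm SHA256).Hash.ToLower()

    if ($KnownBad.ContainsKey($hash)) {
        # Rename on move so the quarantined copy loses its original extension and
        # cannot be launched by a double-click; the original name stays in the log.
        $dest = Join-Path $QuarantineFolder "$($file.Name).quarantined"
        Move-Item -LiteralPath $file.FullName -Destination $dest -Force
        [pscustomobject]@{ File = $file.FullName; SHA256 = $hash; Verdict = $KnownBad[$hash]; MovedTo = $dest }
    } else {
        # Unknown is not the same as clean: this list only holds exact known samples.
        [pscustomobject]@{ File = $file.FullName; SHA256 = $hash; Verdict = 'not on list'; MovedTo = $null }
    }
}

$results | Format-Table -AutoSize

# Keep a record of everything that was moved, appended across runs.
$results | Where-Object MovedTo |
    Export-Csv -Path (Join-Path $QuarantineFolder 'quarantine-log.csv') -Append -NoTypeInformation
```

Pointing `$ScanFolder` at the folder an e-mail client saves attachments to gives the "flag it before it travels further" check the thread asks for; extending `$KnownBad` from a feed rather than a literal list is the obvious next step and changes nothing else in the script.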
 
 
 
Interesting, thanks. So what does the WRSA firewall actually do then? It's not linked directly to the Windows firewall insomuch as when I disable the WRSA firewall the Windows 10 firewall remains on. What are the WRSA firewall actions, same as on Windows 7 but without the ability to control options?
