I recently bought an HP laptop with Windows 10 Home installed on it, previously using Windows 7 and WRSA on other PCs.
I installed WRSA Antivirus on the new laptop and the Windows 10 firewall is switched on, also the WRSA firewall is switched on.
I am a long-time WRSA user and recall that the WRSA firewall works in a complementary way on top of the Windows firewall, so no problems so far....
In advanced settings, under Firewall / Webshield there appear only webshield options, the Firewall options are completely blank. Is this normal on Windows 10 ?
I previously used WRSA Complete so I thought that restriction might be due to version differences as well?
Screenshot attached. Appreciate a quick answer please, need to go travelling soon and would like to increase the level of firewall protection to alert when new unknown processes start, not just when WRSA thinks I am infected..
I'll have a look at the other samples that you have listed, but I'm guessing we'll block the payload on those too. If not, I'll update our detections for them.
It is explained here.
I may now need to eat my earlier words, I have just discovered that Panda AV Pro in fact includes a fully functioning firewall that REPLACES the Windows firewall ! I had no idea and thought it was just outbound control. I don't know what extra their IS suite offers but it's surprising to see a firewall in the AV product since it's not really just an AV then.
Anyway, where this leads me to is that most likely the original statement is correct that the option / granularity that I seek cannot be achieved in Windows 10 due to the restrictions imposed by Microsoft. Anyway, I guess I have confidence in WRSA to make the right choices and so I'll continue to use it. Just hope my earlier feature request (not directly related to this issue) of immediately removing known threats via an online lookup gets approved.
Apologies for any confusion that I caused, I'll be more awake next time I post ! 😉
Not at all, and no need to apologise as you have quite eloquently raised and discussed a point that is, I suspect, more of a concern to many users than they might want to admit.
I for one would much prefer to be able to control what is allowed outbound from within WSA as was possible under Windows 7, and I do believe that there is indeed a way of doing that as evidenced by a number of standalone apps that are effectively Windows Firewall 'helpers'. I have often asked myself as to why this sort of functionality could not be included in WSA, but I think that it is because to do so there would need to be either 2 versions of WSA; one for Windows 7 & before leveraging the WFC functionality and another for Windows 8 & above leveraging the Windows Firewall-related functionality that came in from Windows 8 onwards.
Clearly two versions would not be good or sensible and to have both functionality catered for in the one app would most likely increase the size of the app and therefore to some extent add 'bloat' to it.
I agree with you in terms of trusting WSA to handle outbound communications properly but it is a bit of a pain in the neck if one does in fact inadvertently block something that one later wants to allow and as far as I know (and anyone who knows differently please step in here) the only way to resolve that issue is to uninstall WSA and then clean re-install it.
Anyway, I will be intrigued to see what this debate sparks off. ;)
In the examples you have given, the attachments have been non-executable files containing exploits that will download and run an executable file when opened, at which point the malicious payload would be detected. For the most part, we focus on the actual executables, which is why those files would not be detected when downloaded or manually scanning the files. If you were to download an attachment that was actually an executable file, it would be detected on download or manual scan.
While it is possible that you could download one of these attachments and send it to someone else, you did mention in an earlier post that you downloaded those attachments from your spam folder, so I don't think that you would actually go into your spam folder, download a suspicious attachment and send it to someone else.
I chose WEBROOT because it appears to do its job while using the least amount of system resources. Yes, I could get a product that scans all files, every bit sent or received via Ethernet, wifi, serial cable etc... but having had a couple of those type products before, I found them to be too intrusive on my day to day activities. They took my custom built I7, 16gig, 1TB SSD machine and turned it into a 1990's era Celeron machine!
I personally believe that security starts with the user. If you don't know where the email came from, or who gave you the file via whatever media, DON'T OPEN IT. On the machines I administered (Which happened to be process control stations in industry) I disabled all USB ports, and any removable media. I also made sure that users were not allowed administrator privileges. This carries over to my personal machines as well.
One last thing, I know of several people that have joined various peer to peer networks. These people are usually first in line to get hit with the various forms of Malware and Virus software that is circulating the net today. I wonder why?? (Sarcasm)
My point is, use a quality product (Webroot) for AV, make sure your router / gateway has a quality firewall, then let the MS firewall handle what slips through. And last but not least use your head, and keep plenty of backups.
Would not disagree with what you say and it all seems to be common sense advice...having said that if everyone heeded common sense advice then the malware miscreants out there would have a much harder time of it.
There is a great deal of confusion about this particular area of WSA and to be honest we are not sure as to exactly the limitations and under what rules the Development Team are operating under. As your example shows there are ways to do what you are requesting but the issue remains as to whether the design of WSA currently would allow this or not.
Of course, we can expend a great deal of time and/or lines of posts in a debate that at the end of it may be moot as it is down to Webroot's product strategy, etc.
Having said that there is nothing to stop you from opening a Feature Request for this in the Ideas Exchange. There have been a number of these over the last year or so and none have gained much traction with the Development Team but perhaps a new Request, formed based on what you have provided in this thread may have more chance of success. So go ahead, raise a request, and we will see how much traction this one gains and whether in the light of what the competition is now doing the Development Team are prepared to take another look at some more granular outbound firewall functionality being included in future versions.
Perhaps I am barking up the wrong tree, thinking about it, all I simply want is the Windows 7 WRSA feature enabled of not allowing unknown outbound processes to communicate to the internet rather than the default option of not allowing this only when infected....but perhaps someone can let me know if perhaps this might be already the default in the WRSA Windows 10 version albeit hidden? I don't need the rest of the granularity options, I don't want to tinker with processes, etc, just that simple but important option. Thanks!
I completely understand where you are coming from with this...you just want the Windows 7 level functionality; nothing more...and I suspect that many of us out there feel the same way so I would urge you to open a Feature Request so that all those that agree with you can comment/support the suggestion and also it becomes apparent to the Development Team that there is a requirement for this feature to be reinstated, etc. Especially since you are quite correct and we are seeing a number of applications out there that are managing to interface with the WPS (as opposed to the older, and now defunct, WFC) functionality and thereby have some control as to what occurs outbound.
With regard to "...this might be already the default in the WRSA Windows 10 version albeit hidden?" I can categorically state that this is not currently possible in WSA and there is no 'hidden' functionality that would allow one to do that...apologies!
It seems that since the introduction of Windows 8 when the ability to adjust the firewall settings in WSA was eliminated, the confusion started when users upgraded from Win7 (or earlier) and hasn't been helped by the fact that the online user guide still refers to the firewall settings available in Win7. Many of the recent upgraders to Win10 have become aware of this change and I do feel that WSA need to address this matter one way or the other.
I think that you may have failed to understand how WSA is designed to work; the principle which is alien to the more traditional view of scanning everything, reporting everything that is malicious and then removing it. WSA works very differently by focusing its resource in watching for and dealing effectively with ACTIVE malware, i.e., when a malware payload attempts to execute WSA jumps on it and nails it.
After all, a piece of malware that is not active is just another piece of software and does no harm, so why waste precious resources on it UNTIL it tries to activate.
That is how WSA works...and as you say it is a matter of some trust as to whether one is prepared to put one's faith in such a non traditional approach. But let me speak from personal experience...I have used WSA, ever since it was introduced (which was shortly after it acquired Prevx, and I had been using Prevx prior to the acquisition), I have been attacked a small number of times and in every single case WSA has protected me completely.
Now nothing is 100%, not even WSA, but I personally would not use anything else as my primary line of defence against malware.
Not sure if that helps but just wanted to share with you.
I am somewhat confused by these 10 sample files that you downloaded. You say that they were identified as Trojans or viruses but that half of the VirusTotal AVs gave them a clean bill of health, as did WSA. This suggests to me that they cannot be particularly malicious or surely they would be detected by all the AVs.
Anyway, if nothing else, this thread has provided a good summary of how Webroot works!
I had assumed that attachments detected as Trojans by WRSA and other AVs would be considered by WRSA as capable of executing a malware process directly or indirectly, hence cause for WRSA to act immediately from the get-go.
The scenario that I painted, I would not actually have forwarded such an email myself, but was using myself as an example of someone such as a business professional who receives an invoice or Fedex delivery note by email and then forwards it to an admin person to administer. That admin person might not be in the same office therefore not have WRSA, they could be outsourced and have another AV. So in other words, my point is that if WRSA knows that it has a Trojan or other malware not yet executed, then the owner of the PC may pass on the file unaware that it is malicious. WRSA could have already taken action which Defender and many other AVs would have already taken to neutralise the threat.
I don't want to change AVs, I like WRSA but was really surprised to experience so many malicious files (a sample of more than 20) being passed by WRSA as being OK at download and manual scan. At the time of download or manual scan WRSA is, I guess, already looking up that file online and so it can check the signature and know it is suspicious. So why not quarantine it then, or at least put a flag on it to warn the user? From the user's point of view that file just received a clean bill of health not once but TWICE by WRSA (at download and manual scan) when in fact it was widely known as a malicious file. In other words, by twice giving the OK status to a file, WRSA is mis-representing that file as a legitimate file and that file may continue through the user's workflow and do a lot of damage elsewhere.
Surely it does not add bloat to WRSA to online lookup a file even on Virustotal and know it's a suspect and quarantine it immediately?
In the meantime that's exactly why Webroot should allow people like me and quite a few others who used WRSA on Windows7 together with MS Security Essentials which sweeps up all these obvious Trojans and just leaves WRSA for the more elucid malware, to now do the same on Windows 10, but as you will be aware, WD and WRSA cannot run together on Windows 10.
I realise I raise a few issues, but I assure you that my main aim is to have an even better WRSA than we have now whilst also raising legitimately serious issues from the real world of the user. I use WRSA on my business PCs and I am explaining these real world scenarios from real experience of how people work, it's not a theoretical discussion.
But you can run WD with WSA but why would you want to?
I am afraid that you are getting yourself in a lather for nothing. WSA has been built, from the ground upwards, to be compliant to other security solutions that might run with it...as far as I am aware it is one of the few if not the only security app to do so by design...and as I understand it WSA lets the other security app have a first go at protection but watches what occurs very carefully and if the other application lets anything through WSA springs into action to deal with the 'miss'.
Personally, I would not worry about the "...they might fight over the same malware unlike in Windows 7".
Just my two pence worth...for what it is worth, and hopefully DanP will confirm that. ;)
Look, it is really simple in my book...the designer of WSA designed it to work in a certain way, based on certain premises...and work it does based on that design...as such I have chosen to trust in that design and its execution...and I leave it at that.
As far as I am concerned that is all good for me/I am happy with that.
You are free to express your views as you see fit and they are as valid as anyone else's...as they are yours...just don't expect anyone to act on them any time soon. That is Webroot's choice in the matter...if they want to they will and if they don't they won't.
Note what JoeJ said here:
"PrevxHelp( JoeJ, VP of Development ) wrote:
The firewall in Windows 8 is much easier to work with than previous platforms because of the built in OS controls. Every vendor needs to use the same APIs now (the older methods are deprecated), but that's exactly why we aren't doing it currently - no matter what vendor wraps the APIs, it will be exactly the same underlying calls which are built into the OS, and you can use the OS UI to do the same job if you want to customize it.
The reason why we have the functionality on Windows 7 and not Windows 8 is because Microsoft doesn't expose the same normalized interfaces on Windows 7 (or require vendors to use the new APIs)."
As I posted here: https://community.webroot.com/t5/Webroot-SecureAnywhere-Antivirus/No-firewall-settings-for-WRSA-AV-on-Windows-10/m-p/239337#M23002
But in my tests this weekend I'm now really sitting on the fence on the trust issue. I downloaded 10 attachments from the past week in my spam folder with WRSA enabled and not a single squeak from WRSA. So I then scanned each file, again not a squeak. I then uploaded all of them to Virustotal and indeed they were all malware, but typically only 50% of AV softwares detected them as being malicious.
Interestingly ALL of the samples were identified as malware by Windows Defender. So guess what? I've now fallen back to WD because I simply trust it more....I find that difficult to say and accept, but based on not only my test, but also AV Test and AV Comparatives they are now ranking WD at 95% or above detection rates.
To detect the other 5% and for secure banking, I would love to use WRSA in the same way that MS Security Essentials and WRSA can co-exist on Windows 7, but it's impossible on Windows 10 because WD is switched off when Windows detects WRSA as a full AV solution and not treated as just an extra layer of security.
So now to get approaching 100% malware coverage I am reverting to either Malwarebytes Premium which DOES work as an extra layer of security on top of WD, or possibly Spyshelter or Zemana, but they are taking me back to the horrible days of chatty HIPS alerts even for trusted processes and applications, ouch!
Bottom line is that I really want to make WRSA work, but due to the issues I've noticed plus the fact that as a workaround I can't run WD + WRSA as the extra layer, I am being forced by Webroot design policy to look to alternative solutions. I really want to keep giving my money to Webroot, but they need to wake up and deal with some of these issues. I'm not being arrogant but I guess that for each one person like me there might be a few hundred or even thousands thinking and doing the same, just quietly in the background without sharing their experiences or frustrations on this forum.
WSA has not failed to detect those 10 elements of malware it has just not because they are of no consequence or no threat to your system...that is all. It is a false sense of security when one has a more traditional AV or IS app scan ones system, declare it has found 100 threats and either quarantined and/or deleted them. That is all well and good but if none of them were going to cause any damage then what is the point...a false sense of security.
Personally, I think that detecting & dealing with active malware consistently and thoroughly, as WSA does, is far more important than the more traditional approach. And it gets worse, when the traditional AVs & ISs include cookies in their threat tally.
Of course, it is horses for courses and one must do what one thinks is for the best. So good luck to you in your search for something better than WSA...unfortunately I do not think that you will find it.
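The outbound control asked about in this thread (stop programs that have no rule from reaching the internet) can be set on the built-in Windows firewall that the quoted developer post refers to. The following is an added example, not part of the original thread and not Webroot code; the program paths and rule names are placeholders, and the firewall blocks unlisted programs silently rather than prompting.

```powershell
#Requires -RunAsAdministrator
# Added example: default-deny outbound on the built-in Windows firewall.
# Paths and names below are placeholders (assumptions); list your own programs.
$allowList = @(
    @{ Name = 'Example browser';     Path = 'C:\Path\To\Browser.exe' },
    @{ Name = 'Example mail client'; Path = 'C:\Path\To\MailClient.exe' }
)
$group = 'Outbound allow-list (example)'

# 1. Show the current per-profile state so the change can be reverted later.
Get-NetFirewallProfile |
    Select-Object Name, Enabled, DefaultOutboundAction, LogBlocked |
    Format-Table -AutoSize

# 2. Create the allow rules BEFORE switching the default to Block,
#    so the listed programs never lose connectivity.
foreach ($app in $allowList) {
    if (-not (Test-Path -LiteralPath $app.Path)) {
        Write-Warning "Skipping '$($app.Name)': $($app.Path) not found"
        continue
    }
    $ruleName = "Allow out - $($app.Name)"
    $existing = Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue
    if (-not $existing) {
        New-NetFirewallRule -DisplayName $ruleName -Group $group `
            -Direction Outbound -Program $app.Path `
            -Action Allow -Profile Any | Out-Null
    }
}

# 3. Block outbound traffic that matches no allow rule and log the drops.
#    Built-in outbound rules that are already enabled keep applying.
Set-NetFirewallProfile -Profile Domain,Private,Public `
    -DefaultOutboundAction Block -LogBlocked True

# 4. Verify the result and show where dropped connections are logged.
Get-NetFirewallProfile |
    Select-Object Name, DefaultOutboundAction, LogBlocked, LogFileName |
    Format-Table -AutoSize
Get-NetFirewallRule -Group $group -ErrorAction SilentlyContinue |
    Select-Object DisplayName, Enabled, Direction, Action |
    Format-Table -AutoSize

# To revert:
#   Set-NetFirewallProfile -Profile Domain,Private,Public -DefaultOutboundAction Allow
#   Get-NetFirewallRule -Group $group | Remove-NetFirewallRule
```

Programs without an allow rule fail to connect without any on-screen alert, so the firewall log named in the last table is where blocked attempts show up.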