Solved

Should Default User Settings include 'Warn' not 'Enable Max Heuristics'?

  • 3 October 2016
  • 46 replies
  • 1953 views

Userlevel 5
Hello to all readers of the forum.
 
Just did an Old Test - Comodo Leaktest.
 
Yeah this program is now like so old it doesn't even see my OS as Win7. 'Cause back in 2008 that's all it knows. Bless.
 
Anyways I ran the test and scored 200 then I did it over and got 5% better score.
 


 
I changed one setting. This one - 'Warn' and not 'Enable max heuristics'.
 


 
So here's the point do I now permanently change my default security settings from 'Enable max heuristics' to 'Warn'?
 
Leaktest score says definitely Yes but as we live in a democracy of fonts I want you to tell me what's really better.

Best answer by RetiredTripleHelix 3 October 2016, 19:00

If that setting above was working correctly it would make WSA very, very noisy to say the least. You would get so many Pop-Ups it would drive you crazy, like an Anti-EXE app, so no, I would not recommend that setting, as in most cases all your or anyone's files are not fully Whitelisted, and it depends if you use not so well known programs, as it would take the Webroot Cloud longer to determine such programs Good without contacting support and asking them to Whitelist all your files on every update.
 
IMO,
 
Daniel

46 replies

Userlevel 7
Badge +55
Just to let you know that setting in WSA: "Warn when any new program executes that is not specifically whitelisted" is not working as it should and Webroot is aware of it and a fix will be out in the near future. Also note this does not reduce the protection of WSA in any way as it's just the setting that needs to be fixed.
 
Thanks,
 
Daniel ;)
 

Userlevel 5
Thank you for that TripleH.
 
Ok the button is a bit broken but it still works - so that's all good.
 
 
So Mr H do you reckon I should change my settings or not?
 
 
 
 
Userlevel 7
Badge +55
If that setting above was working correctly it would make WSA very, very noisy to say the least. You would get so many Pop-Ups it would drive you crazy, like an Anti-EXE app, so no, I would not recommend that setting, as in most cases all your or anyone's files are not fully Whitelisted, and it depends if you use not so well known programs, as it would take the Webroot Cloud longer to determine such programs Good without contacting support and asking them to Whitelist all your files on every update.
 
IMO,
 
Daniel
Userlevel 5
TFT Daniel.
 
I'll go with 'Max Heuristics' enabled.
 
 
Userlevel 7
Badge +55
Great that's how I have it set!
 
Daniel 😉
@ wrote:
Just to let you know that setting in WSA: "Warn when any new program executes that is not specifically whitelisted" is not working as it should and Webroot is aware of it and a fix will be out in the near future. Also note this does not reduce the protection of WSA in any way as it's just the setting that needs to be fixed.
 
Thanks,
 
Daniel ;)
 


Progress regarding "setting that needs to be fixed."....?
 
Thanks
Userlevel 7
Badge +55
@ wrote:
@ wrote:
Just to let you know that setting in WSA: "Warn when any new program executes that is not specifically whitelisted" is not working as it should and Webroot is aware of it and a fix will be out in the near future. Also note this does not reduce the protection of WSA in any way as it's just the setting that needs to be fixed.
 
Thanks,
 
Daniel ;)
 


Progress regarding "setting that needs to be fixed."....?
 
Thanks
I'm not sure if it's fixed so I will ask @ @ @ @ to see if it is?
 
Thanks,
 
Daniel
TripleHelix,
Thanks for your interest and help.  

I'm unsure whether "Warn when any..." turns Off any level of Heuristics and changes Heuristics protection into whitelist anti-executable solely based upon user decision. 

Thanks
Userlevel 7
Badge +55
I'm still waiting for a reply internally.
Userlevel 7
I've reached out to a few people as well and will post back what I find.
Userlevel 7
Badge +55
No info yet?
Userlevel 7
Badge +55
@ wrote:
I've reached out to a few people as well and will post back what I find.
@ can we get some answers please? Or even from @ @ @ anyone.
 
I heard it's working fine on Win 7 and Win 10 but it doesn't work on Win 8 or 8.1 correct? How about XP and Vista users?
 
Thanks,
 
Daniel
Userlevel 7
Badge +55
@ can you check with Lucas @ about this for a comment?
 
Thanks,
 
Daniel 😉
Userlevel 7
@ wrote:
@ can you check with Lucas @ about this for a comment?
 
Thanks,
 
Daniel ;)
Unfortunately, Lucas is not in the Office currently. I've forwarded this thread to our Manager of Product Support to check with his Team and/or the Product Team as well.
Userlevel 7
@ wrote:
@ wrote:
@ can you check with Lucas @ about this for a comment?
 
Thanks,
 
Daniel ;)
Unfortunately, Lucas is not in the Office currently. I've forwarded this thread to our Manager of Product Support to check with his Team and/or the Product Team as well.
The Product Team has informed me that this issue has been documented and we are actively tracking it. They also said there has been only one report thus far, meaning that it is by no means a high-priority-issue in the backlog.
 
Also trying to figure out if this affects all OS's or just Win10.
JP wrote: 
The Product Team has informed me that this issue has been documented and we are actively tracking it. They also said there has been only one report thus far, meaning that it is by no means a high-priority-issue in the backlog.  Also trying to figure out if this affects all OS's or just Win10.
_________________________________________________________________
 
and by "this issue has been documented" & "only one report" .... means, "Warn when any new program executes [..]" ...button, does not "Warn"..?
 
FWIW ~ I launched new setup.exe from my desktop (at test) with "Warn when any [..]" checked. 
Webroot was silent.   IDK, if my test is valid.   IDK, if "not specifically whitelisted" means, 'local or global' whitelist.
Thanks
Userlevel 7
Badge +55
bjm_ wrote: IDK, if "not specifically whitelisted" means, 'local or global' whitelist. Thanks
Whitelisted means Global or the Webroot BrightCloud Database deems it's known and clean.
@ wrote:
bjm_ wrote: IDK, if "not specifically whitelisted" means, 'local or global' whitelist. Thanks
Whitelisted means Global or the Webroot BrightCloud Database deems it's known and clean.
Okay. 
Thanks. I remain unsure regarding. 
<< Issues a warning for any program not specifically included in the Webroot database of websites that are known to be okay. >>
 
< any program not specifically included in the Webroot database of websites >

          program in the database of websites ?
 
 
Userlevel 7
Badge +55
@ wrote:
@ wrote:
bjm_ wrote: IDK, if "not specifically whitelisted" means, 'local or global' whitelist. Thanks
Whitelisted means Global or the Webroot BrightCloud Database deems it's known and clean.
Okay. 
Thanks. I remain unsure regarding. 
<< Issues a warning for any program not specifically included in the Webroot database of websites that are known to be okay. >>
 
< any program not specifically included in the Webroot database of websites >

          program in the database of websites ?
 
 
I'm just talking about files that are known good in the Webroot Cloud Database not websites.
 
[g] Means Known Good so they are whitelisted!
 
[u] Means Unknown so they are not whitelisted yet or could be bad and Webroot will monitor [u] files just in case it needs to rollback when marked Bad or Good. When Good it will stop monitoring the said [u] files.
 
Scan Started: Fri 2016-12-30 13:00:10
[g] c:\windows\system32\smss.exe [MD5: 55366CB9F41F3112DE634CDB3116E563] [Flags: 40191000.3]
[g] c:\windows\system32\csrss.exe [MD5: 77DBC745D957B4F0404ABABC10696784] [Flags: 40191000.58]
[g] c:\windows\system32\wininit.exe [MD5: 99A19C9A74E2F9820E501DCE77F84F70] [Flags: 40191000.59]
[g] c:\windows\system32\services.exe [MD5: 3C69CC28665854F1AAB4B4005005FA31] [Flags: 50191000.60]
[g] c:\windows\system32\lsass.exe [MD5: 6F8E95716C1A27FF2FE96D30B147F1C1] [Flags: 50191000.61]
[g] c:\windows\system32\svchost.exe [MD5: 36F670D89040709013F6A460176767EC] [Flags: 50191000.62]
[g] c:\windows\system32\dwm.exe [MD5: C89F159A577F19F7F03C73C98D29D841] [Flags: 40190000.63]
[g] c:\windows\system32\wudfhost.exe [MD5: EEFFD9259D6D6CFDBDC71F24730566BB] [Flags: 40190000.64]
[g] c:\windows\system32\winlogon.exe [MD5: DE6DF9BBBECAFDEF462A37D839167368] [Flags: 40190000.65]
[g] c:\windows\system32\kernel32.dll [MD5: 6955067712F2F4752CA12192B08EF860] [Flags: 40011000.69]
[g] c:\windows\system32\advapi32.dll [MD5: BB70217AED0E89C3737D48BAA0A401DE] [Flags: 40011000.75]
[g] c:\windows\system32\msvcrt.dll [MD5: 94EF9321C287FC1B179419E662996A41] [Flags: 40011000.79]
[g] c:\windows\system32\sechost.dll [MD5: 613633DB655721B1753AEE43947665EC] [Flags: 40011000.78]
 

 
 
https://www.webroot.com/us/en/business/threat-intelligence
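
The [g]/[u] markers described in the post above can be pulled out of a scan log mechanically. The following is an added example, not part of the original post and not Webroot code: it assumes the line layout shown in the log excerpt above, treats the Flags value as opaque, and runs on a constructed sample whose paths, hashes and flag values are made up.

```python
import re
from collections import namedtuple

# Status letters as explained in the post above; any other letter is reported
# as "unrecognized status" rather than guessed at.
STATUS = {"g": "known good (whitelisted)", "u": "unknown (monitored)"}

Entry = namedtuple("Entry", "status path md5 flags")

# One scan-log entry: "[g] <path> [MD5: <32 hex>] [Flags: <opaque>]"
LINE_RE = re.compile(
    r"^\[(?P<status>[a-z])\]\s+(?P<path>.+?)\s+"
    r"\[MD5:\s*(?P<md5>[0-9A-Fa-f]{32})\]\s+\[Flags:\s*(?P<flags>[^\]]+)\]\s*$"
)

def parse_scan_log(text):
    """Return (entries, skipped); skipped holds lines that did not parse."""
    entries, skipped = [], []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("Scan Started:"):
            continue
        m = LINE_RE.match(line)
        if m:
            entries.append(Entry(m["status"], m["path"].lower(), m["md5"].upper(), m["flags"]))
        else:
            skipped.append(line)  # keep damaged lines visible instead of dropping them
    return entries, skipped

def not_whitelisted(entries):
    """Entries whose status is anything other than [g]."""
    return [e for e in entries if e.status != "g"]

def describe(entry):
    return STATUS.get(entry.status, "unrecognized status")

# Constructed sample: paths, hashes and flag values are made up.
SAMPLE = r"""Scan Started: Fri 2016-12-30 13:00:10
[g] c:\windows\system32\smss.exe [MD5: 00000000000000000000000000000001] [Flags: 40191000.3]
[u] c:\users\example\desktop\setup.exe [MD5: 0000000000000000000000000000000A] [Flags: 00000000.1]
[g] c:\windows\system32\kernel32.dll [MD5: 00000000000000000000000000000002] [Flags: 40011000.69]
[u] c:\tools\truncated.exe [MD5: 1234]
"""

if __name__ == "__main__":
    entries, skipped = parse_scan_log(SAMPLE)
    for e in not_whitelisted(entries):
        print(f"[{e.status}] {describe(e)}: {e.path} (MD5 {e.md5})")
    print(f"{len(skipped)} line(s) did not parse")
```
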
TripleHelix wrote: Whitelisted means Global or the Webroot BrightCloud Database deems it's known and clean.
_________________________________________________________
bjm_ wrote: Thanks. I remain unsure regarding. 
<< Issues a warning for any program not specifically included in the Webroot database of websites that are known to be okay. >>
 
< any program not specifically included in the Webroot database of websites >

          program in the database of websites ?
___________________________________________________________________
 
TripleHelix wrote:  I'm just talking about files that are known good in the Webroot Cloud Database not websites.
 ___________________________________________________________________
bjm_ wrote:


 
http://live.webrootanywhere.com/content/680/Adjusting-Heuristics
 
___________________________________________________
 
FWIW ~ I run [u] c:\program files\novirusthanks\exe radar pro\erpsvc.exe [MD5:C1C9E5C71171E806646FB9E9ADB7E27B].  
 
"Warn when any" is silent.   Yes, erpsvc is Monitor (or, I'll move to Allow).   Webroot reports erpsvc as Unclassified.
Userlevel 7
Badge +55
@ wrote:
TripleHelix wrote: Whitelisted means Global or the Webroot BrightCloud Database deems it's known and clean.
_________________________________________________________
bjm_ wrote: Thanks. I remain unsure regarding. 
<< Issues a warning for any program not specifically included in the Webroot database of websites that are known to be okay. >>
 
< any program not specifically included in the Webroot database of websites >

          program in the database of websites ?
___________________________________________________________________
 
TripleHelix wrote:  I'm just talking about files that are known good in the Webroot Cloud Database not websites.
 ___________________________________________________________________
@ wrote:


 
http://live.webrootanywhere.com/content/680/Adjusting-Heuristics
 
___________________________________________________
 
FWIW ~ I run [u] c:\program files\novirusthanks\exe radar pro\erpsvc.exe [MD5:C1C9E5C71171E806646FB9E9ADB7E27B].  
 
"Warn when any" is silent.   Yes, erpsvc is Monitor (or, I'll move to Allow).   Webroot reports erpsvc as Unclassified.
Well, let's see what Webroot has to say during the week because if you go to a bad Website it will be blocked so I don't know why that's in there with Heuristics as that is for running process files on that system IMO. None of the other settings say anything about Websites and I run with Max Heuristics which is just fine.
 
Adjust heuristics using the information in the following table.
OPTION | DESCRIPTION
Disable heuristics | Turns off heuristic analysis. Not recommended.
Enable standard heuristics | This setting could lower your level of security.
Enable enhanced heuristics based on the behavior, origin, age, and popularity of files | Default; recommended setting.
Enable maximum heuristics | Use with caution; this could cause unexpected behavior, prevent the use of lesser known applications, or prevent the installation of rarely-used programs.
Warn when any new program executes that is not specifically whitelisted | Issues a warning for any program not specifically included in the Webroot database of websites that are known to be okay.
Enable Webroot Infrared | For details, see PC Shields Overview.
Userlevel 7
Badge +55
Here is another Tidbit but notice the part on Heuristics:  https://community.webroot.com/t5/Webroot-SecureAnywhere-Complete/The-difference-between-a-deep-scan-and-a-full-scan/ta-p/6476
@ wrote:
Here is another Tidbit but notice the part on Heuristics:  https://community.webroot.com/t5/Webroot-SecureAnywhere-Complete/The-difference-between-a-deep-scan-and-a-full-scan/ta-p/6476
Yes, curious why Webroot has local Heuristics > Enable. 
 
quote: << The extra information generated from these actions may result in a Good or Bad determination from the cloud based on cloud heuristics or a heuristic determination from WSA itself - in which case one of the above Good or Bad results occur.>>
 
With respect & appreciation,
Thanks
@ wrote:
@ wrote:
Here is another Tidbit but notice the part on Heuristics:  https://community.webroot.com/t5/Webroot-SecureAnywhere-Complete/The-difference-between-a-deep-scan-and-a-full-scan/ta-p/6476
Yes, curious why Webroot has local Heuristics > Enable. 
 
quote: << The extra information generated from these actions may result in a Good or Bad determination from the cloud based on cloud heuristics or a heuristic determination from WSA itself - in which case one of the above Good or Bad results occur.>>
 
With respect & appreciation,
Thanks
> further to my curiosity re local Heuristics,.....found message >
 
There are two kinds of heuristics - agent heuristics and cloud heuristics.  Agent heuristics look at what the file is doing on that particular system, and cloud heuristics look at what a file is doing across the entire userbase.  If we have data on what that same file has been doing on all of the other computers in our intelligence network, the cloud heuristics are far better off for it and we can make rules in the cloud to identify and blacklist malware based on what the cloud is seeing about a given file. 
https://community.webroot.com/t5/Webroot-SecureAnywhere-Antivirus/Evaluating-SecureAnywhere-Antivirus-feedback-and-some-questions/m-p/38796/highlight/true#M1735
 
 
> verbiage remains


 
> did we find out if "Warn when any [..]" works with W10
