Solved

Should Default User Settings include 'Warn' not 'Enable Max Heuristics'?




Hello Webrooters,
 
Warn when any new program executes that is not specifically whitelisted   
Issues a warning for any program not specifically included in the Webroot database [of websites that are known to be okay.]


 
after clean Webroot Antivirus install + restart and Advanced Settings to my preference + restart.   
Webroot Antivirus is silent for sandboxieinstall64-517-5.exe launch. 
[u] c:\users\jms\downloads\sandboxieinstall64-517-5.exe [MD5: 209C43AD998FAB09AF14D8231F520157] [Flags: 40081000.1454]
 
IDK.  Should I receive warn dialog for [u] launch?
Does [u] launch qualify as new program execute that is not whitelisted?
 
Thanks
 
Userlevel 7
If you believe that you have an issue with this or that there is a general issue with the feature I would open a support ticket to let the Support Team know/so that they can investigate.
 
Quickest & most appropriate action.
 
Baldrick
Userlevel 7
Badge +55
@bjm_ no need to start new threads, just keep asking in here! Also follow Baldrick's suggestion and contact support.

@TripleHelix wrote:
@bjm_ no need to start new threads, just keep asking in here! Also follow Baldrick's suggestion and contact support.

Okay. 
The OP or Mod has marked up a Solution for this thread.
https://community.webroot.com/t5/Webroot-SecureAnywhere-Antivirus/Should-Default-User-Settings-include-Warn-not-Enable-Max/m-p/269705/highlight/true#M27776
 
Okay.  I'll keep asking here.  Also, thought thread was passed over because no reply "during the week"
<< Well, let's see what Webroot has to say during the week [...]. >>
https://community.webroot.com/t5/Webroot-SecureAnywhere-Antivirus/Should-Default-User-Settings-include-Warn-not-Enable-Max/m-p/280585/highlight/true#M28996
 
Okay.  I'll keep asking in here & ask Support as per Baldrick's suggestion.
Should I receive warn dialog for [u] launch?
Does [u] launch qualify as new program execute that is not whitelisted?
 
Thanks
Userlevel 7
You can well ask away here but as I stated earlier the quickest & best approach is the Support Team. Most of us do not have time to test every single setting & feature and so unless there is someone out there who has and wants to share you are most likely wasting your time, IMHO.
 
Personally, I use the recommended default "Enable enhanced heuristics based on the behavior, origin, age, and popularity of files", and it has never let me down...so for me...no need to experiment.
 
But if I ever do in this area I will let you know. ;)
 
Baldrick
 
 

@Baldrick wrote:
You can well ask away here but as I stated earlier the quickest & best approach is the Support Team. Most of us do not have time to test every single setting & feature and so unless there is someone out there who has and wants to share you are most likely wasting your time, IMHO.
 
Personally, I use the recommended default "Enable enhanced heuristics based on the behavior, origin, age, and popularity of files", and it has never let me down...so for me...no need to experiment.
 
But if I ever do in this area I will let you know. ;)
 
Baldrick
 
 

And Support always writes.
<< We would like to invite you to join the Webroot Community, an online forum where you can find answers to your security questions, vote on ideas for our products, and talk to experts. >>
Userlevel 7
And you certainly can find a lot of information and answers here in the Community...but NOT all...the only people who know ALL the answers are Webroot Support and/or the Development Team. Hence the recommendation that you make use of their services.
 
😉
I asked Support about 
<<Warn when any new program executes that is not specifically whitelisted
Issues a warning for any program not specifically included in the Webroot database of websites that are known to be okay.>>
 
<<Webroot will always ask if an unknown [u] program is trying to run. This is to ensure the user is aware that a file may be risky.
The Webroot Support Team>>
_____________________________________
 
FWIW ~ IIRC, I've not seen this dialog with [u] ~ YMMV


 
I'll update thread when I see above dialog. 
Thanks
> upon machine start (Fast Startup Off)


 
Sun 2017-03-12 08:26:24.0933    File blocked in realtime: c:\windows\system32\{a6d608f0-0bde-491a-97ae-5c4b05d86e01}.bat [MD5: 5C5A797761421CF9B72087F3BC8A5259, Size: 180 bytes] [160/0000000E] [(null)]





maybe, Heuristics (Local) Warn when any [..] is (only) for System Space upon machine start (Fast Startup Off).


 
When I get "This file was blocked because [..]" with [u] in User Space.  I'll update thread.
Thanks
 
Webroot Support (Mar 14, 2017 18:43)
Webroot not warning when there are unknown files is currently an issue that may be addressed in the future. We recommend leaving Webroot set up with default settings.
Regards,
Webroot Advanced Malware Removal Team
Userlevel 7
Badge +55
I was told the same Internally!
Userlevel 5
Badge +15
Hello All,
 
I've been communicating with bjm_ regarding these settings and there are a couple of notes that I think are of benefit to this discussion.
 
1.) The reason we recommend leaving the option as default is it provides the most amount of security with the least fussiness. It also underscores a certain understanding of back end processes regarding file classification. The setting as stated requires an understanding of our whitelisting functionality, and this is pretty complex and deep. As WSA has matured we've included a number of additional protections and solutions that are less Black Grey and White as it was during our earlier years. As a result, a given file may or may not raise the alarm based on a number of properties.
 
2.) What this setting does do is enable Maximum heuristics. Those of you who have been around long enough to recall the original WSA interface (White UI) may remember that there were a number of granular settings for Heuristics that were accessible in the UI. These options didn't go away, rather they were wrapped up into the 4 different settings now seen in the consumer agent. These options are masked in the consumer agent, but are exposed in the policy section of our business agent:


By setting the agent heuristic settings as described here you set every heuristic mode described above to its maximum setting. More information on what these different modes do can be found in the Admin Guide Heuristics. As the guide describes:
  • Maximum — Provides the highest level of protection against new threats. Use this setting if you think that your system is infected or at very high risk. This setting may result in false detections.
While this can be managed by some of our more advanced and knowledgeable customers, the vast majority of our consumer base want solid security with little fuss. This setting as described doesn't really do that.
 
3.) All of this can get muddied further, when we look at the current implementation of the Firewall / Web Shield since the release of the driver for Windows 10. 


These options have mixed conditions based on the given file, and the system state. My main point by bringing this up is that it is easy to confuse the two areas and their functions based on behavior. It's important to note that these settings only apply to network communication. However, it can trigger network monitoring based on the given file's behavior and user action.
 
I think that's enough for now. This topic can get very very confusing and in-depth. Should there be any further questions, please let me know. I'll respond as soon as I can.
 
Thank you,
 
-------
Edit to correct a username.
Userlevel 7
Thanks for that very thorough explanation, TechToc. 😉
Userlevel 7

@BurnDaddy wrote:
Thanks for that very thorough explanation, TechToc. ;)

+1 here...excellent explanation (& now bookmarked). :D
Userlevel 7
Thank you TechToc, Bookmarked. 😉
Userlevel 7
Badge +55
Thank you very much for this thorough explanation TechToc!
Hello Thread,
 
FWIW ~ just adding my observation......not looking for reply ~ Thanks
 
just found Security Settings in Web Console




 
> observed that even at Console Settings Maximum that agent Settings Warn when any new program executes [..] is not selected.
Userlevel 7
Badge +55

@bjm_ wrote:
Hello Thread,
 
FWIW ~ just adding my observation......not looking for reply ~ Thanks
 
just found Security Settings in Web Console




 
> observed that even at Console Settings Maximum that agent Settings Warn when any new program executes [..] is not selected.

We knew of that but I leave mine at User Configuration and that is what Lucas @TechToc was trying to say earlier!
https://docs.webroot.com/us/en/home/wsa_website_userguide/wsa_managementwebsite_userguide.htm#PCSecurity/EditingPCSecuritySettings.htm%3FTocPath%3DPC%2520Security%7C_____3
Userlevel 7
Correct...on all counts there, Daniel.
 
Regards, Baldrick
FWIW ~ based upon Security Settings chart. 



Maximum sets all Feature* Heuristics to Maximum except Offline Heuristics. 
Maybe, Warn when any new program executes that is not specifically whitelisted sets all Feature* Heuristics to Maximum including Offline Heuristics.
 
YMMV

@TripleHelix wrote:

@bjm_ wrote:
Hello Thread,
 
FWIW ~ just adding my observation......not looking for reply ~ Thanks
 
just found Security Settings in Web Console




 
> observed that even at Console Settings Maximum that agent Settings Warn when any new program executes [..] is not selected.

We knew of that but I leave mine at User Configuration and that is what Lucas @TechToc was trying to say earlier!
https://docs.webroot.com/us/en/home/wsa_website_userguide/wsa_managementwebsite_userguide.htm#PCSecurity/EditingPCSecuritySettings.htm%3FTocPath%3DPC%2520Security%7C_____3

Hmm, I thought @TechToc was trying to say earlier that "Warn when any new program executes that is not specifically whitelisted" enables Maximum heuristics.
<<  2.) What this setting does do is enable Maximum heuristics. >>
https://community.webroot.com/t5/Webroot-SecureAnywhere-Antivirus/Should-Default-User-Settings-include-Warn-not-Enable-Max/m-p/288286/highlight/true#M29675

Not looking for reply.
Thanks
