Solved

Should Default User Settings include 'Warn' not 'Enable Max Heuristics'?


Userlevel 5
Hello to all readers of the forum.
 
Just did an Old Test - Comodo Leaktest.
 
Yeah this program is now like so old it doesn't even see my OS as win7. 'Cause back in 2008 that's all it knows. Bless.
 
Anyways I ran the test and scored 200 then I did it over and got 5% better score.
 


 
I changed one setting. This one - 'Warn' and not 'Enable max heuristics'.
 


 
So here's the point: do I now permanently change my default security settings from 'Enable max heuristics' to 'Warn'?
 
Leaktest score says definitely Yes but as we live in a democracy of fonts I want you to tell me what's really better.

Best answer by RetiredTripleHelix 3 October 2016, 19:00


46 replies

@ wrote:
@ wrote:
Hello Thread,
 
FWIW ~ just adding my observation......not looking for reply ~ Thanks
 
just found Security Settings in Web Console




 
> observed that even at Console Settings Maximum that agent Settings Warn when any new program executes [..] is not selected.
We knew of that but I leave mine at User Configuration and that is what Lucas @ was trying to say earlier!
https://docs.webroot.com/us/en/home/wsa_website_userguide/wsa_managementwebsite_userguide.htm#PCSecurity/EditingPCSecuritySettings.htm%3FTocPath%3DPC%2520Security%7C_____3
Hmm, I thought @ was trying to say earlier that "Warn when any new program executes that is not specifically whitelisted" enables Maximum heuristics.
<<  2.) What this setting does do is enable Maximum heuristics. >>
https://community.webroot.com/t5/Webroot-SecureAnywhere-Antivirus/Should-Default-User-Settings-include-Warn-not-Enable-Max/m-p/288286/highlight/true#M29675

Not looking for reply.
Thanks
FWIW ~ based upon Security Settings chart. 



Maximum sets all Feature* Heuristics to Maximum except Offline Heuristics. 
Maybe, Warn when any new program executes that is not specifically whitelisted sets all Feature* Heuristics to Maximum including Offline Heuristics.
 
YMMV
Userlevel 7
Correct...on all counts there, Daniel.
 
Regards, Baldrick
Userlevel 7
@ wrote:
Hello Thread,
 
FWIW ~ just adding my observation......not looking for reply ~ Thanks
 
just found Security Settings in Web Console




 
> observed that even at Console Settings Maximum that agent Settings Warn when any new program executes [..] is not selected.
We knew of that but I leave mine at User Configuration and that is what Lucas @ was trying to say earlier!
https://docs.webroot.com/us/en/home/wsa_website_userguide/wsa_managementwebsite_userguide.htm#PCSecurity/EditingPCSecuritySettings.htm%3FTocPath%3DPC%2520Security%7C_____3
Hello Thread,
 
FWIW ~ just adding my observation......not looking for reply ~ Thanks
 
just found Security Settings in Web Console




 
> observed that even at Console Settings Maximum that agent Settings Warn when any new program executes [..] is not selected.
Userlevel 7
Thank you very much for this thorough explanation TechToc!
Userlevel 7
Thank you TechToc, Bookmarked. 😉
Userlevel 7
@ wrote:
Thanks for that very thorough explanation, TechToc. ;)
+1 here...excellent explanation (& now bookmarked). :D
Thanks for that very thorough explanation, TechToc. 😉
Userlevel 5
Hello All,
 
I've been communicating with bjm_ regarding these settings and there are a couple of notes that I think are of benefit to this discussion.
 
1.) The reason we recommend leaving the option as default is it provides the most amount of security with the least fussiness. It also underscores a certain understanding of back end processes regarding file classification. The setting as stated requires an understanding of our whitelisting functionality, and this is pretty complex and deep. As WSA has matured we've included a number of additional protections and solutions that are less Black Grey and White as it was during our earlier years. As a result, a given file may or may not raise the alarm based on a number of properties. 
 
2.) What this setting does do is enable Maximum heuristics. Those of you who have been around long enough to recall the original WSA interface (White UI) may remember that there were a number of granular settings for Heuristics that were accessible in the UI. These options didn't go away, rather they were wrapped up into the 4 different settings now seen in the consumer agent. These options are masked in the consumer agent, but are exposed in the policy section of our business agent:


By setting the agent heuristic settings as described here you set every heuristic mode described above to its maximum setting. More information on what these different modes do can be found in the Admin Guide Heuristics.  As the guide describes: 
  • Maximum — Provides the highest level of protection against new threats. Use this setting if you think that your system is infected or at very high risk. This setting may result in false detections.
While this can be managed by some of our more advanced and knowledgeable customers, the vast majority of our consumer base want solid security with little fuss. This setting as described doesn't really do that. 
 
3.) All of this can get muddied further, when we look at the current implementation of the Firewall / Web Shield since the release of the driver for Windows 10. 


These options have mixed conditions based on the given file, and the system state. My main point by bringing this up is that it is easy to confuse the two areas and their functions based on behavior. It's important to note that these settings only apply to network communication. However, it can trigger network monitoring based on the given file's behavior and user action.
 
I think that's enough for now. This topic can get very very confusing and in-depth. Should there be any further questions, please let me know. I'll respond as soon as I can.
 
Thank you,
 
-------
Edit to correct a username.
Userlevel 7
I was told the same Internally!
Webroot Support (Mar 14, 2017 18:43)
Webroot not warning when there are unknown files is currently an issue that may be addressed in the future. We recommend leaving Webroot setup with default settings.
Regards,
Webroot Advanced Malware Removal Team
> upon machine start (Fast Startup Off)


 
Sun 2017-03-12 08:26:24.0933    File blocked in realtime: c:\windows\system32\{a6d608f0-0bde-491a-97ae-5c4b05d86e01}.bat [MD5: 5C5A797761421CF9B72087F3BC8A5259, Size: 180 bytes] [160/0000000E] [(null)]





maybe, Heuristics (Local) Warn when any [..] is (only) for System Space upon machine start (Fast Startup Off).


 
When I get "This file was blocked because [..]" with [u] in User Space.  I'll update thread.
Thanks
 
I asked Support about 
<<Warn when any new program executes that is not specifically whitelisted
Issues a warning for any program not specifically included in the Webroot database of websites that are known to be okay.>>
 
<<Webroot will always ask if an unknown [u] program is trying to run. This is to ensure the user is aware that a file may be risky.
The Webroot Support Team>>
_____________________________________
 
FWIW ~ IIRC, I've not seen this dialog with [u] ~ YMMV


 
I'll update thread when I see above dialog. 
Thanks
Userlevel 7
And you certainly can find a lot of information and answers here in the Community...but NOT all...the only people who know ALL the answers are Webroot Support and/or the Development Team. Hence the recommendation that you make use of their services.
 
😉
@ wrote:
You can well ask away here but as I stated earlier the quickest & best approach is the Support Team. Most of us do not have time to test every single setting & feature and so unless there is someone out there who has and wants to share you are most likely wasting your time, IMHO.
 
Personally, I use the recommended default "Enable enhanced heuristics based on the behavior, origin, age, and popularity of files", and it has never let me down...so for me...no need to experiment.
 
But if I ever do in this area I will let you know. ;)
 
Baldrick
 
 
And Support always writes.
<< We would like to invite you to join the Webroot Community, an online forum where you can find answers to your security questions, vote on ideas for our products, and talk to experts. >>
Userlevel 7
You can well ask away here but as I stated earlier the quickest & best approach is the Support Team. Most of us do not have time to test every single setting & feature and so unless there is someone out there who has and wants to share you are most likely wasting your time, IMHO.
 
Personally, I use the recommended default "Enable enhanced heuristics based on the behavior, origin, age, and popularity of files", and it has never let me down...so for me...no need to experiment.
 
But if I ever do in this area I will let you know. ;)
 
Baldrick
 
 
@ wrote:
@ no need to start new threads just keep asking in here! Also follow Baldrick's suggestion and contact support.
Okay. 
The OP or Mod has marked up a Solution for this thread.
https://community.webroot.com/t5/Webroot-SecureAnywhere-Antivirus/Should-Default-User-Settings-include-Warn-not-Enable-Max/m-p/269705/highlight/true#M27776
 
Okay.  I'll keep asking here.  Also, thought thread was passed over because no reply "during the week"
<< Well lets see what Webroot has to say during the week [...]. >>
https://community.webroot.com/t5/Webroot-SecureAnywhere-Antivirus/Should-Default-User-Settings-include-Warn-not-Enable-Max/m-p/280585/highlight/true#M28996
 
Okay.  I'll keep asking in here & ask Support as per Baldrick's suggestion.
Should I receive warn dialog for [u] launch?
Does [u] launch qualify as new program execute that is not whitelisted?
 
Thanks
Userlevel 7
@ no need to start new threads just keep asking in here! Also follow Baldrick's suggestion and contact support.
Userlevel 7
If you believe that you have an issue with this or that there is a general issue with the feature I would open a support ticket to let the Support Team know/so that they can investigate.
 
Quickest & most appropriate action.
 
Baldrick
Hello Webrooters,
 
Warn when any new program executes that is not specifically whitelisted   
Issues a warning for any program not specifically included in the Webroot database [of websites that are known to be okay.]


 
after clean Webroot Antivirus install + restart and Advanced Settings to my preference + restart.   
Webroot Antivirus is silent for sandboxieinstall64-517-5.exe launch. 
[u] c:\users\jms\downloads\sandboxieinstall64-517-5.exe [MD5: 209C43AD998FAB09AF14D8231F520157] [Flags: 40081000.1454]
 
IDK.  Should I receive warn dialog for [u] launch?
Does [u] launch qualify as new program execute that is not whitelisted?
 
Thanks
 
> verbiage remains


 
> did we find out if "Warn when any [..]" works with W10
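
An added example, not part of any post in this thread and not Webroot tooling: a small Python audit of the two log-line shapes quoted above (the `[u]` entry and the "File blocked in realtime" entry). It lists files logged as `[u]` that have no matching block entry, which are the launches the thread asks about when no warn dialog appears. The field layout is assumed from the quoted lines only; the sample log is constructed from those lines (backslashes restored) plus one constructed `[u]` line.

```python
import re

# Field layout assumed from the two log lines quoted in this thread only.
TS = r"(?:(?P<ts>\w{3} \d{4}-\d\d-\d\d \d\d:\d\d:\d\d\.\d+)\s+)?"
MD5 = r"(?P<md5>[0-9A-Fa-f]{32})"
DETERMINED = re.compile(TS + r"\[(?P<det>[a-z])\] (?P<path>.+?) \[MD5: " + MD5 + r"\]")
BLOCKED = re.compile(TS + r"File blocked in realtime: (?P<path>.+?) \[MD5: " + MD5
                     + r", Size: (?P<size>\d+) bytes\]")

# Constructed sample: lines 1-2 are the entries quoted in the thread;
# line 3 (a [u] entry for the blocked .bat, with placeholder Flags) is constructed.
SAMPLE_LOG = r"""
Sun 2017-03-12 08:26:24.0933    File blocked in realtime: c:\windows\system32\{a6d608f0-0bde-491a-97ae-5c4b05d86e01}.bat [MD5: 5C5A797761421CF9B72087F3BC8A5259, Size: 180 bytes] [160/0000000E] [(null)]
[u] c:\users\jms\downloads\sandboxieinstall64-517-5.exe [MD5: 209C43AD998FAB09AF14D8231F520157] [Flags: 40081000.1454]
[u] c:\windows\system32\{a6d608f0-0bde-491a-97ae-5c4b05d86e01}.bat [MD5: 5C5A797761421CF9B72087F3BC8A5259] [Flags: 00000000.0]
"""


def audit(log_text):
    """Return (unknown, blocked, unblocked_unknown), each keyed by upper-case MD5."""
    unknown, blocked = {}, {}
    for line in log_text.splitlines():
        line = line.strip()
        m = BLOCKED.search(line)
        if m:
            blocked[m["md5"].upper()] = {
                "path": m["path"], "size": int(m["size"]), "ts": m["ts"]}
            continue
        m = DETERMINED.match(line)
        # Only the [u] tag is interpreted; other tags are not shown in the thread.
        if m and m["det"] == "u":
            unknown.setdefault(m["md5"].upper(), m["path"])
    # Unknown files with no block entry: review these by hand.
    unblocked = {h: p for h, p in unknown.items() if h not in blocked}
    return unknown, blocked, unblocked


if __name__ == "__main__":
    unknown, blocked, unblocked = audit(SAMPLE_LOG)
    for md5, path in unblocked.items():
        print(f"unknown, not blocked: {path} (MD5 {md5})")
```
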
@ wrote:
@ wrote:
Here is another Tidbit but notice the part on Heuristics:  https://community.webroot.com/t5/Webroot-SecureAnywhere-Complete/The-difference-between-a-deep-scan-and-a-full-scan/ta-p/6476
Yes, curious why Webroot has local Heuristics > Enable. 
 
quote: << The extra information generated from these actions may result in a Good or Bad determination from the cloud based on cloud heuristics or a heuristic determination from WSA itself - in which case one of the above Good or Bad results occur.>>
 
With respect & appreciation,
Thanks
> further to my curiosity re local Heuristics,.....found message >
 
There are two kinds of heuristics - agent heuristics and cloud heuristics.  Agent heuristics look at what the file is doing on that particular system, and cloud heuristics look at what a file is doing across the entire userbase.  If we have data on what that same file has been doing on all of the other computers in our intelligence network, the cloud heuristics are far better off for it and we can make rules in the cloud to identify and blacklist malware based on what the cloud is seeing about a given file. 
https://community.webroot.com/t5/Webroot-SecureAnywhere-Antivirus/Evaluating-SecureAnywhere-Antivirus-feedback-and-some-questions/m-p/38796/highlight/true#M1735
 
 
@ wrote:
Here is another Tidbit but notice the part on Heuristics:  https://community.webroot.com/t5/Webroot-SecureAnywhere-Complete/The-difference-between-a-deep-scan-and-a-full-scan/ta-p/6476
Yes, curious why Webroot has local Heuristics > Enable. 
 
quote: << The extra information generated from these actions may result in a Good or Bad determination from the cloud based on cloud heuristics or a heuristic determination from WSA itself - in which case one of the above Good or Bad results occur.>>
 
With respect & appreciation,
Thanks
Userlevel 7
Here is another Tidbit but notice the part on Heuristics:  https://community.webroot.com/t5/Webroot-SecureAnywhere-Complete/The-difference-between-a-deep-scan-and-a-full-scan/ta-p/6476