Solved

Should Default User Settings include 'Warn' not 'Enable Max Heuristics'?


Userlevel 5
Hello to all readers of the forum.

 

Just did an Old Test - Comodo Leaktest.

 

Yeah this program is now like so old it doesn't even see my OS as win7. 'Cause back in 2008 that's all it knows. Bless.

 

Anyways I ran the test and scored 200 then I did it over and got 5% better score.

 



 

I changed one setting. This one - 'Warn' and not 'Enable max heuristics'.

 



 

So here's the point do I now permanently change my default security settings from 'Enable max heuristics' to 'Warn'?

 

Leaktest score says definitely Yes but as we live in a democracy of fonts I want you to tell me what's really better.

Best answer by RetiredTripleHelix 3 October 2016, 19:00


46 replies

Userlevel 7
Badge +56
@ wrote:

@ wrote:

Just to let you know that setting in WSA: "Warn when any new program executes that is not specifically whitelisted" is not working as it should and Webroot is aware of it and a fix will be out in the near future. Also note this does not reduce the protection of WSA in any way as it's just the setting that needs to be fixed.

 

Thanks,

 

Daniel ;)

 



Progress regarding "setting that needs to be fixed."....?

 

Thanks

I'm not sure if it's fixed so I will ask @ @ @ @ to see if it is?

 

Thanks,

 

Daniel
Userlevel 7
Badge +56
If that setting above was working correctly it would make WSA very, very noisy to say the least. You would get so many Pop-Ups it would drive you crazy like an Anti-EXE app so no I would not recommend that setting as in most cases all your or anyone's files are not fully Whitelisted and depends if you use not so well known programs as it would take the Webroot Cloud longer to determine such programs Good without contacting support and asking them to Whitelist all your files on every update.

 

IMO,

 

Daniel
@ wrote:

Just to let you know that setting in WSA: "Warn when any new program executes that is not specifically whitelisted" is not working as it should and Webroot is aware of it and a fix will be out in the near future. Also note this does not reduce the protection of WSA in any way as it's just the setting that needs to be fixed.

 

Thanks,

 

Daniel ;)

 



Progress regarding "setting that needs to be fixed."....?

 

Thanks
Userlevel 7
I've reached out to a few people as well and will post back what I find.
Userlevel 7
Badge +56
Just to let you know that setting in WSA: "Warn when any new program executes that is not specifically whitelisted" is not working as it should and Webroot is aware of it and a fix will be out in the near future. Also note this does not reduce the protection of WSA in any way as it's just the setting that needs to be fixed.

 

Thanks,

 

Daniel ;)

 

TripleHelix,

Thanks for your interest and help.  



I'm unsure whether "Warn when any..." turns Off any level of Heuristics and changes Heuristics protection into whitelist anti-executable solely based upon user decision. 



Thanks
Userlevel 7
@ wrote:

@ wrote:

@ can you check with Lucas @ about this for a comment?

 

Thanks,

 

Daniel ;)

Unfortunately, Lucas is not in the Office currently. I've forwarded this thread to our Manager of Product Support to check with his Team and/or the Product Team as well.

The Product Team has informed me that this issue has been documented and we are actively tracking it. They also said there has been only one report thus far, meaning that it is by no means a high-priority-issue in the backlog.

 

Also trying to figure out if this affects all OS's or just Win10.
Userlevel 7
Badge +56
Great that's how I have it set!

 

Daniel 😉
Userlevel 7
Badge +56
No info yet?
Userlevel 7
Badge +56
@ wrote:

I've reached out to a few people as well and will post back what I find.

@ can we get some answers please? Or even from @ @ @ anyone.

 

I heard it's working fine on Win 7 and Win 10 but it doesn't work on Win 8 or 8.1 correct? How about XP and Vista users?

 

Thanks,

 

Daniel
Userlevel 7
@ wrote:

@ can you check with Lucas @ about this for a comment?

 

Thanks,

 

Daniel ;)

Unfortunately, Lucas is not in the Office currently. I've forwarded this thread to our Manager of Product Support to check with his Team and/or the Product Team as well.
Userlevel 5
Badge +16
Hello All,

 

I've been communicating with bjm_ regarding these settings and there are a couple of notes that I think are of benefit to this discussion.

 

1.) The reason we recommend leaving the option as default is it provides the most amount of security with the least fussiness. It also underscores a certain understanding of back end processes regarding file classification. The setting as stated requires an understanding of our whitelisting functionality, and this is pretty complex and deep. As WSA has matured we've included a number of additional protections and solutions that are less Black, Grey and White than it was during our earlier years. As a result, a given file may or may not raise the alarm based on a number of properties.

 

2.) What this setting does do is enable Maximum heuristics. Those of you who have been around long enough to recall the original WSA interface (White UI) may remember that there were a number of granular settings for Heuristics that were accessible in the UI. These options didn't go away, rather they were wrapped up into the 4 different settings now seen in the consumer agent. These options are masked in the consumer agent, but are exposed in the policy section of our business agent:



By setting the agent heuristic settings as described here you set every heuristic mode described above to its maximum setting. More information on what these different modes do can be found in the Admin Guide Heuristics. As the guide describes:


  • Maximum — Provides the highest level of protection against new threats. Use this setting if you think that your system is infected or at very high risk. This setting may result in false detections.
While this can be managed by some of our more advanced and knowledgeable customers, the vast majority of our consumer base want solid security with little fuss. This setting as described doesn't really do that.

 

3.) All of this can get muddied further, when we look at the current implementation of the Firewall / Web Shield since the release of the driver for Windows 10. 



These options have mixed conditions based on the given file, and the system state. My main point by bringing this up is that it is easy to confuse the two areas and their functions based on behavior. It's important to note that these settings only apply to network communication. However, it can trigger network monitoring based on the given file's behavior and user action.

 

I think that's enough for now. This topic can get very, very confusing and in-depth. Should there be any further questions, please let me know. I'll respond as soon as I can.

 

Thank you,

 

-------

Edit to correct a username.
Userlevel 5
TFT Daniel.

 

I'll go with 'Max Heuristics' enabled.

 

 
Userlevel 7
Badge +56
I'm still waiting for a reply internally.
Userlevel 7
Badge +56
@ can you check with Lucas @ about this for a comment?

 

Thanks,

 

Daniel 😉
Userlevel 7
Badge +56
bjm_ wrote: IDK, if "not specifically whitelisted" means, 'local or global' whitelist. Thanks

Whitelisted means Global or the Webroot BrightCloud Database deems it's known and clean.
Userlevel 7
Badge +56
@ wrote:

@ wrote:

bjm_ wrote: IDK, if "not specifically whitelisted" means, 'local or global' whitelist. Thanks

Whitelisted means Global or the Webroot BrightCloud Database deems it's known and clean.

Okay. 

Thanks. I remain unsure regarding. 

<< Issues a warning for any program not specifically included in the Webroot database of websites that are known to be okay. >>

 

< any program not specifically included in the Webroot database of websites >



          program in the database of websites ?

 

 

I'm just talking about files that are known good in the Webroot Cloud Database not websites.

 

[g] Means Known Good so they are whitelisted!

 

[u] Means Unknown so they are not whitelisted yet or could be bad and Webroot will monitor [u] files just in case it needs to rollback when marked Bad or Good. When Good it will stop monitoring the said [u] files.

 

Scan Started: Fri 2016-12-30 13:00:10

[g] c:\windows\system32\smss.exe [MD5: 55366CB9F41F3112DE634CDB3116E563] [Flags: 40191000.3]

[g] c:\windows\system32\csrss.exe [MD5: 77DBC745D957B4F0404ABABC10696784] [Flags: 40191000.58]

[g] c:\windows\system32\wininit.exe [MD5: 99A19C9A74E2F9820E501DCE77F84F70] [Flags: 40191000.59]

[g] c:\windows\system32\services.exe [MD5: 3C69CC28665854F1AAB4B4005005FA31] [Flags: 50191000.60]

[g] c:\windows\system32\lsass.exe [MD5: 6F8E95716C1A27FF2FE96D30B147F1C1] [Flags: 50191000.61]

[g] c:\windows\system32\svchost.exe [MD5: 36F670D89040709013F6A460176767EC] [Flags: 50191000.62]

[g] c:\windows\system32\dwm.exe [MD5: C89F159A577F19F7F03C73C98D29D841] [Flags: 40190000.63]

[g] c:\windows\system32\wudfhost.exe [MD5: EEFFD9259D6D6CFDBDC71F24730566BB] [Flags: 40190000.64]

[g] c:\windows\system32\winlogon.exe [MD5: DE6DF9BBBECAFDEF462A37D839167368] [Flags: 40190000.65]

[g] c:\windows\system32\kernel32.dll [MD5: 6955067712F2F4752CA12192B08EF860] [Flags: 40011000.69]

[g] c:\windows\system32\advapi32.dll [MD5: BB70217AED0E89C3737D48BAA0A401DE] [Flags: 40011000.75]

[g] c:\windows\system32\msvcrt.dll [MD5: 94EF9321C287FC1B179419E662996A41] [Flags: 40011000.79]

[g] c:\windows\system32\sechost.dll [MD5: 613633DB655721B1753AEE43947665EC] [Flags: 40011000.78]

 



 

 

https://www.webroot.com/us/en/business/threat-intelligence
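The [g] / [u] lines above are the Webroot scan log format the post is explaining: a classification tag, a file path, its MD5 and a flags field. The small parser below is an added example written for this thread, not Webroot's code or anything from the knowledge base; it pulls those fields out and lists the files that are not marked known good, which is the set a reviewer would want to look at first. The sample log is constructed from lines quoted in this thread (three [g] entries and the erpsvc.exe [u] entry from a later post); the flags value on the [u] line is made up, since the post did not include one.

```python
import re
from collections import Counter

# Line format as quoted in the post: "[g] <path> [MD5: <hash>] [Flags: <hex>.<n>]".
# Tags seen on the page: [g] = known good (whitelisted in the Webroot cloud),
# [u] = unknown (not whitelisted yet, monitored). Any other tag is kept verbatim
# and labelled "other" so the caller can decide what to do with it.
ENTRY_RE = re.compile(
    r"^\[(?P<cls>[a-z])\]\s+"
    r"(?P<path>.+?)\s+"
    r"\[MD5:\s*(?P<md5>[0-9A-Fa-f]{32})\]\s+"
    r"\[Flags:\s*(?P<flags>[0-9A-Fa-f]+\.\d+)\]\s*$"
)

CLASS_NAMES = {"g": "known good", "u": "unknown"}

# Constructed sample: [g] lines copied from the thread, the [u] line from a later
# post in the thread (its Flags value is invented for the example).
SAMPLE_LOG = r"""Scan Started: Fri 2016-12-30 13:00:10

[g] c:\windows\system32\smss.exe [MD5: 55366CB9F41F3112DE634CDB3116E563] [Flags: 40191000.3]
[g] c:\windows\system32\csrss.exe [MD5: 77DBC745D957B4F0404ABABC10696784] [Flags: 40191000.58]
[g] c:\windows\system32\wininit.exe [MD5: 99A19C9A74E2F9820E501DCE77F84F70] [Flags: 40191000.59]
[u] c:\program files\novirusthanks\exe radar pro\erpsvc.exe [MD5:C1C9E5C71171E806646FB9E9ADB7E27B] [Flags: 40190000.70]
"""


def parse_scan_log(text):
    """Return one dict per classified file line.

    Header lines such as 'Scan Started: ...' and blank lines do not match the
    pattern and are skipped, so the parser tolerates the surrounding log text.
    """
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue
        entries.append({
            "cls": m.group("cls"),
            "label": CLASS_NAMES.get(m.group("cls"), "other"),
            "path": m.group("path"),
            "md5": m.group("md5").upper(),   # normalise case so hashes compare cleanly
            "flags": m.group("flags"),
        })
    return entries


def count_by_class(entries):
    """How many files fell into each classification tag."""
    return Counter(e["cls"] for e in entries)


def not_whitelisted(entries):
    """Paths of files that are not [g]. Per the post, [u] files are not
    whitelisted yet and stay monitored until the cloud marks them Good or Bad,
    so these are the entries worth reviewing by hand."""
    return [e["path"] for e in entries if e["cls"] != "g"]


if __name__ == "__main__":
    parsed = parse_scan_log(SAMPLE_LOG)
    for tag, n in sorted(count_by_class(parsed).items()):
        print(f"[{tag}] {CLASS_NAMES.get(tag, 'other')}: {n}")
    for path in not_whitelisted(parsed):
        print("review:", path)
```

Run as-is it reports three known good files and one unknown, and prints the erpsvc.exe path for review; point `parse_scan_log` at the text of a real scan log to get the same summary for your own machine.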
Userlevel 7
Badge +56
@ wrote:

TripleHelix wrote: Whitelisted means Global or the Webroot BrightCloud Database deems it's known and clean.

_________________________________________________________

bjm_ wrote: Thanks. I remain unsure regarding. 

<< Issues a warning for any program not specifically included in the Webroot database of websites that are known to be okay. >>

 

< any program not specifically included in the Webroot database of websites >



          program in the database of websites ?

___________________________________________________________________

 

TripleHelix wrote:  I'm just talking about files that are known good in the Webroot Cloud Database not websites.

 ___________________________________________________________________

@ wrote:



 

http://live.webrootanywhere.com/content/680/Adjusting-Heuristics

 

___________________________________________________

 

FWIW ~ I run [u] c:\program files\novirusthanks\exe radar pro\erpsvc.exe [MD5:C1C9E5C71171E806646FB9E9ADB7E27B].

 

"Warn when any" is silent.   Yes, erpsvc is Monitor (or, I'll move to Allow).   Webroot reports erpsvc as Unclassified.

Well, let's see what Webroot has to say during the week because if you go to a bad Website it will be blocked so I don't know why that's in there with Heuristics as that is for running process files on that system IMO. None of the other settings say anything about Websites and I run with Max Heuristics which is just fine.

 

Adjust heuristics using the information in the following table.

Option: Description

Disable heuristics: Turns off heuristic analysis. Not recommended.

Enable standard heuristics: This setting could lower your level of security.

Enable enhanced heuristics based on the behavior, origin, age, and popularity of files: Default; recommended setting.

Enable maximum heuristics: Use with caution; this could cause unexpected behavior, prevent the use of lesser known applications, or prevent the installation of rarely-used programs.

Warn when any new program executes that is not specifically whitelisted: Issues a warning for any program not specifically included in the Webroot database of websites that are known to be okay.

Enable Webroot Infrared: For details, see PC Shields Overview.
Userlevel 7
Badge +56
Here is another Tidbit but notice the part on Heuristics:  https://community.webroot.com/t5/Webroot-SecureAnywhere-Complete/The-difference-between-a-deep-scan-and-a-full-scan/ta-p/6476
Userlevel 7
Badge +56
I was told the same Internally!
Userlevel 5
Thank you for that TripleH.

 

Ok the button is a bit broken but it still works - so that's all good.

 

 

So Mr H do you reckon I should change my settings or not?

 

 

 

 
Thanks for that very thorough explanation, TechToc. 😉
Userlevel 7
@ wrote:

Thanks for that very thorough explanation, TechToc. ;)
+1 here...excellent explanation (& now bookmarked). :D
Userlevel 7
Thank you TechToc, Bookmarked. 😉
Userlevel 7
Badge +62
Thank you very much for this thorough explanation TechToc!
