Solved

Still confused about brightcloud reputation vs unsafe website blocking


Userlevel 5
Badge +22
Baldrick (who has an icon with long hair... :D) gave a great explanation on this topic but this is a bit different.
 
I am confused about why Webroot would block me from opening a webpage with a BrightCloud reputation of 92 or 96 that is well visited and established.
 
 
From a Google search, three URLs are involved, which will be called Link # later in this post.
1. The link found:
forums.creativecow.net/thread/30/866686
 
2. Google Cache
http://www.google.com/url?sa=t&rct=j&q=&esrc=s&source=web&cd=7&cad=rja&uact=8&ved=0CGwQIDAG&url=http%3A%2F%2Fwebcache.googleusercontent.com%2Fsearch%3Fq%3Dcache%3ApLlIm6LuZpQJ%3Aforums.creativecow.net%2Fthread%2F30%2F866686%2B%26cd%3D7%26hl%3Den%26ct%3Dclnk%26gl%3Dus&ei=zTD0U9bqLMidygTl7ICwCw&usg=AFQjCNGW6CbWydbmVfFluFd4mIlJi2SilA&bvm=bv.73231344,d.aWw
 
3. The blocked, unsafe link as reported.  It begins with the http%3a%... in link 2 which translates to:
http://webcache.googleusercontent.com/search?q=cache:pLlIm6LuZpQJ:forums.creativecow.net/thread/30/866686+&cd=7&hl=en&ct=clnk&gl=us&ei=zTD0U9bqLMidygTl7ICwCw&usg=AFQjCNGW6CbWydbmVfFluFd4mIlJi2SilA&bvm=bv.73231344,d.aWw
 
 
So, the Google Cache (link 2) is opened and Webroot blocks me with this message.
Webroot Blocked Navigation.
This website has been reported as unsafe
<link 2> is listed
 
 
So, off to BrightCloud URL/IP lookup.  Here are the results
Link 1: Reputation 96, infections past 12 months: no, Popularity: medium, Age 55 months (establish)
Link 2: Reputation 92, infections past 12 months: no, Popularity: high, Age 99 months (establish)
Link 3: Reputation 92, infections past 12 months: no, Popularity: high, Age 31 months (establish)
Ok, enlighten me!
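
How link 2 wraps link 3, which in turn wraps link 1, shown as an added example that is not part of the original thread. The helper names (`unwrap`, `lookup_hosts`) are hypothetical, the sample URL is a shortened form of link 2 with the tracking parameters dropped, and the `cache:<id>:<page>` layout is assumed from link 3 as posted.

```python
from urllib.parse import urlsplit, parse_qs

# Constructed sample: link 2 from the post with tracking parameters removed.
LINK_2 = (
    "http://www.google.com/url?sa=t&source=web&cd=7"
    "&url=http%3A%2F%2Fwebcache.googleusercontent.com%2Fsearch"
    "%3Fq%3Dcache%3ApLlIm6LuZpQJ%3Aforums.creativecow.net%2Fthread%2F30%2F866686%2B"
    "%26cd%3D7%26hl%3Den%26ct%3Dclnk%26gl%3Dus"
)


def _nested_target(url):
    """Return the URL embedded in url's query string, or None."""
    query = parse_qs(urlsplit(url).query)  # percent-decodes each value
    # Redirector style: ...?url=<percent-encoded absolute URL>
    for value in query.get("url", []):
        if value.startswith(("http://", "https://")):
            return value
    # Cache style (assumed layout): ...?q=cache:<id>:<host/path>
    for value in query.get("q", []):
        if value.startswith("cache:"):
            target = value[len("cache:"):].split(":", 1)[-1].strip()
            if target:
                return target if "://" in target else "http://" + target
    return None


def unwrap(url, max_depth=5):
    """Follow embedded URLs outward-in; return every layer, outermost first."""
    chain = [url]
    while len(chain) <= max_depth:
        nxt = _nested_target(chain[-1])
        if nxt is None or nxt in chain:  # nothing nested, or a loop
            break
        chain.append(nxt)
    return chain


def lookup_hosts(url):
    """Hostnames worth a separate reputation lookup for one clicked link."""
    return [urlsplit(u).hostname for u in unwrap(url)]


if __name__ == "__main__":
    for layer in unwrap(LINK_2):
        print(urlsplit(layer).hostname, "->", layer)
```

Each layer has its own hostname, so a block page naming one layer and a reputation lookup done on another are not comparing the same URL.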
 

Best answer by DanP 20 August 2014, 19:47


17 replies

Userlevel 7
Badge +35
I just checked the links you provided and none were blocked, which would be consistent with the Brightcloud reputations. We would need to see your logs in order to determine what may be causing this. 
 
Thanks,
 
-Dan
Userlevel 5
Badge +22
DanP,
 
Thanks.  A support case has been opened with the same subject; category "other", and containing your name.  WSALogs will follow shortly.
 
Curiously, while Webroot blocked the website twice last night, it is not being blocked this morning.  Hey, I don't have time to make this stuff up!  😃
Userlevel 7
Badge +35
@ wrote:
DanP,
 
Thanks.  A support case has been opened with the same subject; category "other", and containing your name.  WSALogs will follow shortly.
 
Curiously, while Webroot blocked the website twice last night, it is not being blocked this morning.  Hey, I don't have time to make this stuff up!  :D
I replied to your ticket. From what I'm seeing it appears that the BrightCloud reputation was updated between the time you saw the blocks last night and when you accessed them this morning. 
 
-Dan
Userlevel 7
Hi Dan
 
Hope that you are well?
 
I am sure that I have asked this before (and that you have most probably replied already)...but I forget.  When one clicks to bypass the Web Threat Shield block on a web site, it only affects the client on which the block is bypassed, right?  There is no feedback to the Cloud that this has happened, which could then be taken into account re. the reputation statistics for a site?
 
Reason I ask is that if there was something like that it might be a good way of Webroot picking up when a reputation was...how may I put it politely?...not up to scratch?
 
Just a thought.
 
Regards
 
 
Baldrick
Userlevel 7
Badge +35
@ wrote:
Hi Dan
 
Hope that you are well?
 
I am sure that I have asked this before (and that you have most probably replied already)...but I forget.  When one clicks to bypass the Web Threat Shield block on a web site, it only affects the client on which the block is bypassed, right?  There is no feedback to the Cloud that this has happened, which could then be taken into account re. the reputation statistics for a site?
 
Reason I ask is that if there was something like that it might be a good way of Webroot picking up when a reputation was...how may I put it politely?...not up to scratch?
 
Just a thought.
 
Regards
 
 
Baldrick
You are correct, the override is only on the affected client.
 
I don't personally receive any reports on BrightCloud URL overrides or have access to that data.
 
-Dan
Userlevel 7
Hi Dan
 
Thanks for the reply.  Do you think such a feature would be a useful addition to the Webroot arsenal...or a hindrance?
 
Cheers
 
 
 
Baldrick
Userlevel 5
Badge +22
Baldrick,
 
Just in case it matters, I did not and would not bypass (click the unblock button) a blocked website.  If I'm gonna trust WSA then I'm gonna trust it.  Of course, I want to understand it and you really helped with a similar question.
 
The only reason the website was tried again today was to respond to DanP's response.  I was shocked.  🙂
Userlevel 5
Badge +22
I know you were not asking me but...  , "Do you think such a feature would be a useful addition to the Webroot arsenal...or a hindrance?"
 
People may be clicking through BECAUSE the website is dangerous.  Testing protections, verifying THEIR website is working by infecting visitors.  Falling asleep and clicking the wrong button.
Userlevel 7
Hi ExpertNovice
 
I do understand where you are coming from...and it is each user's choice.  Given that Brightcloud is sometimes 'behind the times' re. reputation if the site that is being blocked is known to me then I do unblock locally.  If however the site is not well known to me then I do follow the cautious approach...as it is the safest.
 
Regards
 
 
 
Baldrick
Userlevel 5
Badge +22
DanP,
 
Thanks.  The case was updated, but in case this thread helps others better their understanding, this was my follow up question.  Oh, it has been modified but can't update the support post, black text is the updated portion.
 
My question, is why would a website known for 31-99 months, with medium to high popularity, and 92-96 reputation have been too dangerous 20-45 minutes earlier. so dangerous it was blocked but within 20-45 minutes have such a high ranking.  If it were a new website that would make sense but after 3 to 9 years it is unlikely to have become unblocked been rerated from unsafe to safe at that exact time! :D

I'm interested in the timing and reasoning. These are made up times as 15 minutes could easily be 45. I was not watching the clock.
1. got blocked from google cached website
2. within 2 minutes checked the reputation for both the primary and google cached website.
3. within 10-15 minutes noticed the blocked website was neither of the above, reconstructed (eg changed %20 to space) and checked its reputation.
4. documented and opened case.
Userlevel 7
Hi ExpertNovice
 
I may not have asked you...but your view is most welcome...and I see where you are coming from.  I am just intrigued as to whether the collection of such statistics would help Brightcloud spot sites that need to be investigated more closely because of a large number of local overrides...might also indicate that there is an issue with reputation, etc.
 
Just a thought...;)
 
Regards
 
 
 
Baldrick
Userlevel 5
Badge +22
good point!
Userlevel 7
Badge +35
@ wrote:
Hi Dan
 
Thanks for the reply.  Do you think such a feature would be a useful addition to the Webroot arsenal...or a hindrance?
 
Cheers
 
 
 
Baldrick
That kind of data is absolutely beneficial, and I've wanted access to it for some time now. Since I don't have access to that data, I can't really comment further on that.
 
-Dan
Userlevel 7
Badge +35
@ wrote:
DanP,
 
Thanks.  The case was updated, but in case this thread helps others better their understanding, this was my follow up question.  Oh, it has been modified but can't update the support post, black text is the updated portion.
 
My question, is why would a website known for 31-99 months, with medium to high popularity, and 92-96 reputation have been too dangerous 20-45 minutes earlier. so dangerous it was blocked but within 20-45 minutes have such a high ranking.  If it were a new website that would make sense but after 3 to 9 years it is unlikely to have become unblocked been rerated from unsafe to safe at that exact time! :D

I'm interested in the timing and reasoning. These are made up times as 15 minutes could easily be 45. I was not watching the clock.
1. got blocked from google cached website
2. within 2 minutes checked the reputation for both the primary and google cached website.
3. within 10-15 minutes noticed the blocked website was neither of the above, reconstructed (eg changed %20 to space) and checked its reputation.
4. documented and opened case.
I'll have to check with the BrightCloud folks on this one.
 
-Dan
Userlevel 7
Ah ha, Dan
 
Methinks I am going to have to construct a new feature request in the Ideas Exchange...re. this one...;)
 
Regards
 
 
 
Baldrick
Userlevel 7
Badge +35
@ wrote:
Hi Dan
 
Hope that you are well?
 
I am sure that I have asked this before (and that you have most probably replied already)...but I forget.  When one clicks to bypass the Web Threat Shield block on a web site, it only affects the client on which the block is bypassed, right?  There is no feedback to the Cloud that this has happened, which could then be taken into account re. the reputation statistics for a site?
 
Reason I ask is that if there was something like that it might be a good way of Webroot picking up when a reputation was...how may I put it politely?...not up to scratch?
 
Just a thought.
 
Regards
 
 
Baldrick
I just wanted to follow up on this one. That data is collected in order to improve the reputation system. 
 
-Dan
Userlevel 7
Hi Dan
 
Ok, good to know...thanks for coming back on that one.
 
Have a great weekend.
 
Regards
 
 
Baldrick
