Question

Webroot® SecureAnywhere™ - Antivirus doesn't find all viruses.



43 replies

Userlevel 1
Badge +3
Okay, I'm back. Funny, I only got two emails that someone had replied to my initial post. A lot of discussion since.

A little background: I started working on PCs before Windows ever existed. Okay, I'm old. lol. After a long IT career, I started my home PC repair business as a sideline to help folks with their home PCs. I've been doing this for 10 years now. So in 35 years, I have seen a ton of computers over the years and every antivirus program that ever existed.

I also do not expect Webroot to be the end-all antivirus program that catches everything. In fact, I have also purchased Malwarebytes and between these two programs, I rarely pick up something.

I was just curious as to why I see so many of my customers' PCs that I had previously installed Webroot on come back with obvious infections. I'll run Webroot in Safe Mode and it finds nothing. A quick run of Adwcleaner more often than not uncovers viral infections. I then use Malwarebytes, Mbar, and Tdsskiller to root out the rest. Some of the common infections are Conduit and DriverSupport but there are many more, I just don't jot down their names every time. I am going to start gathering that info from now on and posting in their service tickets for documentation.

Most of my customers are senior citizens but not all. I invariably get the question "I have Webroot, how come I'm infected?" I do explain no one program catches all and try and give them safe computing suggestions.

Regards
Dave

💾 And yes, I used to boot off of 8 1/2" floppies!
davetully wrote:

I was just curious as to why I see so many of my customers' PCs that I had previously installed Webroot on come back with obvious infections. I'll run Webroot in Safe Mode and it finds nothing. A quick run of Adwcleaner more often than not uncovers viral infections. I then use Malwarebytes, Mbar, and Tdsskiller to root out the rest. Some of the common infections are Conduit and DriverSupport but there are many more, I just don't jot down their names every time. I am going to start gathering that info from now on and posting in their service tickets for documentation.



Please review thread here: https://community.webroot.com/webroot-secureanywhere-antivirus-12/reoccurring-pups-false-positive-or-webroot-not-picking-anything-up-278575#post278575
Userlevel 4
Badge +12
I'm not suggesting you (or anyone) not share their experience. I was simply asking the question: how does one become regularly infected? In the 22 years I've been online I've only had one virus and that was during my second year as a newbie still not aware of things. Common sense precautions, an updated system and pretty much any of the top ten AV programs will prevent infections for most users. WSA is not unique in doing this... they all do. What WSA has to offer is low impact and fast scanning. Beyond that it's pretty much the same as most other programs in terms of its effectiveness (i.e. Avast, Avira, AVG, Norton, McAfee, F-Secure, Sophos, Kaspersky, Bitdefender and so forth). And I've used them all over the years and without exception, they all worked just fine with one caveat: some of them had a greater impact on my system using its resources and slowing things down.
Thanks for coming back, @davetully.

Great to get more information from you!

Essentially, I had two questions I wished to ask you:
  1. How many of the malware that you encountered were PUPs?
  2. Of those that were not PUPs, how many of them were pre-existing on the machines prior to Webroot SecureAnywhere installation?
------------------------------------------------------------------------------------------------------------
DIGRESSION:
Here are the reasons for my asking these two questions.

Re Point #1:
Webroot has traditionally taken the approach that it does not block all PUPs (see @bjm_'s link) because:
(i) it does not consider them in the true sense to be malware but rather just bl**dy nuisances
(ii) it was the decision of the user to voluntarily install these toolbars etc. For example, I had a student (not using Webroot, I should hasten to add) who had installed Babel and/or some kind of toolbar which were some kind of PUP and I told him that I thought they were not good, but in the final count that was his decision (he decided to keep them, but at a later date I found, probably because of the advice of his IT man, that they were no longer present on his device)
(iii) quite a few AV companies are loath to remove PUPs because there have been some nasty legal suits that have been introduced by these companies that can prove prohibitively expensive to contest with the added risk that one might lose.

I believe Webroot has been improving in this area in the last few years and there is also now the option in Advanced Settings > Scan Settings to check "Detect Potentially Unwanted Applications" (i.e. PUPs)

Re Point #2:
Webroot's great strength is as a behaviour and malware blocker. It may not be the best AV (though it's certainly far from bad—as far as I know!) at cleaning existing infections.

I notice that you mention two culprits that you have come across on your customers' computers: Conduit and Driver Support. I'm not that au fait in IT matters so I needed to google these critters. It appears that Conduit is a toolbar and Driver Support a driver search and update software. Both therefore seem to me to come under the category of Potentially Unwanted Applications.

We in the Webroot Community have been pushing Webroot to take a more pro-active stance in blocking PUA/PUPs. Personally, I agree with Webroot that they are not strictly malware but would prefer Webroot to detect and, at least invite the remover to take the option, to remove them.
END OF DIGRESSION
------------------------------------------------------------------------------------------------------------

Anyway, I am curious to hear your reply to my two questions.

Again, thanks for coming back!
Userlevel 1
Badge +3
Quote: "Essentially, I had two questions I wished to ask you:
  1. How many of the malware that you encountered were PUPs?
  2. Of those that were not PUPs, how many of them were pre-existing on the machines prior to Webroot SecureAnywhere installation?"
Unquote

#1
Again, I rarely keep records on what was found/detected (but will as of today) so I have no idea on how many were PUPs.

#2
New customers typically are infected either due to no protection at all or by using ineffective software. Since I've been doing this for a while in our area, it's pretty rare I get a new customer, so I deal with mostly past customers who have Webroot installed and are reinfected. At times the customer forgot to empty their Quarantine for months, so re-education on promptly clearing it is done.

Speaking of which, it sure would be nice if Webroot would put a button on the main menu to access the Q without burying it under hotspot next to PC Security.
Thanks, Dave!

Keep us posted if possible regarding your records as (in my case, at least) we are interested not only in good news about Webroot but also less good news, and then to try and get to the bottom (when the Webroot user has the time to tell us, of course!) of what it was and what caused it 😉
Userlevel 7
Badge +22
Personally, I've seen a virus caught on a system that the file was originally created over a year earlier. Why did it take Webroot that long to find it? Based on the records at the time, their database knew about the virus before the file was created. Webroot had been installed on the PC since before the file was created on the system. So, I understand why @davetully is asking these questions and wonder myself why they are seeing such poor results.
NicCrockett wrote:

Personally, I've seen a virus caught on a system that the file was originally created over a year earlier. Why did it take Webroot that long to find it? Based on the records at the time, their database knew about the virus before the file was created. Webroot had been installed on the PC since before the file was created on the system.


Maybe because Webroot concentrates on viruses that are likely to run rather than viruses that are in zip files, email attachments or in remote folders on the disk that are unlikely ever to run? Webroot, as I understand it, is more a behaviour blocker (instantly zap anything that runs or is likely to run) than a malware finder (look in all the remotest nooks and crannies of your disk).

I've seen similar kind of behaviour from Prevx & Webroot. The important thing is that (to the best of my knowledge) I've never been infected since using Prevx/Webroot.
Userlevel 7
Badge +22
Muddy7 wrote:


NicCrockett wrote:

Personally, I've seen a virus caught on a system that the file was originally created over a year earlier. Why did it take Webroot that long to find it? Based on the records at the time, their database knew about the virus before the file was created. Webroot had been installed on the PC since before the file was created on the system.

Maybe because Webroot concentrates on viruses that are likely to run rather than viruses that are in zip files, email attachments or in remote folders on the disk that are unlikely ever to run? Webroot, as I understand it, is more a behaviour blocker (instantly zap anything that runs or is likely to run) than a malware finder (look in all the remotest nooks and crannies of your disk).

I've seen similar kind of behaviour from Prevx & Webroot. The important thing is that (to the best of my knowledge) I've never been infected since using Prevx/Webroot.



I looked up the exact stats on the virus to see if it fit your description. It was an exe file, not a zip file. It wasn't an email attachment, it was a download via Firefox. It wasn't in a remote folder, unless you consider the My Documents folder remote. The user downloaded the exe and ran the file to install the program. Webroot didn't catch the download or the installation. This was on 12/24/2014, the exe then "dwelled" in the My Documents folder for 202 days until Webroot finally found it on 7/14/2015. I'll admit, I misremembered the amount of time it was on the system. However, that's still a ridiculous catch time frame.
Userlevel 1
Badge +5
NicCrockett wrote:

Personally, I've seen a virus caught on a system that the file was originally created over a year earlier. Why did it take Webroot that long to find it? Based on the records at the time, their database knew about the virus before the file was created. Webroot had been installed on the PC since before the file was created on the system. So, I understand why @davetully is asking these questions and wonder myself why they are seeing such poor results.



I will tell you why: when WSA performs a "computer scan", it doesn't scan each and every location or each and every file, and so will finish very fast, scanning only where it believes malware can be found.

This is another marketing gimmick, whoaw!!! See how fast WSA is scanning "your computer"???

If your virus was dormant in some obscure location, WSA missed it.
If you decided to scan that particular area (context scan) or the virus was active somehow, that is the moment WSA reacted ....after 1 year.
Userlevel 7
Badge +55
NicCrockett wrote:


Muddy7 wrote:


NicCrockett wrote:

Personally, I've seen a virus caught on a system that the file was originally created over a year earlier. Why did it take Webroot that long to find it? Based on the records at the time, their database knew about the virus before the file was created. Webroot had been installed on the PC since before the file was created on the system.

Maybe because Webroot concentrates on viruses that are likely to run rather than viruses that are in zip files, email attachments or in remote folders on the disk that are unlikely ever to run? Webroot, as I understand it, is more a behaviour blocker (instantly zap anything that runs or is likely to run) than a malware finder (look in all the remotest nooks and crannies of your disk).

I've seen similar kind of behaviour from Prevx & Webroot. The important thing is that (to the best of my knowledge) I've never been infected since using Prevx/Webroot.

I looked up the exact stats on the virus to see if it fit your description. It was an exe file, not a zip file. It wasn't an email attachment, it was a download via Firefox. It wasn't in a remote folder, unless you consider the My Documents folder remote. The user downloaded the exe and ran the file to install the program. Webroot didn't catch the download or the installation. This was on 12/24/2014, the exe then "dwelled" in the My Documents folder for 202 days until Webroot finally found it on 7/14/2015. I'll admit, I misremembered the amount of time it was on the system. However, that's still a ridiculous catch time frame.


Do you have the MD5 Hash so I can check it?
NicCrockett wrote:

I looked up the exact stats on the virus to see if it fit your description. It was an exe file, not a zip file. It wasn't an email attachment, it was a download via Firefox. It wasn't in a remote folder, unless you consider the My Documents folder remote. The user downloaded the exe and ran the file to install the program. Webroot didn't catch the download or the installation. This was on 12/24/2014, the exe then "dwelled" in the My Documents folder for 202 days until Webroot finally found it on 7/14/2015. I'll admit, I misremembered the amount of time it was on the system. However, that's still a ridiculous catch time frame.


Well, without knowing more details of the incident, and also not being that IT-"fluent", I can't really say more.

Daniel (Triple Helix) has posted with his request, and that may be a more fruitful avenue to follow. Also, if the client has not reinstalled Webroot since then (or removed it), it would be extremely interesting to get in touch with Webroot Support as they could give a better diagnosis of what happened with the logs.

Also the key question: was the client infected with this malware? Not clear as you say on the one hand "The user downloaded the exe and ran the file to install the program. Webroot didn't catch the download or the installation" and then on the other "the exe then "dwelled" in the My Documents folder for 202 days until Webroot finally found it on 7/14/2015." (Installed? .exe still in My Documents folder? Not quite following you. Maybe it's because I'm not very fluent in IT?) If it was a momentary installation, did Webroot monitor and journal it as an Unknown exe. and then monitoring ceased because it was no longer executed/was uninstalled. So many questions... The first, as Daniel says is the MD5 Hash question. After that, maybe analysis by Webroot Support to better help us all understand what happened?

I think I'll pass this over to Daniel and let him handle it (maybe @Baldrick also?). They're more IT fluent than me.
Muddy7 wrote:

I think I'll pass this over to Daniel and let him handle it (maybe @Baldrick also?). They're more IT fluent than me.


But I'm certainly interested in what transpires if you do decide to follow this through.
Userlevel 7
Badge +22
I don't want to take over @davetully's thread. I was only pointing out an example of an extreme failure with Webroot's software finding threats accurately and timely. However, I will answer your questions for clarification, but this thread doesn't need to become about an old virus that we got.

@locomotive, I'm aware of how Webroot works and why it runs scans fast. However, it should catch something when it is downloaded and runs. As I pointed out, it did neither. Thus, what is the point of owning AV software if it does nothing but scan a few places quickly once a day? I realize that is simplifying what Webroot does, but it gets across the point that the software is no good if it doesn't perform the task it is meant to do.

As for your question, @TripleHelix: this happened a few years ago and I no longer have the MD5 hash. I was able to pull the dates from the All Threats Seen report. However, the MD5 hash was cut off in the report. At the time it found the virus, I did open a support case. However, support was never able to give me a logical explanation as to why it wasn't found 202 days earlier.

To explain your questions of clarifying what I was saying @Muddy7, I'll try again.
  1. The user downloaded a .exe file to their My Documents folder that Webroot should have caught as a virus.
  2. Since Webroot didn't quarantine the file, the user installed the program.
  3. Points 1 and 2 happened on 12/24/2014.
  4. On 7/14/2015, 202 days later, Webroot found the .exe file on a regular daily scan in the user's My Documents folder and quarantined it as a virus. In Webroot they call the 202 days "dwell time" on a system. In other words, how long the file was on the system.
So, three questions have always remained:
  1. Why wasn't it caught during download?
  2. Why wasn't it caught when the user ran the file?
  3. Why did it take 202 daily scans to finally find the file, which was easily located in the My Documents folder?
Hope that clarifies everything for everyone. Again, this is just an example of Webroot's failure to work properly. I don't want to start a long discussion about it since I've already been through this with support.
Thanks, @NicCrockett, for going to the trouble of explaining all that ☺

Not good that Support was not able to come up with a clear explanation of what happened and why 😐

Maybe this case history is still in their archives and maybe if so, @TripleHelix, you might have an ability to pull some strings so we can have some more info on this. Or @LLiddell?? Or @freydrew??

EDIT: Btw I understand that the .exe (installer?) file remained dormant in the My Documents folder for 202 days but, far more important, what happened with the app that the user had installed onto his system from that .exe and was presumably using?
Userlevel 7
Badge +22
I appreciate you trying to get an answer on this @Muddy7. However, I'm not concerned about it at this point. The problem has been resolved and I don't want to take over the @davetully's thread. Obviously anyone is allowed to post about it if they want, but it's really the original poster that needs answers at this point.
Userlevel 7
Badge +33
Honestly this is over my head, I'm not fully trained as a support tech so I'm not sure the answer to this. Our support team is the best resource for this, do you know which support agent was unable to provide clarity on this issue?
Userlevel 7
Badge +22
LLiddell wrote:

Honestly this is over my head, I'm not fully trained as a support tech so I'm not sure the answer to this. Our support team is the best resource for this, do you know which support agent was unable to provide clarity on this issue?



This was a few years back, I don't have a clue at this point. Again, I'm not concerned with my issue from then. Concentrate on the original poster's issues first. Thanks for the concern though.
