Webroot can be initially disabled but a reboot caused an upgrade of ESET to go really, really bad. I would like to avoid this problem on the Win7 system.
The community is being asked because support's final answer was: "the Webroot software you own from us is a full antivirus suite meaning that is all you need, so you do not need two antivirus applications."
(edited to indicate change of mind)
Best answer by JimM
EDIT: And Welcome to the Webroot Community Forums. ;)
The last response you received from the support system was:
"In this situation our software does not conflict with other antivirus, so there is no reason to shut down or remove the Webroot software. Our software is a lot different than other antivirus programs out there, we are cloud security and we do not conflict with any other antivirus or firewall programs out there.
Can you send us a message from the computer in question so we can get its logs?"
The technician was trying to collect logs to continue the investigation. I am wondering if perhaps you had contacted someone who had claimed to be Webroot? You can reply to your support ticket and I would be happy to take over and send instructions for gathering logs.
Thanks TripleHelix for your suggestions! Please try these instructions and reply to your support ticket if you need further assistance and I will be happy to help.
I installed both programs so that I could compare and contrast them, and as long as there is no conflict between the two, the simultaneous installation of both would not appear to be harmful or disruptive. In the short time I have had to compare the two programs, I have found that the scan time using WSA is much faster than the scan time using Norton.* I have also found that the backup of my C drive with WSA took less backup space than the backup of my C drive with Norton.
I also like the linkage of the web community directly with the WSA console. Merely open the WSA console and you can click on the web community link. I don't believe Norton offers this feature.
I also found dealing with WSA tech people easier than dealing with Norton tech people, and the wait time generally is not as long with WSA as it is with Norton.
Let us know if you discover other differences once you install both programs.
* A full system scan with Norton takes me more than two hours; a scan with WSA takes me about two minutes.
The method Webroot uses to scan and what it scans will, of course, make for a faster scan. I used to not be worried about such things as I went from 1981 until 2007 without a virus (started with BBS, Source, & Compuserve). At that time I was researching the real cause of the housing crash (have since learned that even the NY Times warned of this issue in 1999!) and a virus/whatever caused me to reformat and reinstall my system. Now, I run with the best protection I can get.
Thanks for your response!
Kudos. That is exactly what I asked Support in my initial question.
The first and last response from support stated I didn't need another antivirus program or a firewall. Based on the first response from support, logs had been sent. Later they got logs from my wife's computer (not sure how). Her computer has no issue.
The only question asked in the request to support was: "So, should I uninstall Webroot, install ESET, and reinstall Webroot or what?" Their third response failed to get an answer and logs had apparently been submitted so I simply gave up. Until now.
Thanks for responding.
Thanks for the suggestion. It doesn't seem to handle any of the problems I'm trying to avoid such as a virus, worm, trojan, malware, spyware, etc. Am I missing something?
Thanks for the info. Cleaning up sounds like a good idea so East-Tec will be tried. Another piece of software you might consider is Sandboxie. While no amount of protection is perfect, given the range of massive offshore government attacks to kiddie attacks, it seems we must strive to become more secure or be prepared to rebuild.
PS. After following a couple of other threads it appears I will stick with OnlineArmor Premium; meaning Norton won't be installed. I guess more research to see if Bitdefender should be used in place of ESET. (The plan is to take advantage of Webroot's cloud-based-scan-at-execution along with a local-based-scan-everything package.)
I have read about Webroot's off-line protection. It still seems to me that if the laptop is not connected to the internet some protection is lost. Webroot Secureanywhere purports to clean up damage once reconnected but I'm unclear as to how it restores deleted or modified files or corrects a computer that can no longer connect or even boot. My one infection (2007 pre-protection) kept trying to connect so I installed the air-wall (removed the ethernet cable).
Like with anything new I prefer to wait for longer-term, out-of-the-lab, real-life evidence. Please note that I am sticking with Webroot. 😃
Insofar as removing Norton, I may well follow your lead. However, at present, I have experienced no conflicts, so I'll stick with Norton for the time being. As I detect other differences between Norton and WSA, I'll post to this site. I still consider Norton good software, but I'm inclined, at the moment, to think WSA is better. It sure is faster! :D
Kudos to WSA for its tolerance permitting discussion of other products on this site.
After another review I will replace ESET with BitDefender, keep OnlineArmor, and (of course) keep Webroot Secureanywhere.
As for the Kudos to WSA, I heartily concur. If we have trampled their policies I will not take offense if they remove the offending posts. The basic post would, hopefully, remain.
The video shows added files and registry entries being deleted but doesn't show deleted or modified files being restored. The summary states: "Webroot's unique journaling and rollback functionality will perfectly clean up any infections" but doesn't state that deleted or modified files will be restored.
However, at 4:33 into the video the woman states: "every single change the virus makes to my PC is recorded. So if at a later date the file is classified by Webroot as bad all the changes will be perfectly reversed." This means replaced and deleted files will be perfectly restored. Perfect means 100% of the time. For this to be accurate Webroot archives any file, including binaries, if they are to be deleted, killed, replaced, modified, or in any way impacted by a monitored file and every single change will be rolled back once the file is set to "Block." Changes a safe program or that we manually make in the interim will be retained. That is quite a feat!
How does Webroot handle the following?
** a virus is "missed"
** it sets itself to auto-execute at startup. (it is set to be Monitored)
** Initially it does nothing if an internet connection is detected
** Once unconnected it disables Webroot and deploys the payload
** Webroot won't execute at the next restart even if connected to the internet
The woman is Webroot Secureanywhere version 8.1.229. My version is only 18.104.22.168 with no update available. Not an issue. I'm only reporting the difference. Perhaps she 22.214.171.124 or is running an alpha or beta version.
Remember that from 1980/1981 until 2007 I had never been infected by anything until searching for the true culprits of the bank collapse due to the housing markets. (They are planning to do it again!) Since then there have been a few attempts across several machines, all while investigating or researching. Between "safe" browsing and very low odds of being targeted I still want extra protection.
The next thing you'd like to propose is the auto-execution at startup. That would likely be with a different package it dropped on the system, which is also being journaled. Ok, let's grant that it's set to run at startup.
I think you're suggesting in the next step that the malware breaks the internet connection. A malicious action like that would most likely be picked up heuristically. This, in fact, would be part of the "payload" you're talking about in the next step, which is also a reversed-order scenario. An attempt to disable Webroot entails that code to accomplish this would already be running, and that code would already be subject to review and potential sandboxing actions by Webroot before it's allowed to proceed. It would be stopped before it could do what it's trying to do. The threat would run into WSA's self-protection shield, which would prohibit the threat from shutting it down.
If it had somehow managed to break your internet connection (this is a big "if"), the malware trying to shut down Webroot would have presented another heuristic opportunity to detect and remediate the threat, which will trigger a rollback and a repair of your LSP chain, WinSock entries, and whatever else the malware disrupted to kick you offline.
In addition to that, just because a threat breaks your ability to get online via a browser, it does not mean it has shut down all other avenues for WSA to connect to the internet to receive updates. A redirector is a prime example. You're still connected to the internet. It's just sending you somewhere you don't want to go. There is very little incentive for malware to break your connection entirely. These days, it's usually trying to force you to buy something or send you places you don't want to go. That requires at least a base level of access.
Let's assume it broke something more important though. There are methods built into the program that will attempt to circumvent this malware tactic. A browser is "dumb" code that doesn't anticipate malware closing the door on how it normally gets online. So if it fails to get online, the browser doesn't do anything about it. WSA, on the other hand, is "smart" code that knows malware wants it offline, and it takes measures to stop this from happening and to get around it even if standard methods are disrupted. With this circumvention, even if heuristics somehow missed the threat (another big if), WSA could still ultimately receive a cloud classification of "Bad" for the malware and act accordingly.
I think you're suggesting in the next step that the malware breaks the internet connection
Incorrect. If the incorrect assumption leads to a different scenario please revise. BTW, it should be obvious that I am, er, uh, stupid, about malware. :D
I am suggesting that the malware is installed while connected or from a USB while not connected. (The latter is even better.) The malware is designed to initially CHECK for an internet connection and, if found, to do nothing else.
Later, the laptop is started without connectivity. (Very common when we travel.) At this point the malware detects the lack of connectivity (no cloud), installs the actual payload, and disables WSA.
Later, when the laptop is started with connectivity, WSA does not execute and is unable to log the actions or clean the malware.
So if it fails to get online, the browser doesn't do anything about it. WSA, on the other hand, is "smart" code that knows malware wants it offline, and it takes measures to stop this from happening and to get around it even if standard methods are disrupted.
This suggests that WSA does not require a connection for scanning and detection. I was under the impression that, being cloud based, that was a requirement.
There was no mention of how a deleted or replaced file would be restored.
Thanks for being patient with me and for the excellent responses from so many!
The entry point being a USB device wouldn't change the scenario negatively, but it does add an additional point at which WSA could potentially locate and deal with the threat. WSA has a USB shield, specifically designed to deal with that type of threat, offline and behavioral shields to deal with threats without a cloud connection, and the self-protection shield I mentioned earlier to stop a malicious unknown from tampering with WSA itself. So again, the example cannot actually occur when the hypothetical threat cannot actually disable WSA.
"This suggests that WSA does not require a connection for scanning and detection. I was under the impression that, being cloud based, that was a requirement."
No, that's not a requirement. "Cloud-based" does not necessarily entail that the cloud is a requirement for it to function. The optimal state is of course that the device is connected to the internet so that the cloud database can tell WSA "We classified this one already. Deal with it as either Good or Bad." However, WSA is capable of making determinations heuristically without consulting the cloud if necessary.
"There was no mention of how a deleted or replaced file would be restored."
Any action the Unknown program is making is logged. That would include actions taken on existing files. Those edits are reversed because the actions themselves are journaled and can basically be rewound. As a change is being made (file is changed or deleted), the existing data is encrypted and stored by WSA. If the Unknown that did the change gets marked as Good, the stored data copy is deleted after a while since it wouldn't be needed. If the Unknown is discovered to be Bad, the stored data is used to roll back the changes.
Or to use a fun analogy, it's kind of like how transporter buffers work in Star Trek. Transporter A reads the data from the object to be transported, and Transporter B writes that information to the world. Transporter B might transport the object (copy it), beam it out into space (delete it), or beam a pile of goo onto the transporter room floor (edit it). WSA is like the buffer in the middle, which can save the pattern. If Transporter B ends up malfunctioning, the pattern can still be pulled out of the buffer to rematerialize the proper object. Luckily, since we're talking about computer files and not people, we don't have to deal with things like the metaphysical problems of being a copy either! 😃
As for the file deletion or replacement.
For changes made to a file a delta file would be a good method. (I managed a change control product called ChangeMan that used delta files).
For deletions a delta file is essentially a copy of the file.
For overlaying with a different file a delta file would contain both additions and deletions which most likely means both files are maintained in the delta file. That would be interesting to see in action! (No, I don't want to test on my system, especially with any malware. :D)
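To make the journal-and-rollback idea from JimM's answer and the delta-file idea in the post above concrete, here is a small constructed model of it. This is added example code, not Webroot's implementation and not code from anyone in this thread: an "unknown" program's file writes and deletes are routed through a journal that saves the prior bytes before each change; a "Good" verdict discards the saved data, a "Bad" verdict replays the journal in reverse. A full prior copy stands in for the delta file (for a deletion the two are the same thing, as the post notes), the encryption of the stored copies is left out, and all file names and contents are made up and live in a temporary directory.

```python
import tempfile
from dataclasses import dataclass
from pathlib import Path
from typing import List, Optional


@dataclass
class JournalEntry:
    op: str                  # "create", "modify" or "delete"
    path: Path
    before: Optional[bytes]  # prior content; None when the file did not exist yet


class ChangeJournal:
    """Records what an unknown program does to files so the changes can be rewound.

    Constructed toy model of journal-and-rollback: before each change the prior
    bytes are saved; classify("Good") discards them, classify("Bad") replays the
    journal newest-first so that later changes are undone before earlier ones.
    """

    def __init__(self) -> None:
        self.entries: List[JournalEntry] = []

    @staticmethod
    def _snapshot(path: Path) -> Optional[bytes]:
        return path.read_bytes() if path.exists() else None

    def write(self, path: Path, data: bytes) -> None:
        """A monitored write: a new file is a 'create', an existing one a 'modify'."""
        before = self._snapshot(path)
        self.entries.append(JournalEntry("create" if before is None else "modify", path, before))
        path.write_bytes(data)

    def delete(self, path: Path) -> None:
        """A monitored delete: the full prior copy is the 'delta' for a deletion."""
        before = self._snapshot(path)
        if before is None:
            return
        self.entries.append(JournalEntry("delete", path, before))
        path.unlink()

    def classify(self, verdict: str) -> int:
        """Apply the verdict for the unknown program; returns how many changes were reversed."""
        if verdict == "Good":
            self.entries.clear()          # stored copies are no longer needed
            return 0
        if verdict != "Bad":
            raise ValueError(f"unexpected verdict {verdict!r}")
        reversed_count = 0
        for entry in reversed(self.entries):
            if entry.before is None:      # file was created: remove it
                if entry.path.exists():
                    entry.path.unlink()
            else:                         # file was modified or deleted: put the old bytes back
                entry.path.write_bytes(entry.before)
            reversed_count += 1
        self.entries.clear()
        return reversed_count


def demo() -> dict:
    """Run the scenario from the thread on constructed files and report what happened."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        report = root / "report.txt"        # pre-existing user file (constructed)
        report.write_bytes(b"quarterly numbers")
        hosts = root / "hosts"              # stands in for a redirect target (constructed)
        hosts.write_bytes(b"127.0.0.1 localhost")

        journal = ChangeJournal()
        # the unknown program drops a file, rewrites one and deletes another
        journal.write(root / "dropped.bin", b"\x00constructed payload bytes\x00")
        journal.write(hosts, b"127.0.0.1 update.example")
        journal.delete(report)

        # an interim change by a trusted program is not journaled and must survive
        notes = root / "notes.txt"
        notes.write_bytes(b"written by a trusted app")

        reversed_count = journal.classify("Bad")

        # a second unknown that turns out to be Good keeps its change
        good_file = root / "installed.cfg"
        good_journal = ChangeJournal()
        good_journal.write(good_file, b"legitimate settings")
        good_journal.classify("Good")

        return {
            "reversed": reversed_count,
            "hosts_restored": hosts.read_bytes() == b"127.0.0.1 localhost",
            "report_restored": report.read_bytes() == b"quarterly numbers",
            "dropped_removed": not (root / "dropped.bin").exists(),
            "trusted_change_kept": notes.read_bytes() == b"written by a trusted app",
            "good_kept": good_file.read_bytes() == b"legitimate settings",
            "good_journal_empty": good_journal.entries == [],
        }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The point the model makes is the one JimM's answer states: rollback needs the prior data to have been captured at the moment of the change, not reconstructed afterwards, which is why a deleted file comes back intact while the trusted program's unjournaled write is left alone. Replaying newest-first matters when the same file is touched more than once, because the oldest saved copy is the one that ends up on disk.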