What is Webroot's preferred method for white-list submissions?
NOTE: Some of the files I wish to submit are > 10 MB in size.
What is Webroot's Procedure for White-List Submissions > 10 MB?
I've read that there is a 10mb cap on the file size. But I can't be positive.
Let me ping
Yes. On the submission portal it states maximum file size: 10 MB.
Just was wondering if Webroot had another way to submit larger files for white-listing.
I can always submit a request via Support with a link to the software vendors.
Sorry I wasn't much help then. Sounds like you have a handle on this...
Like this, for example:
[u] c:\program files\pale moon\xul.dll [MD5: 1E88003CCD242BD9CD8C11C97F0BBB0B] [Flags: 00000001.3568]
Can one just open a support ticket where Support could send you a log gathering utility? Then they would be able to submit the files through this utility without the 10Mb maximum.
In the ticket one can explain that you would like to send these files to be analyzed by using the log gathering utility. If you create the support ticket you could then do this for future files you wish to submit. Then they simply need to update the ticket stating that you have submitted more files to be analyzed.
Isn't this true?
I'd certainly be in favour of any system which would speed-up or optimize the whitelisting process, since if you do have an app which is regularly updated, but consistently rated [u], then one may run into an issue with a growing WRData folder (and re-allowing in "Control Active Processes" etc) until resolved.
This whole area is something the devs are always looking at improving (I believe), and there has been definite progress seen with this, but maybe more needed.
Yes I'm just wondering myself and would like TH to answer this as well. I appreciate your input. I was doing some research and I wasn't sure this was correct or not.
This is problematic with softs that are updated regularly... requiring the user to re-submit a white-list request when the software is updated.
The above issue is a long-standing WSA user complaint.
Other security software vendors largely eliminate the issue by relying upon digital signatures and/or "trusted" vendor status.
Yes, and by other means; they just don't rely on the hash. Also, to get files whitelisted, just submit a support ticket and ask them to whitelist your files, and that's it. When they do, they will reply to you to say please do a scan, and then all the unknowns turn to Good or Bad. WSA is not your typical AV that only knows Good or Bad; with WSA it's Good, Bad or Unknown, and in time unknown files will get whitelisted, and it depends on how many PCs see the files on the Cloud Database, so if an unknown turns out to be bad then WSA can roll back to the pre-infection state. See this short video to see what happens when WSA deals with an Unknown: https://community.webroot.com/t5/Webroot-Education/What-Happens-if-Webroot-quot-Misses-quot-a-Virus/ta-p/10202 and this one is great as well:
Also this when Webroot Acquired Prevx in Nov 2010! http://www.pcmag.com/article2/0,2817,2392059,00.asp
"According to Morris, this database, code named ENZO, can include as many as two million database rows for a single process.
"Cybersecurity is all about information," said Morris. "We store and correlate all the factors about the process's behavior in all the places it was seen. We aim to have more information than anyone, so we can offer better protection than anyone."
And it must be close to or more than 200 TB of info by now, as this picture is about a year old.
All my [u]s have got to be submitted... I'm really picky too. ;)
Besides, I don't feel like dealing with the whole re-submit rigmarole every time a legitimate app updates.
Right now, System Control monitors the Shadow Defender installer. This interferes with the install and causes an AppHang.
Also, JAM Software is monitored.
Both vendors should be white-listed... including the .tmpdata install files.
I run a lot of JAM software and none is being blocked or monitored so I am suspecting that it is most likely that you are running very new versions of their apps or something like that.
Also, and Roy, please correct me if I am wrong, but it is not a question of whitelisting app authors and/or producers but the specific app versions themselves, as whitelisting the author/producer offers no security whatsoever and so in the great scheme of things is pointless.
The JAM developer constantly releases new versions of UltraSearch... sometimes two or three times in a month's time. Other times, it may not be updated for a whole month or two... but all his softs are updated at a consistently rapid pace.
Rakanisheu states WR can whitelist the softs using various techniques.
Submitting white-list requests every time an app is updated is not workable nor sustainable.
I'll submit the requests and see what WR Staff decides.
I do know that as I am (and have been since it was first launched) a user of Ultra Search and I am often updating the version on my systems...and to date I have to say that I have never had an issue with doing so in terms of WSA.
Yes, very occasionally, I might notice that there is a [u] entry against a new version but that often disappears very quickly as the WIN is updated...so I do not worry about it. If I may say...I suspect that your issue may have something to do with you being 'picky' about having [u]. I can understand that but personally feel that the odd one or two, which is what I get occasionally, is only WSA going about its business normally and I don't worry about it. May I respectfully suggest less 'pickiness' going forward?
In terms of the "...WR can whitelist the softs using various techniques" I would hazard a guess that 'by author/producer' is not one of them...as that would not be a very secure way of 'validating' the authenticity of an app (very easy to forge IMHO/experience), so I suspect that Author/Producer whitelisting is not an option.
But as you say...perhaps Roy can at least confirm if it is an option or not (I know, Roy, that you are not able to divulge much in terms of what the specific techniques are...for obvious reasons, etc.).
You are absolutely correct.
In my experience, "Trusting" files simply because they are digitally signed is a really bad idea.
I am not too sure about WSA's white-listing algorithm, but other vendors use a combination of statistics that include source, prevalence, a valid certificate and developer's reputation. Some even go so far as to inspect how a file is packed.
UltraSearch I'm not so concerned about unless WSA interferes with its direct disk access.
On the other hand, WSA monitoring of the Shadow Defender installer is problematic; the installer needs to make system settings changes but it is given a "low restricted access" by WSA. This causes an AppHang.
It's no big deal.
I just manually "Allowed" each one in the Block/Allow Files list before executing.
Solves the problem, but I'd rather not have to do it every time a file changes.
Have to say that I agree with you...in the main WSA does not interfere with other apps unless it is to stop them dead or to monitor them as suspicious and even in the latter case I have rarely been aware that this was happening until I checked in the usual places and found the status as 'monitored', etc.
That is why I supported the recent suggestion/feature request for notification of when 'monitoring' is started...just so that the user, if they switch on such a feature, has the option to know if they are so interested.
I think that 'spoofing' software was all the rage sometime ago and probably still continues to some degree and (as all things nefarious) will most probably make a come back in some form...but to be honest in WSA (and the Webroot Team backing it up) I trust...end of story.
"Spoofing" software is still at work like you wouldn't believe.
I can see your point re. Shadow Defender but given what it does I can see why WSA would be taking a cautious approach, and to be honest I am surprised that it gets updated that often...does not fill me with warm feelings if such an app is constantly being updated. Given what it does (which IMHO is somewhat limited) it should be relatively stable.
But as you say, if you use it then you will just have to grin and bear the interaction.