What is Webroot's Procedure for White-List Submissions > 10 MB ?


  • Anonymous
  • 0 replies
Hello,

 

What is Webroot's preferred method for white-list submissions?

 

NOTE:  Some of the files I wish to submit are > 10 MB in size.

 

Thanks,

 

HJLBX

26 replies

Userlevel 7
Badge +3
Just to add that you can also copy&paste the file details from a scan log, on to your communication with Support when requesting whitelisting.

Like this, for example: 

[u] c:program filespale moonxul.dll [MD5: 1E88003CCD242BD9CD8C11C97F0BBB0B] [Flags: 00000001.3568]

 http://live.webrootanywhere.com/content/842/Saving-Scan-Logs
Userlevel 7
Badge +62
Hello @,

 

Can one just open a support ticket where Support could send you a log gathering utility. Then they would be able to submit the files through this utility without the 10Mb maximum.

 

In the ticket one can explain that you would like to send these files to be analyzed by using the log gathering utility. If you create the support ticket you could then do this for future files you wish to submit. Then they simply need to update the ticket stating that you have submitted more files to be analyzed.

 

Isn't this true?
Userlevel 7
Badge +3
Hi @  I think I see what you envisage, but wouldn't be able to give a certain answer myself. Hopefully TH or another could explain better than me...

I'd certainly be in favour of any system which would speed-up or optimize the whitelisting process, since if you do have an app which is regularly updated, but consistently rated [u], then one may run into an issue with a growing WRData folder (and re-allowing in "Control Active Processes" etc) until resolved.

This whole area is something the devs are always looking at improving (I believe), and there has been definite progress seen with this, but maybe more needed.

 
Userlevel 7
Badge +56
Yes but you don't even need to add a scan log they can Whitelist all files and Devices attached to the Keycode! It's an awesome system Webroot has and it's only going to get better! And to get more info I will ping a couple of great Threat Reseachers and they can explain more about it! @ @

 

Cheers,

 

Daniel 😉
Userlevel 7
If you have a specific piece of software that when it updates it stops working let us know. We can create whitelist rules using a number of methods. If the files are digitally signed it really helps. 
Userlevel 7
If the logs are over 10mb you can use a dropbox/onedrive/filedropper link. We can normally use that combined with your keycode or endpoint to create some strong rules. 
Userlevel 7
I have never had a piece of software not work due to WSA. I cant go into too much details about the whitelisting process, however the more info we have the better. Sometimes it can be quite hard to whitelist software due to sloppy practises by the software creaters (not saying that this is case here!). I have seen some software updaters that at first glance looks like exactly like certain pieces of malware :S 
Userlevel 7
Looking at the Shadow Defender installer, its now good in the Database. Taking a further look at the installed files it looks like my whitelist rules that I made in the past are still working which is good. 
Userlevel 7
Badge +62
Hello HJLBX,

 

 

I've read  that there is a 10mb cap on the file size.  But I can't be positive.

 

Let me ping @ he certainly would know ok?

 

 

 

Kind Regards,
Hello Sherry,

 

Yes.  On the submission portal it states maximum file size: 10 MB.

 

Just was wondering if Webroot had another way to submit larger files for white-listing.

 

I can always submit a request via Support with a link to the software vendors.

 

Thanks !

 

HJLBX
Userlevel 7
Badge +62
Hello HJLBX,

 

Sorry I wasn't much help then. Sounds like you have a handle on this...

 

 

Best Regards,
Userlevel 7
Badge +62
Hi @,

 

Yes I'm just wondering myself and would like TH to answer this as well. I appreciate your input. I was doing some research and I wasn't sure this was correct or not.

 

Thanks!
Userlevel 7
Badge +56
Hello,

 

Yes and by other means they just don't rely on the hash. Also to get files Whitelisted just Submit a Support Ticket and ask them to Whitelist your files and that's it then when they do they will reply to you to say please do a scan then all the unknowns turn to Good or Bad. WSA is not your typical AV that only knows Good or Bad with WSA it's Good, Bad or Unknown and in time unknown files will get whitelisted and it depends on how many PC's see the files on the Cloud Database so if an unknown turns out to be bad then WSA can rollback to the pre-infection state. See this short video to see what happens when WSA deals with an Unknown: https://community.webroot.com/t5/Webroot-Education/What-Happens-if-Webroot-quot-Misses-quot-a-Virus/ta-p/10202 and this one is great as well: and more info on the WIN Cloud http://www.brightcloud.com/platform/webroot-intelligence-network.php

 

Also this when Webroot Acquired Prevx in Nov 2010! http://www.pcmag.com/article2/0,2817,2392059,00.asp

 

"According to Morris, this database, code named ENZO, can include as many as two million database rows for a single process.

"Cybersecurity is all about information," said Morris. "We store and correlate all the factors about the process's behavior in all the places it was seen. We aim to have more information than anyone, so we can offer better protection than anyone."

 

 

HTH,

 

Daniel ;)

 

And it must be close or more than 200TB's of info by now as this picture is about a year old.

 



 



 

 
Thanks for the infos TripleHelix...

 

All my [u]s have got to be submitted... I'm really picky too.  ;)

 

Besides, I don't feel like dealing with the whole re-submit rigmarole every time a legiitimate app updates.

 

Right now, System Control monitors the Shadow Defender installer.  This interferes with the install and causes an AppHang.

 

Also, JAM Software is monitored.

 

Both vendors should be white-listed... including the .tmpdata install files.

 

Best Regards,

 

HJLBX
Userlevel 7
Hi HJLBX

 

I run a lot of JAM software and none is being blocked or monitored so I am suspecting that it is most likely that you are running very new versions of their apps or something like that.

 

Also, and Roy, please correct me if I am wrong, but it is not a question of whitelisting app authors and/or producers but the specific app version themselves, as whitelisting the author/producer offers no security whatsoevre and so in the great scheme of things is pointless.

 

Regards, Baldrick
Userlevel 7
Hi HJLBX

 

I do know that as I am (and have been since it was first launched) a user of Ultra Search and I am often updating the version on my systems...and to date I have to say that I have never had an issue with doing so in terms of WSA.

 

Yes, very occasionally, I might notice that the is a [u] entry against a new version but that often disappears very quickly as the WIN is updated...so I do not worry about it. If I may say...I suspect that you issue may have something to do with you being 'picky' about having [u]. I can understand that but personally feel that the odd one or two, which is what I get occasionally, is only WSA going about it's business normally and I don't worry about it. May I respectfully suggest less 'pickiness' going forward?

 

In terms of the "...WR can whitelist the softs using various techniques" I would hazard a guess that'by author/producer' is not one of them...as that would not be a very secure way of 'validating' the authenticity of an app (very easy to forge IMHO/experience), so I suspect that Author/Producer whitelisting is not an option.

 

But as you say...perhaps Roy can at least confirm if it is an option or not (I know, Roy, that you are not able to divulge much in terms of what the specific techniques are...for obvious reasons, etc.).

 

Regards, Baldrikc
Does Webroot only white-list by hash?

 

This is problematic with softs that are updated regularly.. requiring the user to re-submit a white-list request when the software is updated.

 

The above issue is a long-standing WSA user complaint.

 

Other security software vendors largely eliminate the issue by relying upon digital signatures andor "trusted" vendor status.

 

Best Regards,

 

HJLBX
Userlevel 7
Badge +56
Also average users will not even know like my family I never ask to get there [u] files whitelisted me I'm picky and maybe allot more picky than most Advanced users. :D

 

Cheers,

 

Daniel 😉
Thank You, Rakanisheu.
Hello Baldrick,

 

The JAM develper constantly releases new versions of UltraSearch... sometimes two or three times in a months time.  Other times, it may not be updated for a whole month or two... but all his softs are updated at a consistently rapid pace.

 

Rakanisheu states WR can whitelist the softs using various techniques.

 

Submitting white-list requests every time an app is updated is not workable nor sustainable.

 

I'll submit the requests and see what WR Staff decides.
Hello Baldrick,

 

You are absolutely correct.

 

In my experience, "Trusting" files simply because they are digitally signed is a really bad idea.

 

I am not too sure about WSA's white-listing algorithm, but other vendors use a combination of statistics that include source, prevelance, a valid certificate and developer's reputation.  Some even go so far as to inspect how a file is packed.

 

UltraSearch I'm not so concerned about unless WSA interferes with its direct disk access.

 

On the other hand, WSA monitoring of the Shadow Defender installer is problematic; the installer needs  to make system settings changes but it is given a "low restricted access" by WSA.  This causes an AppHang.

 

It's no big deal.

 

I just manually "Allowed" each one in the BlockAllow Files list before executing.

 

Solves the problem, but I'd rather not have to do it every time a file changes.
Userlevel 7
Cheers, Roy

 

Have to say that I agree with you...in the main WSA does not interfere with other apps unless it is to stop them dead or to monitor them as suspicious and even in the latter case I have rarely been aware that this was happening until I checked in the usual places and found the status as 'monitored', etc.

 

That is why I suported the recent suggestion/feature request for notification of when 'monitoring' is started...just so that the user, if they switch on such a feature, has the option to know if they are so interested.

 

I think that 'spoofing' software was all the rage sometime ago and probably still continues to some degree and (as all things nefarious) will most probably make a come back in some form...but to be honest in WSA (and the Webroot Team backing it up) I trust...end of story.

 

Regards, Baldrick

 

 
Hello Baldrick,

 

Oh man...

 

"Spoofing" software is still at work like you wouldn't believe.

 

HJLBX
Userlevel 7
Hi HJLBX

 

I can see your point re. Shadow Defender but given what it does you I can see why WSA would be taking a cautious approach, and to be honest I am surpised that it gets updated that oftens...does not fill me with warm feelings if such an app is constantly being updated.  GIven what it does (which IMHO is somewhat limited)  it should be relatively stable.

 

But as you say, if you use it then you will just have to grin and bear the interaction.

 

Regards, Baldrick
Userlevel 7
@ wrote:

Hello Baldrick,

 

Oh man...

 

"Spoofing" software is still at work like you wouldn't believe.

 

HJLBX

I know but my point is that it is not like it use to be (and I am speaking of way, way, way back when) and to be honest as a technique itis no longer cutting edge even with all the bells and whistles the Dark Side trot out.

 

Baldrick

 

 

Reply