Solved

Question about detecting viruses

  • 20 March 2013
  • 9 replies
  • 60 views

Userlevel 2
I have about 10 installations of Webroot SecureAnywhere Complete and IS installed on family members' PCs. The other day, I came upon a computer with WSA installed and the icon was grey with a ! mark. I clicked on the icon and noticed it had detected a virus previously. The prompt wanted me to click Next and go through a process of removing the virus and running a scan.
 
My question is, why didn't the antivirus automatically remove the malware with no prompt? I could understand a 'scan' being a user prompt, but not removal. Typical PC users usually click the X to close software, assuming it is unimportant (which is what happened in the above situation). I know it may not matter because the virus is harmless sitting inactive on the hard drive, but having the WSA icon grey (!) for a long period of time is not reassuring either to the average/advanced user.
 
Is this prompt and removal how WSA operates when 'some' detections are found or did I miss something?
 
Thanks!

Best answer by JimM 21 March 2013, 01:32


Userlevel 7
Hello,
 
Can you check the status of "Automatically perform the recommended action ..." under Behavior Shield in settings? You may have this option unchecked, hence giving you a prompt.
 
EDIT: Also please adjust options under Realtime Shield to suit your needs.
Userlevel 2
Thanks for the reply. It was unchecked, but I believe that was a default setting. If so, why is that?
 
Edit: Is it because the file was a behavior detection instead of a signature detection, so WSA is asking what to do with this file because it could be bad/good?
 
Only trying to understand how WSA operates :D
Userlevel 7
It is generally thought that users would like to see the option and to know an action is being taken on a file. The counterexample is a false positive scenario, which although infrequent, would be more irritating to a user if a file was quarantined without a notification of that quarantine action having occurred. Of course, as Pegas noted, there is an option to change that prompt behavior.

When WSA is prompting you to do something with an infection, that infection is being held in stasis already and is not allowed to continue causing trouble while you are waiting to make your decision. So for all purposes, it's in a temporary quarantine state.
Userlevel 7
@ wrote:
It is generally thought that users would like to see the option and to know an action is being taken on a file. The counterexample is a false positive scenario, which although infrequent, would be more irritating to a user if a file was quarantined without a notification of that quarantine action having occurred. Of course, as Pegas noted, there is an option to change that prompt behavior.

When WSA is prompting you to do something with an infection, that infection is being held in stasis already and is not allowed to continue causing trouble while you are waiting to make your decision. So for all purposes, it's in a temporary quarantine state.
I agree, Jim, as I like to know what's happening when something is detected, IMO. ;)
 
Daniel
Userlevel 2
Very helpful information Jim.
 
One last question:
 
When a malware file is found, installed, or missed by WSA (running on the PC in WSA monitored mode), how long does it normally take for the file to be identified as malware by the WSA cloud, and while the file is in monitored mode, what 'rights' does the file have (access to files, internet access, etc.)?
Userlevel 7
WSA will not intentionally impede the function of an executable file as an unknown except insofar as Identity Shield interactions are concerned, which is to prevent identity theft. However, it will journal everything the unknown file does and roll back any changes the file makes if and when the unknown file is later determined to be bad. How long such a determination takes varies, so that part of the question is not so easy to provide a numerical answer to. In some cases, it can be a few minutes if it's a brand new file we have never seen before and we need to see it on more than a handful of computers in order to draw a conclusion. In other cases, the determination may be made by a threat researcher who is actively researching unknowns. We have a team of such researchers whose objective is to wade through all the unknowns and classify them as good or bad.

It's worth pointing out that while the monitoring itself and the unknown status itself are not triggers to limit the rights of a file, heuristic determinations are made based off behavior. So sometimes what can happen is that a piece of malware we aren't aware of yet will sit as an unknown until it triggers a heuristic detection that then stops the malicious behavior when that behavior actually occurs. The heuristics then flag it as bad, and whatever that file did to anything else on your computer ever since its point of entry is then reverted.
Userlevel 2
Good info. I appreciate your reply and help understanding how WSA works. ;)
 
So an unknown file that gets marked as 'monitored' will automatically be sent to the cloud/server for Webroot researchers to analyze? 
 
And if I want to remove a piece of malware that was missed but marked as 'monitored', could I click "Blocked" under Control Active Processes to easily roll back and remove the malware traces instead of running another standalone malware scanner (e.g., Malwarebytes)?
Userlevel 7
@ wrote:
So an unknown file that gets marked as 'monitored' will automatically be sent to the cloud/server for Webroot researchers to analyze? 
That's correct.  :)
mar122999 wrote:
And if I want to remove a piece of malware that is monitored, could I click "Blocked" under Control Active Processes to easily roll back and remove the malware traces?
Blocking in Control Active Processes will stop the process in question from taking action on the system and quarantine it.  You could also go to PC Security -> Quarantine -> Detection Configuration and add the file you're convinced is malware in that area as well.
 
A word to the wise - be careful what you block in Control Active Processes, and be careful what you try to quarantine manually.  These are more advanced features.  If you're ever uncertain as to whether there is an infection, shoot support a quick support case, and we can check for you.  It's better than manually quarantining something important that really isn't an infection.  On the other hand, if you're sure it's an infection, that's what the feature's in there for.  🙂
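Added illustration, not part of the thread and not Webroot's code: a toy model of the behaviour JimM describes in the two replies above. An unknown process is allowed to run, every change it makes is journaled with a pre-image, a behavioural heuristic (here an assumed one: rewriting several user documents or touching a protected system file) or a later cloud/researcher verdict marks it bad, and "Block" then stops the process, reverts every journaled change back to its point of entry and quarantines it. The paths, the `MASS_WRITE_LIMIT` threshold, the `PROTECTED_PATHS` set and the sample scenario in `demo()` are all constructed for the example.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed example: journal-and-rollback for unknown processes.
# Not Webroot's code; paths, limits and the heuristic are assumptions.
PROTECTED_PATHS = {"/Windows/System32/drivers/etc/hosts"}   # assumed
DOCS_PREFIX = "/Users/alice/Documents/"                     # assumed
MASS_WRITE_LIMIT = 3   # assumed heuristic: N distinct user documents rewritten


@dataclass
class JournalEntry:
    pid: int
    path: str
    before: Optional[bytes]   # None means the path did not exist before the change


@dataclass
class MonitoredHost:
    files: Dict[str, bytes] = field(default_factory=dict)
    verdict: Dict[int, str] = field(default_factory=dict)   # pid -> unknown/good/bad
    journal: List[JournalEntry] = field(default_factory=list)
    quarantined: List[int] = field(default_factory=list)

    def start(self, pid: int, verdict: str = "unknown") -> None:
        self.verdict[pid] = verdict

    def _record(self, pid: int, path: str) -> None:
        # Only unknowns are journaled: known-good files run without overhead,
        # and a known-bad file is never allowed to act in the first place.
        if self.verdict.get(pid) == "unknown":
            self.journal.append(JournalEntry(pid, path, self.files.get(path)))

    def write(self, pid: int, path: str, data: bytes) -> None:
        if self.verdict.get(pid) == "bad":
            return                      # a blocked process may not act on the system
        self._record(pid, path)         # capture the pre-image before the change lands
        self.files[path] = data
        self._heuristic(pid)

    def delete(self, pid: int, path: str) -> None:
        if self.verdict.get(pid) == "bad" or path not in self.files:
            return
        self._record(pid, path)
        del self.files[path]
        self._heuristic(pid)

    def _heuristic(self, pid: int) -> None:
        # Monitoring itself never restricts the file; only observed behaviour does.
        mine = [e for e in self.journal if e.pid == pid]
        touched_docs = {e.path for e in mine if e.path.startswith(DOCS_PREFIX)}
        hit_protected = any(e.path in PROTECTED_PATHS for e in mine)
        if hit_protected or len(touched_docs) >= MASS_WRITE_LIMIT:
            self.block(pid)

    def block(self, pid: int) -> int:
        """Model of 'Block' in Control Active Processes: stop, revert, quarantine.
        Returns the number of journaled changes that were undone."""
        self.verdict[pid] = "bad"
        mine = [e for e in self.journal if e.pid == pid]
        for entry in reversed(mine):    # undo newest change first
            if entry.before is None:
                self.files.pop(entry.path, None)
            else:
                self.files[entry.path] = entry.before
        self.journal = [e for e in self.journal if e.pid != pid]
        if pid not in self.quarantined:
            self.quarantined.append(pid)
        return len(mine)

    def cloud_verdict(self, pid: int, verdict: str) -> None:
        # Verdict arriving later from the cloud or a threat researcher.
        if verdict == "bad":
            self.block(pid)
        elif verdict == "good":
            self.verdict[pid] = "good"
            self.journal = [e for e in self.journal if e.pid != pid]  # nothing left to revert


def demo() -> MonitoredHost:
    """Constructed scenario: one benign unknown, one encryptor, one late bad verdict."""
    host = MonitoredHost(files={
        DOCS_PREFIX + "a.docx": b"report",
        DOCS_PREFIX + "b.xlsx": b"budget",
        DOCS_PREFIX + "c.pptx": b"slides",
        "/Windows/System32/drivers/etc/hosts": b"127.0.0.1 localhost\n",
    })
    host.start(7)                                    # unknown tool writes its config
    host.write(7, "/Users/alice/AppData/tool.ini", b"ok=1")
    host.cloud_verdict(7, "good")                    # cloud says good: change is kept
    host.start(42)                                   # unknown encryptor rewrites documents
    for name in ("a.docx", "b.xlsx", "c.pptx"):
        host.write(42, DOCS_PREFIX + name, b"ENCRYPTED")   # third write trips the heuristic
    host.write(42, DOCS_PREFIX + "README.txt", b"pay")     # ignored: already blocked
    host.start(9)                                    # quiet unknown, no heuristic fires
    host.write(9, "/Users/alice/AppData/upd.exe", b"MZ")
    host.cloud_verdict(9, "bad")                     # researcher verdict: revert its drop
    return host
```

The point of keeping pre-images rather than a list of touched paths is that a rollback has to restore the original bytes of a rewritten document, not just note that it changed; and `block()` is the same code path whether the trigger was the heuristic, a cloud verdict, or a user clicking Block, which is why the manual button in Control Active Processes can undo the traces on its own.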
Userlevel 2
Ok. Thanks a bunch. You're the best 😉
