Solved

Spysweeper update includes more than what I want

  • 29 February 2012
  • 39 replies
  • 476 views



Userlevel 7
I guess I should really put my two cents in here, since I don't talk PR, but I do talk tech. I've been in the security industry for 17 years, and so on, but all in all I have half an idea of what I'm talking about. ;)
 
"Don't run two AV programs at the same time." is specifically due to the fact that normally an AV program has to be hyper-aggressive.  Scan everything in a blocking manner, scan disk access, interdict access, and several other aspects that cannot work well together.  In non-tech speak, the best description is two cartoon cops bonking heads trying to apprehend the criminal.  Let's get down to the tech parts of it though...
 
Antispyware software is non-aggressive or subservient to Antivirus software.  While it will try to lock and interdict if allowed, it will not attempt to bypass locks or interdictions.  Blocking scans may still occur, but have a VERY tight timeout if they do; otherwise scans are non-blocking.  Even with pattern-based scans, the substantially smaller pattern set takes much less time to compare against, and the patterns are made in such a way as to be lighter on CPU resources than Antivirus products.
 
The Bad of two AV products...
Let's just call them AV1 and AV2. First you start with blocking on-access scanning (this is a type of interdiction).
When there is an attempt to access the file, either one alone will block that process for the time it takes to scan the file against its pattern or definition set.  This is -usually- a trivial amount of time in human terms, for example, 60ms.  It's a relatively long amount of time in computer terms.  Of course, if it wants to scan and it gets blocked itself, it becomes more aggressive because it assumes that something is wrong.
 
When you have two AV products trying to do an on-access scan at the same time, one will block the original requesting process, then start its own request, at which point it will be blocked by the second one.  The second one will try to do its scan first, while the first one gets upset about being blocked, so tries to break that block, which slows down or interferes with the second one.  The end result is horrible system performance for simple file I/O and possibly very bad conflicts.
 
Scanning + Realtime Blocking Scanning
So then you start a scan with one of them.  The other promptly determines that the file it is scanning is being accessed, so it scans it, in a blocking manner, then lets the first one scan it as part of the normal scan process.  This means that every file either one scans is being scanned by both of them at the same time.  One via on-access and one via the scan.
 
Interdiction, Lockout, and Remediation
Then you get an infection.  Both of them see it, of course.  So both of them demand to remove it.  They both try to lock the file and prevent anything else at all from touching it.  They both try to take it, copy the data into the appropriate quarantine, and then remove whatever necessary traces they need to, from the files, to folders, to registry entries.  When you have two of them doing this at the same time, it gets ugly.  When removing an infection, they don't want ANYTHING else touching it, but they -HAVE- to touch it and remove it.  So they literally battle for access, both trying to block each other and access the file.  Depending on their aggression levels, they may try to terminate each other due to the interference.  It's...  Not good to say the least.
 
So why does Antispyware and Antivirus not have this issue?
Antispyware is submissive.  If it is locked out, it will not try to break that lock.  If its lock is broken, it won't try to force it back or take retribution against the process that broke the lock.  The scan and realtime scan both happening will always be the same thing, but without locking the files for scanning or trying to break locks, the impact is substantially lower.
 
SecureAnywhere literally takes the whole Antivirus concept and turns it on its head.  In non-tech terms, it goes from being the knight in platemail trudging along and taking blows and swinging a huge sword to being a ninja assassin, sneaking around, using the enemy's energy against it, and staying out of sight.  But enough about fantasy PR-type speak.
 
SecureAnywhere is able to be an effective security platform without needing to be aggressive.  Development very specifically works to overcome any compatibility issues with other antimalware platforms.  That's something that no other antivirus program can say.  If you look at it from an industry viewpoint, they really don't want to.  Since no protection is 100%, there will always be something they miss.  If another product on the same machine catches it, they "look bad" to the average person.  So if they are all running, whoever catches it first "wins" and nobody realizes that next week the other will catch something the previous "winner" didn't.
 
SecureAnywhere knows what other antivirus programs are.  It is aware of what they do, and it tracks what they do.  It does not block with on-access scanning, nor does it try to break the lockouts.  It has one specific feature that they don't have:  It knows who the good guys are.
 
The other AV programs need to lock down and rip out and prevent all other interference because they only have a list of what is bad.  Everything else is unknown.  So even if it's potentially good, they need to block it in case it might be bad and trying to kill them or prevent them from cleaning your system.
 
SecureAnywhere tracks Good, Bad, and Unknown.  If it sees a threat on the system, it will try to lock it.  If the SEP process then tries to break the lock because it also sees the threat and wants to handle it, SecureAnywhere is informed enough to recognize the SEP process as a Good process and allows it to do so, while also covering its back if it knows more about the threat than Symantec does.
 
"Knowing more about the threat?"  SecureAnywhere journals what unknown processes do.  If the process drops random registry entries, random polymorphic files, and other such things before it's removed by SEP, SEP has no way of catching its droppings.  SecureAnywhere can.  So while it allows SEP to handle the main problem (which it would handle effectively on its own if SEP were not present), it cleans up everything else that SEP is unaware of.
 
AntiSpyware can be alongside AntiVirus because it is submissive.  Traditional Antivirus cannot be submissive because it only knows "Bad" or "Unknown", so when handling a threat, it has to treat all unknowns that try to interfere as potentially bad and take action against them.  Therefore, AntiSpyware cannot play an AntiVirus role in the traditional sense.
 
SecureAnywhere is as submissive as AntiSpyware in the sense of not locking, and not conflicting.  However it is as aggressive as AntiVirus when it needs to be because it has the information it needs to decide that another Antivirus is a good process.  So we literally put a full-capability Antivirus system into a package that reacts with other Antivirus like it was Antispyware just because it is aware of the other Antivirus.
 
Finally, if all else fails, look at it from this standpoint:
If you ask Symantec directly about SecureAnywhere, they will say "No, you cannot run that!  Us only, no matter what!  If you don't like this, don't use us, because if you have them, we won't support you."
If you ask us directly about SEP, we will say "Yes, you absolutely can run that as well if you like.  We think you will like us better and will decide you don't need them, but we will not take your freedom of choice away from you.  If you encounter a problem with the combination, we will help work around it and develop around it so that you may continue to use both, and we will support you fully with both."
 
Am I saying that Symantec is a despotic, controlling jerk?  Maaaaybe. ;)  But we have won millions over with our honey, our speed, our efficiency, our effectiveness, and our support. 
 
When it gets to the point where I personally can say that I have gone onto our back-end system, done a search, and found 5,000 systems infected with unique copies of a polymorphic threat that released into the wild twenty minutes ago and -NOBODY- detects, not even SecureAnywhere...  then made a change on our end to determine not only those individual items, but also the entire family of infection, thus catching the next 97,000 that come out in the following two days...  Well, that's why I work for this company now.  The technology is amazing, the system is amazing, and I can put 17 years of security industry experience behind that statement.  Even better, I installed our Enterprise Endpoint on my parents' computer in Oregon (I'm in Colorado).  When they got an infection that was brand new (again, nothing at all detected it), I was able to remove it remotely via the SecureAnywhere web console rather than having to use ComboFix or any other big group of stuff, which is both a pain in the tail and also historically has a good chance of nuking the system (ever wondered why they insist you install the recovery console?).
 
So really, when we are saying "Try it, you can use it with other things", we really do mean it.  We mean that we are offering the same compatibility that SpySweeper had, plus much more capability and flexibility, and full support just as if you were using SpySweeper with McAfee instead of SecureAnywhere with McAfee.  Plus a heck of a lot more, honestly.
 
For example, it also comes down to whether you know the answer to "Why does SpySweeper work with SEP?"  After all, they both use definitions and patterns to detect stuff, and they can even detect many of the same things.  So if SpySweeper was given the definition information for detecting more stuff that SEP detects, would it suddenly stop working because it can find more?  Not at all, since the ability to coexist is in the way it's built for the most part.  But the main AntiSpyware thing, to avoid system slowdown, is the simplicity of the scanning engine and the lower number of definitions.
 
I can really only give a general semi-tech overview because I cannot read minds and know all of your potential questions or concerns.  This addresses "Antispyware vs Antivirus" and "Two AntiVirus products".
 
You're also concerned about efficacy.  I'll be honest, given the new detection and remediation scheme, in official tests, we missed "remnants".  That is, "SecureAnywhere didn't remove log files created by this threat that are text and not a threat, but we count that against them.  Oh, and they didn't detect these broken downloads that the virus got that are not able to actually RUN or do anything, but the virus tried to download them so must be bad."
 
You point out that you don't want to call for support when working with 10,000 machines.  Understandable.  Especially since waiting for MEP support can be a bit of time.  My response to that is simple:  Without even going to the machine, a minimally knowledgeable person can see exactly what is on it.  If SEP misses something (go ahead and tell me it never has), you run ComboFix.  If SecureAnywhere misses something, you look at the handful of unknown items on the machine, from the central console, say "huh, that's not one of ours.", mark it bad, and it's taken care of.  Taken care of to the point where everything it did and everything that caused it is corrected as well.  Not sure about it?  We answer the Enterprise lines very fast, have 24/7 threat research who are able to make a central determination simply based on knowing what machine(s) is/are having the problem, and the issue is taken care of in a few minutes.  SecureAnywhere also provides advanced cleanup tools for manual correction that allow for a more surgical approach than the broad-spectrum-antibiotics-but-hope-it-doesn't-kill-the-patient approach ComboFix takes.  (Sometime, take a look at what's inside ComboFix. ;)  It's a great program, but scary really.)
 
If you have specific questions that I have not addressed, please feel free to ask.  Feel free to get the free SME trial.  It's 100% fully featured, supported, and set, doesn't require payment credentials, and the worst that'll happen is you get a followup email from us afterward.  Test it with SEP.  See what happens or doesn't happen.  Check our enterprise support team out.  Don't take anybody's word for it.  Get your own knowledge and be free of any FUD at all.
 
@David12846
"The bigger question is then, will other antivirus programs work properly when SecureAnywhere is installed? I can just see Webroot hoping other antivirus programs that are installed, choke when it see another antivirus program like SecureAnywhere running. Perfect opportunity to get us to blame the "other guy" and get rid of the other guy's antivirus program when it crashes!"
 
Perhaps see my comparison above.  If you look at it from a business standpoint, it's in their interest to choke when we're installed.  Then it's just a matter of convincing the user it's our fault and to use them alone.  After all, many people don't understand layered security and have the mistaken thought that if we catch something RandomAV doesn't, then they will blame RandomAV for it and get rid of them.  Bad idea, since it also works the other way around, and they can catch stuff we won't.  It's the security versus usability tradeoff of course.  Similar efficacy, different sets missed, but size and cost differences that are dramatic.
 
So, then, also...  "RandomAV and Webroot SecureAnywhere work together.  Then RAV gets an update and stops working, and they blame WSA.  WSA changes to allow RAV's new thing to work again.  Then RAV gets another new thing and stops working again."  Yes, obviously WSA's fault, it was our plan all along.  (A bit of sarcasm there. 😉 )
 
If they really don't work, but we do, and when you mix multiple AV's, usually BOTH of them don't work, who is actually having the problem?  We give you choice.  They try to give you no choice.  And honestly, we'd rather have them work.  We literally develop constantly to fix any issues that crop up with compatibility.  We're more interested in having your computer be protected and giving you, the user, a choice, than in holding the top of the hill, so to speak.  We -KNOW- for a fact that we detect things they don't, so we provide a substantial benefit.  That doesn't mean they won't end up detecting some things we don't, but we tend to keep that side of the overlap gap narrow and provide top notch manual capability and support for -when- something gets by (not if...  there is no if in those cases with anything, as all highly-skilled technicians know).
 
Anyway, if they broke just because we're there, couldn't a virus do the same thing we do to break them and get by them?  ;)
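The "Interdiction, Lockout, and Remediation" and "Good, Bad, and Unknown" parts of the post above describe a contention rule: what an agent does when it finds the threat file already locked by someone else. The following toy model, added here as an illustration and not code from Webroot, Symantec or anyone else in this thread, plays that rule out for the three behaviours the post names (aggressive antivirus, submissive antispyware, and a trust-aware agent that keeps a good list). The agent names, the MAX_ROUNDS cap and the event names are assumptions of the model, not measured product behaviour; the journaling of an unknown process's droppings is not modelled.

```python
"""Toy model of security agents contending for a file during remediation.

Illustration written for this thread; not Webroot's or Symantec's code.
Every agent that detects a threat wants an exclusive lock on the file so it
can quarantine and delete it. What it does on finding the lock already held
depends on its policy:
  AGGRESSIVE  - treats an unknown lock holder as interference and breaks the
                lock; if its own lock is broken, it breaks back.
  SUBMISSIVE  - backs off after a short timeout and never breaks a lock.
  TRUST_AWARE - keeps a good list; backs off (or yields) for a holder it
                knows is good, otherwise behaves like AGGRESSIVE.
"""
from dataclasses import dataclass, field
from enum import Enum, auto
from typing import FrozenSet, List, Optional, Tuple


class Policy(Enum):
    AGGRESSIVE = auto()
    SUBMISSIVE = auto()
    TRUST_AWARE = auto()


@dataclass(eq=False)
class Agent:
    name: str
    policy: Policy
    known_good: FrozenSet[str] = frozenset()  # assumed "good" list (names)


@dataclass
class Lock:
    holder: Optional[Agent] = None
    # (who, action, other): action is locked / deferred / forced_break /
    # yielded / fights_back / gave_up
    log: List[Tuple[str, str, Optional[str]]] = field(default_factory=list)

    def record(self, who: Agent, action: str, other: Optional[Agent]) -> None:
        self.log.append((who.name, action, other.name if other else None))


MAX_ROUNDS = 8  # assumed cap so two aggressive agents cannot fight forever


def _backs_off(agent: Agent, holder: Agent) -> bool:
    """Does agent leave holder's lock alone instead of breaking it?"""
    if agent.policy is Policy.SUBMISSIVE:
        return True
    if agent.policy is Policy.TRUST_AWARE:
        return holder.name in agent.known_good
    return False


def _yields(holder: Agent, challenger: Agent) -> bool:
    """Does a displaced holder let challenger keep the lock?"""
    return _backs_off(holder, challenger)


def acquire(agent: Agent, lock: Lock, rounds: int = 0) -> bool:
    """agent tries to take lock for remediation.

    Returns True if agent ends up holding the lock, False if it backed off
    or gave up. An aggressive displaced holder breaks back, which recurses
    until one side hits MAX_ROUNDS and gives up.
    """
    holder = lock.holder
    if holder is None or holder is agent:
        lock.holder = agent
        lock.record(agent, "locked", None)
        return True
    if _backs_off(agent, holder):
        lock.record(agent, "deferred", holder)
        return False
    if rounds >= MAX_ROUNDS:
        lock.record(agent, "gave_up", holder)
        return False
    lock.record(agent, "forced_break", holder)
    lock.holder = agent
    if _yields(holder, agent):
        lock.record(holder, "yielded", agent)
        return True
    lock.record(holder, "fights_back", agent)
    # The displaced holder retaliates; whoever it fails against keeps the lock.
    return not acquire(holder, lock, rounds + 1)


def remediate_all(agents: List[Agent]) -> Lock:
    """Every agent has detected the same threat and tries to take the file,
    in the order its hook fires."""
    lock = Lock()
    for agent in agents:
        acquire(agent, lock)
    return lock


def count(lock: Lock, action: str) -> int:
    return sum(1 for _, a, _ in lock.log if a == action)


if __name__ == "__main__":
    sep = Agent("SEP", Policy.AGGRESSIVE)
    av2 = Agent("AV2", Policy.AGGRESSIVE)
    spy = Agent("SpySweeper", Policy.SUBMISSIVE)
    wsa = Agent("WSA", Policy.TRUST_AWARE, frozenset({"SEP"}))
    for combo in ([sep, av2], [spy, sep], [wsa, sep], [sep, wsa]):
        lk = remediate_all(combo)
        names = "+".join(a.name for a in combo)
        print(f"{names}: forced_break={count(lk, 'forced_break')} "
              f"fights_back={count(lk, 'fights_back')} holder={lk.holder.name}")
```

Two aggressive agents break each other's lock until the cap stops them (the "battle for access" in the post), while a submissive or trust-aware agent either defers or yields once and the aggressive one finishes the cleanup; swap the order of any pair to see who defers and who yields. A trust-aware agent still forces the lock against a holder that is not on its good list.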
 
 
Userlevel 3
Hello,
 
Actually our software has been tested alongside all the other antivirus companies out there and they all work perfectly with our software. We do not conflict with them and they like us, so there are no issues on either side. However this is not the case with other antivirus programs, so you could not do something like Norton and Trend Micro at the same time because they are still using features like virus definitions. Our software is the first of its kind, which is why a lot of customers are going to need to get used to a program like ours. It really is as good as it sounds 😃
Userlevel 1
@ wrote:
 Hello there,
 
Although many antivirus programs work against each other and are not compatible, Webroot SecureAnywhere effectively works in tandem with other antivirus and antispyware programs. ...
 
Thank you,
The Webroot Support Team
 
According to your reply, Webroot SecureAnywhere will work in tandem with other installed antivirus programs.
 
The bigger question is then, will other antivirus programs work properly when SecureAnywhere is installed? I can just see Webroot hoping other antivirus programs that are installed, choke when it see another antivirus program like SecureAnywhere running. Perfect opportunity to get us to blame the "other guy" and get rid of the other guy's antivirus program when it crashes!
Userlevel 2
Until I hear from AV-Comparatives, I don't consider PC Mag and its reliance on advertising to be a reputable source. My own experience with Webroot has very mixed results and you know that Combofix is the best tool for Fake Antivirus removal and Webroot misses all that is picked up there. Well trained IT people do not need technical support. In over 18 years and 25,000 computers, I can count on less than half of one hand the times I have needed technical support, and I have not had a group of people I do not know do my work for me.
 
We are off subject and the point is that some of us bought Webroot under one consideration and now it has changed. I will go to the Symantec forums and see what they have to say about conflicts.
 
T
Userlevel 3
I agree, it will take some getting used to but you will see how revolutionary the new Webroot SecureAnywhere software really is after you test it out.
Userlevel 3
Hi Jazzwineman,
 
If detection and removal is your primary concern, you will be happy to know that Webroot SecureAnywhere received the first and only perfect malware blocking score http://www.pcmag.com/article2/0,2817,2393683,00.asp 
 
This is not to say that there is no chance that malicious software could make its way onto a machine as no software is 100% effective.  If it does occur however, we will be more than happy to assist you with the removal of this, free of charge.
 
Thanks,
Josh C
 
 
Userlevel 2
This is just telling software/hardware benchmarks, and in IT that is not my major concern. Detection and removal is far more important.
Userlevel 3
Hello Jazzwineman,
 
We understand that IT managers are a "believe it when I see it" type group and that's why we offer a complete 30 day trial for you to use.  Even better, it can install over your existing endpoint software.
 
Wanna try it?  Click here: http://www.webroot.com/customerSupport/trialRegistration.php?trpd=WSAB&loc=USA
 
I've also attached a PDF file with the comparison of Webroot SecureAnywhere Business Endpoint to other manufacturers so that you can continue your research.
 
Thanks,
Josh C
Userlevel 2
I would be curious if anyone else on the forum that is an IT manager or user would ever want to replace SEP with Webroot's version?  I think that is quite silly.
 
T
Userlevel 3
Hello jazzwineman,
 
SecureAnywhere is able to run alongside other security software thanks to both its advanced heuristic detection and its connection with the Webroot Intelligence Network.
 
Because SecureAnywhere communicates with the Webroot Intelligence Network, we are aware of other good files, no matter what access they have to your machine.  As I'm sure you are aware, security software requires a very high level of permission on the computer to perform its job correctly.  Many times, the conflict between antivirus software occurs because of this access to the computer.
 
Also, with our heuristics detection, we are able to monitor the behavior of other software and deem this malicious or not.  Because the behavior of other security software is not found as malicious, we will not detect another security software as a threat.

You mention that you are using some endpoint software and if this is in regards to business software, we have recently released Webroot® SecureAnywhere Endpoint Protection here: http://www.webroot.com/En_US/business-products-secureanywhere-endpoint.html
 
If you are managing a network, this software will return control to the user and allow you to truly have freedom over network management.
 
If you have any questions, just let us know.
 
Thanks,
Josh C
Userlevel 2
Some of us that have been in the business for some time and manage thousands of computers won't buy that off the corner talker. We use Symantec Endpoint, and while they have their own problems, Webroot is one of the most lacking programs based on what most of us see in the many variations of Fake Antivirus. You owe it to the people that have bought Webroot in good faith as a Malware/antispyware program an explanation of how you are able to do what everyone knows is taboo in the business: running 2 antivirus programs on the same computer. Please explain in detail. Your assurances do not mean you are coming out in the field and straightening out problems that we have to deal with. But I will assure you that long before SEP comes off, Webroot will be in the dumpster.
 
Thanks
 
Tom in Dallas
Userlevel 3
Beat me to it!!! But the point is we are compatible with any other antivirus program out there just like Spysweeper was! 😃
Userlevel 3
Hello,
 
We actually have discontinued Spysweeper because we have made a revolutionary antivirus product that is now cloud based and will work alongside any other antivirus/firewall application out there just as Spysweeper did.
 
Unlike the 2011 version of Webroot AntiVirus, Webroot SecureAnywhere 2012 version does not rely on traditional antivirus definitions, is smaller, runs scans more quickly, and is designed to co-exist with other security software installed on the same system. This new program represents a revolutionary new method for protecting your information and privacy and we are very excited to offer it to our customers.
 
To learn more about Webroot SecureAnywhere, we recommend you view the video tutorial at the link below.

Cloud antivirus protection vs. traditional antivirus protection

Let us know if you have any questions and welcome to the community!
Userlevel 7
 Hello there,
 
Although many antivirus programs work against each other and are not compatible, Webroot SecureAnywhere effectively works in tandem with other antivirus and antispyware programs. We understand that you liked the functionality of Spy Sweeper and we offer increased functionality with Webroot SecureAnywhere. Your support and questions are greatly appreciated! We understand that the upgrade to Webroot SecureAnywhere may be an adjustment, at first.  However, we assure you that the changes in this version are in the interest of providing the highest level of security with the least intrusion possible into your computing experience.  In contrast with previous versions, this new product will scan your entire PC in about two minutes* and doesn't require you to download updates.
For more details about what's new in Webroot SecureAnywhere, please see the PDF document What's New in SecureAnywhere! We also have video tutorials: Best Practices Videos. Webroot SecureAnywhere has been receiving excellent reviews.
 
*After the initial scan of your PC, full system scans will typically take two minutes or less.
Feel free to contact us at any time if you have additional questions or concerns.
Thank you,
The Webroot Support Team
 