Comments on: Webroot Bulletin Regarding AV-Comparatives Results

By: JL

JL — Mon, 23 Jul 2012 22:48:29 +0000

Thank you, Joe, for your generous offer and willingness to help above expectations. At the time, Webroot researchers worked to troubleshoot but nothing was found. Whether it was something that redirected DNS traffic or a simple http cookie with an imbedded iframe, never know for certain. Keep up the groundbreaking work; it’s clear the product has improved over the past several months and may pave the way for the future of internet security. And some feedback if you’re willing. If Webroot built a dual layered product that offered cloud-based protection and client-based definitions engine, I’d be interested even at a premium. Don’t mind the resource usage and system memory, traditional machines are built to accomodate those needs.

By: glhaldeman

glhaldeman — Fri, 20 Jul 2012 18:55:34 +0000

The vast majority of threats are still blocked automatically – just in the case where we don’t block a threat, we have the backup measures in place to continue protecting the system, unlike other security products which do nothing and allow threats to roam free. WSA applies a transparent sandbox which will limit the infections ability to affect the system and will automatically undo its changes even if they are complex and wide reaching. The generic information stealing trojan protection will prevent it from stealing user data or logging keystrokes. So, while our goal is to certainly block everything before it runs, you’re still safe even if we miss it initially.

Hope that helps!

Regards,
-Joe Jaroch

By: glhaldeman

glhaldeman — Fri, 20 Jul 2012 18:54:49 +0000

It’s hard to say at this point as redirection threats can take place at multiple levels, many of which don’t require an active infection. We’d be happy to help if you ever see something like this again, even if you aren’t using a Webroot product. Just write into our support inbox and we’ll help you diagnose the issue directly.

Regards,
- Joe Jaroch

By: Anonymous

Anonymous — Fri, 20 Jul 2012 16:12:03 +0000

So letting malicious code run and upload files is fine, as long as you revert all the changes in a few hours?

By: JL

JL — Fri, 20 Jul 2012 15:34:34 +0000

Very informative piece, helps explain how WSA applies unique techniques to protect the client. While I no longer use Webroot, I am intrigued by your advanced products and continue to follow your development. In light of your article, I am curious if you may have further information or clarification to a circumstance experienced on a client running WSA. Having used Webroot for years, I uninstalled WSA on this client some months ago after I was getting redirected to fake AV download requests. When the redirection recurred during separate randow browsing sessions, I did not notice any response from WSA in the browser protection or auto-protection. WSA was monitoring select processes but no infection was blocked even after a couple weeks. I installed a different security product on the client in addition to WSA. Promptly this product’s firewall blocked outbound malicious network traffic, which may have been a MD5 phoning out for the fake AV to intrude the system. WSA scans and other scans still revealed no rogues. My question in light of reading your article, could it be that I was actually being protected by WSA even though I was repeatedly redirected to rogue AV website? It would be helpful if you can walk through an example. I’m not sure how to address the other firewall blocking outbound traffic, though.