So many (techie) product questions...

Creating a support ticket makes sense to find how to streamline WSA scans---or to put in a feature request for it. IDK what table or index the scan refers to and how it varies on other boxes but hope to hear more about this. No "bait and switch" tactics here. In this community, I found other inquisitive folks who care to help and are wise enough to know where to refer questions to. Like you, I wrote to potential internet security providers. For whatever reason, I did not get an answer from this community at the time. But in fairness, did not check for one--once I realized that WSA is the best thing available for Mac. Health permitting, I follow this community and learn. For most folks here it is probably time permitting. I appreciate the attitude and spirit of this community.

So I guess here is my rub...
Not to mention I feel like this has turned into some bait and switch with the community responses (or lack there of) here... Remember the knowledgeable community here was one of my major reasons for purchasing this software in the first place...
 
Box #1 running an i7 with 12GB memory, dual SATA3 240GB SSD, single SATA3 1.5TB 10K RPM data drive, using 3 separate USB 3.0 external drives on occasion (but have not reconnected any of them since the original manual scan done on them)
Scans continue to look for files on these now removed (removable) drives and it is also till looking for a now deleted file that had flagged as a threat...
27,430 files scanned took 3:13...
 
 
Box #2 running an i3 with 8 GB memory single 1.5 TB 7200 RPM SATA3 drive...
54,640 files scanned took 1:19...
 
Both systems running Windows 7x64 Ultimate
 
Almost TWICE the files scanned in less than half the time on a SLOWER system???
 
WHY??? 
My SSD system is MUCH faster (other than the obvious issues with WSA attempting to access non-existent drives/files wasting a HUGE amount of time)...
 
HOW CAN I FIX THIS?...
How can I stop WSA from looking for non-existant devices/files??? (seems rather silly for it to continue looking after they are not found even once)
 

Now I have more questions...
 
Seems that since I have done manual scans on my external drives and even cleaned a couple of threats off of them it seems the system scan continually attempts to access these drives, even when they are no longer attached...
 
I also had one detection on my local data drive which I resorted to simply deleting the file but now the system scans are also looking for that specific file even though it has been deleted and the free space on the drive wiped...
 
My original 14 second system scan has now become 3 Minutes and 27 seconds and it seems to keep getting longer... even with no external drives attached...
 
I could see where if I had added a bunch of new files or something but in the last scan it decided it needed to scan 27+K files when the original scan only wanted to scan 16+K... 10K more files = 3 minutes 13 seconds?
 
I am wondering if there is any way to purge the files/locations that WSA has decided it wants to scan in order to avoid these un-needed scan attempts? Or do these flagged scan locations fall away over time automatically? (if so how long does it take?)
 
Oh and another minor thing... There is now a "Personalized Security Report" pop up on every reboot?
 
Edit: The "Personalized Security Report" pop up has stopped...
 

Well here are my thoughts on WSA.
 
Very nice and light weight, nothing extra running, but still very reactive to threats.
 
A minor issue with application version changes: IE: I am a programmer and when my software builds the version number is incremented to denote the new version, WSA then reverts to blocking the same application (all be it with a newer version) in the same location it has been told to allow prior.
I again have to tell WSA that it is okay to allow it to access the network... and then again also tell it that it is OK to access the copy buffer... (for instance I manually copy my router log to the copy buffer (ctrl+c) to then process in my application and then output the results based on type of entry and/or source IP)
Not a huge thing but a slight annoyance when you are a programmer.
 
Note: This does not seem to happen when you update a web browser like FireFox for instance (which is open source)
 
Beyond that I have had no problems with the functionality and it has passed all the tests I have put it through!
 
Thank you for doing what is needed and not forcing me to have "features" I would never use.

@ 
 
Yes I have only had these Port 0 attacks show up twice as I mentioned so it has not been a big issue if they persist I will obviously speak with my ISP. (I still find it odd that it only ever happened shortly after installing BitDefender and then again shortly after removing BitDefrender)
 
As to configuration my IP is configured as DHCP at the cable modem BUT... The cable modem is controlled by the ISP (including firmware version) and is serial number matched and locked with its physical MAC address to what is basically an externally static IP.
 
My router is configured to use the Modems provided local IP as DHCP so if I lose connection with my ISP(Internet) my local network (Intranet) is still functional and reverts back once the ISP is re-connected.
 
This seems to be a pretty safe configuration as the connection to the ISP is physically secured using the serial number and hardware MAC. Pretty hard to spoof something like that without having the actual Serial number and Physical MAC of the modem.
 
Even if something does get through the modem my router is then the second line of defense as I have Ping, FTP, uPNP, remote admin, wireless,  all turned off,  as well as having other specific address/site blocks set up on it.
 
Then if all of that fails each connected device still has its own firewall and anti-virus/anti-malware system installed and configured.
 
I feel I am likely much safer than many of the corporate/government networks that have outsourced their IT support... *cough* *cough* that's real safe...

@ 
 
In response to your questions...
 
Started with: [DoS Attack: WinNuke Attack] from source: 188.165.236.154, port 0, Monday, October 20,2014 22:07:56
Last attack: [DoS Attack: WinNuke Attack] from source: 77.37.7.105, port 0, Tuesday, October 21,2014 00:52:30
 
167 individual attacks from 92 unique ips (there are a few within their own same sub-net range)
 
They were shown as several "types" by my router:
[DoS Attack: WinNuke Attack]
[DoS Attack: FIN Scan]
[DoS Attack: SYN/RST Scan]
[DoS Attack: ACK Scan]
[DoS Attack: NULL Scan]
[DoS Attack: Xmas Tress Scan]
[DoS Attack: IMAP Scan]
 
All to port 0 which: “Generally speaking port zero traffic can be indicative of a possible reconnaissance attack, and may be a precursor to more serious penetration attempts”
 
Attackers can use such abnormal traffic to fingerprint operating systems and network security devices, because different OSes and network equipment can respond differently to port zero traffic, the researcher said. “This can enable the attacker to make a more precise attempt to compromise a network.”
 
 
 

Pardon my delay in getting back again...
 
I had about a 3 hour Port 0 attack again last night starting at about 10:07PM and lasting till about 1:00AM that was stopped by my router again...
 
This is only the second time I have had these port 0 attacks happen and not to point fingers but it seems odd that the first time (which lasted just short of 24 hours) was shortly after installing BitDeffender...
And then last night almost 14 days later exactly (and 2 days after removing BitDefender) it happens again...
 
Not that it affected anything on my machines as in both instances the router stopped/dropped all of the packets.
 
Beyond that everything seems to be running smoothly, though I have noticed some streaming content will buffer a bit at the start but it then smooths back out after several seconds.
 
Even my DiabloSport inTune updates worked fine (after allowing it through the firewall)
Yes I am a performance car buff too... :S
 

Enjoyed this entire post! Paranoia vs Caution...I remember what it felt like to hang out, unprotected while removing old security---keeping offline till new security refused to go further without phoning home to validate my purchase and update definitions. All the while, holding my breath and hoping there was no breach of ports. (I was glad when RussH suggested that security may want to look at that weak link.) The others did a good job of addressing every point--explaining how WSA works well with most other security--so LAYERED security is the way around some vulnerabilities. And I learned more about how WSA works in the process. I can also identify with RussH when it comes to who controls the running processes. With a PC it was often me in charge but Mac has a different idea. I do think that computers are a lot better at handling resources today. And I can say that WSA is not a resource hog. I avoid frivolous or risky apps. The Webroot features mentioned are optional when it comes to Mac and would seem to be so for PCs too. Best wishes y'all!

Hi RussH
 
Thanks for coming back and posting on progress.  I am not surprised at anything that you report, not even the "slight knee jerk reaction on my part was the 14 second initial scan".  A lot of people using WSA for the first time do that...the reason for this is the way that WSA works...the philosophy is that malware is only dangerous as and when it is active so WSA monitors for malware activity both using Cloud-based whitelisting, and heuristics both does nothing with any file  or app that is not active.
 
So you may have the largest repository of malware packages residing on your system but if they are all inactive/dormant then it will pay no attention to them...BUT...the merest sniff of activitty and WSA will pounce, analyse and block...in otherwords WSA does not waste time or resources on things that cannot cause damage etc., but rather focusses on those that can.  Particularly clever and effective is what it does if it cannot determine whether an active file is malicious or not...in that case it monitors/journals the file's activities (which it also limits as well) and if eventually determined to be good it then stops the monitoring/restriction, etc., but if bad it it rollsback back any journalled activity so to negate the impact of the 'now determined to be malicious' file. :D
 
I hope I have described the philosphy properly.  I am sure that with your background you have probably researched this but for more information please take a look at this previous post, especially the three vidoes, for more information on the unique way that WSA works to protect the system it is installed on.
 
Of course, post back if you have any more questions.
 
All that I will say more at this oint is sit back, relax...you are well protected.
 
Regards, Baldrick

Hi RussH
 
Well, that is a shame...and just our luck...so we cannot close the 'window of opportunity' as you are quite right that with what you are currently using you must uninstall and cleanse your system just to be on the safe side.  What a shame.
 
Still, given the specs of your system I can say without feasr of contradication that WSA will fly and that you will see quite a difference when compared to your current security solution.
 
Look forward to hearing how you get on and of course, we are here should you have any further questions or need further assistance.
 
Regards, Baldrick

Hi RussH
 
You are most welcome...that is what we are here for in part (as well as having some fun, learning lots, and of course, making new friends).
 
I follow what you are saying, but would provide the following snippet.  Are you aware that WSA is designed to be compatibile/play well with all other major AV/IS products around...and it is 99% successful as far as I am aware.  I have run it successfully in tandem with KIS, and there are other members who have do ne the same with NIS and some other of the major players, all with no ill effects...but of course more drain on one's system (usually due to the other AV/IS used).  The only one that I am aware of that WSA does not play well with is BitDefender.
 
I am not aware of what yo are currently running but unless it is BitDefender I do not see why you cannot install WSA with your current security apps installed & running and then, once WSA is installed, uninstall your curent app.
 
Worth considering I would suggest and if you go with that then the 'window of opportunity' we were discussing is reduced to zero.  If you are tempted to try then let us know what you currently use/what WSA will be replacing and we can poll around the Community to see if anyone has any experience; positive or negative re. using both at the same time.
 
Regards, Baldrick

Hi RussH
 
I do completely understand the reasons for your caution and I think that you are exceptionally wise to have that sort of precious and sensitive data/source held on extrenal drives that are hopefully disconnected from the internet unless they need to be.
 
I also think that your approach of "run the install from CD off-line until it complains about no connection" does reduce the 'window of opportunity' but sadly by very little as when I trialled the disconnected install (prior to one of my posts) it was a matter of seconds, from clicking to run the installer, to the installer advising that it could not authenticate, and offerring to abort the install....but on the positive side...it will reduce the window by a few seconds more than if connected.
 
I do hope that you do take the plunge and do finally join our Community.  Please let us know what you decide either way.
 
Regards, Baldrick