Sorry, this isn't a rumor or a myth (yet). It's a question and this seemed like the best area for it:
I've searched, but I can't find a clear answer on which files get hashed and submitted to the cloud. Imagine a scenario where you receive a sensitive Word document or PDF--let's say it's the Pentagon Papers--as an email attachment. Does this file ever get hashed and submitted? If so, can Webroot be subpoenaed to reveal which accounts submitted that hash for inspection?
Solved
Privacy hypothetical
Best answer by Kit
No hash data is sent to the cloud on anything that is not constructed of operational machine code (Program Executable, or PE). Not even in cases where files are extracted from archives, compressed or not. Documents extracted from archives are examined, just like by an old AV system, and when it's determined that they are not PE, there is no data hashed, sent, or retained in any location.
Also, acquirable non-modified information on a given file hash just includes the NUMBER of computers it was seen on, the geo-located country it was first seen in, the OS version, default browser, and a few internal things like the version of the file that was hashed, version of the WSA agent it was seen by, etc. Other information is anonymized instantly, for example, if the file was seen as C:UsersKitDesktopFile.exe, that is stripped to be %desktop%file.exe.
So basically, No. Webroot cannot see or provide information on every computer that scanned a specific file hash, especially not if it's not a PE. The most we could say is how many computers scanned it.
And also, No. Webroot does not maintain a history of all files seen by a given system indefinitely or even for a minor amount of time. As a good example, when I look up my home computer's keycode on the system, I see files that were included in the most recent non-trivial (Deep) scan, but not, for example, an executable on my desktop that I deleted two days ago.
Honestly, given the number of cache files, temp files, etc, keeping a cross-linked record of every single file out of thousands of transient files per day per computer across every one of millions of computers would be prohibitive, data-wise, and would not help protect computers against threats.
Edit: And no, document hashes, even with macros or scripts, do not get submitted.
View originalAlso, acquirable non-modified information on a given file hash just includes the NUMBER of computers it was seen on, the geo-located country it was first seen in, the OS version, default browser, and a few internal things like the version of the file that was hashed, version of the WSA agent it was seen by, etc. Other information is anonymized instantly, for example, if the file was seen as C:UsersKitDesktopFile.exe, that is stripped to be %desktop%file.exe.
So basically, No. Webroot cannot see or provide information on every computer that scanned a specific file hash, especially not if it's not a PE. The most we could say is how many computers scanned it.
And also, No. Webroot does not maintain a history of all files seen by a given system indefinitely or even for a minor amount of time. As a good example, when I look up my home computer's keycode on the system, I see files that were included in the most recent non-trivial (Deep) scan, but not, for example, an executable on my desktop that I deleted two days ago.
Honestly, given the number of cache files, temp files, etc, keeping a cross-linked record of every single file out of thousands of transient files per day per computer across every one of millions of computers would be prohibitive, data-wise, and would not help protect computers against threats.
Edit: And no, document hashes, even with macros or scripts, do not get submitted.
Hi Eldan!
This is an extremely complicated question, but let's break it down. As for how the files are hashed, we use the industry standard md5. Only files that are executable will be scanned and hashed. Archives are extracted, and their contents are hashed as well. The MD5 hashes are submitted to the cloud database and returned as "Good", "Bad", or "Unknown." These hashes do not contain data and would not be able to reassembled into a working exe. They are encrypted hashes of data...they can be decrypted, but we don't have the entire file. As far as being subpoenaed, yes we can track which users or accounts submitted file information.
Thanks!
This is an extremely complicated question, but let's break it down. As for how the files are hashed, we use the industry standard md5. Only files that are executable will be scanned and hashed. Archives are extracted, and their contents are hashed as well. The MD5 hashes are submitted to the cloud database and returned as "Good", "Bad", or "Unknown." These hashes do not contain data and would not be able to reassembled into a working exe. They are encrypted hashes of data...they can be decrypted, but we don't have the entire file. As far as being subpoenaed, yes we can track which users or accounts submitted file information.
Thanks!
+23Will MD5 be use used for the foreseeable future or will Webroot switch to using SHA1?
Great question! At this moment we are going to continue to use MD5 as it is the industry standard. Any other hash system we decide to use will be determined when that time comes. Until then we always use the industry standard to hash and identify malicious threats and legitimate files.
+23No worries. I ask because the talk of hashes got me thinking about the Flame authors, and how they used an MD5 collision to forge a Windows code-signing certificate, as detailed here.
The type of hash is not relevant, as long as it can be assumed a hash uniquely identifies a file. The question is, would the confidential but generally non-executable (but could contain script or macros) file EVER have its hash submitted to the cloud? From your answer, it sounds like a yes, especially if the file is zipped.
The question is not whether anyone can reconstruct the data. The question is whether someone in possesion of the file and who therefore knows it's hash value, can through some legal means identifiy all of Webroot's customers that also possess the file.
I'm wondering why it is necessary to track which users submit which hashes, how long those records are kept, and what the privacy policy is regarding those submissions.
The question is not whether anyone can reconstruct the data. The question is whether someone in possesion of the file and who therefore knows it's hash value, can through some legal means identifiy all of Webroot's customers that also possess the file.
I'm wondering why it is necessary to track which users submit which hashes, how long those records are kept, and what the privacy policy is regarding those submissions.
Hi Eldan,
Please take a look at our privacy policy and see if that answers your question. It covers Why Webroot Collects Personal Information, What Information Webroot Collects...etc
Thanks!
Please take a look at our privacy policy and see if that answers your question. It covers Why Webroot Collects Personal Information, What Information Webroot Collects...etc
Thanks!
I think the privacy policy should explicitly state that use of the cloud network means all the scanned files on your computer are linked to your account indefinitely, i.e. even after you've deleted them.
No hash data is sent to the cloud on anything that is not constructed of operational machine code (Program Executable, or PE). Not even in cases where files are extracted from archives, compressed or not. Documents extracted from archives are examined, just like by an old AV system, and when it's determined that they are not PE, there is no data hashed, sent, or retained in any location.
Also, acquirable non-modified information on a given file hash just includes the NUMBER of computers it was seen on, the geo-located country it was first seen in, the OS version, default browser, and a few internal things like the version of the file that was hashed, version of the WSA agent it was seen by, etc. Other information is anonymized instantly, for example, if the file was seen as C:UsersKitDesktopFile.exe, that is stripped to be %desktop%file.exe.
So basically, No. Webroot cannot see or provide information on every computer that scanned a specific file hash, especially not if it's not a PE. The most we could say is how many computers scanned it.
And also, No. Webroot does not maintain a history of all files seen by a given system indefinitely or even for a minor amount of time. As a good example, when I look up my home computer's keycode on the system, I see files that were included in the most recent non-trivial (Deep) scan, but not, for example, an executable on my desktop that I deleted two days ago.
Honestly, given the number of cache files, temp files, etc, keeping a cross-linked record of every single file out of thousands of transient files per day per computer across every one of millions of computers would be prohibitive, data-wise, and would not help protect computers against threats.
Edit: And no, document hashes, even with macros or scripts, do not get submitted.
Also, acquirable non-modified information on a given file hash just includes the NUMBER of computers it was seen on, the geo-located country it was first seen in, the OS version, default browser, and a few internal things like the version of the file that was hashed, version of the WSA agent it was seen by, etc. Other information is anonymized instantly, for example, if the file was seen as C:UsersKitDesktopFile.exe, that is stripped to be %desktop%file.exe.
So basically, No. Webroot cannot see or provide information on every computer that scanned a specific file hash, especially not if it's not a PE. The most we could say is how many computers scanned it.
And also, No. Webroot does not maintain a history of all files seen by a given system indefinitely or even for a minor amount of time. As a good example, when I look up my home computer's keycode on the system, I see files that were included in the most recent non-trivial (Deep) scan, but not, for example, an executable on my desktop that I deleted two days ago.
Honestly, given the number of cache files, temp files, etc, keeping a cross-linked record of every single file out of thousands of transient files per day per computer across every one of millions of computers would be prohibitive, data-wise, and would not help protect computers against threats.
Edit: And no, document hashes, even with macros or scripts, do not get submitted.
Kit - Prior Webroot Quality Assurance / Prior Webroot Escalation Engineer
@ wrote:
Thanks for that thorough and VERY reassuring answer.
Absolutely. Sorry it took so long, the weekend is my days off and my wife would rather I play SW:TOR with her than do work things..
Reply
Login to the community
No account yet? Create an account
Enter your E-mail address. We'll send you an e-mail with instructions to reset your password.