Why, of all my customers, do only customers that are using Webroot get ransomware?

  • 5 April 2018
  • 8 replies

Seriously, why, of all my customers, are only the customers that are using Webroot the ones getting hit by ransomware?
I have gone an extra mile to convert my customers to Webroot, and they get hit by ransomware!
Does Webroot even know what it is like to face a customer like that? Getting Fked over and over because it doesn't scan emails coming into the client.


Userlevel 2
Scan for what? Ransomware is just a random (encrypted) line of code and a legitimate web server file. The other antivirus wouldn't have caught it either. Antivirus should only be one piece of your defense against ransomware.
Userlevel 7
Badge +33
Hey @
Sorry to hear you are having an unpleasant experience. Let's try and explain how things work and why you need to take a holistic and layered approach to handling infections (crypto-ransomware being one).
This is gonna be a long response, so prepare yourself, but these sorts of tips will go a very long way to help you and anybody who has to deal with malware/security in general.
First, absolutely NO product is 100% effective against all types of infections. I know that's a pretty canned response, but it's true. It's more about lowering the infection surface area whereby the chances of getting hit are less and recovery and remediation is easier if/when something does happen.
- Start with good backups. Cloud backup services are cheap insurance, USE them. Also, an external drive and simply using the built-in backup offerings of Windows/Mac OS, combined with cloud backups, will give you a fighting chance to recover should something really cause a mess.
- Make sure that you have a good router with DNS protection and egress control (don't let things out). One of the best is DNSThingy from dnsthingy.com. If you place all of your devices on a whitelist and use a business feature called "Don't Talk to Strangers" (DTTS), then there's almost NO chance that, even if a ransomware were to slip by, it could communicate with a command and control server to get encryption information. It wouldn't be allowed because it's not whitelisted and was never approved; it gets checked against threat lists, and if it's an IP-only request, it'll simply NEVER get through to the outside world. The ransomware will run, but can't infect. Check it out... very good. We have to assume we are going to get infected and prevent everything from getting out unless explicitly allowed.
- Make sure that you are completely turning off AutoPlay/AutoRun, macros (turn off WITHOUT notification in Trust Centre) and the Windows Script Host. If scripts can't run, they can't infect. If a malicious document with macros doesn't present the option to enable them, it can't run. These tips apply regardless of what AV you use.
- Make sure that your Mac OS and Windows firewalls are installed. Yes, they are good enough.
- Unless absolutely needed, turn OFF or remove PowerShell. That way PowerShell commands can't run.
- Make sure that all the apps installed are up to date.
- Make sure the OS is up to date. 
- Remove Java/Flash from all systems unless absolutely needed.
- Have Webroot Support go over your policies on your systems. They'll be happy to audit things to ensure that you have the best protection. They did for me and pointed out some things I missed.
- Make sure the users' email account settings on their host are set up with security in mind. Make sure they are using SSL, spam filters are set up, etc.
- Educate users. Tell them to NEVER open any links or attachments from ANYBODY AT ALL, regardless of sender, until they verify it's legit. Webroot has Security Awareness Training. Look into it. 
In terms of Webroot not scanning email: no, they don't scan the email itself as it's coming in, BUT they'll take action on any file acted upon, such as an attachment. It won't take action on a Word document attachment with macros (they should), but the agent WILL if the macro runs and writes something to disk. Hence my advice above to disable macros and Script Host, so those two layers with Webroot will negate most of this. Plus, if you have DNSThingy as well, the script or macro simply won't be allowed out to download a malicious file.
If you are running Webroot in a business environment, make sure that you set your policy to NOT allow the agent to be disabled or unmanaged. That way users can't go and muck with settings or disable protections.
Webroot, after first installing, will take, in essence, a snapshot of the system, its running processes, etc., and use that as a baseline going forward. When new files/processes are introduced to the system, Webroot will check the files against the cloud to see if it knows them to be malicious/good/unknown and take appropriate action to allow or stop/quarantine the file.
The days of throwing on the agent of an AV product or trying to "layer" by loading up multiple products and walking away are gone.
One product like Webroot, backups, locking the system down, educating the users, and a DNS router with egress control and whitelisting all help. If you don't do these things, you are essentially doing the people a disservice.

Hope this helps.
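As an added check, not part of the reply above or of any Webroot or DNSThingy tooling, the following PowerShell script audits a Windows endpoint against the hardening items the reply lists (AutoRun/AutoPlay off, Office macros disabled without notification, Windows Script Host off, firewall profiles enabled, legacy PowerShell 2.0 engine removed). It is read-only and reports what to change rather than changing it. The registry paths and values are the documented Windows and Office policy settings; the Office version hive (16.0) and the list of Office apps are assumptions to adjust for your deployment, and the PowerShell check covers only the removable v2 engine, not the built-in host.

```powershell
# Added example (not from the thread, Webroot or DNSThingy): read-only hardening audit.
# Run from an elevated PowerShell prompt. Assumptions: Office 16.0 policy hive, app list below.

function Get-RegValue {
    param([string]$Path, [string]$Name)
    try {
        $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop
        return $item.$Name
    } catch {
        return $null   # key or value absent
    }
}

function Test-HardeningSetting {
    param([string]$Check, [string]$Path, [string]$Name, $Expected, [string]$Remediation)
    $actual = Get-RegValue -Path $Path -Name $Name
    [pscustomobject]@{
        Check       = $Check
        Status      = if ($actual -eq $Expected) { 'OK' } else { 'FAIL' }
        Actual      = if ($null -eq $actual) { '(not set)' } else { $actual }
        Expected    = $Expected
        Remediation = $Remediation
    }
}

$results = @()

# AutoRun/AutoPlay: 0xFF disables AutoRun on every drive type; NoAutorun=1 removes the AutoRun option.
$explorerPolicy = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
$results += Test-HardeningSetting 'AutoRun disabled (all drives)' $explorerPolicy 'NoDriveTypeAutoRun' 255 "Set $explorerPolicy\NoDriveTypeAutoRun (DWORD) = 0xFF"
$results += Test-HardeningSetting 'AutoRun option removed' $explorerPolicy 'NoAutorun' 1 "Set $explorerPolicy\NoAutorun (DWORD) = 1"

# Windows Script Host: Enabled=0 stops wscript/cscript from running .vbs/.js/.wsf files.
$wsh = 'HKLM:\SOFTWARE\Microsoft\Windows Script Host\Settings'
$results += Test-HardeningSetting 'Windows Script Host disabled' $wsh 'Enabled' 0 "Set $wsh\Enabled (DWORD) = 0"

# Office macros: VBAWarnings=4 is Trust Center's "Disable all macros without notification".
# Assumption: Office 2016/2019/365 (16.0) policy hive; extend the app list as needed.
foreach ($app in 'Word', 'Excel', 'PowerPoint', 'Outlook') {
    $p = "HKCU:\Software\Policies\Microsoft\Office\16.0\$app\Security"
    $results += Test-HardeningSetting "$app macros disabled without notification" $p 'VBAWarnings' 4 "Set $p\VBAWarnings (DWORD) = 4 (or deploy via Group Policy)"
}

# Windows Firewall: every profile (Domain, Private, Public) should be enabled.
foreach ($fwProfile in Get-NetFirewallProfile) {
    $results += [pscustomobject]@{
        Check       = "Firewall profile '$($fwProfile.Name)' enabled"
        Status      = if ($fwProfile.Enabled -eq 'True') { 'OK' } else { 'FAIL' }
        Actual      = $fwProfile.Enabled
        Expected    = 'True'
        Remediation = "Set-NetFirewallProfile -Name $($fwProfile.Name) -Enabled True"
    }
}

# PowerShell 2.0 engine: the legacy engine lacks the newer script logging and can be removed as an
# optional feature. This is the practical part of "remove PowerShell" for endpoints that don't need it.
$psv2 = Get-WindowsOptionalFeature -Online -FeatureName MicrosoftWindowsPowerShellV2Root -ErrorAction SilentlyContinue
if ($psv2) {
    $results += [pscustomobject]@{
        Check       = 'PowerShell 2.0 engine removed'
        Status      = if ($psv2.State -eq 'Disabled') { 'OK' } else { 'FAIL' }
        Actual      = $psv2.State
        Expected    = 'Disabled'
        Remediation = 'Disable-WindowsOptionalFeature -Online -FeatureName MicrosoftWindowsPowerShellV2Root'
    }
}

$results | Format-Table -AutoSize Check, Status, Actual, Expected
$results | Where-Object Status -eq 'FAIL' | ForEach-Object { Write-Warning "$($_.Check): $($_.Remediation)" }
```

The script checks the machine-wide policy keys; if macros are configured under the non-policy `HKCU:\Software\Microsoft\Office\16.0\<App>\Security` path instead, add that path to the loop. Running it before and after a change gives a simple before/after record for the audit the reply suggests having Webroot Support perform.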
Any reason why you recommend DNSThingy over your Webroot DNS Protection?
Userlevel 7
Badge +33
DNS Protection from Webroot is good; however, it provides nowhere near the level of granularity of DNSThingy, and it can easily be bypassed, whereas with DNSThingy on your gateway it can't be bypassed at all, not even by a VPN behind it.
Updates to DNS Protection this month provide more granularity. Can you explain what prevents DNSThingy from being bypassed that Webroot DNS does not provide?
Userlevel 7
Badge +33
Everything is done on the gateway using rules, so absolute control over the traffic is there. DNS Protection essentially allows you to control blocking of various categories, etc.
We need to start thinking of the rule of "Block All, Allow Some" instead of "Allow All First, Then Block as Needed." Because with that, the bad actors have already won.
My understanding is that yes, DNS Protection from Webroot does block by category so that you can filter out social media or adult content, but beyond that they scan for threats and use reputation scores to block sites within your allowed range to further protect your unfiltered browsing.
How would you expect to block all traffic and unblock as needed for an organization with 100+ users that need access to thousands of sites daily? That doesn't seem possible, and I doubt it would go over well with a client.
Userlevel 7
Badge +33
It works very well, as they have deployments with large retailers with thousands of endpoints. It's just a matter of gathering the traffic habits of the networks and setting up the whitelists, and then they also have an auto-whitelist feature, where it blocks initially and then, when requested to unblock, will analyze everything first and only bring down the data needed for the site to work. All the other stuff, such as ads, etc., continues to be blocked. They're more than happy to work with organizations to get everything up and running.
The granularity can be down to a device level. So this is not just limited to PCs/Macs; it protects everything behind it, including TVs and all other smart devices, from "calling home."
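To make the "Block All, Allow Some" egress model discussed in the replies above concrete, here is an added PowerShell example (not code from the thread, Webroot or DNSThingy). It applies the rules the replies describe to constructed outbound-request log lines: a per-device whitelist where only listed domains and their subdomains are allowed, raw-IP destinations are always blocked, names on a threat list are blocked, and anything not whitelisted is blocked and queued for review rather than silently allowed. Device names, domains, the threat list and the log format are all constructed for illustration.

```powershell
# Added example (not from the thread, Webroot or DNSThingy): default-deny egress decisions
# over constructed log lines. Everything below (devices, domains, log format) is made up.

$Allowlist = @{
    # device name -> domains it may reach (subdomains of an allowed domain are allowed too)
    'POS-01'    = @('vendor-pos.example', 'update.example.net')
    'FRONTDESK' = @('mail.example.com', 'office.example.com', 'vendor-pos.example')
}

$ThreatList = @('bad-updates.example.org')   # constructed stand-in for a threat feed

function Test-IsIpLiteral([string]$Name) {
    # A destination given as a bare IPv4/IPv6 address, i.e. no DNS name was involved.
    $ip = $null
    return [System.Net.IPAddress]::TryParse($Name, [ref]$ip)
}

function Test-DomainMatch([string]$Name, [string]$Domain) {
    return ($Name -eq $Domain) -or $Name.EndsWith(".$Domain")
}

function Get-EgressDecision {
    param([string]$Device, [string]$Destination)
    $name = $Destination.TrimEnd('.').ToLowerInvariant()
    $verdict = { param($Decision, $Reason)
        [pscustomobject]@{ Device = $Device; Target = $name; Decision = $Decision; Reason = $Reason } }

    if (Test-IsIpLiteral $name) { return & $verdict 'BLOCK' 'raw IP destination, no DNS name' }
    foreach ($bad in $ThreatList) {
        if (Test-DomainMatch $name $bad) { return & $verdict 'BLOCK' 'on threat list' }
    }
    $allowed = $Allowlist[$Device]
    if ($null -eq $allowed) { return & $verdict 'BLOCK' 'unknown device (not whitelisted)' }
    foreach ($ok in $allowed) {
        if (Test-DomainMatch $name $ok) { return & $verdict 'ALLOW' "whitelisted ($ok)" }
    }
    return & $verdict 'BLOCK' 'not whitelisted; queued for review'
}

# Constructed log lines: "<time> <device> <destination name or IP>"
$sampleLog = @'
2018-04-05T09:01:02Z POS-01 api.vendor-pos.example
2018-04-05T09:01:05Z POS-01 203.0.113.45
2018-04-05T09:02:10Z FRONTDESK mail.example.com
2018-04-05T09:02:11Z FRONTDESK cdn.bad-updates.example.org
2018-04-05T09:03:00Z FRONTDESK some-new-saas.example
2018-04-05T09:03:30Z SMART-TV telemetry.example
'@ -split "`n"

$decisions = foreach ($line in $sampleLog) {
    $fields = $line.Trim() -split '\s+'
    if ($fields.Count -ne 3) { continue }
    Get-EgressDecision -Device $fields[1] -Destination $fields[2]
}

$decisions | Format-Table -AutoSize

# The review queue: what an operator (or an auto-whitelist workflow) looks at before anything is opened up.
$decisions | Where-Object { $_.Reason -like 'not whitelisted*' } | Select-Object Device, Target
```

With the sample lines, the POS device's API call is allowed, its bare-IP request is blocked, the front desk's mail is allowed, the threat-listed CDN and the unknown SaaS are blocked, and the smart TV (no whitelist entry at all) is blocked outright; only the SaaS name lands in the review queue. The same structure is what makes the "100+ users, thousands of sites" objection manageable: the queue, not the user, is where new destinations get examined.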