Solved

How did WSA know? A modern day mystery.


explanoit
Silver VIP
So I got a fake FedEx email with a link to a virus file. I downloaded it to a test machine and right-clicked > Scan. It did not flag it as bad.
 
I then submitted the file via the Webroot SecureAnywhere built-in reporting tool and to VirusTotal. A few minutes later, WSA automatically removed the offending file from the computer.
 
Can someone at Webroot tell me what triggered the WSA cloud to finally change its determination on this file?
https://www.virustotal.com/file/1fccbab2964e9f0afa46efacfabcd92fb7d655a59d8a33285ca98d00632b50e6/analysis/1359566849/
 
Did it get detected by
  • A live feed from VirusTotal since it was detected by 5 other AV engines
  • Get flagged locally since I submitted it as an infection
  • Get flagged in the cloud automatically since I submitted it as an infection and it was already suspicious
  • Reviewed by a human since I submitted it and they flagged it as an infection
  • The cloud figured it out itself presumably since it was mass-spammed to other customers?
Regards,
explanoit


17 replies

DanP
  • OpenText Employee
  • 514 replies
  • Answer
  • January 30, 2013
Hello explanoit,
That file was determined by a cloud-based rule.
 
Thanks,
 
-Dan
 

  • OpenText Employee
  • 9 replies
  • January 30, 2013
Hi explanoit,
 
As Dan mentioned, the file was determined by a rule on our cloud. This occurs immediately in most cases, but sometimes it may take a few minutes before a new sample we have not seen before is processed in the cloud and flagged as malicious by one of our rules. This will only occur the first time a new sample is seen. Since its initial detection, the file in question was seen on 13 additional computers and was immediately detected and removed on each one.
 
I hope this helps!
 
-Brenden

RetiredTripleHelix
Gold VIP
Hello Brenden, nice to meet you, and great explanation of how the cloud is extremely effective, and then all other users are automatically protected from this threat! ;)
 
Cheers,
 
Daniel !

  • OpenText Employee
  • 9 replies
  • January 30, 2013
Thanks Daniel! It's nice to meet you as well. I am glad I was able to help!

-Brenden

explanoit
Silver VIP
  • Author
  • Silver VIP
  • 580 replies
  • January 31, 2013
Webroot support is so cool. Thanks Dan and Brenden. It's awesome that you're here to answer even back-end questions like this! Kudos all around!

explanoit
Silver VIP
  • Author
  • Silver VIP
  • 580 replies
  • January 31, 2013
Could you expand on the "rule" term you use?
I assume this is Webroot terminology for certain file metrics and behaviours that were set off by this file?

shorTcircuiT
Gold VIP
  • Gold VIP
  • 7721 replies
  • January 31, 2013
All I can say about this is... I am very impressed. I know the theory behind the cloud protection, but this is an awesome case example of how rapidly ALL users are protected once a new threat has been found.
 
 

explanoit
Silver VIP
  • Author
  • Silver VIP
  • 580 replies
  • January 31, 2013
Agreed, the modern threat landscape requires some minimum of cloud functionality for cases just like this.
Not to say that all security products need this, but at least one product on your machine should have the ability to work with other computers to share intelligence.
 
Looking back now, the progression to the cloud approach seems so obvious. But this used to be absolutely radical stuff. From what I've gathered talking to Webroot employees directly, the interface they get access to is absolutely incredible and allows tracking everything about threats across the world. I'm quite envious.
 
One concern that I do have is that antivirus companies like Webroot not become too reliant on automatic threat categorization. I know there are plenty of people in their threat research, but Webroot marketing seems to focus too much on their technology instead of their people sometimes. Too many slick graphics and stock photos instead of real people and real buildings.
 
The story of Prevx was that of a Few Good Men/Women changing the world. I miss that sometimes. Perhaps I'm too romantic over computer security technology.

RetiredTripleHelix
Gold VIP
I've been used to that for years, since using Prevx since 2004. I'm so glad Webroot is carrying on the cloud technology and building upon it so much more, even though I had SpySweeper for 5 years during that time. :D
 
TH

  • OpenText Employee
  • 9 replies
  • January 31, 2013
Hello again everyone,
 
To answer explanoit's earlier question: a 'rule' is a set of criteria by which a file determination is made in our cloud. This can include any number of file characteristics, including behavioral data gathered from the endpoints and file signatures similar to those used in traditional AV solutions. Usually a rule will include multiple data points that, when used together, allow us to determine if a file is malicious with a high degree of certainty.
 
Webroot Threat Researchers are hard at work producing many thousands of such rules every week to target malware seen on our customers' PCs.

Thanks,
-Brenden
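Brenden's two posts above describe a determination as a 'rule' made of several data points that must hold together, and note that only the first sighting of a new sample waits for rule processing while later sightings are decided immediately. The following is an added illustration of that shape, not Webroot's code or rule format: a small rule evaluator over a constructed endpoint report, with a per-hash verdict cache standing in for the cloud's memory of earlier determinations. The `FileReport` fields, the `unsigned-mailed-dropper` rule, its thresholds and the placeholder hashes are all assumptions made up for the example.

```python
from dataclasses import dataclass
from typing import Callable, Dict, FrozenSet, List, Tuple


@dataclass(frozen=True)
class FileReport:
    """One endpoint's observations about a file (fields constructed for this example)."""
    sha256: str
    signed: bool               # carries a valid code-signing signature
    origin: str                # where the file came from, e.g. "email_attachment"
    entropy: float             # 0..8; packed or encrypted payloads sit near 8
    behaviors: FrozenSet[str]  # runtime behaviors reported by the endpoint


@dataclass(frozen=True)
class Rule:
    """A rule: several criteria that must hold together before a file is called bad."""
    name: str
    criteria: Tuple[Tuple[str, Callable[[FileReport], bool]], ...]
    min_matches: int  # how many of the criteria must hold at once

    def evaluate(self, report: FileReport) -> Tuple[bool, List[str]]:
        hits = [desc for desc, pred in self.criteria if pred(report)]
        return len(hits) >= self.min_matches, hits


class CloudDeterminations:
    """Caches a verdict per hash so repeat sightings are decided without re-running rules."""

    def __init__(self, rules: List[Rule]) -> None:
        self.rules = rules
        self.verdicts: Dict[str, Tuple[str, str]] = {}

    def determine(self, report: FileReport) -> Tuple[str, str, str]:
        """Return (verdict, reason, how); how is "cached" or "evaluated"."""
        if report.sha256 in self.verdicts:
            verdict, reason = self.verdicts[report.sha256]
            return verdict, reason, "cached"
        for rule in self.rules:
            matched, hits = rule.evaluate(report)
            if matched:
                result = ("bad", f"{rule.name}: " + ", ".join(hits))
                self.verdicts[report.sha256] = result  # later sightings skip the rules
                return result + ("evaluated",)
        # No rule fired: the file stays unknown and is not cached, so a later
        # sighting that brings more behavioral data gets a fresh evaluation.
        return "unknown", "no rule matched", "evaluated"


# Constructed rule: no single criterion is damning on its own (plenty of legitimate
# installers are unsigned or packed), but three of the four together are.
MAILED_DROPPER = Rule(
    name="unsigned-mailed-dropper",
    criteria=(
        ("unsigned", lambda r: not r.signed),
        ("arrived as email attachment", lambda r: r.origin == "email_attachment"),
        ("high entropy (packed)", lambda r: r.entropy > 7.2),
        ("persists and beacons",
         lambda r: {"writes_run_key", "outbound_connect"} <= r.behaviors),
    ),
    min_matches=3,
)

# Constructed samples; the hashes are placeholders, not real file hashes.
FAKE_FEDEX_SAMPLE = FileReport(
    sha256="<placeholder-hash-malicious>",
    signed=False, origin="email_attachment", entropy=7.6,
    behaviors=frozenset({"writes_run_key", "outbound_connect"}),
)
UNSIGNED_INSTALLER = FileReport(
    sha256="<placeholder-hash-benign>",
    signed=False, origin="browser_download", entropy=7.4,
    behaviors=frozenset({"writes_program_files"}),
)


def demo() -> List[Tuple[str, str, str]]:
    cloud = CloudDeterminations([MAILED_DROPPER])
    first = cloud.determine(FAKE_FEDEX_SAMPLE)    # first sighting: rules are run
    second = cloud.determine(FAKE_FEDEX_SAMPLE)   # same hash elsewhere: cached verdict
    benign = cloud.determine(UNSIGNED_INSTALLER)  # only two criteria hold: no determination
    return [first, second, benign]


if __name__ == "__main__":
    for verdict in demo():
        print(verdict)
```

The benign installer trips two of the four criteria and stays "unknown", which is the point of requiring several data points together; the mailed sample trips all four, and its second sighting is answered from the cache without re-evaluation, mirroring the delay-then-instant pattern Brenden describes.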

explanoit
Silver VIP
  • Author
  • Silver VIP
  • 580 replies
  • January 31, 2013
Thanks! How did you get into threat research as a career Brenden?

  • OpenText Employee
  • 9 replies
  • January 31, 2013
Glad to help!
 
I've been very into computers my entire life, starting as a kid on my 386 and DOS. I've been interested in computer security ever since it first started becoming a serious issue with the rise of the internet. I had a lot of personal experience in the field acting as tech support for my entire family and their businesses.
 
My career at Webroot started on the support side with manual malware removals for customers and then eventually I was promoted to Threat Research. It's been a long road with many changes along the way, but I've had the benefit of learning from some exceptionally talented people here. Webroot has been very good to me and I've learned a ton over the years.
 
-Brenden

pegas
Gold VIP
  • Gold VIP
  • 1445 replies
  • January 31, 2013
Hello Brenden and many thanks for your valuable comments in this thread. You gave us a chance to look under the hood a bit 😃

ProTruckDriver
Moderator
Hello Brenden, Welcome to the Webroot Community Forum. :D
__________________________________________________
@ wrote:
You gave us a chance to look under the hood a bit :D
Exactly. Webroot Employees, the people that know what's happening under the hood work with the members on the forum to explain and work problems out. Not many forums like this one. Excellent work Webroot! 😉

  • OpenText Employee
  • 9 replies
  • January 31, 2013
Thanks everyone! It is good to meet you all.
 
I'm happy to help however I can.
 
-Brenden

cohbraz
Community Leader
  • Community Leader
  • 868 replies
  • February 1, 2013
I got my start on a TRS-80 Color Computer 2.

How things have changed!

explanoit
Silver VIP
  • Author
  • Silver VIP
  • 580 replies
  • February 3, 2013
