I love the feature to block programs unless whitelisted. Didn't even know it existed until I dug around a little. You guys should advertise this feature. I love to use whitelisting when dealing with a click-happy user. The only thing I noticed that needs changing is:
1. Allow password protect to block installation of unknown files. Currently any user can choose "Allow" or "Always Allow" with no restrcitions. Blocking users from installing is great for a corperate/business environment to keep employees from downloading crapware.
2. Multiple prompts to block. Once the file is blocked (choose "Block"), if the user tries to click on the file again, there is no prompt anymore. This almost seems as if (to the standard user) that the file is corrupt...etc. They may assume something is wrong with the computer. Please make it where each time the file is opened, the whitelist prompt pops up to warn the user.
3. Don't mark blocked files as threats. I tested some rare DVR remote viewing programs and blocked them. Webroot came back and marked them as W32.Ruleblock.1 threats and asked to run a scan and remove these files. They are not considered threats and should only be blocked (not removed). Other whitlisting programs (Kaspersky:Trusted App Mode/Avast:Hardened Mode) only block, not mark them as threats. I believe blocking (unless deemed as a obvious malware file) should be the only thing Webroot does to unknown (Ruleblocked) files.
I think when implementing correctly, whitelisting (good database from AV side of known files, password protected to keep users from installing...etc) is top notch for protection and would love to see this feature polished more!
1) There is a policy for the Enterprise product that only allows known Good files to run. Its not recommened to use it as it can cause issue, if you think about how many new legitimate files come out every day!
2) The client will pop up with an alert if you try to re-download or run a known infection even if it was already seen on said PC.
3) A manually blocked application wont appear as a threat but will tell you its a manually blocked process. See screenshot below
We have a database of millions of known good files however known good files can be code-injected or modifed so its an ever changing number. You can also password protect the client/make it invisible/stop users from making changes etc in the Enterprise console. There are loads of cool little features built in WSA that can be quite useful. Most are for advanced users and they can cause issues if you dont know what your doing 🙂 So do be careful!
2) The client will pop up with an alert if you try to re-download or run a known infection even if it was already seen on said PC.
3) A manually blocked application wont appear as a threat but will tell you its a manually blocked process. See screenshot below
We have a database of millions of known good files however known good files can be code-injected or modifed so its an ever changing number. You can also password protect the client/make it invisible/stop users from making changes etc in the Enterprise console. There are loads of cool little features built in WSA that can be quite useful. Most are for advanced users and they can cause issues if you dont know what your doing 🙂 So do be careful!
+56Glad you like that feature and thanks for the in-depth feedback. I'm make sure that gets in front of the right people here. We also have an Ideas Exchange section, that allows people to vote on product suggestions, so you could also enter some of those ideas there. That way the dev team can see which ideas have garnered the most support and will be useful to the most people.
Thanks for the quick reply. I am mainly trying to keep users from downloading and installing PUAs. I notice protection from these programs is hit or miss among AV manufactures (ESET seems to be the most strict). Whitlisting has been one way I have been detering installation of most PUA files.
One file example I've used is Utorrent.exe. This file is heavily packed with PUA programs that most AV vendors don't seem to block. Even with whitelisting on, Webroot may still not block the installation of this particular file (because the orignal file is deemed safe, not the wrapped software attached).
90% of the PC repair I perform is on PUA infested systems. I understand that Webroot does block PUAs by default, but I am not sure how expansive the block list is for PUAs in comparison to other vendors. PUAs seem to be (in my line of work...standard PC repair), much larger of a problem than critcal malware.
Maybe I am approaching this the wrong way. Most users I deal with only need to browse the internet, open Word/Excel, use Adobe Reader, check email...etc. When they click on a AD claiming to clean their PC of registry problems...I want them to be protected against the ever changing PUA junk out there.
One file example I've used is Utorrent.exe. This file is heavily packed with PUA programs that most AV vendors don't seem to block. Even with whitelisting on, Webroot may still not block the installation of this particular file (because the orignal file is deemed safe, not the wrapped software attached).
90% of the PC repair I perform is on PUA infested systems. I understand that Webroot does block PUAs by default, but I am not sure how expansive the block list is for PUAs in comparison to other vendors. PUAs seem to be (in my line of work...standard PC repair), much larger of a problem than critcal malware.
Maybe I am approaching this the wrong way. Most users I deal with only need to browse the internet, open Word/Excel, use Adobe Reader, check email...etc. When they click on a AD claiming to clean their PC of registry problems...I want them to be protected against the ever changing PUA junk out there.
Oh dont get me started on PUA`s! We have guidelines on what we can mark as PUA`s so for instance a lot of enterprise enviroments dont want people torrenting but technically its not malicious or illegal so we cant mark them bad because of this. I stopped using uTorrent as its now adware and I did mark some of it adware earlier today.I will have to recheck uTorrent.exe as a whole in the Database on Monday.
With Enterprise clients sometimes you will have manually block certain files, I know one of my friends uses the console as a virtual banhammer and blocks everything. You can use it to block online games for instance by blocking the main executable.
With Enterprise clients sometimes you will have manually block certain files, I know one of my friends uses the console as a virtual banhammer and blocks everything. You can use it to block online games for instance by blocking the main executable.
+56Hi Roy,@ wrote:
Oh don't get me started on PUA`s! We have guidelines on what we can mark as PUA`s
Maybe the guidelines needs to be reworked to be more aggressive by the Powers that be as PUA's are out of control IMHO! And I'm not saying to block them all but most times users don't watch when installing so a notification would be very, very useful the most issues I see on many Security Malware Cleaning forums are PUA's and as you know Roy they are hard to remove at times and it puts more work for the Webroot Threat Team to remove these nasty pest again IMHO.
Daniel
http://i58.tinypic.com/1o2j2a.gif
I agree with triple. PUAs are out of control. I'm not to sure on the idea of a "prompt" though. Limiting the amount of info on the screen for the standard user is vital. Many of my customers have no idea what is 'good' and 'bad'. What's Bitdefender? What's WSA? What's Conduit? They don't know because respectfully they don't read forums or have time to research and keep up with the ever changing trends of software. I believe that is where AV vendors come in to try and control what is good and bad for customers. I know it is tough, but it can be limited. At least create an option for "aggressive detection of PUAs" if anything.
I know one thing. 95% of my clients think PUAs are viruses. I have to constantly explain that the reason why the customer's antivirus didn't detect this crapware is because it is not considered a 'real' peice of malware and they look at me crazy ;P Sometimes I catch myself looking for a vendor who may create a anti-pua program to deal with this problem only because 'some' AV manufacturers are always a little slow to mark PUA more agressively (no pune intended towards WSA...I love the software and know you guys are working your butts off).
I know one thing. 95% of my clients think PUAs are viruses. I have to constantly explain that the reason why the customer's antivirus didn't detect this crapware is because it is not considered a 'real' peice of malware and they look at me crazy ;P Sometimes I catch myself looking for a vendor who may create a anti-pua program to deal with this problem only because 'some' AV manufacturers are always a little slow to mark PUA more agressively (no pune intended towards WSA...I love the software and know you guys are working your butts off).
+56I agree if I want a simple toobar I will go get one but the crapware is in almost all apps these days and people don't watch what there installing. This is 1 good example Java update via the internal updater:
http://i58.tinypic.com/2qintw5.png
TH
http://i58.tinypic.com/2qintw5.png
TH
For informational purposes:
I was testing ESET AV 7 recently and their PUA blocker has the ablitity to filter PUA wrappers (I believe that is what it is called) on good programs so when you install the application, only the good program gets installed and the attached PUAs don't...even if it is checked during the install. Interesting feature...hint...hint... ;)
Here is my post over at ESET if anyone is interested:
(I was inquiring about too many prompts required to block a PUA. PUA detection was very good, but required the user to make too many decisions.)
https://forum.eset.com/topic/1846-auto-decision-on-puas/
Maybe a similiar feature could be implemented into WSA?
I was testing ESET AV 7 recently and their PUA blocker has the ablitity to filter PUA wrappers (I believe that is what it is called) on good programs so when you install the application, only the good program gets installed and the attached PUAs don't...even if it is checked during the install. Interesting feature...hint...hint... ;)
Here is my post over at ESET if anyone is interested:
(I was inquiring about too many prompts required to block a PUA. PUA detection was very good, but required the user to make too many decisions.)
https://forum.eset.com/topic/1846-auto-decision-on-puas/
Maybe a similiar feature could be implemented into WSA?
Hi mar122999
Interesting thread...and approach, but whether this can be implemented or not in WSA is one for the development team. Best way to get this to their attention is to raise a feature request in the Ideas Exchange where other users can review, comment on and support your idea if they like it, and which the Development Team do review periodically/advise on status, etc., and also do pick up idea from(of course). Not saying that they will adopt the idea if raised but that this is the best way for it to get the right attention.
HTH?
Regards
Baldrick
Interesting thread...and approach, but whether this can be implemented or not in WSA is one for the development team. Best way to get this to their attention is to raise a feature request in the Ideas Exchange where other users can review, comment on and support your idea if they like it, and which the Development Team do review periodically/advise on status, etc., and also do pick up idea from(of course). Not saying that they will adopt the idea if raised but that this is the best way for it to get the right attention.
HTH?
Regards
Baldrick
+35- OpenText Employee
Mar122999,
That the search engines are filled with "remove (insert PUA name) virus" results annoys me to now end. It's like the XKCD Virus Venn Diagram
We do tend to target the PUA wrappers - I ususally refer to them as "download managers" since that is often the way they get around T.OS. and Licence issues - they don't actually bundle the legitimate app with their junkware, they simply download it and install it for you along with a bunch of other stuff you didn't want or know you were installing.
TH,
Our guidelines for detecting PUAs are actually fairly aggressive, and were updated not that long ago along with the "Detect PUAs" option to make sure we were able to detect the vast majority of what people consider PUAs. Unfortunately, we cannot detect a piece of software just because we (or others) don't like it. I do have some questions for you regarding what we may not be catching... I'll shoot you a PM.
Education also plays a big part in regards to PUAs. We do receive questions like "why did you block my Firefox installer?" which are inevitably due to doing a search for "download app name" and clicking on the first search result (Ad) which leads to a third party download site that installs PUAs. Our answer is always to direct them to the official download site and suggest only downloading software from the official download sites whenever possible.
-Dan
That the search engines are filled with "remove (insert PUA name) virus" results annoys me to now end. It's like the XKCD Virus Venn Diagram
We do tend to target the PUA wrappers - I ususally refer to them as "download managers" since that is often the way they get around T.OS. and Licence issues - they don't actually bundle the legitimate app with their junkware, they simply download it and install it for you along with a bunch of other stuff you didn't want or know you were installing.
TH,
Our guidelines for detecting PUAs are actually fairly aggressive, and were updated not that long ago along with the "Detect PUAs" option to make sure we were able to detect the vast majority of what people consider PUAs. Unfortunately, we cannot detect a piece of software just because we (or others) don't like it. I do have some questions for you regarding what we may not be catching... I'll shoot you a PM.
Education also plays a big part in regards to PUAs. We do receive questions like "why did you block my Firefox installer?" which are inevitably due to doing a search for "download app name" and clicking on the first search result (Ad) which leads to a third party download site that installs PUAs. Our answer is always to direct them to the official download site and suggest only downloading software from the official download sites whenever possible.
-Dan
Rather than block the app outright (which is kind of the default), it would be nice to just pop up a box warning the user that the defaults will install a PUA.
There's a huge difference between an app with a virus, which you never want to run, and an app with a PUA which you (probably) want to run.
- Frank
There's a huge difference between an app with a virus, which you never want to run, and an app with a PUA which you (probably) want to run.
- Frank
Reply
Login to the community
No account yet? Create an account
Enter your E-mail address. We'll send you an e-mail with instructions to reset your password.