Skip to main content
Hi all, moving in here from Wilders.

 

[Edited Pending Moderator Review]



Today I opened that computer after a couple of months, I finally had some time to spend with it.

When I left it it was infected with various infections, at least that is what Malwarebytes, Emsisoft etc. tells me.

These infection has been in WSA:s cloud now for months and it still does not detects them?

I might add that no files were monitored, just saw some flash by when the computer came into Windows, but it went so fast I could not see the file name before it disapered.

 

The most worrying thing is when I submit a file on my desktop (a Trojan) to Webroot and I am told the file is bad and was detected almost a year ago.

The question is: why is this file not detected and removed from my desktop if it is already known to be bad by Webroots cloud?

Am I not connected to the "good cloud" with the client or what? ;)

 

Confused.

 

/Esse

 

 
Hi Esse

 

Welcome to the Community Forums.

 

Whilst welcoming you may I also caution you to check out the Community Guidelines as they are quite specific in relation to malware testing or the discussion of it here, and more specifically:

 

"No Private Testing Discussions.

We do not condone private malware testing by end-users.  This is never a good idea, and in some areas it's actually illegal.  The whole point of antivirus software is to not get infected, and unfortunately when somebody sets a bad example, there will always be others who are influenced into following the same path.  It's not something we want to allow to be encouraged."

 

I appreciate that you are not making specific reference to malware but we do not want to get this htread started down towards that potential end.  Please review and amend your post accordingly.

 

Many thanks

 

 

Baldrick
I am sorry to hear that you have this approach, but never mind.

 

Just tell me why a already known bad file does not get detected in scans?

How can I trust WSA to protect me and clients were I have it installed when issues like this occurs?

 

/Esse
Hi Esse.

 

I was also over at Wilders and contribute here (and did there) very occasionally. May I put my word in edgeways? I'm no techie but there are one or two things i've picked up along the way so here they are.

 

As you probably know already, WSA focusses (I am struggling to find the words to express this properly) on malware blocking as opposed to malware detection. What I am trying to say is that WSA doesn't go looking in every nook and cranny of your storage media for a malware file (which would take a very long time, which is why other AVs are slower than WSA). It considers such a course of action to be a waste of time and resources. Rather, it pounces on any malware file that executes and also actively looks for malware files that are in folders that indicate they are likely to execute in the near or even not so near future.

 

You may have a malware file lurking in an email attachment or in an archive folder that will probably never see the light of day. But if it ever does, WSA is onto it like a ton of bricks. Immediately.! And if perchance it hasn't pounced immediately, it will have already tracked every single malevolent action the offending executable did in those milliseconds or minutes prior to detection and will now reverse them: see this.

 

But I'm sure you probably know this already. Nevertheless, hope that helps 😉
@ wrote:

I am sorry to hear that you have this approach, but never mind.

 

Just tell me why a already known bad file does not get detected in scans?

How can I trust WSA to protect me and clients were I have it installed when issues like this occurs?

 

/Esse

My apologies Esse but I do not make the rules (I do not work for Webroot) and I would hate for the thread to be closed or removed for trangressing the 'house' rules such as they are. ;)

 

Muddy7 is absolutely correct in terms of what he has posted and to support this I would also recommend that you take a look at this previous post (in particular the 2nd of the three embedded vidoes) which also helps explain the rather unique way WSA protects.

 

Again, my apologies for a rather brusque introduction to this Community...but we are glad to have you here.

 

Regards

 

 

Baldrick
First, I know how WSA works, I got the license from an employee at Webroot, for testing purposes.

 

I guess that questions like this will never be answered here, I thank you for the time and answers, and are heading over to [Edited Pending Moderator Review] were the forums are open and matters like this can be discussed.

A representative from Webroot should hang out there to inform and get ideas from some very competent members.

 

Goodbye.

 
Hi Esse

 

Sorry to hear that this Community is not for you. :(

 

All I would say is that if you have some specific details of malware tests that you wish to present and/or query with Webroot then this is best done directly rather than here, and can be accomplished by Opening a Support Ticket, which will most probably be passed to one of Webroot's Threat Researchers for review & progressing.

 

There are a number of the Support Team, including Threat Researchers, who frequent the Community but they like us volunteers are not allowed to openly discuss malware testing or anything related to it in open forum.  We can however discuss how WSA behaves in the way it does, wjy it does and how it should, etc., without reference to private malware testing.

 

I urge you to open that support ticket and communicate directly with Webroot in this matter, as they are always pleased to receive such information directly from users. @ , would you agree with me on that approach?

 

And again, sad to hear that the Community can apparently be of no assistance to you.

 

Shouldmyou have any issues with WSA in the future then please consider coming back here for assistance. We will be very glad to see you back.

 

Regards

 

 

 

Baldrick
Hi Esse.

 

I know this question might sound a bit stupid, but did you try executing those malware files that got on your test computer? I’m just following up on my detection versus blockage point (post#4 above).

 

Once again, I’m aware that you know what you’re talking about, but I have found that there are some very competent people on Wilders who participate in the “Prevx forum” threads but who don’t seem to get that WSA’s aim is not always to stop 100% of malware files from getting on your computer; but is certainly to stop 100% of them from executing. I know that may sound shocking at first hearing, but when you approach WSA you have to realise that you are looking at a completely different concept in AV. You have to have a completely different mindset. So no, it does not necessarily surprise me that you could have had malware files somewhere on your test computer for months and that WSA had not detected them.

 

Having said that, I am very aware that your answer may be: ‘Yes, of course I know that, and of course I have tried executing them!’
Hi Muddy7

 

Nice try but I think that we are dealing with a lost cause here.  There are indeed people over at Wilders who know a vast amount about WSA as a result of involvement with Prevx, beta testing versions both from Prevx and WSA...I myself was a Prevx user & tester before moving to doing the same thing once Webroot bought Prevx, etc.  It is also sad that the Prevx forum over at Wilders has closed, which operates under different rulesmto us over here.

 

Having said that there will always be people who want to take the risk of engaging in private malware testing and discussing it...that is their absolute right to do...and good luck to them, in the same way that it is Webroot's right to object to and therefore not tolerate discussion about or based on this practice.

 

Hopefully, Esse will be back and share aspects of his/her knowledge with us as appropriate, as all are welcome...within the rules.

 

Regards

 

 

 

Baldrick

 

 
Yes, very sad.

 

I moved over to Prevx back in 2006 when I got infected by a very nasty rootkit that only Prevx was able to properly clean up. Since then, I've never looked back. And I've been completely virus free ever since 😃.

 

 

 

 

 

 

 

.
You and me both, Muddy, you  and me both...;)
I personally fail to see the problem here.  The OP asked a question in a manner that is not allowed for very good reason, and would not be acceptable in its form at Wilders either.

 

The overall point of the question, how detection works, has been answered.  Thank you Muddy and Baldrick!

 

The OP seems to have failed to realize 1) how to ask questions and discuss in an acceptable manner and 2) read the answer provided regardless of how the question was phrased.

 

That is a shame.... i think the OP can learn a lot here and be a contibuting member, but as a polite request was made to edit the format of the question, including the reason why, has been ignored by the OP and in a bit of an unkind manner, I am going to flag his post for Moderator Review.  (Report)
Thanks for your comments, David...much appreicated...as always. :D

 

Baldrick
Thanks for the good discussion all.  We'll leave this thread up since it will hopefully be instructive to others who do come here wanting to discuss malware testing on this site.  I'm sure there are other good communities out there where they do allow such discussion.

Reply