Evaluating SecureAnywhere Antivirus: feedback and some questions

Userlevel 2
Hi everybody.
I am (was?) a long time Kaspersky user and I've always been happy with KAV.
Up until recently, when BSODs with stop code 9F started randomly appearing on two different machines, my production PC and my HTPC, just before entering suspension.
The minidumps pointed to the LAN card drivers, but the two PCs have completely different ethernet adapters and thus completely different drivers, so it seemed a bit strange. Also, those drivers had been in place for months without a hiccup so again it appeared weird they would cause problems simultanously all of a sudden. The only thing they had in common was Kaspersky, so I thought an update from them introduced the BSOD.
To test my diagnosis, I replaced Kaspersky with MS Security Essentials on my HTPC (which has very limited internet access anyway) and activated a SecureAnywhere Antivirus trial on my production machine. The BSODs are so far gone, so I was probably right in my assumption.
Weberoot's software felt immediately very next-gen compared to Kaspersky. Light, fast, well thought out. I've researched the theory behind SA, so I understand why it doesn't shine in tests, at least until they provide a testbed than keeps its characteristics into account.
But this is my production machine, which means that here I write and compile software for my customers.
Kaspersky is heavy but has always proven effective, if a bit too invasive. Now before I commit to WebRoot I need to fully understand its protection model and be sure it fits my needs. As you can imagine, an infection on this machine could propagate to my customers through the software I write and prove disastrous.
So, my questions: as I understand it, with WebRoot signatures aren't all that important because besides allowing or blocking a process it can "suspiciously allow" the process, monitor what it does, and in case it proves malicious revert all the changes it did to the system. Which means you don't have to identify a threat the second it lands on your PC to still protect it.
That on paper sounds wonderful and it's an elegant concept. But. What if a malicious software introduces some changes to the system that make it unusable? Or make it impossible for WebRoot to revert the change? I mean, ok, your software is journaling all the malware is doing, but those changes are still happening. How can you ensure they don't damage the system in a way that reverting all of them is impossible for some reason?
Another thing: on my machine I'm using a software I wrote to manage remote files on my automatic update server. SA correctly put it on "monitor" because of course it can't be on your database. Will it always stay on monitor, potentially creating a neverending journal, or will it be promoted to "allow" when it's run long enough without doing anything dangerous? If so, how long can it take?
I apologize for the wall of text, but I hope you guys understand that for me it's critical to make an informed decision that could impact not only myself but also the companies I supply.

Best answer by explanoit 26 October 2013, 00:35

View original

23 replies

Userlevel 7
Hello weresloth and welcome to the Webroot Community!
While I am not qualified to answer your concerns, I wanted to give you a welcome.  You certainly are no new user and are well versed in security software and in how Webroot works.  Do not apologize for your "wall of words": Excellent post with great questions that I will be monitoring to see the answers!
Userlevel 2
Thanks for your welcome.
An important part of feedback I forgot: in my OP is this: during the first scan SecurityAnywhere Antivirus identified as a threat an uninstall module I thought was legitimate. I used the built-in function to submit the file and then opened a ticket to have it examined.
I have to say that WebRoot's support was blazing fast in whitelisting the program, which now appears as normal in subsequent scans.
Not only the software but also the whole company feels more agile than Kaspersky. To use a metaphor, it's a bit like if WebRoot was a leopard  whereas Kaspersky is a boar. The boar is powerful but slow and clumsy.
If I had to follow my geek heart I'd choose WebRoot right away, and this is also the reason I'm evaluating this and not just opening a ticket with Kaspersky to have the BSODs fixed, which of course I could.
I'm perfectly aware that perfection doesn't exist and no solution (Kaspersky included) can catch 100% of threats, but I have to make sure that if I change my antimalware solution I don't get less protection than before.
So my geek heart will have to wait for a little longer for the answers to my questions, until I'm rationally convinced that, based on what I understand of WebRoot's solution, I'm at least as safe as I was with Kaspersky's.
Userlevel 7
Weresloth, that's a great question.  The "suspiciously allow" action you mentioned is something we refer to as journaling and rollback.  That process is detailed in this YouTube video:


To answer your first question, Webroot has an excellent heuristics system in place to prevent the kind of changes you're referring to.  Cloud-based file determinations are at the core of SecureAnywhere, but it can also intelligently detect a threat based on its actions.  Further, information stealing attacks are protected by the secondary layer of protection that is the Identity Shield.  This shield prohibits keylogging, screen-grabbing, and other types of information pilfering attacks from files that are classified as "unknowns."

Regarding the second question, I gather you're a software developer.  It's possible there could be excessive journaling occurring on your development box because SecureAnywhere could treat those new, unknown files with a higher degree of suspicion.  In such cases, we recommend touching base with our Support department so we can proactively whitelist the files in question where appropriate.  We can do this for you automatically on a regular basis to keep your journal file from becoming unnecessarily large.  The files would eventually be marked as "good" regardless, assuming they are indeed good files, but we would be happy to cut down on the number of "unknowns" on the system for you.
Userlevel 7
Thanks Jim for giving us a deeper insight into WSA journaling feature. ;)
However, have a question ... does it mean that you rule out possible damage of the system files caused by malwares what could end up in the bricked PC?
Userlevel 7
Pegas, if I understand your question properly, I believe you're asking if SecureAnywhere will prevent such damage caused by an unknown threat from occurring. Yes, the heuristics will look for such malicious behaviors and should stop an unknown threat from causing that kind of damage by changing the classification to bad from unknown and triggering a quarantine.

Of course, no antivirus software is ever 100% effective because there are new and evolving threats being created every day. Worst case scenario, Support could take care of anything WSA misses manually if necessary in such infrequent circumstances.
Userlevel 7
Great questions.  Great answers.
Bookmarked.  😃
Userlevel 7
Jim, you understood correctly. Sorry for my brevity, being in the pub for Friday's batch of beers :D

Thanks for the clarification. WSA actualy protect PC from the fatal crash, unbelievable!
Userlevel 2
Jim, thanks for your reply. It's reassuring to know that a class of potentially disruptive actions get blocked even if the whole process is not. Journaling wouldn't be very useful if I can't execute a script provided by your support because the malware has registered some low-level file system driver that causes my system to BSOD every time it boots. That's the kind of situation where it's impossible to easily reverse the actions even though you know them.
About the video you posted, I had watched it already and found it really interesting. The concept behind SecureAnywhere is indeed clever and innovative.
I have a question about the situation portrayed in that video. In there, being a demo, at a certain point the unknown keylogger is blocked by the operator to show that all the changes it made to the system are reversed thanks to the process being monitored and the journaling thereof.
In a real life situation of course the user would be unaware and thus wouldn't block the process manually. How would things work in that case? Would SA eventually turn the monitoring status to block automatically based on the process behavior and then signal the cloud so other enpoints would recognize the threat immediately from then on? Or would the suspicios behaviors trigger an upload of the file in background so that your support can analyze and blacklist it manually? Or do you wait for a customer to ask himself why that process is being monitored and open a ticket? How much would it take for that exact keylogger to be identified as a threat?
I'm trying to understand if SA has some basic characteristics of a swarm intelligence and as a collective system can "learn" and thus become more effective with time.
Userlevel 7
@ wrote:
Would SA eventually turn the monitoring status to block automatically based on the process behavior and then signal the cloud so other enpoints would recognize the threat immediately from then on? Or would the suspicios behaviors trigger an upload of the file in background so that your support can analyze and blacklist it manually? Or do you wait for a customer to ask himself why that process is being monitored and open a ticket? How much would it take for that exact keylogger to be identified as a threat? 
I'm trying to understand if SA has some basic characteristics of a swarm intelligence and as a collective system can "learn" and thus become more effective with time.
Basically, SecureAnywhere sees the unknown on your system.  It then talks to the cloud about it.  The cloud comes back with a response in real time, based on the information it has about that file.  There are two kinds of heuristics - agent heuristics and cloud heuristics.  Agent heuristics look at what the file is doing on that particular system, and cloud heuristics look at what a file is doing across the entire userbase.  If we have data on what that same file has been doing on all of the other computers in our intelligence network, the cloud heuristics are far better off for it and we can make rules in the cloud to identify and blacklist malware based on what the cloud is seeing about a given file.  Those rules can be based on file behaviors, among many other file traits. Malware fitting any of the descriptions in the rules is blacklisted in the cloud.  This categorization is then communicated down to your installation of SecureAnywhere. 
It's certainly possible that a customer could observe that a file is being monitored and inquire about why.  In such cases, Support will look through the logs to determine what the file in question has been doing and work to classify the file for you.  That ties into what I was mentioning before about how you could possibly have more unknowns than usual on a dev system since it's bound to have new executable files we've never seen before.  Malware is typically classified quicker than unknowns that turn out to be good, because malware is more likely to fit the blacklisting descriptions.  I believe the exact keylogger in use in the video is a test file used for the purpose of demoing the Identity Shield and has thus been flagged as unknown intentionally.  So that "exact" keylogger is not likely to be flagged as malware since it's a test file used to show off what happens when we "miss" one.  Keyloggers are typically dealt with very quickly though, to answer the question.
Regarding collective intelligence, yes, the way the rules and heuristics work to flag files is intelligent and involves back-end analysis of all of the data sent up from the individual agents.  If we, for instance, observe a particular MD5-hash of a file that's been seen on some particular number of systems and appears to perform potentially malicious actions X, Y,  and Z, we can categorize that hash and blacklist the file from executing on any system using SecureAnywhere.  Also, any time we realize there is a bad rule, we pull it.  So yes, the Webroot Intelligence Network classification system is ever-evolving and corrective.
Userlevel 7
That's info on WSA. Thanks Jim. Learned a lot.:)
Userlevel 2
OK, I'm sold, heading to your web store.
Jim, thank you very much for taking the time to address my questions. You helped me understand WSA better and make an informed decision.
Also I have to say that besides the product concept that I like a lot, I've been positively impressed both by the community I found on the forums and the efficiency of your support service. Together they gave me the impression I'm subscribing to a virus protection service of which the software is just a part, albeit important, rather than just buying a product.
Out of curiosity, have you ever found a malicious software that was able to stealth from WSA's journaling feature?
Userlevel 7
Glad you found the information you wanted... now stick around with us here and join the fun!  :D
Userlevel 7
Badge +56
Hello weresloth and Welcome to the Webroot Community Forums.
You made a wise choice and we are friendly creatures here so if you have any issues we are here to help.  ;)
Userlevel 7
You couldn't make a better choice weresloth, welcome on the board! :D
I want to emphasise and do thanks for Jim's replies which should be elevated to a KB article or a sticky thread.
Userlevel 7
You're welcome weresloth. :)
Stick around! There is always more to learn!
Userlevel 2
As an added feedback:
I've purchased a three devices license, so now both my wife's PC and my HTPC have WSA as well as my own machine.
The BSODs are completely gone. All the machines suspend without any issues again.
Also, sometimes my wife's PC would hang at the very last phase of the PC's shutdown, just before switching off the hardware. That behavior is now gone as well.
It appears all these problems were caused by Kaspersky.
Another note: while my development machine has a 32GB of RAM and a i7 processor, my HTPC's hardware is much less powerful. In that specific application, WSA's tiny memory footprint and computational lightness are a boon and the general gain in performances compared to Kaspersky is very noticeable.
Userlevel 7
Thanks weresloth for the positive feedback. We're glad you're satisfied with your move to WSA. :D
Userlevel 7
Badge +6
WSA > click the gear next to PC Security > Custom Scan > Full
Yeah, the gear thing isn't super intuitive, there should be a button for Additional Options when you expand the section.
Userlevel 7
Hello LumpyMeatLoaf. Welcome to the Community where everyday is a new learning experience.:)
I just had Webroot put on my computor, and am really disapointed and angery about it. Webroot makes my facebook web pages slow down, freeze and makes me unable to use them!!! I got Webroot as I was told that it was good on facebook, where I have two very important non profits (my church's page,) and a dozen other non profit pages.
     I will be going back to using Norton as soon as I'm able. I'm also telling everyone not to use webroot! Sorry, your a looser!
Userlevel 7
Badge +56
Hello cdraeger and Welcome to the Webroot Community Forums.
I'm sorry your seeing issues with WSA I would suggest you Submit a Support Ticket as the support team can get some logs from you it could be a simple thing as getting some unknown files whitelisted please don't give up on a great product like WSA until you give support a chance to help and get it sorted for you!
Userlevel 7
I would follow TripleHelix's suggestion. I have used Webroot for almost 2 years now, and I tend to be a vey heavy Facebook user. I have not had any problems with slow downs so there may be an issue that Support can help resolve for you.
Userlevel 7
Hello cdraeger. Welcome to the Community.

A problem has to be solved. Leaving it won't do any good. Please follow TripleHelix's instruction and let Webroot Support solve it for you. They'll sort it out in no time. Don't give up on a product on the first problem you face with it. Facebook loads fine here on my pc. A problem particular to your system configuration. So let's solve it. Simple as that.:)