Webroot® SecureAnywhere™ - Antivirus doesn't find all viruses.

  • 16 January 2019

I run a sideline pc tech business out of my house. Most of my customers usually have some virus or another. 9 times out of 10 they take my recommendation to install your antivirus software but it doesn't find all viruses. I have to use adwcleaner, malwarebytes, and mbar (made by malwarebytes) and on some occasions tdsskiller by Kaspersky.

I almost always have to run four programs to clean their pc's.

Can someone explain to me why webroot can't find all these viruses?



TIA

Dave


We would need more information. If you believe that Webroot missed an infection, please contact support.


-Dan
Hello,

Since no third party ever certified the performance of Webroot as an antivirus, it is logical to believe that, indeed, it misses A LOT of malwares.

Otherwise, the company would be proud to display the software performance against the well known antiviruses on the market.


No AV/IS/AM will catch 100% of the nasties 100% of the time...yes, there are some that do in 'the tests' but when compared to what is out there the test samples are relatively small.

Not going to go into a polemic on 'the tests'...it has been done to death and will continue to be...as like AV/IS/AM software no test is 100% either.

In fact WRSA does not "misses A LOT of malwares"...and there are tests that show that...but is it any better than the other key players in the market space...that is a moot point.

Plus one has to factor in the way WRSA is designed to work. To quote the latest review by Neil J. Rubenking, of PCMag:

"For the past few years, Webroot has done very well in my own hands-on malware protection tests, though it handles them differently from most other products. When I downloaded my folder of samples from Dropbox and opened it, Webroot didn't react immediately, the way many products do. However, the first sample I launched triggered a kind of chain reaction."

The full review can be read HERE.

And in addition, you may also be interested in THIS previous thread on the topic.

Personally, I think that one should be informed before making statements that are questionable in some people's minds.

But that is just my opinion...of course.

Regards, Baldrick
Okay, I'm back. Funny, I only got two emails that someone had replied to my initial post. A lot of discussion since.

A little background: I started working on PC's before Windows ever existed. Okay, I'm old. lol. After a long IT career, I started my home pc repair business as a sideline to help folks with their home PCs. I've been doing this for 10 years now. So in 35 years, I have seen a ton of computers over the years and every antivirus program that ever existed.

I also do not expect Webroot to be the end all antivirus program that catches everything. In fact, I have also purchased Malwarebytes and between these two programs, I rarely pick up something.

I was just curious as to why I see so many of my customers' PCs that I had previously installed Webroot on come back with obvious infections. I'll run Webroot in Safe Mode and it finds nothing. A quick run of Adwcleaner more often than not uncovers viral infections. I then use Malwarebytes, Mbar, and Tdsskiller to root out the rest. Some of the common infections are Conduit and DriverSupport but there are many more, I just don't jot down their names every time. I am going to start gathering that info from now on and posting in their service tickets for documentation.

Most of my customers are senior citizens but not all. I invariably get the question "I have Webroot, how come I'm infected?" I do explain no one program catches all and try and give them safe computing suggestions.

Regards
Dave

💾 And yes I used to boot off of 8 1/2" floppies!
Personally, I've seen a virus caught on a system that the file was originally created over a year earlier. Why did it take Webroot that long to find it? Based on the records at the time, their database knew about the virus before the file was created. Webroot had been installed on the PC since before the file was created on the system.
Maybe because Webroot concentrates on viruses that are likely to run rather than viruses that are in zip files, email attachments or in remote folders on the disk that are unlikely ever to run? Webroot, as I understand it, is more a behaviour blocker (instantly zap anything that runs or is likely to run) than a malware finder (look in all the remotest nooks and crannies of your disk).

I've seen similar kind of behaviour from Prevx & Webroot. The important thing is that (to the best of my knowledge) I've never been infected since using Prevx/Webroot.
I looked up the exact stats on the virus to see if it fit your description. It was an exe file, not a zip file. It wasn't an email attachment, it was a download via Firefox. It wasn't in a remote folder, unless you consider the My Documents folder remote. The user downloaded the exe and ran the file to install the program. Webroot didn't catch the download or the installation. This was on 12/24/2014, the exe then "dwelled" in the My Documents folder for 202 days until Webroot finally found it on 7/14/2015. I'll admit, I misremembered the amount of time it was on the system. However, that's still a ridiculous catch time frame.
Well, without knowing more details of the incident, and also not being that IT-"fluent", I can't really say more.

Daniel (Triple Helix) has posted with his request, and that may be a more fruitful avenue to follow. Also, if the client has not reinstalled Webroot since then (or removed it), it would be extremely interesting to get in touch with Webroot Support as they could give a better diagnosis of what happened with the logs.

Also the key question: was the client infected with this malware? Not clear as you say on the one hand "The user downloaded the exe and ran the file to install the program. Webroot didn't catch the download or the installation" and then on the other "the exe then "dwelled" in the My Documents folder for 202 days until Webroot finally found it on 7/14/2015." (Installed? .exe still in My Documents folder? Not quite following you. Maybe it's because I'm not very fluent in IT?) If it was a momentary installation, did Webroot monitor and journal it as an Unknown exe. and then monitoring ceased because it was no longer executed/was uninstalled. So many questions... The first, as Daniel says is the MD5 Hash question. After that, maybe analysis by Webroot Support to better help us all understand what happened?

I think I'll pass this over to Daniel and let him handle it (maybe @Baldrick also?). They're more IT fluent than me.


In my own case WRSA has, on a number of occasions in the past, 'saved my bacon', since I started using it. I cannot say the same for a couple of the other solutions I used prior to that.

Ditto for me.
...Your own experience with WSA cannot substitute professional third party testings.

Imagine going to University, and instead of participating in the admission exam, you will come with a friend to testify that you are a good guy and you never created problems to anyone 😀....


With respect...yes, real life experience (good & bad) can if the 'professional third party testings' do not make sure that the 'tests' are fair and representative (and your analogy leaves much to be desired, by the way).

That would be akin to emissions testing a diesel engine car using ALL of the parameters & tests applied to petrol engine cars...clearly that is not the case...whilst there are many tests that can be applied to both the fact that the technologies/the way the different engine types work are not identical is taken into consideration when setting up & undertaking the engine tests.

As has been clearly stated in the articles linked to (and indeed acknowledged by some of the so called 'professional third party testings') the tests do not cater for the rather unique way that WRSA works compared to the run of the mill rest of the field.

Having said that I know that Webroot is working with some of the testing organisations to get the 'playing field' levelled...hopefully soon.

Baldrick


the tests do not cater for the rather unique way that WRSA works compared to the run of the mill rest of the field.


Baldrick
So what about what I mentioned above????

"The "journaling" approach, while seems "advanced" has major flaws, and has not been embraced by other major players on the market (only few anti-ransomware software employ this)

  • the computer is not boot-able after a malware attack, so the user cannot start it. Webroot cannot restore files from journaling if the computer is not bootable
  • The malware (ex: NotPetya) destroyed MBR, so again PC is not bootable
  • the user has no internet connection (example a flight Amsterdam-Australia) for extended number of hours and is inserting an infected USB drive. Webroot has a minimal signature database stored locally, so cannot journal for 16 hours or handle this situation"
On top of that I can add the situation when a malware is stealing personal info (bank accounts, login info), while Webroot is "journaling"

After 1 hour of analyzing, restoring the files modified will not do anything, as the info is already stolen.


What you are missing here locomotive is a very salient point...when an object cannot be determined as good or bad, so that specific action can be taken, WRSA will start monitoring that object journaling its actions but ALSO severely restricting the actions it can perform...and one of those is communication to the outside world...therefore whilst you certainly can "add the situation when a malware is stealing personal info (bank accounts, login info), while Webroot is "journaling"" you would be completely wrong as the 'addition' is irrelevant/cannot happen.

One should really do some more focussed research rather than just spouting the same old diatribe that has been seen/heard before...it is like a broken or scratched record.

Some points have been raised...they have been responded to appropriately as it happens...and there is an end to it. We have to beg to differ, and go our separate ways on this.

Wishing you ease of being...elsewhere.

Baldrick


Neither one; he simply tries to advertise WSA as the best thing since sliced bread...


I probably came on a bit too strong. It's just that I've been around for a while now and I know a bit about this subject. I know we tend to look for the so-called best AV program but truth be told - there is no best in anything (cars, shavers, computers, software programs). Anything we make is imperfect and with AV software there is no 100% guarantee of anything. There are always holes and always the need to patch and re-patch. I use WSA but I'm not under the delusion that it is necessarily "the" best program bar none. I use it mainly because of its low impact on system resources and its ability to scan quickly. I have a certain amount of confidence in its ability to prevent and/or root out malware but I don't ascribe anything more to it in that regard than any of the top contenders identified by AV-Test or AV-Comparatives or Virus Bulletin. The price is right... the program is light... and I'm fine with it (for now). My wife uses nothing but Windows Defender and before that Security Essentials with no problems whatsoever. I'm not here to play up to Webroot staff. I will say that the ones I've communicated with are very friendly and knowledgeable and I'm glad to be here. But I don't view the product through rose-tinted glasses. It's a program subject to errors and hopefully patched quickly. So far I'm not impressed with the inability to mend the Password feature.
Thanks for coming back, @davetully.

Great to get more information from you!

Essentially, I had two questions I wished to ask you:
  1. How many of the malware that you encountered were PUPs?
  2. Of those that were not PUPs, how many of them were pre-existing on the machines prior to Webroot SecureAnywhere installation?
------------------------------------------------------------------------------------------------------------
DIGRESSION:
Here are the reasons for my asking these two questions.

Re Point #1:
Webroot has traditionally taken the approach that it does not block all PUPs (see @bjm_'s link) because:
(i) it does not consider them in the true sense to be malware but rather just bl**dy nuisances
(ii) it was the decision of the user to voluntarily install these toolbars etc. For example, I had a student (not using Webroot, I should hasten to add) who had installed Babel and/or some kind of toolbar which were some kind of PUP and I told him that I thought they were not good, but in the final count that was his decision (he decided to keep them, but at a later date I found, probably because of the advice of his IT man, that they were no longer present on his device)
(iii) quite a few AV companies are loath to remove PUPs because there have been some nasty legal suits that have been introduced by these companies that can prove prohibitively expensive to contest with the added risk that one might lose.

I believe Webroot has been improving in this area in the last few years and there is also now the option in Advanced Settings > Scan Settings to check "Detect Potentially Unwanted Applications" (i.e. PUPs)

Re Point #2:
Webroot's great strength is as a behaviour and malware blocker. It may not be the best AV (though it's certainly far from bad—as far as I know!) at cleaning existing infections.

I notice that you mention two culprits that you have come across on your customers' computers: Conduit and Driver Support. I'm not that au fait in IT matters so I needed to google these critters. It appears that Conduit is a toolbar and Driver Support a driver search and update software. Both therefore seem to me to come under the category of Potentially Unwanted Applications.

We in the Webroot Community have been pushing Webroot to take a more pro-active stance in blocking PUA/PUPs. Personally, I agree with Webroot that they are not strictly malware but would prefer Webroot to detect and, at least invite the remover to take the option, to remove them.
END OF DIGRESSION
------------------------------------------------------------------------------------------------------------

Anyway, I am curious to hear your reply to my two questions.

Again, thanks for coming back!


Personally, I've seen a virus caught on a system that the file was originally created over a year earlier. Why did it take Webroot that long to find it? Based on the records at the time, their database knew about the virus before the file was created. Webroot had been installed on the PC since before the file was created on the system.

Maybe because Webroot concentrates on viruses that are likely to run rather than viruses that are in zip files, email attachments or in remote folders on the disk that are unlikely ever to run? Webroot, as I understand it, is more a behaviour blocker (instantly zap anything that runs or is likely to run) than a malware finder (look in all the remotest nooks and crannies of your disk).

I've seen similar kind of behaviour from Prevx & Webroot. The important thing is that (to the best of my knowledge) I've never been infected since using Prevx/Webroot.
I looked up the exact stats on the virus to see if it fit your description. It was an exe file, not a zip file. It wasn't an email attachment, it was a download via Firefox. It wasn't in a remote folder, unless you consider the My Documents folder remote. The user downloaded the exe and ran the file to install the program. Webroot didn't catch the download or the installation. This was on 12/24/2014, the exe then "dwelled" in the My Documents folder for 202 days until Webroot finally found it on 7/14/2015. I'll admit, I misremembered the amount of time it was on the system. However, that's still a ridiculous catch time frame.

Do you have the MD5 Hash so I can check it?
I think I'll pass this over to Daniel and let him handle it (maybe @Baldrick also?). They're more IT fluent than me.
But I'm certainly interested in what transpires if you do decide to follow this through.
Thanks, @NicCrockett, for going to the trouble of explaining all that ☺️

Not good that Support was not able to come up with a clear explanation of what happened and why 😐

Maybe this case history is still in their archives and maybe if so, @TripleHelix, you might have an ability to pull some strings so we can have some more info on this. Or @LLiddell?? Or @freydrew??

EDIT: Btw I understand that the .exe (installer?) file remained dormant in the My Documents folder for 202 days but, far more important, what happened with the app that the user had installed onto his system from that .exe and was presumably using?
That is where we have to agree to disagree.

A. PCMag is far from insignificant in the market (at I would say it is not about the magazine but rather the reviewer...and in this case he is extremely well regarded in the milieu). Beg to differ. Likewise the view can and is taken that some of the 'testing organisations' are dubious to say the least. Again, do not wish to start a polemic on this as it has been oft done.

B. The article that I linked to explains as to why this whole area is an issue re. WRSA. So to quote from that PCMag article:

"As noted, Webroot handles new, unknown programs by letting them run under strict monitoring.

It prohibits irreversible actions like sending personal data to the internet, and keeps a journal of reversible actions, all while awaiting a verdict from Webroot's cloud analysis system. If the program under judgment proves to be nasty, Webroot wipes it out and reverses all its changes.

This system just isn't compatible with many independent lab tests. Labs like AV-Test Institute and AV-Comparatives expect antivirus programs to act right away on malware they recognize, whether detection occurs using signatures, heuristics, or behavioral analysis. Webroot's relationship with the labs has been rocky, but two of the four that I follow have recently included Webroot in their testing, with decent results."

If you read on from that point in the article you will find further explanation...assuming that you are minded to read it.

I am not saying that all this proves a point but rather helps to inform on the original point...which is backed up by the experience of the vast majority of Community members who have expressed themselves. In my own case WRSA has, on a number of occasions in the past, 'saved my bacon', since I started using it. I cannot say the same for a couple of the other solutions I used prior to that.

But as ever, only my experience of WRSA.

Regards, Baldrick
I'm not suggesting you (or anyone) not share their experience. I was simply asking the question: how does one become regularly infected? In the 22 years I've been online I've only had one virus and that was during my second year as a newbie still not aware of things. Common sense precautions, an updated system and pretty much any of the top ten AV programs will prevent infections for most users. WSA is not unique in doing this... they all do. What WSA has to offer is low impact and fast scanning. Beyond that it's pretty much the same as most other programs in terms of its effectiveness (i.e. Avast, Avira, AVG, Norton, McAfee, F-Secure, Sophos, Kaspersky, Bitdefender and so forth). And I've used them all over the years and without exception, they all worked just fine with one caveat: some of them had a greater impact on my system using its resources and slowing things down.
Quote" Essentially, I had two questions I wished to ask you:
  1. How many of the malware that you encountered were PUPs?
  2. Of those that were not PUPs, how many of them were pre-existing on the machines prior to Webroot SecureAnywhere installation?"
Unquote

#1
Again, I rarely keep records on what was found/detected (but will as of today) so I have no idea on how many were PUPs.

#2
New customers typically are infected either due to no protection at all or by using ineffective software. Since I've been doing this for a while in our area it's pretty rare I get a new customer so I deal with mostly past customers who have Webroot installed and reinfected. At times the customer forgot to empty their Quarantine for months so reeducation on promptly clearing is done.

Speaking of which, it sure would be nice if Webroot would put a button on the main menu to access the Q without burying it under hotspot next to PC Security.
Personally, I've seen a virus caught on a system that the file was originally created over a year earlier. Why did it take Webroot that long to find it? Based on the records at the time, their database knew about the virus before the file was created. Webroot had been installed on the PC since before the file was created on the system. So, I understand why @davetully is asking these questions and wonder myself why they are seeing such poor results.
I don't want to take over @davetully's thread. I was only pointing out an example of an extreme failure with Webroot's software finding threats accurately and timely. However, I will answer your questions for clarification, but this thread doesn't need to become about an old virus that we got.

@locomotive, I'm aware of how Webroot works and why it runs scans fast. However, it should catch something when it is downloaded and runs. As I pointed out, it did neither. Thus, what is the point of owning an AV software if it does nothing but scan a few places quickly once a day. I realize that is simplifying what Webroot does, but it gets across a point that the software is no good if it doesn't perform the task it is meant to do.

As for your question @TripleHelix. This happened a few years ago and I no longer have the MD5 hash. I was able to pull the dates from the All Threats Seen report. However, the MD5 hash was cut off in the report. At the time it found the virus, I did open a support case. However, support was never able to give me a logical explanation as to why it wasn't found 202 days earlier.

To explain your questions of clarifying what I was saying @Muddy7, I'll try again.
  1. The user downloaded a .exe file to their My Documents folder that Webroot should have caught as a virus.
  2. Since Webroot didn't quarantine the file, the user installed the program.
  3. Points 1 and 2 happened on 12/24/2014.
  4. On 7/14/2015, 202 days later, Webroot found the .exe file on a regular daily scan in the user's My Documents folder and quarantined it as a virus. In Webroot they call the 202 days, dwell time on a system. In other words, how long the file was on the system.
So, three questions have always remained:
  1. Why wasn't it caught during download?
  2. Why wasn't it caught when the user ran the file?
  3. Why did it take 202 daily scans to finally find the file, which was easily located in the My Documents folder?
Hope that clarifies everything for everyone. Again, this is just an example of Webroot's failure to work properly. I don't want to start a long discussion about it since I've already been through this with support.
I appreciate you trying to get an answer on this @Muddy7. However, I'm not concerned about it at this point. The problem has been resolved and I don't want to take over @davetully's thread. Obviously anyone is allowed to post about it if they want, but it's really the original poster that needs answers at this point.
Honestly this is over my head, I'm not fully trained as a support tech so I'm not sure the answer to this. Our support team is the best resource for this, do you know which support agent was unable to provide clarity on this issue?
Hello,

Since no third party ever certified the performance of Webroot as an antivirus, it is logical to believe that, indeed, it misses A LOT of malwares.

Otherwise, the company would be proud to display the software performance against the well known antiviruses on the market.


Personally, I think that one should be informed before making statements that are questionable in some people's minds.

Regards, Baldrick


I agree with you about being better informed.
It is impossible to be informed though if Webroot is not tested by anyone in the last 6 years; PC Mag is insignificant in the market and for every software in the market if you look long enough, you can find a positive review...

Bottom line, as long as Webroot stays "in the house" and doesn't get exposure to third party testers I will not touch it....

It prohibits irreversible actions like sending personal data to the internet, and keeps a journal of reversible actions, all while awaiting a verdict from Webroot's cloud analysis system. If the program under judgment proves to be nasty, Webroot wipes it out and reverses all its changes.

This system just isn't compatible with many independent lab tests. Labs like AV-Test Institute and AV-Comparatives expect antivirus programs to act right away on malware they recognize, whether detection occurs using signatures, heuristics, or behavioral analysis.
Regards, Baldrick



Hello Baldrick,

Thank you for clarifications!

Typically, the cloud analysis of an unknown application is very fast, almost instantaneous, so if Webroot has something to say this will happen in a few seconds.

So I believe that "Journaling" issue is just an excuse for non detection; of course, after a while most antiviruses will detect the "unknown" malware and then Webroot will claim "finally, we finished the analysis and, if we had the chance, we would revert the malicious changes"

I do not see a scenario when Webroot will journal for days, only to make a decision a week later.

The "journaling" approach, while seems "advanced" has major flaws, and has not been embraced by other major players on the market (only few anti-ransomware software employ this)

  • the computer is not boot-able after a malware attack, so the user cannot start it. Webroot cannot restore files from journaling if the computer is not bootable
  • The malware (ex: NotPetya) destroyed MBR, so again PC is not bootable
  • the user has no internet connection (example a flight Amsterdam-Australia) for extended number of hours and is inserting an infected USB drive. Webroot has a minimal signature database stored locally, so cannot journal for 16 hours or handle this situation

In my own case WRSA has, on a number of occasions in the past, 'saved my bacon', since I started using it. I cannot say the same for a couple of the other solutions I used prior to that.
Ditto for me.

In my own case WRSA has, on a number of occasions in the past, 'saved my bacon', since I started using it. I cannot say the same for a couple of the other solutions I used prior to that.

Ditto for me.


Nothing unusual here: go to other forums (Avast, Avira, Kaspersky, Bitdefender) and you will find people saying the same:

"Avast / Avira / Kaspersky / Bitdefender on a number of occasions in the past, 'saved my bacon', since I started using it"

Your own experience with WSA cannot substitute professional third party testings.

Imagine going to University, and instead of participating in the admission exam, you will come with a friend to testify that you are a good guy and you never created problems to anyone 😀....
Well, that's my regularly being infected while using various well-known AVs pre-2006, and then never knowingly being infected since—plus others who I refer to serving large customer bases and reporting similar results—dexterously dismissed.