WSA Complete For The Family?

  • 4 February 2012
  • 30 replies


Userlevel 3
Thanks! I think (I hope) everything is o.k. - like @TripleHelix wrote: test tools don't show the true effectiveness of the WSA Identity Shield.
Thanks again!
Userlevel 4
Hi asg,
I wanted to provide you with some more information that will hopefully help you to understand what specifically is being tested for and how.
The first test shown in the screenshots is SpyShelter's screenshot test.  As TripleHelix has pointed out, the reason that WSA fails this test is that in order to execute the test (i.e. clicking on the Test1a button) the protected browser will by default be in the background; it is not the active window.  If the browser is not the active window the Identity Shield does not (cannot) protect it for a number of reasons.  First, it is infeasible for the Identity Shield to detect the position of the browser in the background.  Is it minimized?  Is it on a second screen, open but not active?  Is it partially obscured?  All of these things would be difficult if not impossible to detect.  Secondly, screen-grabbers are designed to only try to screen-grab when the browser (or another program that could potentially be displaying sensitive information) is the active window.  If they were designed to randomly, or systematically, take screenshots of the system when those programs are running but not necessarily in the foreground, the malware programmer would have a mountain of screenshots to parse for any potentially useful information.  This is very impractical and as a result malware in the wild simply does not try to pull information from browsers that are not active.  If you were to run a screenshot test where the screenshots are taken with the browser active (Zemana's test is much more realistic for this reason) you would find that the Identity Shield blocked the screen-grab and therefore passed the test.
The second test shown is the clipboard test.  In this test it does not matter whether or not the browser is the active window when the test is initiated because it doesn't really start until text is entered and then copied.  The Identity Shield is not designed to pass this test because it is not intended to protect the clipboard.  The information that was entered is not pulled by the test until you copy it (if it was pulled before the text was copied the program would fail the keylogging test, which it does not).  Once you have copied the text it has left the protected browser and is entered into an application that is not being protected by the shield (the clipboard), which is where it is pulled from.  If you frequently copy and paste passwords and other sensitive information like credit cards we suggest the use of our password management feature, which enters the sensitive information without copying and pasting it, thus defeating this type of attack.
I hope this information explains things a little better. Let me know if you have any further questions.
Userlevel 3
Hi Howard!
Thanks for your answer, but this was not about whether the program passed the test or not. I think, like you wrote, Zemana's test is much more realistic.
Second question, short: password management is a perfect solution.
One more question: system protection - registry access. Maybe again everything is o.k., but can you explain why this part of the test is failed?
Userlevel 7
We don't block or restrict access to the registry.  If every unknown file was blocked access to the registry, not much could get done, especially since every file starts out as unknown first.  Blocking, or "Protecting" the registry in the way those outdated and old-theory tests expect, just breaks things. 
Instead of blocking access, SecureAnywhere monitors access and changes and journals them.  If the unknown item is determined to be malicious, all the changes it made are rolled back verbatim.
I think the main thing to remember as well:
Those tests really exist for one purpose.  They exist to say "Look at how great our product is!" for the company that made the test.  The company can claim that the tests use "real attacks", but how does a user know this?  Have they seen a threat use those specific attacks? I assure you that if we come out with a special testing tool like other security companies have, it will go around them very effectively and claim we are perfect, so no worries there. ;)
Webroot is a security company, so I hope we have a general idea about what things threats are and can do, as well as the feasibility of such. ;)
Take the background window protection, for example:  A threat is going to want to get the data it wants (steal your stuff) without getting a lot of junk.  It can take a screenshot when it knows that something important is highly likely to be on the screen, such as when your browser is the foreground window and you are on https, or it can just take a picture, say, every minute.  1440 minutes a day, 10,000 machines infected... so who is going to go through those 14 million screenshots every day to see if some are useful to a thief?
We really are working to take the old concept of security and turn it on its ear.  Stop wasting computer resources and your time doing unnecessary things and do things in a different way that in the long run has the best balance for security versus inconvenience and cost. 
Anyway, that's enough from me here.  I've worked in the computer security industry since years before Webroot was even a tiny company in a garage.  Knowing as much about it as I do, I'm perfectly comfortable using SecureAnywhere (eat your own dog food, amirite?) and very happy with the results and capabilities.
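The "monitor and journal, then roll back verbatim" approach described in the post above is easier to reason about with a small model. The following is an added illustration, not Webroot's code and not a description of how SecureAnywhere is implemented: it uses an in-memory key/value store standing in for the registry, records every change made by a named process together with the value that was there before, and undoes one process's changes newest-first once that process is judged malicious. The one edge case it handles is a key that another process touched after the suspect did; such an entry is reported as a conflict rather than blindly overwritten. All process names and key paths are constructed for the example.

```python
# Added example (hypothetical, not Webroot's implementation): a toy change journal
# with per-process rollback over a dictionary that stands in for the registry.
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

_MISSING = object()  # sentinel: "the key did not exist" (before a create / after a delete)


@dataclass
class JournalEntry:
    process: str
    key: str
    before: object  # value before the change, or _MISSING
    after: object   # value after the change, or _MISSING for a deletion


@dataclass
class JournaledStore:
    data: Dict[str, str] = field(default_factory=dict)
    journal: List[JournalEntry] = field(default_factory=list)

    def set(self, process: str, key: str, value: str) -> None:
        # Access is never blocked; the previous value is journaled so it can be restored.
        self.journal.append(JournalEntry(process, key, self.data.get(key, _MISSING), value))
        self.data[key] = value

    def delete(self, process: str, key: str) -> None:
        before = self.data.get(key, _MISSING)
        if before is _MISSING:
            return  # nothing to journal: the key was not there
        self.journal.append(JournalEntry(process, key, before, _MISSING))
        del self.data[key]

    def rollback(self, process: str) -> Tuple[int, int]:
        """Undo every change journaled for `process`, newest first.

        Returns (undone, conflicts). An entry is a conflict when the key no longer
        holds the value this process left there, i.e. someone else changed it later;
        such a key is left alone so a trusted program's later change survives.
        """
        undone = conflicts = 0
        for entry in reversed(self.journal):
            if entry.process != process:
                continue
            current = self.data.get(entry.key, _MISSING)
            if current != entry.after:
                conflicts += 1
                continue
            if entry.before is _MISSING:
                self.data.pop(entry.key, None)   # the process created it: remove it
            else:
                self.data[entry.key] = entry.before  # restore the prior value verbatim
            undone += 1
        self.journal = [e for e in self.journal if e.process != process]
        return undone, conflicts


def _fresh_store() -> JournaledStore:
    # Constructed starting state; the key paths are illustrative, not real registry keys.
    return JournaledStore(data={
        "Policies\\Proxy": "none",
        "Startup\\legit": "C:\\Program Files\\legit.exe",
    })


def run_scenario() -> Tuple[JournaledStore, int, int]:
    """An unknown installer changes three keys, a trusted app changes a fourth,
    then the installer is classified malicious and rolled back."""
    store = _fresh_store()
    store.set("installer.exe", "Run\\updater", "C:\\Temp\\u.exe")   # created
    store.set("installer.exe", "Policies\\Proxy", "http://proxy.invalid")  # modified
    store.delete("installer.exe", "Startup\\legit")                 # deleted
    store.set("trusted.exe", "Settings\\Theme", "dark")             # unrelated change
    undone, conflicts = store.rollback("installer.exe")
    return store, undone, conflicts


def run_conflict_scenario() -> Tuple[JournaledStore, int, int]:
    """Same, but the trusted app later rewrites a key the installer touched:
    that key is reported as a conflict and keeps the trusted app's value."""
    store = _fresh_store()
    store.set("installer.exe", "Policies\\Proxy", "http://proxy.invalid")
    store.set("trusted.exe", "Policies\\Proxy", "http://corp-proxy.invalid")
    undone, conflicts = store.rollback("installer.exe")
    return store, undone, conflicts


if __name__ == "__main__":
    s, u, c = run_scenario()
    print(u, c, s.data)
    s, u, c = run_conflict_scenario()
    print(u, c, s.data)
```

The design choice worth noting is the conflict check: a rollback that simply restored "before" values in journal order would silently undo a later, legitimate write to the same key, so the journal has to compare against the value the suspect process actually left behind before touching anything.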
Userlevel 3
Thank you very much. I think - this information was useful not only for me.