claudiubotez

join:2009-06-28

Your opinion about running 2 real time AV/Antimalware

Hi,

MBAM claims that it is complementary to a real-time antivirus and can be installed and run at the same time; the developers and fans will try to persuade you that, indeed, this is true.

Some sceptical users would argue that even though you do not see any slowdown, the scanners will fight each other and malware can slip in between.

see:

hxxp://forums.malwarebytes.org/index.php?showtopic=110227

What is your (documented) opinion?

Thanks,
Claudiu


PrivacyExprt

join:2010-09-29
Longwood, FL

I tend to prefer products with more than one engine. Emsisoft comes to mind, and when combined with the FW, adds some pretty insane protection. (A2Malware+IKARUS AV)

I have MBAM installed, always have, but have yet to see it catch anything behind the above product, so I really question its value. I suppose there is 'something' it would eventually catch. Also, MBAM is going more for URL/IP blocking; that may be much of the benefit of going with it. Toss Threatfire over that, and it's pretty intense.. Oh, lock down the system with VISPA as well, obviously.

Layered security tends to be better. It's like your home, lights outside, locks on the door, alarm system, dog.. Layers. Nobody is dumb enough to try and break into a layered home, and not a whole lot of threats get through a layered PC.



Triple Helix
Go Blue Jays Go
Premium
join:2007-07-26
Oshawa, ON
kudos:7
Reviews:
·Rogers Hi-Speed

1 edit
reply to claudiubotez

You can run Webroot SecureAnywhere with other Anti-Viruses and Anti-Malwares as it was designed to work with others or by itself! If someone wants a great combo that works very well, the one I highly recommend is WSA and MBAM paid version!

»www.webroot.com/En_US/consumer.html

TH

--
Triple Helix - Microsoft® MVP Consumer Security 2012
VIP Member Of ASAP - (Alliance of Security Analysis Professionals™)
Official Webroot SecureAnywhere (Prevx) Support Forum Helper!
(H59 Clan)



Greg Davis

join:2011-11-15
San Mateo, CA
kudos:2

1 recommendation

reply to claudiubotez

Since most antivirus and internet security applications use many system resources it is true that in most cases you do not want to run more than one real-time scanner at the same time to avoid conflicts, which can leave your computer more vulnerable to infections.

Webroot SecureAnywhere is different than the rest of the pack in the way that it operates and is powerful enough to be your only real-time antivirus/internet security solution. The installation takes less than one minute, the agent only uses about 15 MB of disk space, it uses very few system resources and scans your computer in about 2-3 minutes.

Instead of having a bloated client that uses the traditional definition file download, SecureAnywhere uses a unique combination of our cloud database and local behavioral analysis to detect and stop threats. This gives us the ability to protect all users of SecureAnywhere against the latest threats in real-time.

If by chance you would like to use a layered approach to security, like Triple Helix points out, Webroot SecureAnywhere is one of the exceptions and runs just fine with other internet security applications. To ensure that there are no conflicts, Webroot conducts extensive QA testing with SecureAnywhere and other security applications.

If anyone has any other questions about SecureAnywhere, please post them.

If you are interested in trying it out, here is a link to the trial downloads.

Webroot SecureAnywhere Trial download

Thanks
--
Greg Davis
Webroot Support Team
»www.webroot.com/En_US/index.html



jaykaykay
4 Ever Young
Premium,MVM
join:2000-04-13
Scottsdale, AZ
kudos:24
Reviews:
·Cox HSI
·Speakeasy

1 recommendation

reply to claudiubotez

I run, and have for some time, more than one, MWB being one of them. I have not noted any perceptible real slowdown on my system. I wouldn't be without the one(s) I run, real-time and layered on my system, even if something did slow it down either. I firmly believe in what I have running and would not compromise my system by not doing so for a little slow down. A true drag on the system, and I might have to rethink my position.

--
JKK

Age is a very high price to pay for my maturity. If I can't stay young, I can at least stay immature!

»www.pbase.com/jaykaykay



gugarci
Premium
join:2004-02-25
Lyndhurst, NJ
Reviews:
·Comcast
reply to claudiubotez

MBAM is more of an anti-malware than an AV. You can run MBAM in real time with other AVs with no issues. Although BitDefender, which is a great AV, makes you uninstall MBAM before you can install their AV. But afterwards you can reinstall MBAM and it will play nicely with BitDefender.



Smokey Bear
veritas odium parit
Premium
join:2008-03-15
Annie's Pub
kudos:4
reply to Greg Davis

said by Greg Davis:
Webroot SecureAnywhere is different than the rest of the pack in the way that it operates and is powerful enough to be your only real-time antivirus/internet security solution.

So with SecureAnywhere a layered approach to security isn't necessary anymore?
--
~ The fool is one of the wisest people of all ~


Greg Davis

join:2011-11-15
San Mateo, CA
kudos:2

1 recommendation

Smokey Bear,
As I had stated in my post, the general rule is to not have more than one real-time antivirus/security application installed at the same time to avoid conflicts, etc. SecureAnywhere is powerful enough to serve as your single source of real-time protection and most of our customers use it exclusively. One of the features of SecureAnywhere that is unique though, is that if you choose the layered approach with another real-time scanning application, you will not experience conflicts or make your computer more vulnerable to threats as you would with other security applications.

Thanks
--
Greg Davis
Webroot Support Team
»www.webroot.com/En_US/index.html



QuaffAPint
A Big Thanks To The Troops

join:2001-01-10
Downingtown, PA
reply to claudiubotez

I've been running MBAM real-time alongside MSSE for quite some time and have had no issues on my Win7 x64.
--
{Send Secure Notes Free and Easily} :: whisperBot.com


wat0114
Premium
join:2012-02-20
Calgary, AB
reply to claudiubotez

the same opinion I have about running even one real-time av: unnecessary.


PrivacyExprt

join:2010-09-29
Longwood, FL
reply to claudiubotez

Funny thing, the actual Webroot download link (direct) is totally blocked by Emsisoft Surf Protection as a malicious link. Might want to take that up with the folks over at Emsisoft there..

»anywhere.webrootcloudav.com/zero···tall.exe

One of the things I did to evaluate security products is to monitor the various databases from the online multi-engine scanners. I found Emsisoft was scoring vastly higher than most products, primarily because of the A2+Ikarus engine inclusions, and robust Heuristics. Of course those scanners don't factor HIPS into the scheme of this, but when you combine onlinearmor+emsisoft, you have a seriously layered approach between both modules. Which are basically Mamutu+Firewall+A2 Antimalware Engine+Ikarus AV engine. A lovely set of layers.

Webroot seems interesting, if I didn't already have 5 licenses for Emsisoft+OA for the next 324 days, I'd give it a whirl. I will surely add it to the mix of ones I test when that expires.

Anyway, one good way to check is to monitor »virscan.org/ over time, and you will find ASQUARED/Emsisoft/Ikarus finds virtually everything none of the other products find. To the point it's sometimes the only product finding some threats. That's only part of what I considered, but to be honest I don't feel ANY system drag with Emsisoft running, that's a big bonus.


PX Eliezer7
Premium
join:2008-08-09
Hutt River
kudos:13
Reviews:
·callwithus
·voip.ms
·Optimum Voice
·Vitelity VOIP
reply to gugarci

said by gugarci:

MBAM is more of an anti-malware than an AV. You can run MBAM in real time with other AVs with no issues.

Agreed.

And I have the paid MBAM installed at my office---though I'm not sure if it adds any security or not on top of a modern FW and AV.


gugarci
Premium
join:2004-02-25
Lyndhurst, NJ
Reviews:
·Comcast
reply to PrivacyExprt

said by PrivacyExprt:

Funny thing, the actual Webroot download link (direct) is totally blocked by Emsisoft Surf Protection as a malicious link. Might want to take that up with the folks over at Emsisoft there..

»anywhere.webrootcloudav.com/zero···tall.exe

You're right, I just looked at my logs. But sites their surf protection blocks come from Hosts File.net.
»www.hosts-file.net/
--
Desktop Win 7 x64 Emsisoft Anti Malware v6. Laptop Win 7 x64 & Desktop XP Pro Emsisoft Anti Malware v6 & Online Armor Premium v5. Netbook Avast v7. Netbook MSE. MBAM and Hitman Pro used on-demand only.

Mele20
Premium
join:2001-06-05
Hilo, HI
kudos:4
reply to Triple Helix

said by Triple Helix:

You can run Webroot SecureAnywhere with other Anti-Viruses and Anti-Malwares as it was designed to work with others or by itself! If someone wants a great combo that works very well, the one I highly recommend is WSA and MBAM paid version!

»www.webroot.com/En_US/consumer.html

TH

Webroot touts its rating from AV-Test. This is unfortunate since the owner of AV-Test is not trustworthy. Thus, I put little credence in its test results. I have a lot more trust in IBK See Profile who runs AVComparatives. So, I went there to see what it says about Webroot. I don't believe I want it. Since the first of this year, it is the MOST COMPROMISED of all AV tested. I'm still going to install GData on a new machine I will acquire soon and continue to use Avira 8 free version on my current XP Pro machine (along with Process Guard).
--
When governments fear people, there is liberty. When the people fear the government, there is tyranny. Thomas Jefferson


Smokey Bear
veritas odium parit
Premium
join:2008-03-15
Annie's Pub
kudos:4

said by Mele20:
So, I went there to see what it says about Webroot.

....

Since the first of this year, it is the MOST COMPROMISED of all AV tested.

It's also producing the most false positives/alarms (On-Demand Comparative March 2012, last revision 10th April 2012, 20 products were tested).
--
~ The fool is one of the wisest people of all ~

PrivacyExprt

join:2010-09-29
Longwood, FL

1 edit
reply to claudiubotez

Yup, no offense but I ran some tests and was underwhelmed by Webroot SecureAnywhere. They talk it up big time, but it underperforms from what I can see from reviews/tests. My system got notably 'slower' surfing with it installed, and it actually failed to find a couple of malware links I tried. Changed image back to Emsisoft+OnlineArmor, things got faster, and the sites were found.

Also Webroot kept spamming to 'register' so 'all' of my devices can share in the bliss of it. No thanks, that's too much privacy to give up for me. Checking some youtube reviewers I know, Webroot did poorly for virtually all of them, while Emsisoft scored exceptionally high with most of them.

I wanted to love it, I really did..

EDIT: Most of the issues with Webroot, were sourced to other security products. Once removed, Webroot functioned much better.


PrivacyExprt

join:2010-09-29
Longwood, FL

4 edits

2 recommendations

reply to Greg Davis

said by Greg Davis:

Smokey Bear,
As I had stated in my post, the general rule is to not have more than one real-time antivirus/security application installed at the same time to avoid conflicts, etc. SecureAnywhere is powerful enough to serve as your single source of real-time protection and most of our customers use it exclusively. One of the features of SecureAnywhere that is unique though, is that if you choose the layered approach with another real-time scanning application, you will not experience conflicts or make your computer more vulnerable to threats as you would with other security applications.

Thanks

I am going to publicly eat some crow on this one.. I was wrong about Webroot SA.. I set up a VM to test it, and what I found was a security application that on the surface looks pretty basic, and appeals to the unwashed masses of consumers. If you dig deeper, you literally find a wealth of features, layer after layer after layer of hidden options, features, tweaks.. Something I love, and I suspect many other people love.

Upon digging even deeper, I find settings, options, and tweaks that 'appear' to make this an absolutely fantastic security suite. Out of the box most of the good stuff is turned off, likely to avoid 'scaring' the less knowledgeable users, but also most likely to prevent all potential false positives. Things like "Protect Host File from Alteration" are toggled OFF, which seems really odd. (along with a wealth of other features) In fact, I can't believe the stuff this has nested under the hood for you to discover. For example you can set ANYTHING on your computer to be 'monitored' rather than Allow/Block, which reduces the potential damage it can do, and believe me this works! None of these features are always easy to find, but when found you get a bunch of 'ahh hahhh!' moments.

I have a honeypot to get a bunch of 0-day crap for testing, and to submit them to various AV companies to improve them (usually the one I choose to use hehe). Sure enough, within 10-15 minutes a new 0-day threat arrived on the honeypot. I copied this over, and Webroot picked it up immediately as a "Generic", which means heuristics easily picked up a fresh 0-day threat. I ran this threat through a few online multi-engine scanners, and found that only up to 3-6 products picked it up out of between 20-40 products.. That's pretty impressive. Here's a shot;

»xoom.cc/images/2012/06/05/fOymJ.jpg

(resubmission after many hours, and 19 engines updated) Still only 31% detecting what Webroot stopped 0-day.
(viruscan link removed)

At Jotti's, only 5 out of 20 products detected it. But after 8 hours or so from sending it off, 19 engines updated, only 11 out of 36 products detect it, and 4 of those using heuristics alone. That's 25 products offering absolutely no detection of this. Webroot being one that would offer it. Now I know this is only one sample; I will eventually get around to tossing more through it. But the critical thing is, my honeypot collects 'emerging' threats, and this product detected an emerging threat when the majority of products failed. I think any test where Webroot isn't doing well, such as these Youtube reviewers, is because of a few things;

1) They don't have the product properly configured for maximum detection.
2) Webroot is best not as a scanner, but as a 'preventer' of activity, beyond HIPS.
3) The test protocols are designed for traditional scanners, Webroot actually appears more advanced than those, as a result probably nearly requires a separate test methodology to really show the power.

Now from the looks of it, Webroot contains many technologies within it, although I do not have proof of this without getting some technical datasheets. It appears to contain the best elements of their Antispyware, AV, PrevX, as well as a cloud based analysis system, and possibly Sopho's virus database. One thing I noticed is Webroot automagically 'isolates' untrusted applications, and seemingly holds them in a sort of 'limited' permission stance until the cloud can fully evaluate them in comparison to emerging threats. Sort of like an automatic sandbox that 'releases' the executable when it is deemed safe. I am unsure of the actual mechanics without looking into it more, and watching it more carefully, and going through some purposeful infections. This feature is really good though, almost like the 'Runsafer' aspect of Online Armor, but a bit more intelligent in this case.

You can insert any application you want into 'monitored' with a click of the button, which essentially gives the product a magnifying glass, and orders to 'watch this thing close'. I was unable to get a product to take desktop screenshots, alter the registry, or even move files around the system when it was being monitored, yet I was still able to run the product to the point where it was running, but impossible for it to do anything malicious. Again, similar to a smart-sandbox of sorts. But my point is, a lot of things about this product would make it not necessarily score 100% in a raw scanning test, but would make it score 100% in stopping infections. For me that's the most important thing. Noting the latest AVComparatives puts the raw scanning part of Webroot at 98.2%, which is still very nice, but doesn't factor the best parts of this product IMO.

Overall, I am VERY impressed with this product. I have purchased a few licenses of it now, and will begin testing it across various PC's I have access to at work. Those always pick up junk, regardless of what AV I put on them, so we will see how this one goes. I will test it more at home on the VM/Honeypot, and see what comes up. I have already submitted 0-Day threats to them, let's see how fast they add sigs beyond heuristics. I will add they have a fantastic submission system in the program.

It's a slick piece of work!

PrivacyExprt

join:2010-09-29
Longwood, FL

2 recommendations

reply to claudiubotez

Might as well address some of the settings while I sit here playing with it..

For one, the heuristic system is fantastic. You can set/adjust heuristics to a variety of levels, for a variety of things on your PC. Advanced(traditional?), Age(file mod based), Popularity(cloud based). Some really nice functionality there! Screenshot;
»xoom.cc/images/2012/06/05/fGwhY.jpg

Now the web protection settings are really awesome. You can specify specific websites, and adjust settings to be whatever you want for THAT particular website. So for a banking site, you can lock it down really tight - as an example. Each setting can be customized, and checked or unchecked as you feel is needed. Or you can setup these as global settings. Very powerful, but all of these options are 'fairly' well hidden from the generic mass-consumer user, but powerful for tweakers. Screenshot;
»xoom.cc/images/2012/06/05/tmKqo.jpg

Next setting I found is pretty cool, you can specify applications to 'protect better', although I do not yet fully understand what it does. It seems to offer 'enhanced' monitoring of that application to prevent hijacking or manipulation of it. Almost like a sandbox - sort of - but something a bit better where it functions like normal, but if 'funky stuff' starts being done to the program, it stops it. Or if the program tries to function outside of its normal parameters, it stops the activity. I'd really like a Webroot tech to comment on that. Screenshot(sorry for the obfuscation)
»xoom.cc/images/2012/06/05/IHCgq.jpg

This next setting is wickedly cool. If an application is untrusted, it's in monitored mode. If you 'kill process' it undoes anything the application did. So you place your web browser monitored, something funky goes down in it, killprocess/undo. It's sort of like a non-klunky, seamless sandboxie that you don't really know is even there. Tweakers can have a load of fun, placing stuff manually into monitored mode for the sake of better security. Newb's won't even know this menu is even in the product.
»xoom.cc/images/2012/06/05/hkBY.jpg

This is just a built-in sandbox. Lots of fun with this for techies. Toss in anything you download, run it, play around with it, then kill it. Really nice for files you are unsure of, and Webroot runs its scanners on it, tosses it through the cloud, and evaluates it. Really nice actually, I can see using this a lot. Again, most consumers won't even find it;
»xoom.cc/images/2012/06/05/keamh.jpg

Huge amounts of configuration settings for each aspect of your PC. For example this one you can block screen grabs, block tracking, examine content for phishing, MM blocking, etc.
»xoom.cc/images/2012/06/05/pISMz.jpg

Another cool setting.. Before you click links, Webroot has already 'scanned' for malware/threats on the site. No speed difference is discernible for me. Filter options are available of course;
»xoom.cc/images/2012/06/05/P6Lrn.jpg

Some really nice 'tools' for dealing with Malware, restoring windows policies, etc. Also a really nice tool that removes the malware, and associated files/registry actions the malware tool. Overall some pretty cool stuff here to mess with. These I think really wouldn't be appreciated by the masses, but techies would find them quite handy.
»xoom.cc/images/2012/06/05/9Onb.jpg

Good cleanup tool with secure deletion, lots of settings to tweak.
»xoom.cc/images/2012/06/05/5QDV1.jpg

Standard permission based firewall.
»xoom.cc/images/2012/06/05/IdQtb.jpg

The statistics and reports section of this product blow my mind. They allow you to keep 'deep' watch on what everything does, and get an overall snapshot of what's been going on.

Overview Stats: »xoom.cc/images/2012/06/05/zADc8.jpg

Dig down into each event to serious levels, examining EVERY aspect of what it is doing, and has done. Then if that isn't enough, filters (Custom Rules) that allow you to control each aspect of what is being done.. Oh my...
»xoom.cc/images/2012/06/05/BfX8n.jpg

Well that's my overview so far, but this package is a MONSTER in functionality, and I cannot believe how 'tiny' it is. Something like 15mb of disk space, and virtually no memory when it is running. Figure 2-4 minutes to scan most PC's top to bottom.

Disclaimer: I am not a Webroot shill, don't work for them, and am not paid by them. I have only been testing it for a couple of days, and these are simply my findings thus far. In fact, I thought the program was garbage..



Triple Helix
Go Blue Jays Go
Premium
join:2007-07-26
Oshawa, ON
kudos:7
Reviews:
·Rogers Hi-Speed

2 edits

Thanks PrivacyExprt for testing and showing the Community here that Webroot SecureAnywhere is the real thing!

Cheers,

TH

EDIT: Also WSA does not use Sophos signatures as Webroot has their own cloud database built on Prevx Technology!!

--
Triple Helix - Microsoft® MVP Consumer Security 2012
VIP Member Of ASAP - (Alliance of Security Analysis Professionals™)
Official Webroot SecureAnywhere (Prevx) Support Forum Helper!
(H59 Clan)


Mele20
Premium
join:2001-06-05
Hilo, HI
kudos:4

2 edits
reply to PrivacyExprt

I installed it on a virtual machine running XP Pro SP2 after reading your first post. You got me curious.

First off, it froze my machine before I even tried to install it. I started to click on open the file from Fx download page but didn't because I decided to make a snapshot first. I made the snapshot which just took a few seconds and then noticed Task Manager icon was showing CPU usage running at almost 100%. I couldn't bring up Task Manager and barely managed minimizing the virtual machine. I had to shut it down from the host machine's Task Manager. I started it again and everything seemed ok so I then proceeded to install Webroot.

It is supposed to work with other antimalware programs. It is inferior to ProcessGuard because PG, even after I allowed the installation, keeps blocking it from modifying explorer.exe and other things. If it was a true classic HIPS then it would be duking it out with PG. Instead PG has full control over it. They are not working with each other.

It also conflicts with the Proxomitron. I had to completely disable the Web shield (as I would with any AV that has that). If I tried to chain it to Proxo as a second proxy, it would kill my ability to surf (would cause a tremendous slowdown). So, now it yells at me because I disabled that shield.

Right after I installed it, before I had a chance to examine any settings, or exclude things such as C:\System Volume Information from the Real Time or On Demand scanners, it tried to do a full scan of the computer! That is a TOTAL NO-NO. This program is ONLY for users who are ignorant of computers. Any knowledgeable user would want to set up all parameters, etc. before any scan takes place. I did keep it from scanning initially but it now yells at me about that. I won't ever let it do a full scan because once I examined all settings that could be configured, I learned that one CANNOT PROPERLY CONFIGURE the scanners.

There are no options for block and ask user what to do. That is the only acceptable setting on an AV. Webroot insists on automatically quarantining anything it finds! Yes, it has the ability to allow the user to ADD to the exclusions section a SPECIFIC FILE BEFORE THE FACT ONLY. That is unacceptable. It takes way too long to add all the files, plus, adding like that does not solve the problem of Webroot automatically quarantining any new "threat" it finds!

Webroot has an extremely high false positive rate. What if it gets tainted definitions like Avast and Avira (and all of them have this happen at one time or another) and starts quarantining critical files? I was able to save my computer from total disaster when Avast had tainted VDF the first time because I had it configured to temporarily Block and then ASK me what to do. I almost couldn't keep up as it asked so fast about one critical Windows file after another that I thought I couldn't stop it from either deciding on its own to delete or quarantine the files if there was a backlog building up of alerts asking me what to do. But somehow, I managed to keep clicking furiously, and I avoided the total disaster that befell so many users who had unbootable computers especially when it turned out Avast's quarantine was not designed to hold thousands of files and, thus, when it was full Avast just started permanently deleting critical windows files it thought were infected if the user had Avast configured in the manner that Webroot is configured by default and that cannot be changed. The saving grace with Avast (because this same tainted VDF crap has happened three more times since that first time several years ago) is that the user has the CHOICE of configuring the scanners so that nothing automatically goes to quarantine and that configuration is what saved me more than once with Avast.

I have tried most AV out there at one time or another and almost all of them have serious problems with quarantine (including my beloved Avira version 8 which can't restore properly...no Avira version can on some files). Thus, I do not trust quarantine and I NEVER allow any file to be put in quarantine. An AV that does not allow for Block and then ask user what to do is a poor AV for those who are not ignorant about computers. With Webroot's high false positive rate one has to be suicidal to install it since it has no way to safely configure what should happen when malware is found.

Then there is all the cloud stuff. I don't use things that are in the cloud. I also don't like it bugging me to set up a cloud account so I can check the status from the cloud. That is a gimmick and violates my privacy. Anything in the cloud violates my privacy and I would want all cloud stuff turned off. In the case of this AV, turning off the cloud invasive stuff just about renders the AV worthless. This is another reason why a classic HIPS such as ProcessGuard is far superior.

Then there is the problem that the slideups are too tiny and, like with most AV these days, down in the bottom right corner which is almost impossible to read there. Why not in an upper corner or the left bottom corner if for some weird reason only bottom slide up is allowed. Why can't you put it where you want it? (I prefer middle of my screen where it is easily viewable). Why can't you enlarge it? And yes, I now have almost perfect reading vision with my Crystal lens implants yet Webroot's slide ups are very difficult to read.

It's not worth $40 when you have to turn off web shield (even though it claims no conflict with other security protection) and not worth the cost when it lacks crucial configurability. Avast is FREE and has a lot more configurability. ProcessGuard has a free version that I have on this XP virtual machine and it is far more configurable and it is free and does more than Webroot. For Vista/Win 7, there is an excellent free version of Online Armor (although not up to PG standards).

I think it amazing and sad that there is nothing out there that can come anywhere close to the protection of ProcessGuard. PG was first offered in late 2003 (I think it was) and not updated since 2006. Yet it runs circles around all these other programs. Plus, it has a free version and there are no privacy violations with it because it doesn't need cloud crap at all.
--
When governments fear people, there is liberty. When the people fear the government, there is tyranny. Thomas Jefferson



gugarci
Premium
join:2004-02-25
Lyndhurst, NJ
Reviews:
·Comcast
reply to claudiubotez

Mele20 See Profile Have you ever tried DefenseWall or Geswall? I love DefenseWall but I don't use it because it only works on 32 bit systems.
»www.softsphere.com/
»www.gentlesecurity.com/geswall.html
--
Desktop Win 7 x64 Emsisoft Anti Malware v6. Laptop Win 7 x64 & Desktop XP Pro Emsisoft Anti Malware v6 & Online Armor Premium v5. Netbook Avast v7. Netbook MSE. MBAM and Hitman Pro used on-demand only.


PrivacyExprt

join:2010-09-29
Longwood, FL

2 recommendations

reply to Mele20

Comments based on what I know so far in testing/evaluation, you are making some assumptions that are incorrect, and I will explain why, but I am short on time and might have to come back to this later;

said by Mele20:

It is supposed to work with other antimalware programs. It is inferior to ProcessGuard because PG, even after I allowed the installation, keeps blocking it from modifying explorer.exe and other things. If it was a true classic HIPS then it would be ducking it out with PG. Instead PG has full control over it. They are not working with each other.

The reason for this is that WSAE will take a 'backseat' to another security product, in effect remaining silent until the other product cedes control of the threat. For example if you have KIS2012+WSAE installed, if KIS2012 grabs the threat, WSAE will remain silent. This can 'seemingly' make it out as not being effective, but if you disable KIS2012, and repeat the same thing, WSAE will take over the threat. If you RELEASE the threat from KIS2012, WSAE will acquire it, and deal with it. PG has full control because it is being ceded full control; this is by design from what I can see, and what some technical sheets say.

It also conflicts with the Proxomitron. I had to completely disable the Web shield (as I would with any AV that has that). If I tried to chain it to Proxo as a second proxy, it would kill my ability to surf (would cause a tremendous slowdown). So, now it yells at me because I disabled that shield.

No need to have both of these doing the same thing. But I suspect they haven't added exclusions to that product. You could try manually adding exclusions.

Right after I installed it, before I had a chance to examine any settings, or exclude things such as C:\System Volume Information from the Real Time or On Demand scanners, it tried to do a full scan of the computer! That is a TOTAL NO-NO. This program is ONLY for users who are ignorant of computers. Any knowledgeable user would want to set up all parameters, etc. before any scan takes place. I did keep it from scanning initially but it now yells at me about that.

That's good, it's supposed to scan. It takes 2-4 minutes to scan an entire PC, how is that a bad thing? Personally this just blows past so fast, it's a non-issue. Emsisoft, and many other products conduct a scan immediately on installation. Seems normal to me.

I won't ever let it do a full scan because once I examined all settings that could be configured, I learned that one CANNOT PROPERLY CONFIGURE the scanners. There are no options for block and ask user what to do. That is the only acceptable setting on an AV. Webroot insists on automatically quarantining anything it finds!

You are missing the point. IF it finds something, it places it into MONITORED mode, which then allows you to 'allow/deny/remove/block'. This is actually superior to normal AV's in my opinion because the threat is tossed into a sandbox immediately, not impacting the system at all until a decision is made. What's wrong with this method?

said by Mele20:

Yes, it has the ability to allow the user to ADD to the exclusions section a SPECIFIC FILE BEFORE THE FACT ONLY. That is unacceptable. It takes way too long to add all the files, plus, adding like that does not solve the problem of Webroot automatically quarantining any new "threat" it finds!

Not true, once a threat is found, if you 'uncheck' remove, you can then declare how to handle the threat. It's placed in monitor mode simply because it was discovered. I feel this is a superior method simply because REGARDLESS of what the user clicks, it's still in monitored/protected mode BEFORE they make that final decision. The decision windows aren't evident, perhaps you missed them?

said by Mele20:

Webroot has an extremely high false positive rate.

I haven't had one FP yet, but it's early.. I will see after a month or two of testing. So far so good, with heuristics maxed.

said by Mele20:

An AV that does not allow for Block and then ask user what to do is a poor AV for those who are not ignorant about computers. With Webroot's high false positive rate one has to be suicidal to install it since it has no way to safely configure what should happen when malware is found.

But it does do this, you missed it! As I said it simply tosses a threat, or potential thread into monitored mode. If you click the dialog, you get options to allow/block/remove/monitor. But once detected, it's now setup to allow it to run, but it is sandboxed for safety. This doesn't negatively impact it, but allows it to be rolled back to remove infections.

said by Mele20:

Then there is all the cloud stuff. I don't use things that are in the cloud. I also don't like it bugging me to set up a cloud account so I can check the status from the cloud.

I hate this too, thankfully you can disable it notifying you of this. I haven't seen it since installation. No more nags, but the cloud aspect is still fully functional.

said by Mele20:

It's not worth $40.

I actually paid $29 per 3 PC license for the Essentials version. Some nice links out there with coupons!


Greg Davis

join:2011-11-15
San Mateo, CA
kudos:2

2 recommendations

reply to PrivacyExprt

Hi PrivacyExpert,

Just wanted to thank you for your very detailed review of SecureAnywhere Essentials. As Triple Helix pointed out, the design of SecureAnywhere incorporates Prevx technology for the cloud database, which not only eliminates the need for constant definition updates, but also allows us to update all users of SecureAnywhere when new threats are found, etc, all in real-time.

Here is a link to the SecureAnywhere Help file which provides even more detailed information about the product.

Webroot SecureAnywhere Help

Thanks again
--
Greg Davis
Webroot Support Team
»www.webroot.com/En_US/index.html


PrivacyExprt

join:2010-09-29
Longwood, FL

1 recommendation

reply to Mele20

said by Mele20:

Webroot has an extremely high false positive rate. What if it gets tainted definitions like Avast and Avira (and all of them have this happen at one time or another) and starts quarantining critical files? I was able to save my computer from total disaster when Avast had tainted VDF the first time because I had it configured to temporarily Block and then ASK me what to do.

I wanted to come back to a few things, I was heading off earlier, and really couldn't finish it off.

Webroot appears to not even use VDFs, rather it uses cloud analysis. So the scenario you present simply couldn't happen. This is just one reason I feel the VDF system is on its last legs. Now what I have seen already with Webroot is if a product has a very new update, such as a beta, then Webroot might flag it, toss it into monitoring until it can gather more evidence from the cloud over time. I don't see it ever doing what you describe above unless the cloud itself was globally compromised, and if that happened Webroot would be in serious trouble as a business.

In regards to not having options other than remove, if you uncheck remove, then click next, you are given options on how to handle the file. This seems like a logical progression of menus to me. I have provided a screenshot to illustrate this:

»xoom.cc/images/2012/06/05/rFtHG.jpg

With all due respect melee, I don't think you really understood how the product is supposed to operate. It does this differently than what most people are used to, but probably really darn effectively! I noticed on AVC it scored nearly 99% on detections without factoring anything other than the scanning aspect. My preliminary tests are indicating it would be *VERY* hard to infect a system with WSAE running on it. But I can't guarantee that without more testing.

For now, I am honeypotting it to help build their cloud database up to some pretty nice levels. I figure the more 0-day I toss into the cloud, the better everyone will be. That's something I really like compared to automated/blind VDF scanning which we know the limits of these days.


Mannus
Premium
join:2005-10-25
Fort Wayne, IN
reply to claudiubotez

I have been running PCTools Threatfire alongside AVG Free for the past 2 years w/o issue. I also run WinPatrol Free and Peerblock for what it's worth.



Name Game
Premium
join:2002-07-07
Grand Rapids, MI
kudos:7
reply to PrivacyExprt

Info from their site.....

"Hello,

We actually have discontinued Spysweeper because we have made a revolutionary antivirus product that is now cloud based and will work alongside any other antivirus/firewall application out there just as Spysweeper did.

Unlike the 2011 version of Webroot AntiVirus, Webroot SecureAnywhere 2012 version does not rely on traditional antivirus definitions, is smaller, runs scans more quickly, and is designed to co-exist with other security software installed on the same system. This new program represents a revolutionary new method for protecting your information and privacy and we are very excited to offer it to our customers.

To learn more about Webroot SecureAnywhere, we recommend you view the video tutorial at the link below.

Cloud antivirus protection vs. traditional antivirus protection

Let us know if you have any questions and welcome to the community!"

___________________________________________

"SecureAnywhere is able to run alongside other security software by both its advanced heuristic detection as well as the connection with the Webroot Intelligence Network.

Because SecureAnywhere communicates with the Webroot Intelligence Network, we are aware of other good files, no matter what access they have to your machine. As I'm sure you are aware, security software requires a very high level of permission on the computer to perform its job correctly. Many times, the conflict between antivirus software occurs because of this access to the computer.

Also, with our heuristics detection, we are able to monitor the behavior of other software and deem this malicious or not. Because the behavior of other security software is not found as malicious, we will not detect another security software as a threat.

You mention that you are using some endpoint software and if this is in regards to business software, we have recently released Webroot® SecureAnywhere Endpoint Protection here: »www.webroot.com/En_US/business-p···int.html

If you are managing a network, this software will return control to the user and allow you to truly have freedom over network management.

If you have any questions, just let us know.

Thanks,
Josh C"

»community.webroot.com/t5/Webroot···894#M154
--
Gladiator Security Forum
»www.gladiator-antivirus.com/


PrivacyExprt

join:2010-09-29
Longwood, FL

1 edit
reply to claudiubotez

From what I can tell so far, WSAE cedes control to other security protocols as a first detection. It looks like for example if KIS2012 grabs something, WSAE ignores it, letting KIS do the job. If KIS doesn't, then WSAE snags it. Which makes it appear WSAE isn't offering any protection, when in fact it is. It appears when installed WITH another security application it functions almost like an MBAM type of secondary defense.

I probably wouldn't run it this way, as it seems robust enough to function as a main security product based on my honeypot activity with it thus far. (100% detection, 100% capture) I'm also enjoying feeding their cloud emerging threats. But overall, I am really liking the product, and think it has come a LONG way.. Not recommending it yet, but I like what I see in testing.

Now this seems like advertising, but it isn't, as I DO NOT endorse this product at this time. I am still in testing on it, evaluation, etc. I purchased licenses to distribute to a few PC's that are always picking up stuff, and the honeypot. I called this product 'crap' early on, and admit that I rushed to that conclusion, and have corrected myself after closer inspection. However if it has epic failures on the work PC's, or the honeypot blows it up, I will repost saying how much of a failure it was without holding back - that I promise.

I did find a 50% off link where I purchased several licenses which I will share here; without 50% off I wouldn't have purchased it, and would have just run the trial for a few weeks. Tossed it on a few PC's at work to see how it goes, one of them ALWAYS gets infected because of browsing habits after hours from one of the dudes there.. Can't wait to see what happens, as the other AV snagged 5-10+ items in quarantine every week.
»www.webroot.com/En_US/sites/bbi/···-50disc/

[mod edit -- removed referral link and left real link-- fatness]



Name Game
Premium
join:2002-07-07
Grand Rapids, MI
kudos:7

Glad yer not selling anything; when you are ready to "endrose" it, let us know. Marge likes it too.


Mele20
Premium
join:2001-06-05
Hilo, HI
kudos:4
reply to PrivacyExprt

No, it is not taking a back seat to ProcessGuard because there is no "threat" except WSAE which keeps trying to modify Explorer.exe and ProcessGuard blocks it. PG, until I tell it otherwise, considers what WSAE wants to do to be a "threat". My point, which you missed, was that if this is so great an anti malware product then it should be fighting with PG for control. Yeah, I can avoid the fighting by telling PG to allow WSAE to modify explorer.exe but I am not impressed by programs that can't stand up to PG. As far as I know, there are NONE that can. WSAE would have to hook the kernel at ring 0 and start earlier in the boot process than PG to have control over PG and the computer. PG starts extremely early in the XP boot process (I can see this from booting while using Bootlog XP program).

As for Proxo, you cannot add exclusions for a local proxy. The only way ANY of these Webguards/shields/etc can work with Proxo is for me to CHAIN Webshield to Proxo so that after Webshield filters then Proxo will filter. That means unbelievable slowdown in surfing. Plus, I don't need a webshield as everything on the web is being filtered by Proxo and it kills web bugs, defangs malicious iframes, places toggle switches on Java and Flash Player so they cannot start automatically, kills all ads so no worry about infections from ads, and a lot of other things. I just need an outstanding real time scanner and on demand scanners. I don't need any gimmicks which is what the majority of AV programs today are made of primarily.

It is very poor practice and AGAINST MICROSOFT RECOMMENDATIONS that any AV immediately perform a scan after being installed and before the user has a chance to exclude such folders as System Volume Information. I rely on System Restore and Microsoft warns that AV should NEVER be allowed to scan System Volume Information folder because if it finds a virus and deletes it then ALL restore points are RUINED. Maybe it is different in Windows 7, I don't know because I still use XP. If I had allowed it to run a scan at first startup, it would have found "viruses" in System Volume Information folder because I have a bunch on the computer and they are not encrypted. It would have ruined System Restore. I don't ever run a full scan. I have no viruses running on the computer but I do have files of viruses. Besides, with its high rate of FP's it would find a ton of those I am sure. Avira, when I got it in Jan 2007, (and it was the last time I ran a full scan on this computer) found 45 viruses. They were all FP's. I don't know what WSAE's policy is on such things as key finders. Avira will flag them as viruses because Avira wishes to play moral policeman (this is even after it partnered with ASK toolbar sleazeware) and doesn't believe there is any legit use for a key finder. Anyhow, there are many reasons why I don't run full scans. Trying to put all those "threats" into exclusion folders is a hassle.

A threat is nothing UNTIL it executes. Why would a threat that has been found need to be thrown into a sandbox? That is unnecessary hoopla designed to impress the ignorant of computer users and make them feel safer. There is no danger until execution, but AV have always tried to mislead users in this regard. As long as the AV blocks access, which it should do by default, when it finds a "threat" then there is no need for any other action. Avira is set to block access each time it "discovers" or "rediscovers" a "threat". Nothing else needs doing. Besides, Process Guard would not allow the threat to execute. I would have to expressly tell PG that it was ok for that executable to execute and I would not do that.

You are forgetting about the high false positive rate if you think there is no potential problem in monitoring and throwing in a sandbox anything WSAE thinks is malware. What if it throws a critical Windows file (or maybe 100 critical Windows files) into a sandbox for monitoring before you can stop it? You now have a crippled computer. Maybe the risk is worth it for the ignorant of computers users but for more knowledgeable users there should be a setting so that the user has full control which means WSAE does nothing except pop up right in the user's face...not a tiny unreadable box in the lower right corner of the screen ...a box that says "xxxxxx is abctrojan.exe" what action do you wish to take? At this point if this is a false positive on a critical Windows file nothing at all has happened so your computer is not being wrecked by your AV program. You make your choice and, if a critical windows file, I would choose "ignore" or "block" and then I would turn off the AV and submit the file to Virus Total, Jotti, etc. before deciding what to do next.

But the reason it wasn't finding a threat was because I had not allowed PG to allow WSAE to modify Explorer.exe. I allowed that and then I went to a file that is "malware" (a proof of concept that is detected now by all AV - dll.dll) and did a right click on demand scan of the file. It is very fast scanning which is nice but not essential. So, I finally got to see the "remove" box and window. I unchecked that and then it now thinks the file is safe! That is ridiculous. I want it to alert on that file EACH time and then I will decide what to do. There is no setting for this. There is for Avira 8 and 9. Avira 10 changed everything and many old-timers left the program at that point or continued to use the older, better versions of Avira. The way WSAE is set up reminds me of Avira 10 (12 I suppose also but I can't test it because it won't run on XP Pro SP2). There is too much clicking as the menu should be provided immediately. There is no "Ignore" setting. That is the setting I want. Ignore for now in other words but alert again later or ignore until reboot, or ignore for x number of minutes, etc. There should be some kind of "ignore" setting.

It didn't throw the file into a sandbox. What are you talking about? Infections occur after an executable is on the computer and ONLY when it is allowed to execute so I don't understand about "threads" - oh, I guess that was a typo and you meant "threats" - but still why would it put this file sitting on my computer into a sandbox when I told it to scan the file? That makes no sense. The file is not doing any harm. It is only if I decide to allow it to execute that harm may occur.

It appears to be mightily confused. Since I chose "allow", if I rescan the file it says no virus found, BUT then a few seconds later a slideup states that a virus has been found! That is both absurd and dangerous. There needs to be an "ignore for now" setting! THIS SERIOUS PROBLEM ALONE WOULD MAKE IT IMPOSSIBLE FOR ME TO USE OR RECOMMEND THIS AV. I think this AV is only for ignorant of computers users as there are no advanced settings and it works ok only if you leave it at default settings which are settings for those totally ignorant of computers.

Another question is why does it NOT alert IMMEDIATELY upon opening Explorer and getting anywhere near the infected files? I can put my mouse right on the file and it won't alert! I have to right click and choose scan with WSAE for it to notice there is a threat. I scanned a second infected file and it did the same weird thing: I had to choose allow because I don't want it deleted nor do I want it monitored and there is no ignore. A few seconds later, there was an alert slide up saying the file is infected. But when I went back and rescanned it because I told it to allow WSAE found nothing. However, a few seconds later, I got a second slideup saying it had found a virus in that file. This is dangerous and ridiculous. It can't make up its mind and it has bad settings since there is no Ignore. Plus, I don't understand the monitor thing. Why would I want a file "monitored"? Either I have a virus or I don't. There is no reason to "monitor" the file. If later, the virus definitions/heuristics/in the cloud whatever detect a virus but they don't now...well, my goose is still cooked if I believe the scanner that says the file is ok and then I let it run and get infected. How does "monitoring" make a difference in that hard fact?

I can't see where one would change the "allow" either if I were to change my mind. The Help file is one of the worst I have ever encountered. It requires you be online to view it (I HATE that sort of help file but there are a lot that are sloppy like that these days). I don't want a help file opening in a browser. It should be downloaded to disk and open on the computer. Plus, the help file when clicked on the ? does NOT open to the section where you clicked the ? Avira's opens directly to the help section that you were on when you clicked the ? With this help file, you have to stumble all over trying to find where the help is for the question you have!

The Help file is in an extremely tiny font, as are portions of the main GUI for WSAE. I can't read the settings for the modules without using a magnifying glass. My reading vision is perfect now so it is not "bad" eyesight. Somebody just really goofed with the font size both for the main GUI and the Help file. (They need to take a lesson from Avast 5 or 6 - don't know about 7 as I haven't tried it - as the Avast 5/6 Help file and configuration screens, etc. are the best I have ever seen for any AV and the font is a nice size, not tiny and unreadable). Anyhow, I can't find where I look on the GUI to see the last file scanned or where to change a decision like "allow". I did find, yesterday, where it is that you add exceptions for the scanners, but I can't find it again now. It is so painful to try and read that ultra tiny font they use that I won't look further. Besides, that help file displays in a grayish font, not crisp black, which may be because it is on a virtual machine running on VMWare Workstation 7. Surely the font is dark black on non virtual machines! Tiny font is bad enough but grayish instead of dark black makes it even harder to try to read.
--
When governments fear people, there is liberty. When the people fear the government, there is tyranny. Thomas Jefferson


Mele20
Premium
join:2001-06-05
Hilo, HI
kudos:4
reply to PrivacyExprt

said by PrivacyExprt:

said by Mele20:

Webroot has an extremely high false positive rate. What if it gets tainted definitions like Avast and Avira (and all of them have this happen at one time or another) and starts quarantining critical files? I was able to save my computer from total disaster when Avast had tainted VDF the first time because I had it configured to temporarily Block and then ASK me what to do.

I wanted to come back to a few things, I was heading off earlier, and really couldn't finish it off.

Webroot appears to not even use VDFs, rather it uses cloud analysis. So the scenario you present simply couldn't happen. This is just one reason I feel the VDF system is on its last legs. Now what I have seen already with Webroot is if a product has a very new update, such as a beta, then Webroot might flag it, toss it into monitoring until it can gather more evidence from the cloud over time. I don't see it ever doing what you describe above unless the cloud itself was globally compromised, and if that happened Webroot would be in serious trouble as a business.

In regards to not having options other than remove, if you uncheck remove, then click next, you are given options on how to handle the file. This seems like a logical progression of menus to me. I have provided a screenshot to illustrate this:

»xoom.cc/images/2012/06/05/rFtHG.jpg

With all due respect melee, I don't think you really understood how the product is supposed to operate. It does this differently than what most people are used to, but probably really darn effectively! I noticed on AVC it scored nearly 99% on detections without factoring anything other than the scanning aspect. My preliminary tests are indicating it would be *VERY* hard to infect a system with WSAE running on it. But I can't guarantee that without more testing.

For now, I am honeypotting it to help build their cloud database up to some pretty nice levels. I figure the more 0-day I toss into the cloud, the better everyone will be. That's something I really like compared to automated/blind VDF scanning which we know the limits of these days.

I don't know what using the cloud over virus definitions downloaded to the AV has to do with whether or not FP's could wreck the computer. Cloud detection can be just as disastrous if not more so as far as I see it (not to mention the privacy invasion of cloud detection. I am really surprised that someone who values privacy would use an AV that has cloud protection. I won't. I didn't realize when I installed it that it has all this cloud crap. I don't use anything in the cloud be it AV, Microsoft crap or any other crap that is based in the cloud).

I don't want an AV that does not alert on an infected file even if it evidently blocks the execution. I just tried to download the "eicar.com" file. It doesn't alert on mouse hover for one thing...most AV do. I clicked to download and the Fx download manager simply reported the download failed. I got NO report or alert from Webroot about it. That is weird. With the zipped eicar files, Webroot lets me unzip them and run them. It never alerts. It should alert as soon as WinRAR opens, before I try to extract.

It says it needs to run a scan to clean my computer. Not only can I not find again where to list exclusions but there is no way to configure the scan! How do you tell it to just scan drive C but not drives D, E, F and G? How do you tell it to not scan external drives, or to scan only the volume where your programs are downloaded to, or scan My Documents excluding all photos, etc?

I'm done playing with it. I will be installing GData on my new computer. (It is too much for this virtual machine which only has 1GB RAM but should be fine on a new computer with 12 or 16GB RAM).
--
When governments fear people, there is liberty. When the people fear the government, there is tyranny. Thomas Jefferson