pizz
bye bye twc. hello Comcast.
Premium
join:2000-10-27
Astoria, NY
Reviews:
·Time Warner Cable
reply to Mele20

Re: Unobtrusive Antivirus?

I sent Mele20 a PM, and she guided me to a great AV. It's GData. It's very light on the PC with this current build. So far so great here.
--
It's ok to say, 'I don't know'. It's even better when someone takes the time to explain what you, 'don't know'.


KitFox

join:2002-10-09
Denver, CO
kudos:1

1 recommendation

reply to MSE_fan

Of course I'm the same person. Please note the "Retired" portion on the community. So it's fully accurate that I do not work for them, and by default, ex-employees usually don't bother with their prior company's work unless they actually personally like it.

PDF Virus:
2010, PDF reader buffer overflow exploit causing execution of code within the PDF in the context of Adobe Reader (and Foxit at the time). So no, it is accurate that this PDF would not be seen by WSA. Nor would it work on updated copies of PDF readers. A user would need to explicitly have a vulnerable version of the PDF reader installed specifically to allow that "PDF Virus" to work. You really want your AV to scan for something that can't affect you unless you make an explicit effort to allow it to? It's less effort to just turn off the AV to allow an infection than to get a specific faulty version of a PDF reader and find a PoC malware item.

Either way, it's moot, because said PDF virus (and other JS/Java/PDF/Insert-TLA-Here exploits) has enough space within its framework to do minimal items within the buffer overflow context or the sandbox escape context. In this case, it replicates to other PDFs. In most cases, the goal is to bootstrap a larger payload by downloading and executing that payload. PE is downloaded and executed, which matches the "Checks PEs".

Persistent Cache:
Addresses your concern that the network has a constant, ongoing list of what is on your computer, since the data is no longer sent to the cloud.

Privacy:
Your lack of comprehension is disturbing. But I'll admit, text doesn't show sarcasm very well. "Possibly" is sarcasm.
How about this:
Can an agency subpoena MSE_fan for the color of Hillary Clinton's undergarments? Possibly.

They would need to give MSE_fan access to their security cameras to find out, but then they could see it themselves via the same cameras.

Make more sense now?

The testing agencies have already acknowledged that they cannot accurately test the detection rate on Webroot. So you can't quote any tests for detection rate.

Cheaper? Didn't know you were so broke. Hey, Avast is free and they were very excited when they were "As good as some paid AV".

Why would anybody take the risk? Because they're smart and they listen to smart people who have more experience than you saying it's not a risk.

I provide subscription computer services, flat rate. That means that when a threat gets by an AV on a computer under a subscription plan, I have more work to do and less profit, or sometimes cost beyond income for that machine. It doesn't take a lot of sense to see that in that case I want to put the most effective AV on the system as possible, because my livelihood is at stake. I've used everything, and I still allow customers to choose their own AV (though I very strongly push Webroot), however my contract includes a clause that if they are not using Webroot, after the second infection removal in a year, they will get a copy of Webroot for free from me to continue receiving the coverage for malware removal. After that, I see them only for regular tune-ups and check-ups and don't have to do any costly malware removals or full system restores.

With experience in the security industry since 1996 and seeing how everything works and working on thousands of machines and making a living from having good AV on customers' machines, I won't take the risk of using anything else. You can discuss PoCs and tests until your fingers fall off, but I know what works in reality across a huge set of systems, not just "My PC".

Feel free to risk your computer with other things, but I won't risk mine or my customers' systems.



MSE_fan

@rogers.com

Nice to hear that Kit from Webroot is the same person with KitFox from dslreports! Now everything makes sense.

If you make a living from computer services based on a flat rate, it makes sense to recommend WSA; as per their advertising they will disinfect the PC for free, so all you have to do is transfer the work from your shoulders to Webroot's employees' shoulders.

I am somehow convinced that if you had informed your customers in an open way about privacy issues with WSA, many of them would have been reluctant to accept it on their PC. (I hope you will not get in any trouble if they read this.)

Funny thing: every time I argue with somebody about WSA, either “20-30-40 years experience in programming” or “thousands of PCs” are thrown into the picture.

I do not have “thousands” of PCs to manage, only 3; I have MSE4 (free) + MBAM (one-time pay) + PCToolsFirewallPlus+; never had an infection on any of them.

So, why would I pay $49/year for WSA (Best Buy) and have my PC exposed naked to the cloud or whoever is behind the cloud?


KitFox

join:2002-10-09
Denver, CO
kudos:1

1 recommendation

I'm faster at malware removal because I used to do it for Webroot and it's a lot easier to be physically at the computer. But regardless, they don't call Webroot to get it done for free either. They just don't get infected.

I advise every single one of them of the privacy information. I provide them with a copy of the EULA ("We don't care about your stuff, we don't look at your stuff, we don't store your stuff, we don't use a list of your stuff for anything or give it to anybody"), point out the MD5s in the logs, and point out that we absolutely know that the cloud gets a list of those MD5s and can associate them with a computer if somebody gets, decrypts, and provides the MID off the computer to the company with a subpoena. Not a single person has a problem with it. I work with normal people, not paranoid folks.

While I can't say 20, 30, 40 years of experience, I can give proof to information security experience since early 1996. Ahh, the old days when Back Orifice was one of the premier threats and people made malware for fun and bragging rights. *Nostalgiaficates all over* Now the malware is all about profit and a heck of a lot more complicated. A good chunk of the old stuff won't even run on contemporary systems at all. Now it's gotten into MBR infections, hidden partitions, kernel drivers, and even BIOS infections. Integrated ADB to infect phones that are plugged in, dropping code on and reconfiguring routers, and all sorts of other fun stuff. Prior to 1996 it was school daze with nothing prior to Apple IIe at school around 1985 or so, then teaching Apple Logo and some IBM PCs to my class around 1986. That was fun. First Tandy computer in 1989. Yay for 8088 CPUs and memory in the sub-megabyte range. 720K floppy disks and swap out several to load Deskmate. Then an upgrade to a Tandy 1000 RL/HD in 1992 IIRC.

I also don't see why you consider this an argument. If you take that attitude, then you're going into it all wrong. You bring up what you see as valid concerns and they are addressed in return. An argument stems from unrectifiable differences of opinion and a desire to try to damage the other with one's opinion. I'll point out facts when you have some incorrect and try to assuage concerns you may have, but I'm not specifically trying to get you personally to use Webroot. No need to bash it based on inaccuracies though.

The reason I point out the thousands of seats is because while you can point out that your three PCs have not been infected with your choice of solutions, I can point out that when the sample size is larger, the numbers change. Otherwise it's like claiming that because you yourself have never been hit by a car while walking across the street, nobody ever is.

MBAM: Highly sensitive to "new threats" but also very touchy. In actual removal work, it has missed a tremendous amount of things (which I then remove by hand) and has displayed a habit of damaging systems with overzealous removal. Legitimate software accidentally looking at it funny is frequently bent over and killed. While it makes a very good quick recommendation for free help for infected machines, I've always viewed it like throwing powerful antibiotics at an undiagnosed illness. It can do a great job, but it can also miss or mess things up. I'd trust Avast or MSE for realtime better and only use free MBAM if there are no other options at the time or for doing a quick pre-sweep of something that replicates furiously in a non-expendable directory.

MSE: Free stuff, which has that benefit. Highly targetable, and the best threats out there have writers who need no special investment to ensure that their malware evades it. A careful rollout of targeted malware gets past MSE no problem. If the malware hits a distribution of 1000 copies and is not detected for two weeks, chances are it never will be unless it becomes epidemic. Definitely better than nothing at all though and not ineffective, but also not as light and not as good for my uses.

PCTFWP: It's a firewall. You can still use it with WSA.

Why would you pay $49.95 a year from Best Buy? I dunno. I wouldn't. The same thing is $29.99 from Webroot directly, and then you can get three years at once as well. Discounts on the site are not uncommon and AV-only is $39.99 regular price. I did recommend AV-only.

Why would you get it at all? You personally might not. If you have a solution you are satisfied with and it works, then stick with it. Change is scary, remember? However somebody who recognizes that Webroot is a set of "good guys" and doesn't expose their data any more than any other solution can, works exceptionally well, and takes up almost no local resources... and is willing to not poke it with a stick XD... will likely use it. They want something more proven-effective and lighter than MSE with a guarantee of removal for free and less-militant and more effective than MBAM and less-complex than dealing with three things at once.

Assuming you allow MSE and MBAM to update their own definitions though, how do you know that your data will never be taken by MBAM or MSE and sent to their network systems? That's all "the cloud" is. Network computer resources. It's a way of saying the definitions are stored there and your tiny list of content hashes is sent there for checking against the huge list instead of being checked against a much-smaller list locally.

Are you always installing definitions from downloads on another computer copied to the computer in question and placed in manually? Are you blocking the other AV from touching the internet at all? If not, it's trivial for them to, under subpoena or court order or as they desire, send up a quick list of the data you're worried about the cloud getting.
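The post above describes the mechanism at issue (a short list of MD5s leaves the machine and is checked against the service's large list, with a persistent local cache so nothing is re-sent) and the privacy question that follows from it. The script below is an added example for this thread, written by the editor; it is not Webroot's code, protocol or data format. The endpoint files, the "cloud" reputation database, the machine id and the verdict strings are all constructed so it runs offline. It shows what an agent of this design actually transmits, why a second scan of unchanged files sends nothing, and what the service can and cannot reconstruct from the (machine id, hash) log it keeps.

```python
"""Hash-based cloud lookup with a persistent local cache (added example,
not Webroot's code). All data below is constructed for illustration."""
import hashlib
from typing import Dict, List, Optional, Tuple

# Constructed endpoint: path -> file bytes. Only MD5s ever leave the machine.
ENDPOINT_FILES: Dict[str, bytes] = {
    r"C:\Windows\System32\notepad.exe": b"MZ... notepad.exe (constructed)",
    r"C:\Users\me\Documents\taxes-2012.xlsx": b"PK... private spreadsheet (constructed)",
    r"C:\Users\me\Downloads\setup.exe": b"MZ... unknown installer (constructed)",
}

# Constructed cloud reputation database: MD5 -> (verdict, catalogue name).
CLOUD_DB: Dict[str, Tuple[str, str]] = {}
# What the service retains from every lookup: (machine id, MD5).
CLOUD_LOG: List[Tuple[str, str]] = []


def md5_hex(data: bytes) -> str:
    """MD5 of file content, the value the thread says shows up in the logs."""
    return hashlib.md5(data).hexdigest()


CLOUD_DB[md5_hex(b"MZ... notepad.exe (constructed)")] = ("good", "notepad.exe")
CLOUD_DB[md5_hex(b"MZ... known dropper (constructed)")] = ("bad", "Trojan.Dropper.Sample")


def cloud_lookup(machine_id: str, hashes: List[str]) -> Dict[str, str]:
    """Service side: record (machine id, hash) and return a verdict per hash."""
    verdicts: Dict[str, str] = {}
    for h in hashes:
        CLOUD_LOG.append((machine_id, h))
        verdicts[h] = CLOUD_DB.get(h, ("unknown", ""))[0]
    return verdicts


class Agent:
    """Endpoint agent with a persistent cache of MD5 -> verdict.

    A hash already in the cache is never re-sent, so after the first scan the
    service learns nothing new about files that have not changed."""

    def __init__(self, machine_id: str, cache: Optional[Dict[str, str]] = None):
        self.machine_id = machine_id
        self.cache: Dict[str, str] = dict(cache or {})
        self.sent: List[str] = []          # every hash transmitted, for auditing

    def scan(self, files: Dict[str, bytes]) -> Dict[str, str]:
        path_to_md5 = {path: md5_hex(data) for path, data in files.items()}
        misses = sorted({h for h in path_to_md5.values() if h not in self.cache})
        if misses:                          # only cache misses go to the cloud
            self.cache.update(cloud_lookup(self.machine_id, misses))
            self.sent.extend(misses)
        return {path: self.cache[h] for path, h in path_to_md5.items()}


def what_cloud_can_learn(log: List[Tuple[str, str]],
                         db: Dict[str, Tuple[str, str]]) -> Dict[str, Dict[str, List[str]]]:
    """The privacy question in the thread: joining the retained log to the
    catalogue tells the service which *catalogued* files a machine id has.
    The hash of anything not in the catalogue stays an opaque string."""
    out: Dict[str, Dict[str, List[str]]] = {}
    for machine_id, h in log:
        entry = out.setdefault(machine_id, {"identified": [], "opaque": []})
        if h in db:
            entry["identified"].append(db[h][1])
        else:
            entry["opaque"].append(h)
    return out


if __name__ == "__main__":
    agent = Agent("MID-constructed-0001")
    print(agent.scan(ENDPOINT_FILES))       # first scan: three hashes sent
    agent.scan(ENDPOINT_FILES)              # second scan: all served from cache
    print("hashes transmitted:", len(agent.sent))
    print(what_cloud_can_learn(CLOUD_LOG, CLOUD_DB))
```

Running it, the spreadsheet's hash is transmitted but the service can only label it "unknown"; the one file it can name is the one already in its catalogue. That is the trade-off the post describes: presence of known files is learnable from the log plus a machine id, file contents are not, and the cache bounds how often the list is sent at all.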


sparky57

join:2003-05-18
New Bedford, MA
reply to jaykaykay

Agree with you on that jkk. I use it and it stays out of my face.


grreyeyezz

join:2002-01-05
Cleveland, OH
reply to joako

I just dumped Avast and went back to Avira. Boy, did Avast slow my browsing down with all those shields; way overrated.



CylonRed
Premium,MVM
join:2000-07-06
Bloom County
reply to tmaertin

said by tmaertin:

One trick - to prevent those annoying ads to buy from coming up in the free version, you can block the .exe's that run ads from running (avnotify.exe and ipmgui.exe in the Program Files\Avira folder).

I still can't get any of these methods to work in Win 7 Pro 64 bit with the newest Avira. Started last year with XP, even local policy does not stop the popups (disallow both exe's) and the registry edit to prevent the popups - tried it today and it does not work either. Really getting irritating as the popups seem to be more frequent.
--
Brian

"It drops into your stomach like an Abrams tank... driven by Roseanne Barr..." A. Bourdain

Mele20
Premium
join:2001-06-05
Hilo, HI
kudos:5
reply to grreyeyezz

said by grreyeyezz:

I just dumped Avast and went back to Avira. Boy, did Avast slow my browsing down with all those shields; way overrated.

Why didn't you uninstall the shields you didn't want? Or at least disable them. I always used ONLY real time and on demand and the network shields. Avast was light and fast (it still had a ton of FPs... serious ones... and that is why I stopped using it).
--
When governments fear people, there is liberty. When the people fear the government, there is tyranny. Thomas Jefferson


jmorlan
Hmm... That's funny.
Premium,MVM
join:2001-02-05
Pacifica, CA
kudos:4
reply to KitFox

said by KitFox:

@JMorlan:
It will definitely cause problems with CSS and JS in Firefox if you run the System Cleaner (Complete feature) with Firefox running and ignore the message that says to shut down Firefox. In fact, most of the problems you describe are Complete functionality. The Toolbar (password management, LastPass-based), asking about cookies (you deleted them with the Cleanup), etc. To recover Firefox CSS/JS stuff, simply clear the cache from within Firefox. Then don't run System Cleaner with Firefox running.

Deleted autorun? It won't delete autorun.inf files unless something it considers to be a threat makes them.

I have seen exactly three true FPs on any of several thousands of systems that I have managed, and all of those were easy to understand as VT showed over 50% positives on the files in question. And yes, it does quarantine things recoverably. If it "deletes" something related to cleanup, restoring the item that was the origin will also restore the deleted data fully.

It does not change any browser settings at all other than attempting to install the LastPass-based password toolbar -IF- and -WHEN- you go into the agent and tell it to, and that only in the Internet Security and Complete versions. I specifically recommend only the AV version in your case, and don't assume that something is an FP unless you wrote it yourself. Otherwise, just shoot a message to support. I've had complaints about FPs that were easy to show as not FPs when I looked at them.

I did specifically say "The AV version", and I said "Install it and forget it". Instead, the Complete version was installed and then poked at tremendously with apparently an incomplete understanding of what the user was doing.

Easy solution here: Get AV-only. Even a trial. Less expensive, doesn't install a Toolbar, doesn't clean up Firefox and allow you to ignore the message that says to shut down Firefox before running the cleanup, otherwise there could be problems. And check on those claimed FPs, because they may not be.

At the same time, I can't say that everything will work perfectly for everybody. Heck, I even disable the ID shield on -MY- copy of Webroot because it has some annoying side effects otherwise with the combination of things I run.

If you would like direct advice on "Do this, don't do this, there, you're good to go", feel free to let me know. In summary:
- Get AV-Only
- Install
- Turn off ID Shield if you use a lot of stuff that messes with the keyboard (fake keystrokes, macros, etc.) or mouse or screenshots. Or just if you want to be happier, since I have been driven absolutely nuts by the ID shield since the product was first released.
- Don't touch it
-- If it detects something that you swear is an FP, restore from quarantine if you're brave and submit a support ticket for it to be resolved in a few hours at most.

Either way, regardless of what people claim on here, I will continue to install it on several hundred to several thousand consumer and enterprise endpoints per week because it makes my life and other peoples' lives a heck of a lot easier. I will not stop just because of a bad experience due to what matches the fingerprint of user error, and every AV can be made into a nightmare by user error.

A lot of points there, and not easy to respond to all of it, but we were talking about an UNOBTRUSIVE antivirus and you recommended

quote:
Webroot SecureAnywhere. Least intrusive, period. Set, forget, and it just works.
You did not specifically recommend the AV only version. You did mention something about the AV having an "egress firewall extender." It turns out that there are three different products all called "SecureAnywhere." At this point I'm not sure exactly which one I tested.

You are undoubtedly correct that many of my Firefox problems were caused by running a cleanup while Firefox was open. However, I did not "ignore warnings." There were no warnings that I saw. If there were warnings, they were buried somewhere and not immediately obvious to me, a new user. On the other hand, the auto blocking of cookies by default was extremely annoying and the popups to allow cookies were very intrusive and I certainly noticed them.

As I said, a toolbar was installed silently in IE and with permission in Firefox. It seemed to be unaware that I already had "LastPass" installed on both of those browsers. Clearly the toolbars were redundant over what I already had. Furthermore I will bet that redundancy was part of the cause of the problems I encountered even before I ran a cleanup.

The false positives were definitely false positives as far as I am concerned. Webroot claimed they were Trojans which they were not. They may have been somewhat dodgy in other ways, but they were definitely not trojans as claimed. Claiming a trojan when a file is actually better classified as "potentially unwanted software" is a false positive as far as I am concerned.

You say the files could be restored from quarantine. I never found any quarantine in the program, nor was it immediately obvious how to restore any of the files that appeared to be deleted. Perhaps I should have read the manual, but we were talking about a set-and-forget unobtrusive AV. I really didn't want to spend a lot of time going into settings. When I uninstalled the program, there was no option to save anything from quarantine. I'm not convinced the program ever set up a quarantine at all. If it did, I was not made aware of it.

Yes, it deleted without warning both autorun.inf files from my external hard disks. You can believe me or choose not to believe me, but those files were there before I installed the program and gone after I removed it. I seriously doubt there was some other program that removed those files.

Heck even the code for the trial didn't work at first. Trying to make it work, it turned out that a lot of users have reported the same problem. They have to contact support when their key doesn't work.

I'm not saying it's a bad program or a good program. I didn't run it long enough to say either way. I am saying that for me it was not "unobtrusive," nor was it "set-and-forget."

Anyway, that's my story and I'm sticking to it.
--
"It turns out we're very good at not seeing things" - Jack Hitt

KitFox

join:2002-10-09
Denver, CO
kudos:1

1 recommendation

said by jmorlan:

You did not specifically recommend the AV only version. You did mention something about the AV having an "egress firewall extender." It turns out that there are three different products all called "SecureAnywhere." At this point I'm not sure exactly which one I tested.

One is called "SecureAnywhere Antivirus", one is "SecureAnywhere Internet Security Plus" and one is "SecureAnywhere Complete". I was under the impression that the combination of my mention of the antivirus specifically plus your request for AV specifically would be sufficient for you to interpolate your personal desires and click on the Antivirus version.

The one you tried to get the results you describe would be "Complete".

said by jmorlan:

You are undoubtedly correct that many of my Firefox problems were caused by running a cleanup while Firefox was open. However, I did not "ignore warnings." There were no warnings that I saw. If there were warnings, they were buried somewhere and not immediately obvious to me, a new user. On the other hand, the auto blocking of cookies by default was extremely annoying and the popups to allow cookies were very intrusive and I certainly noticed them.

The FireFox cleaning would require you to actively open the agent, click the System Tools tab at the top, and click the "Clean Up Now" button. At that point, if "Mozilla Firefox - Cached Files" is selected under the Applications section of System Cleaner Settings (which it is by default), it should pop up a warning advising you to close Firefox before clicking OK to run the cleanup.

SecureAnywhere makes no changes whatsoever to cookie settings in any browser. However if you have Internet Explorer set to prompt for cookie handling separately and also modify the system cleaner settings in SecureAnywhere to delete IE cookies followed by running a cleanup, then you will get re-prompted for the cookies you just deleted.

said by jmorlan:

As I said, a toolbar was installed silently in IE

Which puts your IE version quite out of date, as standard Windows updates made that impossible.

said by jmorlan:

and with permission in Firefox. It seemed to be unaware that I already had "LastPass" installed on both of those browsers. Clearly the toolbars were redundant over what I already had. Furthermore I will bet that redundancy was part of the cause of the problems I encountered even before I ran a cleanup.

Strange. When I install it on a system with LastPass installed, the Webroot-branded LastPass toolbar refuses to install because there is a copy of LastPass there already. Did you have a broken LP TB or something that couldn't be detected by the branded installer?

said by jmorlan:

The false positives were definitely false positives as far as I am concerned. Webroot claimed they were Trojans which they were not. They may have been somewhat dodgy in other ways, but they were definitely not trojans as claimed. Claiming a trojan when a file is actually better classified as "potentially unwanted software" is a false positive as far as I am concerned.

What precisely do they do to the system (in detail), and do they do exactly what they claim and no more? Do they hide anything behind a false premise or hide details in an obscure place?

said by jmorlan:

You say the files could be restored from quarantine. I never found any quarantine in the program, nor was it immediately obvious how to restore any of the files that appeared to be deleted. Perhaps I should have read the manual, but we were talking about a set-and-forget unobtrusive AV. I really didn't want to spend a lot of time going into settings.

To double-check, I had my dad look for the quarantine. He's in his late 70s and has trouble with tech of all types. He looked at the overview tab, clicked on PC Security (the second tab), noted the word "Quarantine" on the left and clicked on it, then clicked on the really-obvious "View Quarantine" button. It took him 15 seconds and he never looks at the program normally.

said by jmorlan:

Yes, it deleted without warning, both autorun.inf files from my external hard disks. You can believe me or chose not to believe me, but those files were there before I installed the program and gone after I removed it. I seriously doubt there was some other program that removed those files.

Now I wonder what you did to achieve that or what was in those files. I tested my installation with autorun files on thumb drives, main hard drives, external HDDs, and even on a hot-swap bay drive and it never got touched.

said by jmorlan:

Heck even the code for the trial didn't work at first. Trying to make it work, it turned out that a lot of users have reported the same problem. They have to contact support when their key doesn't work.

Under normal circumstances, keys generated by the trial system are sent to the licensing system once per minute on the turn of the minute. Since the download takes a few seconds and a fast person can enter the key quickly, there is a chance for that to occur normally. However I am curious where you found "a lot of users have reported the same problem". Cite your source?

said by jmorlan:

I'm not saying it's a bad program or a good program. I didn't run it long enough to say either way. I am saying that for me it was not "unobtrusive," nor was it "set-and-forget."

Anyway, that's my story and I'm sticking to it.

Understandable. There is no program in existence that is impossible for a user to cause problems with somehow. Which is why I offered basic advice (Get AV. Don't poke it.) and the offer for more advanced advice should you want it. *Shrugs* This is why I prefer to work with people face to face. I install it or give them explicit instructions and they're happy.


jmorlan
Hmm... That's funny.
Premium,MVM
join:2001-02-05
Pacifica, CA
kudos:4

1 edit

It's been over a week since I tested this thing. I don't remember the files that got deleted or exactly what they were, but I do remember checking them against VirusTotal and Jotti and they were false positives as far as I'm concerned. Anyway they are gone off my system so I cannot investigate them any further. If you believe they were Trojans because they were flagged by Webroot, there's not much I can say to convince you otherwise at this point.

You say I'm running an old version of IE. Actually I am running the current release version of IE, but I rarely use it. I just launched it to check the version and got a pop-up saying "The 'Webroot Toolbar' from an unknown publisher is ready for use. - Enable -- Don't Enable."

So the toolbar was installed without my permission, but it was not enabled. I did not want this thing installed at all. I wanted it gone. Heck I removed the software over a week ago and the toolbar is still there waiting to be enabled. Sorry, but that's not nice. Again, LastPass is already installed in IE. There is nothing broken or unusual about my LastPass installation. It works just fine.

And please don't blame me because your program deleted my autorun.inf files on both external drives. You wondered what was in them. Here they are...

[autorun]
icon=FreeAgentDesktop.ico

[autorun]
icon=wdlogo.ico

Hardly malicious.
--
"It turns out we're very good at not seeing things" - Jack Hitt
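The two autorun.inf files posted above contain nothing but an icon= line, which is what makes their removal hard to justify. The script below is an added example for this thread, written by the editor; it is not Webroot's detection logic or anything the thread's participants ran. It reads an autorun.inf and separates purely cosmetic keys (icon=, label=) from directives whose value is a program to launch (open=, shellexecute=, shell\<verb>\command=), which is the distinction a reviewer would apply when asked whether such a file deserved to be flagged. The first two samples are the files quoted in the post; the third is constructed to show what a file with launch directives looks like.

```python
"""Triage an autorun.inf: cosmetic entries versus entries that launch code
(added example, not Webroot's detection logic)."""
from typing import Dict, List, Tuple

SAMPLES: Dict[str, str] = {
    # The two files posted in the thread, verbatim.
    "FreeAgent drive (posted above)": "[autorun]\nicon=FreeAgentDesktop.ico\n",
    "WD drive (posted above)": "[autorun]\nicon=wdlogo.ico\n",
    # Constructed sample: names a program under every launch directive.
    "constructed launcher": (
        "[AutoRun]\n"
        "icon=drive.ico\n"
        "open=setup.exe\n"
        "shellexecute=setup.exe\n"
        "shell\\open\\command=setup.exe\n"
    ),
}

# Keys that only affect how Explorer draws the drive.
COSMETIC_KEYS = {"icon", "label"}
# Keys whose value is a program to run when the drive is opened or AutoPlayed.
EXEC_KEYS = {"open", "shellexecute"}


def parse_autorun(text: str) -> List[Tuple[str, str, str]]:
    """Minimal INI reader returning (section, key, value) with section and key
    lower-cased; blank lines and ';' comments are skipped. Hand-rolled so that
    duplicate keys and backslashes in key names (shell\\verb\\command) survive."""
    entries: List[Tuple[str, str, str]] = []
    section = ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        key, sep, value = line.partition("=")
        if sep:
            entries.append((section, key.strip().lower(), value.strip()))
    return entries


def is_exec_directive(key: str) -> bool:
    """open=, shellexecute=, and shell\\<verb>\\command= all name a program."""
    return key in EXEC_KEYS or (key.startswith("shell\\") and key.endswith("\\command"))


def triage(text: str) -> Tuple[str, List[str]]:
    """Return (verdict, evidence).

    'cosmetic-only': nothing beyond icon=/label=.
    'review': keys such as action= or shell= that steer AutoPlay but run
              nothing by themselves; listed so a human can look.
    'executes-code': at least one directive names a program; those are returned."""
    entries = [e for e in parse_autorun(text) if e[0].startswith("autorun")]
    exec_hits = [f"{k}={v}" for _, k, v in entries if is_exec_directive(k)]
    if exec_hits:
        return "executes-code", exec_hits
    other = [k for _, k, _ in entries if k not in COSMETIC_KEYS]
    if other:
        return "review", other
    return "cosmetic-only", []


if __name__ == "__main__":
    for name, text in SAMPLES.items():
        print(f"{name}: {triage(text)}")
```

Both posted files come back as cosmetic-only; the constructed one is reported with each launch directive it carries. The section filter keeps architecture-specific sections such as [autorun.alpha] in scope, and unknown keys are surfaced for review rather than silently accepted.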



jaynick
lit up
Premium
join:2001-02-06
Sterling Heights, MI
kudos:2

1 recommendation

reply to siljaline

Another vote for Eset. Been using it since Ver. 2.7, light and nary an issue.
