
claudiubotez

join:2009-06-28

Webroot SecureAnywhere scanning PC - suspiciously fast....

I would be interested in a second opinion...

My whole PC (>120Gb) is being scanned in less than 90sec. This seems suspiciously fast, so I decided to "hide" a malicious file in different files and folders and to rescan the whole PC and see the results.

To my surprise in most of the situations (5 from 7) Webroot SecureAnywhere reported NOTHING after a FULL computer scan even though on "Context Scan" (right click scan) on that particular folder Webroot Antivirus detected that particular executable as a malicious one.

The executable is "Ardamax keylogger" (a PUP, not malicious) from "http://www.ardamax.com/download.html" and the detection is in Quarantine as "c:\users\claudiu\appdata\local\microsoft\windows\temporary internet files\low\content.ie5\as8hq1ck\install_akl[1].exe"

I am eager to hear an explanation about "not quite full" PC scan.

Thanks,
Claudiu


claudiubotez

join:2009-06-28

just to be clear...


Trel
Good Evening
Premium
join:2002-10-08
Hillsborough, NJ
reply to claudiubotez



rcdailey
Dragoonfly
Premium
join:2005-03-29
Rialto, CA
Reviews:
·Time Warner Cable

1 edit
reply to claudiubotez

Sounds as if you might want to check the configuration of the full scan--what targets, are folders included, etc.

I'll add that if it is called a "full" scan and it is really by default only a partial scan, then it should be called a "partial" scan or a "quick" scan or something similar. Other products use that sort of nomenclature when they don't mean "full."
--
It is easier for a camel to put on a bikini than an old man to thread a needle.


redwolfe_98
Premium
join:2001-06-11
kudos:1
Reviews:
·Time Warner Cable

4 edits
reply to claudiubotez

said by claudiubotez:

I decided to "hide" a malicious file in different files and folders and to rescan the whole PC and see the results.

To my surprise in most of the situations (5 from 7) Webroot SecureAnywhere reported NOTHING after a FULL computer scan even though on "Context Scan" (right click scan) on that particular folder Webroot Antivirus detected that particular executable as a malicious one.

The executable is "Ardamax keylogger" (a PUP, not malicious) from "http://www.ardamax.com/download.html" and the detection is in Quarantine as "c:\users\claudiu\appdata\local\microsoft\windows\temporary internet files\low\content.ie5\as8hq1ck\install_akl[1].exe"

I am eager to hear an explanation about "not quite full" PC scan

if it was me, i would use the "eicar.com" test-file, for testing, or, under some circumstances, i would use "trojan simulator", from "misec", instead, for testing.. or, if i wanted to use real malware, for testing, i would use real malware, not a legitimate keylogger that may not be flagged since it is legitimate software..

the detection is in Quarantine as "c:\users\claudiu\appdata\local\microsoft\windows\temporary internet files\low\content.ie5\as8hq1ck\install_akl[1].exe"(?)

if the file has, somehow, been "quarantined", that may be another reason for its not being flagged..

i think your testing methodology is wrong.. did you actually install the ardamax keylogger? my guess is no, that you did not actually install the ardamax keylogger and that you are using the program's "installer", for testing.. you might not get the same results when using the program's "installer" rather than using the program's actual files, not to mention that the program is legitimate and therefore may not be flagged.. besides, when you say the file is "quarantined", that seems like another problem as far as your testing goes..

as far as secureanywhere's fast scanning, i suppose that that is because it just checks files' "MD5" signatures, or something like that.. i don't see a problem with its having fast scans, particularly if nothing is flagged.. (if something was actually flagged as being suspicious, it may take longer to process)..

so, if you are going to try to test the "secureanywhere" program, i think you should have a better methodology, like using an actual test-file or real malware, not a "PUP" which is a legitimate program, and not an "installer" for a "PUP", which may not be flagged, regardless.. (and not a file that is in "quarantine")..

i think that if you have any questions or issues regarding "secureanywhere", you should talk with someone from "webroot" about it.. they probably can clear up any concerns that you have..

p.s. claudiu, something else that i thought of.. if you scanned your computer with "secureanywhere" and it flagged a file, and you clicked "ignore", it may not flag the file again, after that, when running scans.. what i am talking about is maybe the file's "MD5" signature is already in the database and, so, the secureanywhere program thinks that the file is OK, since it is in the "MD5" database.. that could be an issue..

also, it may be that the normal scans check "MD5" signatures while, on the other hand, when running scans from the context menu, maybe "MD5" signatures are not used, and that is why the file is flagged when scanned from the "context menu" while not being flagged when running a normal scan (when the file's "MD5" signature is already in the secureanywhere's MD5-signature database)..
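
A repeatable version of the coverage test discussed in this thread, using the EICAR test file suggested in the post above. This is an added example, not part of any poster's message; the file name `scan_coverage_test.com`, the directory list and the status labels are assumptions made for illustration.

```python
import hashlib
import tempfile
from pathlib import Path

# Standard 68-byte EICAR test string, split so this script is not itself flagged.
EICAR = (r"X5O!P%@AP[4\PZX54(P^)7CC)7}$"
         + "EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*").encode("ascii")
DIGEST = hashlib.sha256(EICAR).hexdigest()

def plant(dirs, name="scan_coverage_test.com"):
    """Write the test file into each directory; return {path: planted_ok}."""
    manifest = {}
    for d in dirs:
        target = Path(d) / name
        try:
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_bytes(EICAR)
            manifest[str(target)] = True
        except OSError:
            # A real-time shield may block the write before any scan runs.
            manifest[str(target)] = False
    return manifest

def audit(manifest):
    """After the on-demand scan, classify every planted path."""
    report = {}
    for path, planted in manifest.items():
        p = Path(path)
        if not planted:
            report[path] = "blocked-on-write"
        elif not p.exists():
            report[path] = "removed"          # quarantined or deleted
        else:
            try:
                same = hashlib.sha256(p.read_bytes()).hexdigest() == DIGEST
            except OSError:
                report[path] = "locked"       # held by the scanner
                continue
            report[path] = "missed" if same else "modified"
    return report

def coverage(report):
    """Return (handled, total, missed_paths)."""
    missed = sorted(p for p, s in report.items() if s == "missed")
    return len(report) - len(missed), len(report), missed

if __name__ == "__main__":
    # Constructed demo: seven locations, two removed by hand to stand in for a scan.
    with tempfile.TemporaryDirectory() as root:
        m = plant(Path(root) / f"loc{i}" for i in range(7))
        for path in list(m)[:2]:
            Path(path).unlink()
        print(coverage(audit(m)))
```

Run `plant()` before the scan and `audit()` after it; paths reported as "missed" are the locations the on-demand scan did not act on, which separates scan scope from questions about whether a particular PUP is flagged at all.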

clocks11

join:2002-05-06
00000
Reviews:
·Comcast
reply to claudiubotez

First WSA is not snake oil. Dumb comment by someone that is uninformed.

The new Webroot is based off of Prevx. Its scan checks processes running in memory, and a few critical areas. Scans that take about a minute are normal, similar to Hitman Pro.

If you were to try to run the virus file, more likely than not, WSA would scan it on execution and quarantine it. If you want to check, load up a virtual machine and try it.



Triple Helix
Go Blue Jays Go
Premium
join:2007-07-26
Oshawa, ON
kudos:7
Reviews:
·Rogers Hi-Speed

1 recommendation

reply to claudiubotez

Claudiu what's up are you not happy with Kit's reply at the Webroot Community Forums? »community.webroot.com/t5/Webroot···632#M214

TH

--
Triple Helix - Microsoft® MVP Consumer Security 2012
VIP Member Of ASAP - (Alliance of Security Analysis Professionals™)
Official Webroot SecureAnywhere (Prevx) Support Forum Helper!
(H59 Clan)


claudiubotez

join:2009-06-28

I just want a "nonWebroot" point of view about the whole issue....
After I bought several licences and I had an opportunity to test it, Webroot SecureAnywhere is almost too good to be true...

I do not believe in "overnight revolutionary approaches" especially in this highly competitive industry - PC security - with big / famous players.

As I said when I press "Scan my PC" I expect that the whole PC will be scanned and not only several files and after that we can claim "the fastest antivirus"

Is not fair for users and sooner or later they will figure out what, in fact, "revolutionary approach" means; let's pretend that we scan the whole PC but scan only here and there (yes, we know better where viruses can be!!!) and...tada!!!!! only 90 sec.

Claudiu



Triple Helix
Go Blue Jays Go
Premium
join:2007-07-26
Oshawa, ON
kudos:7
Reviews:
·Rogers Hi-Speed

It's based on Prevx Technology that's been out since 2004 so Webroot has Acquired Prevx back in Nov 2010 and now Webroot has improved upon it so it's nothing new as I have been using Prevx myself since 2004! Have a read: »www.webroot.com/En_US/pr/momentu···110.html

»www.pcmag.com/article2/0,2817,2392059,00.asp

TH

--
Triple Helix - Microsoft® MVP Consumer Security 2012
VIP Member Of ASAP - (Alliance of Security Analysis Professionals™)
Official Webroot SecureAnywhere (Prevx) Support Forum Helper!
(H59 Clan)


Triple Helix
Go Blue Jays Go
Premium
join:2007-07-26
Oshawa, ON
kudos:7
Reviews:
·Rogers Hi-Speed
reply to claudiubotez

Also if you want to do a full system scan Open the GUI>PC Security>Custom Scan>And put the dot on FULL! But as Kit was saying there is no need to if the Malware executes it will be blocked and depending on your settings will be Automatically Quarantined!

TH

--
Triple Helix - Microsoft® MVP Consumer Security 2012
VIP Member Of ASAP - (Alliance of Security Analysis Professionals™)
Official Webroot SecureAnywhere (Prevx) Support Forum Helper!
(H59 Clan)




Todd Sloan

@switchvpn.com
reply to claudiubotez

said by claudiubotez:

I just want a "nonWebroot" point of view about the whole issue....
After I bought several licences and I had an opportunity to test it, Webroot SecureAnywhere is almost too good to be true...

It's not, and it is as good as it claims - seriously. While I still think it needs improvements, it is ridiculous how effective it is at capturing threats everything else misses. I love how the deep scan is so fast because it means my clients scan their PC's MUCH more than other products. As noted, if you want to actually scan every file this is easy to change as well - but generally a useless gesture.

Webroot continues to grab threats, like this; »www.virustotal.com/file/871cb25c···9886598/

When the majority of other products fail. Again - while not perfect, it is a significant step in the right direction of technology! I cannot imagine Webroot NOT being the most powerful product of its kind in a few years if they keep up the good work. It's already one I would consider in the top 5 personally. When you can snag licenses for as low as $4.95 for 3 PC's at some of the reseller sites, it's the best deal out there too.


Name Game
Premium
join:2002-07-07
Grand Rapids, MI
kudos:7

2 recommendations

reply to claudiubotez

Re: Webroot SecureAnywhere scanning PC - suspiciously fast....

You know Claudiu, Over the last 4 years you have been posting at DSLR Security forum..each time it has been some fantastic bullshit story where you just go on and on about pretty much nothing..from your 100% security thingie and now you're whining about webroot..and posting the same thing in this forum as you have in the Manufacturer's forum and it was answered very well there..but you still dumped it at DSLR because you want a nonwebroot point of view.

I suggest you go back to your magnificent approach of 2010 you tried to "sell" and call it a day..

Claudiu:
"No, I am not! I have a subscription for AntiVir (1 year) , MBAM life time and Mamutu (4years) but I found Malware Defender 's
approach absolutely magnificent!!"

»Re: 100% pc security / different approach

As for this amazing fact you found that your current love is finished in 90 secs...the full scan they do is not revolutionary..many scan engines did the same thing starting 3 years ago..keeping track of the areas of your hard drive that were active since the last full scan..and then only scanning those areas the next time. And since the era of multi engine scans and unpackers the whole ball game changed..same holds true for defraggers and other silly tools out there.

So if you want to tell us you feel cheated cause you did not get what you expected because of the "wording" and how YOU interpreted the sales literature ..big deal..dump it , ask for your money back or live with it.. you are not telling most of us any new info that we did not already understand...but personally I think you're just posting the stuff for shits and giggles..and after your thread of 2010..most of us could care less if you ran with nothing or did a reformat/reinstall every day you hit the net. They are your boxes and you can do with them as you please.
--
Gladiator Security Forum
»www.gladiator-antivirus.com/


claudiubotez

join:2009-06-28
reply to Triple Helix

Re: Webroot SecureAnywhere scanning PC - suspiciously fast....

Hi TripleHelix,

See the answer given to Kit,please.

Thanks,
Claudiu



Name Game
Premium
join:2002-07-07
Grand Rapids, MI
kudos:7

2 recommendations

reply to claudiubotez

Re: Webroot SecureAnywhere scanning PC - suspiciously fast....

said by claudiubotez:

Hi TripleHelix,

See the answer given to Kit,please.

Thanks,
Claudiu



You still crack me up...you posted first this at dslr in this post..

»community.webroot.com/t5/Webroot···660#M219

Then you deleted it and left a message for triplehelix..like dslr is a messaging service for you ...ever try the IM thingie we have at this site. Daniel will be happy to talk to you in private there.
--
Gladiator Security Forum
»www.gladiator-antivirus.com/


Trel
Good Evening
Premium
join:2002-10-08
Hillsborough, NJ
reply to clocks11

said by clocks11:

First WSA is not snake oil. Dumb comment by someone that is uninformed.

The new Webroot is based off of Prevx. Its scan checks processes running in memory, and a few critical areas. Scans that take about a minute are normal, similar to Hitman Pro.

If you were to try to run the virus file, more likely than not, WSA would scan it on execution and quarantine it. If you want to check, load up a virtual machine and try it.

If a full scan misses something in the name of speed, then, yeah, kinda looking like snake oil.
--
/chown -R us:us /yourbase


ZapZap

@pressco.it

»community.webroot.com/t5/Webroot···660#M219

It seems that to whatever impolite and unfounded claim has been put forward, the WSA staff is responding in a very professional and constructive way. I would have not... lol. A big kudos for WSA staff for maintaining such a professional stand on the issue!!!!


Mele20
Premium
join:2001-06-05
Hilo, HI
kudos:5
reply to claudiubotez

LOL I can't stop laughing after reading Kit's ridiculous comment. THIS CRAP IS SNAKE OIL.

Kit just said that the on demand scanner is irrelevant. Ok. I tend to agree so why have it at all? What is revolutionary about SecureAnywhere's scanning? They are not the first AV to declare the on demand scanner irrelevant or to "adjust" how it scans so it is very fast. Gee, Kaspersky did this back in 2006 and just about got run out of town and tarred and feathered for it (but mostly because they lied about it and continued to lie when confronted with the truth and damage was caused to some people's hardware)...at least Kit is being honest.

Why doesn't Webroot just get rid of the on demand scanner? I found the same behavior in their AV program that is rated at the very bottom of all AV tested at AV-Comparatives in the last quarterly results. Webroot's programs rely almost entirely on the real time scanner. That is fine but why keep the on demand around then? I haven't used Avira's on demand scanner for a full scan since right after I got Avira over 5 years ago. I depend on Avira's Guard (the real time scanner) to protect me for the reasons that Kit talks about. A malicious file is not dangerous until you go to execute it and the real time scanner will catch it then. So, an on demand scanner is not needed and never has been needed for much of anything. I can think of one thing it is possibly useful for...to check files downloaded from questionable sites and you want the on demand scanner to catch anything malicious early on if you are unzipping a file as the on demand scanner (if really good) will catch it immediately, whereas, the real time scanner will sit there until it has been fully unzipped and will not peep until you actually go to execute it. That scares people and they want the detection earlier. That is why AV companies came up with the idea of webguard scanners which is plain silly and really slows the surfer down. I assume Kit is going to have Webguard removed from their AV also because he just said nothing is needed except the real time scanner.

If you insist on having an AV then just get one where you can uninstall all modules you don't need and keep only the real time scanner. With all the FP's that Webroot AV has it will save you a lot of headaches if you only used the real time scanner since Kit says it won't do anything unless the file is about to be executed. Avira real time scanner is far more sensitive than Webroot's...you open Explorer and it sounds off if there is a keylogger anywhere on the drive (Avira alerts on all keyloggers)....you don't have to go to the folder it is in, open the folder, and then try to execute it to get Avira Guard to go crazy. It would be nice if a Real Time scanner doesn't alert until the actual moment of execution as long as your nerves can take it. So, just get rid of the other stuff in Webroot's AV and keep only the real time scanner as that is what Kit is saying.
--
When governments fear people, there is liberty. When the people fear the government, there is tyranny. Thomas Jefferson



johndoe

@eggsolutions.com
reply to ZapZap

Seems like "unfounded claim" is quite founded.....



Name Game
Premium
join:2002-07-07
Grand Rapids, MI
kudos:7
reply to Mele20

AV's are irrelevant... a good clean hips is what most need when they click on every site link known to man..and visit free crap sites.

People have been putting up with AV marketing jive for years now..still remember when they all had a fart caught crosswise when Trojans hit the scene.." Hey that's a trojan..we are an AV company..we only do Virus" ..that mentality would make any sane person puke. Then malware hit the scene and they all went ballistic and the user had to put up with a trojan killer proggie, an AV, a malware killer, a dialer stopper, a firewall ( even firewalls with special rules )and any other fancy gizmo they could find..all competing for RAM that was maybe max at 1gig at the time..and then you had to turn all the stuff off if you were an on-line gamer..
--
Gladiator Security Forum
»www.gladiator-antivirus.com/



Triple Helix
Go Blue Jays Go
Premium
join:2007-07-26
Oshawa, ON
kudos:7
Reviews:
·Rogers Hi-Speed

1 edit
reply to claudiubotez

Re: Webroot SecureAnywhere scanning PC - suspiciously fast....

As I can't IM anonymous users Kit has a comment on the Webroot Community forums for Trel, Mele20, ZapZap and Name Game and for anyone that wants to read it with the same link posted earlier just scroll down!

TH

--
Triple Helix - Microsoft® MVP Consumer Security 2012
VIP Member Of ASAP - (Alliance of Security Analysis Professionals™)
Official Webroot SecureAnywhere (Prevx) Support Forum Helper!
(H59 Clan)