FINE TUNING THREAT DETECTION
ANALYZING BEHAVIOR TO IDENTIFY THREATS
Webroot SecureAnywhere employs heuristics that not only rank potential threats on age and popularity, but also on their behavior. This adds tremendous depth to the rapid characterization of malware. Additionally, Webroot SecureAnywhere allows administrators to tune heuristics to suit the environment and user activity, allowing for different levels of sensitivity when using external media like USB sticks or CD/DVDs, or when the endpoint is offline.
- RELATED FEATURES:
- Advanced Heuristics | Offline Protection | Cloud Predictive Intelligence | Intelligent Outbound Firewall
Webroot offers security that is far superior to anything else on the market.
Age, Popularity and Advanced Heuristics Provide Ultimate Protection
Webroot SecureAnywhere’s heuristics settings allow administrators to adjust the level of heuristic threat analysis that is performed when an endpoint is scanned (on or offline). They can also be adjusted for analyzing any newly introduced programs as they run.
Heuristic settings are adjustable for:
- Local drives
- USB drives
- Internet access
- Network access
- Local CD/DVDs
Flexible heuristics settings can be tuned to meet your needs
Unlike the fixed heuristics settings found in other endpoint solutions, Webroot SecureAnywhere’s heuristic threat analysis settings are flexible. They may be tailored to suit individual policy needs and also provide granular control over how new programs are analyzed. Three types of heuristic scans are available, and each offers five levels of protection ranging from disabled to maximum.
- Advanced Heuristics are behavioral in nature and are responsible for analyzing new programs for suspicious behaviors that are typical of malware.
- Age Heuristics analyze programs based on the amount of time they have been seen within the collective Webroot Intelligence Network environment. Legitimate programs are generally used in an environment for a long time, while malware often has a short lifespan.
- Popularity Heuristics analyze programs based on statistics of how often they are seen by the Webroot Intelligence Network and how often the programs change. Legitimate programs do not change quickly, but malware often mutates at a rapid pace, and often installs itself as a unique copy on every computer, making it statistically ‘unpopular’.
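To make the three heuristic types and the per-source sensitivity levels concrete, here is an added example in Python. It is not Webroot's code: the thresholds behind each level, the policy table keyed by program source, and the rule that a behavioral hit quarantines while an age or popularity hit only puts the program under monitoring are all assumptions made for illustration. Only the five levels (disabled to maximum), the three heuristic types and the five sources come from the page.

```python
from dataclasses import dataclass
from enum import IntEnum


class Level(IntEnum):
    """Five sensitivity levels per heuristic type, disabled through maximum."""
    DISABLED = 0
    LOW = 1
    MEDIUM = 2
    HIGH = 3
    MAXIMUM = 4


# Assumed thresholds indexed by Level; None means that heuristic is switched off.
YOUNG_IF_DAYS_UNDER = [None, 1, 3, 7, 30]                # age heuristic
UNPOPULAR_IF_ENDPOINTS_UNDER = [None, 2, 10, 100, 1000]  # popularity heuristic
SUSPICIOUS_IF_BEHAVIORS_AT_LEAST = [None, 3, 2, 2, 1]    # advanced (behavioral) heuristic


@dataclass(frozen=True)
class FileEvidence:
    source: str                          # local, usb, cddvd, network or internet
    age_days: int                        # days since the reputation network first saw this hash
    seen_on_endpoints: int               # endpoints that have reported this exact hash
    unique_per_install: bool             # a different copy on every machine (polymorphic)
    behaviors: frozenset = frozenset()   # suspicious behaviors observed while running


# Hypothetical policy: one level per heuristic type for each program source.
SOURCE_POLICY = {
    "local":    {"advanced": Level.MEDIUM,  "age": Level.LOW,    "popularity": Level.LOW},
    "network":  {"advanced": Level.MEDIUM,  "age": Level.MEDIUM, "popularity": Level.MEDIUM},
    "cddvd":    {"advanced": Level.HIGH,    "age": Level.MEDIUM, "popularity": Level.MEDIUM},
    "usb":      {"advanced": Level.HIGH,    "age": Level.HIGH,   "popularity": Level.HIGH},
    "internet": {"advanced": Level.MAXIMUM, "age": Level.HIGH,   "popularity": Level.HIGH},
}


def evaluate(ev: FileEvidence, policy=SOURCE_POLICY):
    """Return (verdict, reasons).

    quarantine: the behavioral heuristic fired at this source's level
    monitor:    age or popularity looks wrong, so run it but journal every change
    allow:      nothing fired at the configured sensitivity
    """
    levels = policy[ev.source]
    reasons = []

    days = YOUNG_IF_DAYS_UNDER[levels["age"]]
    if days is not None and ev.age_days < days:
        reasons.append(f"age: first seen {ev.age_days}d ago, under {days}d")

    count = UNPOPULAR_IF_ENDPOINTS_UNDER[levels["popularity"]]
    if count is not None and (ev.seen_on_endpoints < count or ev.unique_per_install):
        reasons.append(f"popularity: {ev.seen_on_endpoints} endpoints, unique={ev.unique_per_install}")

    need = SUSPICIOUS_IF_BEHAVIORS_AT_LEAST[levels["advanced"]]
    if need is not None and len(ev.behaviors) >= need:
        reasons.append("advanced: " + ", ".join(sorted(ev.behaviors)))
        return "quarantine", reasons

    return ("monitor" if reasons else "allow"), reasons


if __name__ == "__main__":
    # Constructed evidence: the same young, rarely seen file arriving from two sources.
    young = FileEvidence("usb", age_days=2, seen_on_endpoints=5, unique_per_install=False)
    print(evaluate(young))                                 # monitor, two reasons
    print(evaluate(FileEvidence("local", 2, 5, False)))    # allow at the local drive's lower levels
```

The same evidence yields a different verdict depending on where the program came from, which is the point of per-source tuning: a USB-borne file that is only days old and rarely seen is run under monitoring, while the identical file already on a local drive is allowed at that source's lower sensitivity.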
We take our security and the welfare and protection of our employees very seriously. Webroot enables us to fulfill our role as guardians of our firm's Web security, and to carry it out as simply and effectively as possible.
Webroot SecureAnywhere is at its most effective when online and connected to the Webroot Intelligence Network; however, it also provides significant offline protection as well.
If a new program is introduced while offline, for example via a USB stick, Webroot SecureAnywhere’s advanced heuristics review the file. If it fails inspection because it shows telltale attributes of malware, it is immediately quarantined. By applying this local offline security logic, Webroot SecureAnywhere blocks many threats automatically. However, in the event that a threat does get past the heuristics, the behavior monitoring shield ensures it cannot do any real damage. The behavior monitoring shield allows the program to execute, but every action it performs is meticulously journaled. If the program is later deemed malicious, all the changes made by the program are rolled back and the machine is restored to its pre-infected state with no further action needed.
Offline security protects endpoints by utilizing Webroot's Advanced Heuristics
If a suspicious program tries to modify the system in a way that couldn't be repaired, then the change is automatically blocked and the administrator is notified when the endpoint is back online. Also, if any similar infections (i.e. a mutated version of the infection) are introduced to the system while it’s offline, they will be blocked. Webroot SecureAnywhere’s local protection is able to evaluate the overall flow and layout of a program rather than its exact checksum.
Webroot SecureAnywhere doesn’t solely rely upon being online to protect endpoints. And because of its behavioral monitoring, journaling, and rollback it protects an offline endpoint far better than a solution that relies on a signature database and offers no remediation.
CLOUD PREDICTIVE INTELLIGENCE
While we were using a competitor's product, we were averaging at least one infection each month. I'd have to determine the infection type and attempt to remove it - but sometimes removal wouldn't work and I'd have to either re-create the user account on the PC to restore to a previous point or do a clean install. The process could take anywhere from one to five hours for each event.
Cloud Predictive Intelligence is the method Webroot uses to assess whether existing, new or changed files and processes are safe to run on a user’s machine.
When the Webroot SecureAnywhere Agent is first installed, it scans the endpoint to build a local cache of all the files and processes already present. It then continuously monitors for new or changed files that are attempting, or are poised, to execute. Files are instantaneously validated against the Webroot Intelligence Network to make a categorization as ‘known good’ or ‘known bad’. If a determination of ‘known good’ or ‘known bad’ cannot be made, files go into a third category: ‘unknown/undetermined’.
The Cloud Predictive Intelligence process flow for a 'known bad' file
The Cloud Predictive Intelligence process flow for a 'known good' file
How it Works
When a new file is identified or an existing file is changed, a file hash is created on the local endpoint. That hash is then encrypted and securely sent to the Webroot Intelligence Network.
If the Webroot Intelligence Network has seen the file before, and it is ‘known good’, the determination is sent back to the endpoint and the file is allowed to execute.
If the Webroot Intelligence Network has seen the file before, and makes a ‘known bad’ determination, the file is immediately quarantined and blocked from being able to execute.
The Cloud Predictive Intelligence process flow for an 'unknown/undetermined' file
The most significant risk to endpoints is from newly released malware, also known as a Zero Day threat. In this scenario, the file has never been seen before, so the Webroot Intelligence Network is unable to make an instantaneous determination based on the file hash alone. Rather than simply assuming the file is a non-threat because the file is not ‘known bad’, the agent does a trial execution of the file within a Sandbox on the local Agent to examine what other files are touched, any changes that are made, and any network activity that is attempted without compromising the endpoint. The behaviors from this pseudo-execution are analyzed in more detail and matched against the Webroot Intelligence Network’s database of behavioral rule sets.
If a definitive determination is still not possible based on the behavior, the file is then allowed to run on the endpoint. Full monitoring and journaling runs alongside all the other Webroot security shields until the new file can be clearly identified as ‘known good’ or ‘known bad’. Any action that exhibits malware behavior is blocked immediately, even though the file itself has been allowed to execute.
When the Webroot Intelligence Network has enough information about the file to accurately identify it as ‘known bad’, it will block any further execution, quarantine the file, and roll back any changes that have been made based on the information journaled since the file was first identified on the endpoint. This will restore the machine to the pre-infection state.
Strength in Numbers
Additionally, if a file is determined as 'known bad', all other endpoints in the network that might encounter this program are automatically protected as well because the file hash is updated in the Webroot Intelligence Network. This means the next time that file is seen, there is no need to do a behavioral analysis or journaling, because the file hash will immediately be identified as malware upon the first check.
Safeguards Against False Positives
If a file has been determined as ‘known bad’ by the Webroot Intelligence Network, but is being run intentionally in an environment, administrators have the ability to set an override to allow its continued use. For instance, a keylogger may have been legitimately deployed within a network for IT or development work. Webroot SecureAnywhere is likely to classify this type of file as ‘known bad’ since it exhibits malicious keylogger behaviors. This would be an inaccurate determination for a specific set of users in this environment. With Webroot SecureAnywhere, an administrator is able to immediately override a ‘known bad’ determination with a few mouse clicks from within the web management console and re-classify the file as ‘known good’ for their network.
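The "How it Works" flow, the rollback described under it, the "Strength in Numbers" sharing of a verdict, and the administrator override above fit together as one small mechanism. The Python below is an added example that is not Webroot's code: the `Reputation` class is an in-memory stand-in for the Webroot Intelligence Network lookup, the program's actions are a constructed list of file writes and deletes rather than a real execution, and the sandboxed trial execution is not modeled. What it does show is the order of operations: hash on the endpoint, admin override before the network verdict, known-bad never runs, known-good runs without journaling, unknown runs with every change journaled so that a later verdict can restore the machine and immediately protect the next endpoint that sees the same hash.

```python
import hashlib
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Hash the file on the endpoint; only the digest needs to leave the machine."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


class Reputation:
    """Stand-in for the network lookup: known digests plus a per-network admin override."""

    def __init__(self):
        self.known_good, self.known_bad, self.overrides = set(), set(), {}

    def verdict(self, digest: str) -> str:
        if digest in self.overrides:      # administrator's re-classification wins for this network
            return self.overrides[digest]
        if digest in self.known_bad:
            return "bad"
        if digest in self.known_good:
            return "good"
        return "unknown"


class Journal:
    """Prior state of every path a monitored program touched, oldest entry first."""

    def __init__(self):
        self.entries = []  # (path, previous bytes, or None if the path did not exist yet)

    def snapshot(self, path: Path):
        self.entries.append((path, path.read_bytes() if path.exists() else None))

    def rollback(self):
        for path, prev in reversed(self.entries):  # undo the newest change first
            if prev is None:
                path.unlink(missing_ok=True)
            else:
                path.write_bytes(prev)
        self.entries.clear()


def execute(program: Path, actions, rep: Reputation):
    """Apply the verdict for one program, then carry out its (constructed) file actions.

    actions: list of ("write", path, bytes) or ("delete", path) standing in for
    what the program does when it runs.
    """
    verdict = rep.verdict(sha256_file(program))
    if verdict == "bad":
        return {"verdict": verdict, "ran": False, "journal": None}  # quarantined, never executes
    journal = Journal() if verdict == "unknown" else None            # known good: no journaling cost
    for act in actions:
        if journal is not None:
            journal.snapshot(act[1])
        if act[0] == "write":
            act[1].write_bytes(act[2])
        elif act[0] == "delete":
            act[1].unlink()
    return {"verdict": verdict, "ran": True, "journal": journal}


def demo():
    """Two endpoints meet the same never-seen program; the second benefits from the first."""
    rep = Reputation()
    root = Path(tempfile.mkdtemp())
    program = root / "installer.exe"
    program.write_bytes(b"constructed sample bytes, not a real binary")
    cfg, dropped = root / "config.txt", root / "dropped.bin"
    cfg.write_bytes(b"original")
    actions = [("write", cfg, b"tampered"), ("write", dropped, b"payload"), ("delete", cfg)]

    first = execute(program, actions, rep)         # unknown: allowed to run, fully journaled
    during = {"cfg_deleted": not cfg.exists(), "dropped": dropped.read_bytes()}

    digest = sha256_file(program)                  # later the network classifies it as bad
    rep.known_bad.add(digest)
    first["journal"].rollback()                    # restore the pre-infection state
    second = execute(program, actions, rep)        # another endpoint: blocked on the hash alone

    rep.overrides[digest] = "good"                 # admin re-classifies it for this network
    third = execute(program, [], rep)
    return {
        "first_verdict": first["verdict"],
        "cfg_deleted_during_run": during["cfg_deleted"],
        "dropped_during_run": during["dropped"],
        "cfg_after_rollback": cfg.read_bytes(),
        "dropped_after_rollback": dropped.exists(),
        "second_verdict": second["verdict"],
        "second_ran": second["ran"],
        "override_verdict": third["verdict"],
    }


if __name__ == "__main__":
    print(demo())
```

The journal replays in reverse order on purpose: the config file is overwritten and then deleted, so restoring it naively from the last snapshot would leave the tampered content in place. Undoing newest-first lands on the original bytes and removes the dropped file.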
INTELLIGENT OUTBOUND FIREWALL
We are saving users from being infected, which is a boost in productivity for everyone. It simply works and does what it says it does. You can't ask for more than that!
Conventional endpoint firewalls require the user or administrator to decide whether a program may access the Internet - Webroot SecureAnywhere does it differently.
Webroot SecureAnywhere integrates a completely new outbound firewall helper that offers additional capabilities to protect and analyze all outbound connections and manage all outbound application traffic. This intelligent outbound firewall functionality considerably enhances the existing inbound protection offered by the Windows Firewall. It automatically monitors all outbound traffic and blocks illegitimate call-home and other types of malware communication, immediately stopping them from successfully extracting and stealing data.
This intelligent firewall functionality is managed via the local Agent and by using the Webroot Intelligence Network to validate the legitimacy of outbound traffic communications. It taps into this real-time automated decision making to avoid errors or pestering users with requests for online access from applications that they know nothing about.
By taking firewall decisions about outbound application communication away from the users, we minimize firewall request popups, and prevent user judgment errors that lead to endpoint infections. This approach to firewall management is another unique way that we leverage the benefits of the Webroot Intelligence Network in a very practical, time-saving, yet secure way. And by having the combined capabilities of the Webroot and Windows Firewalls, your endpoint data has reliable inbound and outbound data loss prevention.
The Intelligent Outbound Firewall offers additional security by protecting and analyzing outbound connections and managing application traffic.