CONTAINING UNKNOWN THREATS
PROTECTION FROM 'THE UNKNOWN' THROUGH UNIQUE JOURNALING AND ROLLBACK
Webroot SecureAnywhere accounts for malware that may never have been seen before, Zero Day threats or highly targeted malware, through a variety of unique protection measures. First, any file that is not explicitly known as ‘good’ is assumed to be suspicious. A suspicious file’s initial execution is conducted in a protected environment where the other files it wants to touch, the changes it wants to make, and the network activities it needs to initiate are matched against the behaviors of known malware. If the behaviors match known ‘bad’ behavior, the file is immediately blocked from further execution. If its behaviors do not immediately classify it as ‘bad’, it is allowed to execute on the endpoint, but every action is meticulously journaled so that, in the event the file is later classified as a threat, everything it has done can be rolled back to return the endpoint to its pre-infection state.
JOURNALING, MONITORING AND ROLLBACK
I've found the rollback feature to be really interesting and useful. Usually, there is a lot of management involved but this is much simpler. Now, it's just automatic.
A unique capability that sets Webroot SecureAnywhere apart from every other antivirus solution is the way unknown or ‘undetermined’ malware is handled, and the automatic remediation that is provided to ensure endpoint protection.
If a brand new program is introduced to an endpoint protected by Webroot SecureAnywhere, and it has no existing relationship to anything else on that machine, then local heuristics and other defenses are automatically applied to make a good or bad determination.
This logic will automatically block virtually every threat. However, in the rare case that a threat does get through the heuristics, sandbox, and other defenses, the ongoing journaling and monitoring of behavior ensures it cannot do any permanent damage to a user’s machine.
For example, if a suspicious or undetermined program has passed the several layers of local and Webroot Intelligence Network checks, it is monitored extremely closely, and watched to see which files, registry keys and memory locations it alters.
The journaling function then records and remembers the before and after state of each change made. If a monitored program is later found to be behaving maliciously, Webroot SecureAnywhere can step in to block and quarantine it, alert the user and administrator, and proceed to automatically clean up the threat.
This ability to safely defer a decision reduces false positive and false negative categorizations, and comes into play when Webroot SecureAnywhere is not sure if a program is potentially ‘suspicious’ or ‘bad’. Other AV solutions only make good or bad determinations and have no journaling or rollback, so any remediation is standardized and likely to be ineffective.
The inability of legacy solutions to offer individualized and tailored protection often results in administrators having to re-image infected machines. This causes huge losses in productivity and staff time. On the other hand, Webroot SecureAnywhere’s rollback process ensures every change made to that particular machine by a piece of malware is reversed, returning the endpoint to its prior pre-infected state. This results in fewer endpoints needing to be re-imaged due to missing or changed files that cause the machine to operate in an unstable or unsafe way.
Legacy endpoint security solutions do not incorporate monitoring and journaling, so even if they do offer post-infection remediation, they often cannot fully restore the endpoint to its pre-infected state.
CLOUD PREDICTIVE INTELLIGENCE
While we were using a competitor's product, we were averaging at least one infection each month. I'd have to determine the infection type and attempt to remove it - but sometimes removal wouldn't work and I'd have to either re-create the user account on the PC to restore to a previous point or do a clean install. The process could take anywhere from one to five hours for each event.
Cloud Predictive Intelligence is the method Webroot uses to assess whether existing, new or changed files and processes are safe to run on a user’s machine.
When the Webroot SecureAnywhere Agent is first installed, it scans the endpoint to build a local cache of all the files and processes already present. It then continuously monitors for new or changed files that are attempting, or are poised, to execute. Files are instantaneously validated against the Webroot Intelligence Network to make a categorization as ‘known good’ or ‘known bad’. If a determination of ‘known good’ or ‘known bad’ cannot be made, files go into a third category: ‘unknown/undetermined’.
The Cloud Predictive Intelligence process flow for a 'known bad' file
The Cloud Predictive Intelligence process flow for a 'known good' file
How it Works
When a new file is identified or an existing file is changed, a file hash is created on the local endpoint. That hash is then encrypted and securely sent to the Webroot Intelligence Network.
If the Webroot Intelligence Network has seen the file before, and it is ‘known good’, the determination is sent back to the endpoint and the file is allowed to execute.
If the Webroot Intelligence Network has seen the file before, and makes a ‘known bad’ determination, the file is immediately quarantined and blocked from being able to execute.
The Cloud Predictive Intelligence process flow for an 'unknown/undetermined' file
The most significant risk to endpoints is from newly released malware, also known as a Zero Day threat. In this scenario, the file has never been seen before, so the Webroot Intelligence Network is unable to make an instantaneous determination based on the file hash alone. Rather than simply assuming the file is a non-threat because it is not ‘known bad’, the agent does a trial execution of the file within a sandbox on the local agent to examine which other files are touched, any changes that are made, and any network activity that is attempted, without compromising the endpoint. The behaviors from this pseudo-execution are analyzed in more detail and matched against the Webroot Intelligence Network’s database of behavioral rule sets.
If a definitive determination is still not possible based on the behavior, the file is then allowed to run on the endpoint. Full monitoring and journaling runs alongside all the other Webroot security shields until the new file can be clearly identified as ‘known good’ or ‘known bad’. Any action that matches known malware behavior is blocked immediately, even though the file itself has been allowed to execute.
When the Webroot Intelligence Network has enough information about the file to accurately identify it as ‘known bad’, it will block any further execution, quarantine the file, and roll back any changes that have been made based on the information journaled since the file was first identified on the endpoint. This will restore the machine to the pre-infection state.
Strength in Numbers
Additionally, if a file is determined as 'known bad', all other endpoints in the network that might encounter this program are automatically protected as well because the file hash is updated in the Webroot Intelligence Network. This means the next time that file is seen, there is no need to do a behavioral analysis or journaling, because the file hash will immediately be identified as malware upon the first check.
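The process flow above (hash lookup, three-way categorization, journaled execution of an undetermined file, rollback on a later ‘known bad’ verdict, and the hash propagation described under Strength in Numbers) as an added, simplified model; this is illustrative code written for this page, not Webroot’s agent. It assumes a local dictionary standing in for the Webroot Intelligence Network lookup and models files and registry keys as entries in a plain dict.

```python
import hashlib

# Constructed stand-in for the cloud reputation lookup (assumption: the real
# Webroot Intelligence Network is a remote service; here it is two sets).
KNOWN_GOOD = {hashlib.sha256(b"constructed good program").hexdigest()}
KNOWN_BAD = {hashlib.sha256(b"constructed bad program").hexdigest()}

def classify(content: bytes) -> str:
    """Hash the file and return 'known good', 'known bad' or 'unknown'."""
    h = hashlib.sha256(content).hexdigest()
    if h in KNOWN_GOOD:
        return "known good"
    if h in KNOWN_BAD:
        return "known bad"
    return "unknown"

class Journal:
    """Before/after journal of the changes an undetermined program makes."""
    def __init__(self, state: dict):
        self.state = state          # files/registry keys modelled as a dict
        self.entries = []           # (key, before, after), in change order

    def write(self, key: str, after):
        before = self.state.get(key)   # None: the key did not exist before
        self.entries.append((key, before, after))
        self.state[key] = after

    def rollback(self):
        # Undo in reverse order so repeated edits to one key unwind correctly.
        for key, before, _ in reversed(self.entries):
            if before is None:
                self.state.pop(key, None)
            else:
                self.state[key] = before
        self.entries.clear()

def run_undetermined(content: bytes, changes: list, state: dict,
                     later_verdict: str) -> str:
    """Let an 'unknown' file run under journaling, then apply the later verdict."""
    verdict = classify(content)
    if verdict != "unknown":
        return verdict                       # known files need no journaling
    journal = Journal(state)
    for key, value in changes:               # monitored execution on the endpoint
        journal.write(key, value)
    h = hashlib.sha256(content).hexdigest()
    if later_verdict == "known bad":
        journal.rollback()                   # return to the pre-infection state
        KNOWN_BAD.add(h)                     # every other endpoint now blocks it
    else:
        KNOWN_GOOD.add(h)
    return later_verdict
```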
Safeguards Against False Positives
If a file has been determined as ‘known bad’ by the Webroot Intelligence Network, but is being run intentionally in an environment, administrators have the ability to set an override to allow its continued use. For instance, a keylogger may have been legitimately deployed within a network for IT or development work. Webroot SecureAnywhere is likely to classify this type of file as ‘known bad’ since it exhibits malicious keylogger behaviors. This would be an inaccurate determination for a specific set of users in this environment. With Webroot SecureAnywhere, an administrator is able to immediately override a ‘known bad’ determination with a few mouse clicks from within the web management console and re-classify the file as ‘known good’ for their network.